Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. |
-| [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) | If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. |
+| [Microsoft Edge requirements and language support](hardware-and-software-requirements.md) |Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.|
+| [Available policies for Microsoft Edge](available-policies.md) |Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings.
Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. |
+| [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. |
| [Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) |Microsoft Edge is designed with significant security improvements over existing browsers, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. |
## Interoperability goals and enterprise guidance
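Review bot: The re-added "Available policies" row still carries the apostrophe plural "GPO's", and the re-added Enterprise Mode row still writes "web sites" as two words. Both rows are being rewritten anyway, so suggest "GPOs" and "websites". The only visible difference between the removed and added Enterprise Mode rows is the space after the second `|`, so please confirm that a whitespace-only change is what was intended there.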
@@ -59,8 +59,10 @@ You'll need to keep running them using IE11. If you don't have IE11 installed an
## Related topics
- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
+
- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956)
+
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760644)
-- [Internet Explorer 11 - FAQ for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760645)
+
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646)
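Review bot: The "Internet Explorer 11 - FAQ for IT Pros" entry is dropped from Related topics here, yet a link with the same title is kept in the Related topics of enterprise-guidance-using-microsoft-edge-and-ie11.md later in this patch. If the FAQ is being retired, both should go; if not, this one should stay. Separately, the added blank lines between the bullets make this a loose list, which renders each item as its own paragraph; leave the items adjacent if that extra spacing is not wanted.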
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index c52a45bbad..8c8984005a 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -5,11 +5,11 @@ author: eross-msft
ms.prod: edge
ms.mktglfcycl: explore
ms.sitesec: library
-title: Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge (Microsoft Edge for IT Pros)
+title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)
localizationpriority: high
---
-# Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge
+# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
**Applies to:**
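Review bot: The new front-matter `title:` drops the "(MDM)" abbreviation while the H1 changed in the same hunk keeps it. Suggest keeping the two in step, for example `title: Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge (Microsoft Edge for IT Pros)`, so the browser title and the page heading match.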
@@ -272,7 +272,10 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A
### Keep favorites in sync between Internet Explorer and Microsoft Edge
- **Supported versions:** Windows 10, version 1703
-- **Description:** This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge.
+- **Description:** This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge, including additions, deletions, changes, and position.
+
+ >[!Note]
+ >Enabling this setting stops Edge favorites from syncing between connected Windows 10 devices.
- If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge.
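Review bot: The added alert is written `>[!Note]`, with no space after `>` and in mixed case, whereas the existing alert further down this file is `> [!NOTE]`; suggest using the same form. The note also describes a side effect of enabling the setting, so it would read better placed directly after the "If you enable this setting" bullet rather than between the description and that bullet.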
@@ -367,7 +370,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A
- If you disable or don’t configure this setting (default), the default app behavior occurs and no additional page appears.
-## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge
+## Using Microsoft Intune to manage your Mobile Device Management (MDM) settings for Microsoft Edge
If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page.
> [!NOTE]
@@ -954,8 +957,10 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
- **0 (default).** Synchronization is turned off.
- - **1.** Synchronization is turned on.
+ - **1.** Synchronization is turned on.
+ >[!Note]
+ >Enabling this setting stops Edge favorites from syncing between connected Windows 10 devices.
## Microsoft Edge and Windows 10-specific Group Policy settings
These are additional Windows 10-specific Group Policy settings that work with Microsoft Edge.
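Review bot: The `- **1.** Synchronization is turned on.` line is removed and re-added with identical visible text, so that pair is a whitespace-only change. If the intent is to separate the list item from the note, a blank line before `>[!Note]` is clearer than trailing whitespace. The alert marker would also match the rest of the file if written `> [!NOTE]`.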
@@ -1026,4 +1031,4 @@ These are additional Windows 10-specific MDM policy settings that work with Mic
## Related topics
* [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514)
-* [Mobile Data Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)
\ No newline at end of file
+* [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)
\ No newline at end of file
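Review bot: The rewritten link keeps the stray space inside its target, `]( https://go.microsoft.com/...`, and the file still ends without a newline. Since this line is changing anyway, suggest `](https://go.microsoft.com/fwlink/p/?LinkId=722885)` plus a trailing newline.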
diff --git a/browsers/edge/breadcrumb/toc.yml b/browsers/edge/breadcrumb/toc.yml
new file mode 100644
index 0000000000..f417737985
--- /dev/null
+++ b/browsers/edge/breadcrumb/toc.yml
@@ -0,0 +1,7 @@
+- name: Docs
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Microsoft Edge deployment
+ tocHref: /microsoft-edge/deploy
+ topicHref: /microsoft-edge/deploy/index
\ No newline at end of file
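Review bot: The new toc.yml ends without a trailing newline, as the `\ No newline at end of file` marker shows; please add one. Also, browsers/edge/docfx.json in this patch sets `breadcrumb_path` to `/microsoft-edge/deploy/breadcrumb/toc.json`, so it is worth confirming that the build produces toc.json from this toc.yml at that path.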
diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md
index ce750be2f7..0ce06c2d4f 100644
--- a/browsers/edge/change-history-for-microsoft-edge.md
+++ b/browsers/edge/change-history-for-microsoft-edge.md
@@ -15,7 +15,7 @@ For a detailed feature list of what's in the current Microsoft Edge releases, th
## February 2017
|New or changed topic | Description |
|----------------------|-------------|
-|[Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. |
+|[Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. |
## November 2016
|New or changed topic | Description |
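Review bot: The link text in the February 2017 row still begins with "Available", but available-policies.md is retitled in this patch to "Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge". Suggest dropping "Available" here as well so the change history shows the topic under its current title.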
diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index bc72c31b48..48a4dd1620 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -3,7 +3,7 @@
"content":
[
{
- "files": ["**/**.md"],
+ "files": ["**/*.md","**/*.yml"],
"exclude": ["**/obj/**"]
}
],
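Review bot: The new `"**/*.yml"` pattern pulls every YAML file under the docset into the build, not only the breadcrumb/toc.yml added in this patch. If the breadcrumb file is the only YAML content intended, a narrower pattern such as `"**/toc.yml"` would avoid picking up unrelated files.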
@@ -14,7 +14,12 @@
}
],
"globalMetadata": {
- "ROBOTS": "INDEX, FOLLOW"
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/microsoft-edge/deploy/breadcrumb/toc.json",
+ "ROBOTS": "INDEX, FOLLOW",
+ "ms.technology": "microsoft-edge",
+ "ms.topic": "article",
+ "ms.author": "lizross"
},
"externalReference": [
],
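Review bot: This `globalMetadata` block adds `"ms.author": "lizross"` but no `author`, while browsers/internet-explorer/docfx.json in the same patch adds both `ms.author` and `"author": "eross-msft"`. If a global author default is wanted for the Edge docset too, add it here; otherwise a short explanation of why the two docsets differ would help the next maintainer.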
diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
index fefb61f858..25a4a724e7 100644
--- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
+++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
@@ -1,7 +1,6 @@
---
title: Microsoft Edge and Internet Explorer 11 (Microsoft Edge for IT Pros)
description: Enterprise guidance for using Microsoft Edge and Internet Explorer 11.
-ms.assetid: 3c5bc4c4-1060-499e-9905-2504ea6dc6aa
author: eross-msft
ms.prod: edge
ms.mktglfcycl: support
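Review bot: `ms.assetid` is removed from the front matter with no replacement, and it is the only asset ID removal visible in this patch. If the removal is deliberate, please say why in the commit description; otherwise restore the line.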
@@ -56,4 +55,4 @@ IE11 offers enterprises additional security, manageability, performance, backwar
- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/itpro/internet-explorer/ie11-ieak/index)
-- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
\ No newline at end of file
+- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
diff --git a/browsers/internet-explorer/breadcrumb/toc.yml b/browsers/internet-explorer/breadcrumb/toc.yml
new file mode 100644
index 0000000000..a0baa945df
--- /dev/null
+++ b/browsers/internet-explorer/breadcrumb/toc.yml
@@ -0,0 +1,7 @@
+- name: Docs
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Internet Explorer
+ tocHref: /internet-explorer
+ topicHref: /internet-explorer/index
\ No newline at end of file
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index a8dde5aafb..b19b1d7f96 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -3,7 +3,7 @@
"content":
[
{
- "files": ["**/**.md"],
+ "files": ["**/*.md","**/*.yml"],
"exclude": ["**/obj/**"]
}
],
@@ -14,7 +14,13 @@
}
],
"globalMetadata": {
- "ROBOTS": "INDEX, FOLLOW"
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
+ "ROBOTS": "INDEX, FOLLOW",
+ "ms.author": "lizross",
+ "author": "eross-msft",
+ "ms.technology": "internet-explorer",
+ "ms.topic": "article"
},
"externalReference": [
],
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
index a923c7b2dd..9660d3d146 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
@@ -82,7 +82,7 @@ To make sure your site list is up-to-date; wait 65 seconds after opening IE and
## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1)
After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1).
-  **To add multiple sites**
+ **To add multiple sites**
1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**.
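Review bot: Removing `` from the procedure heading may leave `images/wedge.gif` unreferenced. The same replacement repeats across the ie11-deploy-guide topics in this patch, so once all of them are applied, check for remaining references and delete the image file in this change if there are none.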
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
index 4770a4ffb0..327a105fef 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
@@ -92,7 +92,7 @@ To make sure your site list is up-to-date; wait 65 seconds after opening IE and
## Add multiple sites to the Enterprise Mode Site List Manager (schema v.2)
After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.2).
-  **To add multiple sites**
+ **To add multiple sites**
1. In the Enterprise Mode Site List Manager (schema v.2), click **Bulk add from file**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
index 7e8c3c6910..1140d08486 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
@@ -27,7 +27,7 @@ Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, lett
You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
**Note** If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md).
-  **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)**
+ **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)**
1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**.
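Review bot: The Note in the context line just above the changed heading tells readers on the v.2 schema to use "the Enterprise Mode Site List Manager (schema v.1)", yet it links to the v.2 topic. That looks like it should read "(schema v.2)". Since this file is being touched, suggest correcting it in the same change.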
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
index b18fa646cd..3ee1358e16 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
@@ -27,7 +27,7 @@ Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, lett
You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
**Note** If you're using the v.1 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the WEnterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md).
-  **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)**
+ **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)**
1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**.
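Review bot: The Note in the context line just above the changed heading has a typo in its link text, "the WEnterprise Mode Site List Manager (schema v.1)". Suggest fixing it to "the Enterprise Mode Site List Manager (schema v.1)" while this file is open.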
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
index a64b645896..3ab6081d7c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
@@ -26,7 +26,7 @@ If you experience issues while setting up your proxy server, you can try these t
- Check that the browser is pointing to the right automatic configuration script location.
-  **To check your proxy server address**
+ **To check your proxy server address**
1. On the **Tools** menu, click **Internet Options**, and then **Connections**.
@@ -34,7 +34,7 @@ If you experience issues while setting up your proxy server, you can try these t
3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.
**Note** If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652).
-  **To check that you've turned on the correct settings**
+ **To check that you've turned on the correct settings**
1. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
@@ -42,7 +42,7 @@ If you experience issues while setting up your proxy server, you can try these t
3. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.
**Note** If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again.
-  **To check that you're pointing to the correct automatic configuration script location**
+ **To check that you're pointing to the correct automatic configuration script location**
1. On the **Tools** menu, click **Internet Options**, and then click **Connections**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
index f49ab30704..5b02b0d37f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
@@ -17,7 +17,7 @@ Automatic configuration lets you apply custom branding and graphics to your inte
## Adding the automatic configuration registry key
For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.
**Important** Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs.
-  **To add the registry key**
+ **To add the registry key**
1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**.
@@ -39,7 +39,7 @@ For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry
After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding.
**Important** Your branding changes won't be added or updated if you've previously chosen the **Disable external branding of IE** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514).
-  **To update your settings**
+ **To update your settings**
1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
index b93b60f816..c454b9eb42 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
@@ -23,7 +23,7 @@ Automatic detection works even if the browser wasn't originally set up or instal
## Updating your automatic detection settings
To use automatic detection, you have to set up your DHCP and DNS servers.
**Note** Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options.
-  **To turn on automatic detection for DHCP servers**
+ **To turn on automatic detection for DHCP servers**
1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page.
@@ -31,7 +31,7 @@ To use automatic detection, you have to set up your DHCP and DNS servers.
**No
3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649).
-  **To turn on automatic detection for DNS servers**
+ **To turn on automatic detection for DNS servers**
1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
index 119052b438..a9ac089edf 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
@@ -17,7 +17,7 @@ Configure and maintain your proxy settings, like pointing your users' browsers t
## Updating your auto-proxy settings
You can use your Internet settings (.ins) files to set up your standard proxy settings. You can also specify script files (.js, .jvs, or .pac) to configure and maintain your advanced proxy settings. IE uses your auto-proxy script files to dynamically determine whether to connect to a host or use a proxy server. If a proxy server connection fails, Internet Explorer 11 automatically attempts to connect to another proxy server that you have specified.
-  **To update your settings**
+ **To update your settings**
1. Create a script file with your proxy information, copying it to a server location.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
index 1717c9f622..4ec6a7cc70 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
@@ -5,6 +5,7 @@ description: This topic lists new and updated topics in the Internet Explorer 11
ms.mktglfcycl: deploy
ms.prod: ie11
ms.sitesec: library
+author: eross-msft
---
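Review bot: `author: eross-msft` is added to this topic's front matter, and the same value is added as a global default under `globalMetadata` in browsers/internet-explorer/docfx.json in this patch. One of the two is redundant; prefer the global default unless this topic needs a different author.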
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
index cf90d5c6b3..9c4a55c2bd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
@@ -21,7 +21,7 @@ Before you install Internet Explorer 11, you should:
- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation.
- - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://go.microsoft.com/fwlink/p/?linkid=276667).
+ - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune).
- **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669).
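Review bot: The Intune link on the changed line switches from a `go.microsoft.com/fwlink` redirect to a hard-coded `https://www.microsoft.com/en-us/...` URL, while the other three links on the same line stay as fwlinks; the `en-us` segment also pins the locale. If a redirect exists for the new target, keep the fwlink style. The same line still reads "System Center R2 2012 System Center 2012 R2 Configuration Manager" and "Windows Server Updates Services", so the duplicated product name and the "Updates" typo could be fixed in this edit too.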
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
index 1d2df29b8f..51f61a1b66 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
@@ -19,7 +19,7 @@ You'll create multiple versions of your custom browser package if:
- You have custom installation packages with only minor differences. Like, having a different phone number.
-  **To create a new package**
+ **To create a new package**
1. Create an installation package using the Internet Explorer Customization Wizard 11, as described in the [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](../ie11-ieak/ieak11-wizard-custom-options.md) topic.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 360620938d..267c606f8b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -22,7 +22,7 @@ ms.sitesec: library
- Windows Server 2008 R2 with Service Pack 1 (SP1)
-  **To delete a single site from your global Enterprise Mode site list**
+ **To delete a single site from your global Enterprise Mode site list**
- From the Enterprise Mode Site List Manager, pick the site you want to delete, and then click **Delete**.
The site is permanently removed from your list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
index affd42d162..708fccaaa2 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
@@ -45,7 +45,7 @@ To follow the examples in this topic, you’ll need to pin the Bing (http://www.
### Step 1: Creating .website files
The first step is to create a .website file for each website that you want to pin to the Windows 8.1 taskbar during deployment. A .website file is like a shortcut, except it’s a plain text file that describes not only the website’s URL but also how the icon looks.
-  **To create each .website file**
+ **To create each .website file**
1. Open the website in IE11.
@@ -56,7 +56,7 @@ The first step is to create a .website file for each website that you want to pi
### Step 2: Copying the .website files to the deployment share
Next, you must enable your deployment share to copy the bing.website and msn.website files to the **Start** menu on each target computer.
-  **To copy .website files to the deployment share**
+ **To copy .website files to the deployment share**
1. Open your MDT 2013 deployment share in Windows Explorer.
@@ -67,7 +67,7 @@ Next, you must enable your deployment share to copy the bing.website and msn.web
### Step 3: Copying .website files to target computers
After your operating system is installed on the target computer, you need to copy the .website files over so they can be pinned to the taskbar.
-  **To copy .website files to target computers**
+ **To copy .website files to target computers**
1. In the **Deployment Workbench** of MDT 2013, open the deployment share containing the task sequence during which you want to deploy pinned websites, and then click **Task Sequences**.
@@ -84,7 +84,7 @@ After your operating system is installed on the target computer, you need to cop
### Step 4: Pinning .website files to the Taskbar
With the .website files ready to copy to the **Public Links** folder on target computers for all users, the last step is to edit the Unattend.xml answer files to pin those .website files to the taskbar. You will need to complete the following steps for each task sequence during which you want to pin these websites to the taskbar.
-  **To pin .website files to the Taskbar**
+ **To pin .website files to the Taskbar**
1. Open the Windows System Image Manager (Windows SIM).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
index 7ebacccb8b..004a42cb19 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
@@ -25,7 +25,7 @@ You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to c
If you need to edit a lot of websites, you probably don’t want to do it one at a time. Instead, you can edit your saved XML or TXT file and add the sites back again. For information about how to do this, depending on your operating system and schema version, see [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md).
-  **To change how your page renders**
+ **To change how your page renders**
1. In the Enterprise Mode Site List Manager, double-click the site you want to change.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
index 4a7966faaa..68b09c2320 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
@@ -27,7 +27,7 @@ There are 4 types of add-ons:
## Using the Local Group Policy Editor to manage group policy objects
You can use the Local Group Policy Editor to change how add-ons work in your organization.
-  **To manage add-ons**
+ **To manage add-ons**
1. In the Local Group Policy Editor, go to `Computer Configuration\Administrative Templates\Windows Components\Internet Explorer`.
@@ -58,7 +58,7 @@ You can use the Local Group Policy Editor to change how add-ons work in your org
## Using the CLSID and Administrative Templates to manage group policy objects
Because every add-on has a Class ID (CLSID), you can use it to enable and disable specific add-ons, using Group Policy and Administrative Templates.
-  **To manage add-ons**
+ **To manage add-ons**
1. Get the CLSID for the add-on you want to enable or disable:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index e78df6c4c1..16c87cb775 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -224,75 +224,9 @@ In this example, `contoso.com/about/careers` will use the default version of Int
## How to target specific sites
If you want to target specific sites in your organization.
-
contoso.com/about and everything underneath that node will load in Enterprise Mode, except contoso.com/about/business, which will load in the default version of IE.
-
-
-
-
You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored
contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.
-
-
-
\ No newline at end of file
+|Targeted site |Example |Explanation |
+|--------------|--------|------------|
+|You can specify subdomains in the domain tag. |<docMode> <domain docMode="5">contoso.com</domain> <domain docMode="9">info.contoso.com</domain> <docMode> |
contoso.com uses document mode 5.
info.contoso.com uses document mode 9.
test.contoso.com also uses document mode 5.
|
+|You can specify exact URLs by listing the full path. |<emie> <domain exclude="false">bing.com</domain> <domain exclude="false" forceCompatView="true">contoso.com</domain> <emie>|
contoso.com/about and everything underneath that node will load in Enterprise Mode, except contoso.com/about/business, which will load in the default version of IE.
|
+|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie> <domain exclude="true">contoso.com <path>/about <path exclude="true">/business</path> </path> </domain> </emie> |
contoso.com will use the default version of IE.
contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.
|
\ No newline at end of file
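Review bot: In the added table, the example cells in the first two rows end with an opening tag (`<docMode>` and `<emie>`) where a closing tag is expected, and the second row's example does not match its explanation. That row is about listing the full path and its explanation discusses contoso.com/about and contoso.com/about/business, but the example only has bing.com and contoso.com domain entries with no `<path>` element; the third row is the one whose example contains `/about` and `/business`. Please check each example against the row it was moved from, put the XML in code formatting so it is not read as markup, and keep every row on one line, since the explanation text currently sits on separate lines between the pipes and that breaks a pipe table. The file also still ends without a trailing newline.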
diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
index b45f274bcc..6cbc411a30 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
@@ -26,7 +26,7 @@ After you create your Enterprise Mode site list in the Enterprise Mode Site List
**Important**
This file is not intended for distribution to your managed devices. Instead, it is only for transferring data and comments from one manager to another. For example, if one administrator leaves and passes the existing data to another administrator. Internet Explorer doesn’t read this file.
-  **To export your compatibility list**
+ **To export your compatibility list**
1. On the **File** menu of the Enterprise Mode Site List Manager, click **Export**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
index 94e5e4a1da..c8d09c6157 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
@@ -50,7 +50,7 @@ After you’ve figured out the document mode that fixes your compatibility probl
**Note**
There are two versions of the Enterprise Mode site list schema and the Enterprise Mode Site List Manager, based on your operating system. For more info about the schemas, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) or [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). For more info about the different site list management tools, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md).
-  **To add your site to the site list**
+ **To add your site to the site list**
1. Open the Enterprise Mode Site List Manager, and click **Add**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
index 3ae9e11aab..eed0b6ac55 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
@@ -29,7 +29,7 @@ From AGPM you can:
- **Manage your GPO lifecycle with change control features.** You can use the available version-control, history, and auditing features to help you manage your GPOs while moving through your archive, to your editing process, and finally to your GPO deployment.
**Note**
-For more information about AGPM, and to get the license, see [Microsoft Advanced Group Policy Management 4.0 SP1 Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=294916).
+For more information about AGPM, and to get the license, see [Advanced Group Policy Management 4.0 Documents](https://www.microsoft.com/en-us/download/details.aspx?id=13975).
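Review bot: The added line changes more than the URL. The link text drops "SP1 Step-by-Step Guide" in favour of "4.0 Documents" while the sentence still says "to get the license", so confirm the download page actually covers licensing or reword the sentence. The new URL also hard-codes the `en-us` locale, which the previous fwlink did not.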
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
index a5c8385649..f30e991051 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
@@ -23,7 +23,7 @@ Group Policy includes the Shortcuts preference extension, which lets you configu
## How do I configure shortcuts?
You can create and configure shortcuts for any domain-based Group Policy Object (GPO) in the Group Policy Management Console (GPMC).
-  **To create a new Shortcut preference item**
+ **To create a new Shortcut preference item**
1. Open GPMC, right-click the Group Policy object that needs the new shortcut extension, and click **Edit**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index 77b1ad1227..7550de81b9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -1,6 +1,7 @@
---
description: A full-sized view of how document modes are chosen in IE11.
title: Full-sized flowchart detailing how document modes are chosen in IE11
+author: eross-msft
---
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
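Review bot: The added `author: eross-msft` line is a metadata change inside what is otherwise a formatting cleanup, so it should be mentioned in the commit message. This front matter has only description, title and author, while other files in this patch carry `ms.sitesec: library` (visible in their hunk headers); check whether this page needs the same fields.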
diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
index a52315fec5..a896a41f84 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
@@ -26,7 +26,7 @@ If you need to replace your entire site list because of errors, or simply becaus
**Important**
Importing your file overwrites everything that’s currently in the tool, so make sure it’s what you really mean to do.
-  **To import your compatibility list**
+ **To import your compatibility list**
1. On the **File** menu of the Enterprise Mode Site List Manager, click **Import**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
index 37a5a38754..94b6be9b40 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
@@ -16,7 +16,7 @@ Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft I
## Adding and deploying the IE11 package
You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune.
-  **To add the IE11 package**
+ **To add the IE11 package**
1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher.
@@ -24,7 +24,7 @@ You can add and then deploy the IE11 package to any computer that's managed by M
For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
-  **To automatically deploy and install the IE11 package**
+ **To automatically deploy and install the IE11 package**
1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard.
@@ -34,7 +34,7 @@ For more info about how to decide which one to use, and how to use it, see [Depl
For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
-  **To let your employees install the IE11 package**
+ **To let your employees install the IE11 package**
1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
index 88f8a3c2f5..63cbd88f37 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
@@ -26,7 +26,7 @@ After you install the .msu file updates, you'll need to add them to your MDT dep
MDT adds IE11 to your Windows images, regardless whether you are creating or deploying a customized or non-customized image. MDT also lets you perform offline servicing during the System Center 2012 R2 Configuration Manager task sequence, letting you add IE11 before starting Windows. For info, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?linkid=331148).
-  **To add IE11 to a MDT deployment share**
+ **To add IE11 to a MDT deployment share**
1. Right-click **Packages** from each **Deployment Shares** location, and then click **Import OS Packages**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
index 3e5c532158..8a65258e74 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
@@ -14,7 +14,7 @@ ms.sitesec: library
# Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager
You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?linkid=276664). Complete these steps for each operating system and platform combination.
-  **To install IE11**
+ **To install IE11**
1. Download and approve the [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
index 90d10b49a1..7c9f00ad35 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
@@ -15,11 +15,11 @@ You can install Internet Explorer 11 (IE11) over your network by putting your c
**Note** If you support multiple architectures and operating systems, create a subfolder for each combination. If you support multiple languages, create a subfolder for each localized installation file.
-  **To manually create the folder structure**
+ **To manually create the folder structure**
- Copy your custom IE11 installation file into a folder on your network, making sure it's available to your employees.
-  **To create the folder structure using IEAK 11**
+ **To create the folder structure using IEAK 11**
- Run the Internet Explorer Customization Wizard 11 in IEAK 11, using the **Full Installation Package** option.
The wizard automatically puts your custom installation files in your `\\Flat` folder. Where the `` is the location of your other build files.
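Review bot: The context line under the second changed heading has lost its placeholder: "in your `\\Flat` folder. Where the `` is the location" shows an empty code span, so the reader cannot tell which folder is meant. Since this hunk already touches the procedure, restore the placeholder name in both places and escape it so it survives rendering.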
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
index d3d5a75fb7..a06e7ae728 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
@@ -13,7 +13,7 @@ ms.sitesec: library
# Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS)
Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790).
-  **To import from Windows Update to WSUS**
+ **To import from Windows Update to WSUS**
1. Open your WSUS admin site. For example, `http:///WSUSAdmin/`.
Where `` is the name of your WSUS server.
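Review bot: Step 1 reads `http:///WSUSAdmin/` with no host, and the following line explains an empty code span ("Where `` is the name of your WSUS server"). The server-name placeholder needs to be restored and escaped in both lines. While editing, consider whether the example should use `http://` for an admin site or show the scheme your WSUS deployment actually uses.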
@@ -28,7 +28,7 @@ Where `` is the name of your WSUS server.
You can also download the updates without importing them by unchecking the **Import directly into Windows Server Update Services** box.
-  **To approve Internet Explorer in WSUS for installation**
+ **To approve Internet Explorer in WSUS for installation**
1. Open your WSUS admin site and check the **Review synchronization settings** box from the **To Do** list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
index b077e4a853..0469d85cb3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
@@ -30,7 +30,7 @@ If you do, you can:
## Internet Explorer didn't finish installing
If Internet Explorer doesn't finish installing, it might mean that Windows Update wasn't able to install an associated update, that you have a previous, unsupported version of IE installed, or that there's a problem with your copy of IE. We recommend you try this:
-  **To fix this issue**
+ **To fix this issue**
1. Uninstall IE:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
index c51449c0b6..c3ddb1943c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
@@ -22,7 +22,7 @@ IE11 works differently with search, based on whether your organization is domain
To explicitly go to an intranet site, regardless of the environment, users can type either a trailing slash like ` contoso/` or the `http://` prefix. Either of these will cause IE11 to treat the entry as an intranet search. You can also change the default behavior so that IE11 treats your single word entry in the address bar as an intranet site, regardless of your environment.
-  **To enable single-word intranet search**
+ **To enable single-word intranet search**
1. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
index 7bb84e0a16..d25450aae1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
@@ -32,7 +32,7 @@ There might be extenuating circumstances in your company, which require you to c
**Important** This functionality is only available in Internet Explorer for the desktop.
-  **To change your Compatibility View settings**
+ **To change your Compatibility View settings**
1. Open Internet Explorer for the desktop, click **Tools**, and then click **Compatibility View settings**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
index 93d825a26b..75d0ad1469 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
@@ -13,7 +13,7 @@ ms.sitesec: library
# .NET Framework problems with Internet Explorer 11
If you’re having problems launching your legacy apps while running Internet Explorer 11, it’s most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0.
-  **To turn managed browser hosting controls back on**
+ **To turn managed browser hosting controls back on**
1. **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
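Review bot: Missing documentation on step 1. It changes **EnableIEHosting** under `HKLM`, which is machine-wide, and it turns back on behaviour the intro says Internet Explorer no longer allows. Suggest adding a short note next to the procedure that limits the change to devices that need the legacy apps and says how to revert it (the value to set back), so the setting is not rolled out more broadly than intended.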
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 8baab504ad..04b5f82c88 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -67,7 +67,7 @@ Out-of-date ActiveX control blocking also gives you a security warning that tell
## How do I fix an outdated ActiveX control or app?
From the notification about the outdated ActiveX control, you can go to the control’s website to download its latest version.
-  **To get the updated ActiveX control**
+ **To get the updated ActiveX control**
1. From the notification bar, tap or click **Update**.
IE opens the ActiveX control’s website.
@@ -76,7 +76,7 @@ IE opens the ActiveX control’s website.
**Security Note:** If you don’t fully trust a site, you shouldn’t allow it to load an outdated ActiveX control. However, although we don’t recommend it, you can view the missing webpage content by tapping or clicking **Run this time**. This option runs the ActiveX control without updating or fixing the problem. The next time you visit a webpage running the same outdated ActiveX control, you’ll get the notification again.
-  **To get the updated app**
+ **To get the updated app**
1. From the security warning, tap or click **Update** link.
IE opens the app’s website.
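Review bot: Wording in step 1 of this procedure: "tap or click **Update** link" is missing an article and is inconsistent with the earlier procedure's "tap or click **Update**". Use one form in both places. The Security Note above the changed heading describes **Run this time** for the ActiveX control case; if the same option appears on the app security warning, this procedure should say so too.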
@@ -184,7 +184,7 @@ Before you can use WMI to inventory your ActiveX controls, you need to [download
Before running the PowerShell script, you must copy both the .ps1 and .mof file to the same directory location, on the client computer.
-  **To configure IE to use WMI logging**
+ **To configure IE to use WMI logging**
1. Open your Group Policy editor and turn on the `Administrative Templates\Windows Components\Internet Explorer\Turn on ActiveX control logging in IE` setting.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
index 544daf207b..8a1618533a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
@@ -39,7 +39,7 @@ RIES turns off all custom toolbars, browser extensions, and customizations insta
## IE is crashing or seems slow
If you notice that CPU usage is running higher than normal, or that IE is frequently crashing or slowing down, you should check your browser add-ons and video card. By default, IE11 uses graphics processing unit (GPU) rendering mode. However, some outdated video cards and video drivers don't support GPU hardware acceleration. If IE11 determines that your current video card or video driver doesn't support GPU hardware acceleration, it'll use Software Rendering mode.
-  **To check your browser add-ons**
+ **To check your browser add-ons**
1. Start IE11 in **No Add-ons mode** by running the **Run** command from the **Start** menu, and then typing `iexplore.exe -extoff` into the box.
@@ -51,7 +51,7 @@ If the browser doesn't crash, open Internet Explorer for the desktop, click the
4. Restart IE11. Go back to the **Manage Add-Ons** window and turn on each item, one-by-one.
After you turn each item back on, see if IE crashes or slows down. Doing it this way will help you identify the add-on that's causing IE to crash. After you've figured out which add-on was causing the problem, turn it off until you have an update from the manufacturer.
-  **To check for Software Rendering mode**
+ **To check for Software Rendering mode**
1. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 017f71560c..72143e9cb1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -26,7 +26,7 @@ You can clear all of the sites from your global Enterprise Mode site list.
**Important**
This is a permanent removal and erases everything. However, if you determine it was a mistake, and you saved an XML copy of your list, you can add the file again by following the steps in the [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md), depending on your operating system.
-  **To clear your compatibility list**
+ **To clear your compatibility list**
1. On the **File** menu of the Enterprise Mode Site List Manager, click **Clear list**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
index 4972cd8ee7..cf988c785a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
@@ -23,7 +23,7 @@ ms.sitesec: library
Remove websites that were added to a local compatibility view list by mistake or because they no longer have compatibility problems.
-  **To remove sites from a local compatibility view list**
+ **To remove sites from a local compatibility view list**
1. Open Internet Explorer 11, click **Tools**, and then click **Compatibility View Settings**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
index 1e353200e8..9712b3448d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
@@ -25,7 +25,7 @@ Remove websites that were added to a local Enterprise Mode site list by mistake
**Note** The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator.
-  **To remove single sites from a local Enterprise Mode site list**
+ **To remove single sites from a local Enterprise Mode site list**
1. Open Internet Explorer 11 and go to the site you want to remove.
@@ -34,7 +34,7 @@ The checkmark disappears from next to Enterprise Mode and the site is removed fr
**Note** If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again.
-  **To remove all sites from a local Enterprise Mode site list**
+ **To remove all sites from a local Enterprise Mode site list**
1. Open IE11, click **Tools**, and then click **Internet options**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
index 98e002f0ea..c13d249a8a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
@@ -23,7 +23,7 @@ ms.sitesec: library
You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems.
-  **To save your list as XML**
+ **To save your list as XML**
1. On the **File** menu of the Enterprise Mode Site List Manager, click **Save to XML**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index b45e7b3744..a26554c11b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -23,7 +23,7 @@ ms.sitesec: library
You can search to see if a specific site already appears in your global Enterprise Mode site list so you don’t try to add it again.
-  **To search your compatibility list**
+ **To search your compatibility list**
- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.
The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index 7f11bf5d7f..66d13bed09 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -14,7 +14,7 @@ ms.sitesec: library
# Set the default browser using Group Policy
You can use the Group Policy setting, **Set a default associations configuration file**, to set the default browser for your company devices running Windows 10.
-  **To set the default browser as Internet Explorer 11**
+ **To set the default browser as Internet Explorer 11**
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.
Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268).
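Review bot: The link on the context line after step 1 is written as `]( https://go.microsoft.com/fwlink/p/?LinkId=618268)` with a space after the opening parenthesis, which some Markdown renderers do not treat as a link. Remove the space while this file is being cleaned up.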
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index 7a8ec67cc5..32d0ba628a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -34,7 +34,7 @@ Getting these reports lets you find out about sites that aren’t working right,
## Using ASP to collect your data
When you turn logging on, you need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu.
-  **To set up an endpoint server**
+ **To set up an endpoint server**
1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](https://go.microsoft.com/fwlink/p/?LinkId=507609).
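Review bot: The paragraph above the changed heading is hard to parse ("a server that can be listened to for updates to a user’s registry key") and is repeated almost verbatim under "Setting up, collecting, and viewing reports" later in this file. Suggest stating plainly that the endpoint receives a POST each time a user turns Enterprise Mode on or off, keeping the text in one place, and saying which URL scheme the endpoint is expected to use, since these POSTs come from every user's browser.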
@@ -80,7 +80,7 @@ This sample starts with you turning on Enterprise Mode and logging (either throu
### Setting up, collecting, and viewing reports
For logging, you’re going to need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. These POST messages go into your database, aggregating the report data by URL, giving you the total number of reports where users turned on Enterprise Mode, the total number of reports where users turned off Enterprise Mode, and the date of the last report.
-  **To set up the sample**
+ **To set up the sample**
1. Set up a server to collect your Enterprise Mode information from your users.
@@ -91,7 +91,7 @@ For logging, you’re going to need a valid URL that points to a server that can
4. On the **Build** menu, tap or click **Build Solution**.
The required packages are automatically downloaded and included in the solution.
-  **To set up your endpoint server**
+ **To set up your endpoint server**
1. Right-click on the name, PhoneHomeSample, and click **Publish**.
@@ -106,7 +106,7 @@ The required packages are automatically downloaded and included in the solution.
After you finish the publishing process, you need to test to make sure the app deployed successfully.
-  **To test, deploy, and use the app**
+ **To test, deploy, and use the app**
1. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to:
@@ -122,7 +122,7 @@ The required packages are automatically downloaded and included in the solution.
3. Get your users to visit websites, turning Enterprise Mode on or off locally, as necessary.
-  **To view the report results**
+ **To view the report results**
- Go to `http:///List` to see the report results.
If you’re already on the webpage, you’ll need to refresh the page to see the results.
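Review bot: the context line `- Go to http:///List to see the report results.` has an empty host, as shown here, so the step does not say which server to open. Since this hunk already edits the heading directly above it, restore the placeholder for the deployment host in the same change and write it in a form that survives rendering inside the code span.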
@@ -133,7 +133,7 @@ If you’re already on the webpage, you’ll need to refresh the page to see the
### Troubleshooting publishing errors
If you have errors while you’re publishing your project, you should try to update your packages.
-  **To update your packages**
+ **To update your packages**
1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
index 25e253872a..cd25d1df05 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
@@ -28,14 +28,14 @@ In addition, if you no longer want your users to be able to turn Enterprise Mode
**Important**
Turning off both of these features turns off Enterprise Mode for your company. Turning off Enterprise Mode also causes any websites included in your employee’s manual site lists to not appear in Enterprise Mode.
-  **To turn off the site list using Group Policy**
+ **To turn off the site list using Group Policy**
1. Open your Group Policy editor, like Group Policy Management Console (GPMC).
2. Go to the **Use the Enterprise Mode IE website list** setting, and then click **Disabled**.
Enterprise Mode will no longer look for the site list, effectively turning off Enterprise Mode. However, if you previously turned on local control for your employees, Enterprise Mode will still be available from the **Tools** menu. You need to turn that part of the functionality off separately.
-  **To turn off local control using Group Policy**
+ **To turn off local control using Group Policy**
1. Open your Group Policy editor, like Group Policy Management Console (GPMC).
@@ -43,7 +43,7 @@ Enterprise Mode will no longer look for the site list, effectively turning off E
3. Enterprise Mode no longer shows up on the **Tools** menu for your employees. However, if you are still using an Enterprise Mode site list, all of the globally listed sites will still appear in Enterprise Mode. If you want to turn off all of Enterprise Mode, you will need to also turn off the site list functionality.
-  **To turn off the site list using the registry**
+ **To turn off the site list using the registry**
1. Open a registry editor, such as regedit.exe.
@@ -53,7 +53,7 @@ You can also use HKEY_LOCAL_MACHINE, depending whether you want to turn off the
3. Close all and restart all instances of Internet Explorer.
IE11 stops looking at the site list for rendering instructions. However, Enterprise Mode is still available to your users locally (if it was turned on).
-  **To turn off local control using the registry**
+ **To turn off local control using the registry**
1. Open a registry editor, such as regedit.exe.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
index 16525df353..49f803662c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
@@ -15,7 +15,7 @@ By default, Internet Explorer 11 uses “natural metrics”. Natural metrics us
However, you might find that many intranet sites need you to use Windows Graphics Device Interface (GDI) metrics. To avoid potential compatibility issues, you must turn off natural metrics for those sites.
-  **To turn off natural metrics**
+ **To turn off natural metrics**
- Add the following HTTP header to each site: `X-UA-TextLayoutMetrics: gdi`
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
index abdbbc4db2..ef3ed29d52 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -26,7 +26,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi
**Note**
We recommend that you store and download your website list from a secure web sever (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employee’s computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
-  **To turn on Enterprise Mode using Group Policy**
+ **To turn on Enterprise Mode using Group Policy**
1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.
Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
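Review bot: the **Note** in this hunk's context reads "secure web sever (https://)"; "sever" should be "server". This is the sentence that tells administrators to host the site list over HTTPS to protect against tampering, so it is worth correcting while the file is being touched rather than leaving it for a separate pass.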
@@ -35,7 +35,7 @@ Turning this setting on also requires you to create and store a site list. For m
2. Click **Enabled**, and then in the **Options** area, type the location to your site list.
-  **To turn on Enterprise Mode using the registry**
+ **To turn on Enterprise Mode using the registry**
1. **For only the local user:** Open a registry editor, like regedit.exe and go to `HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`.
-OR-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
index e816e64698..04edbdc3b7 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -25,7 +25,7 @@ You can turn on local control of Enterprise Mode so that your users can turn Ent
Besides turning on this feature, you also have the option to provide a URL for Enterprise Mode logging. If you turn logging on, Internet Explorer initiates a simple POST back to the supplied address, including the URL and a specification that **EnterpriseMode** was turned on or off through the **Tools** menu.
-  **To turn on local control of Enterprise Mode using Group Policy**
+ **To turn on local control of Enterprise Mode using Group Policy**
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting.
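Review bot: the context paragraph above the changed heading says Internet Explorer sends a POST "to the supplied address, including the URL", but gives no guidance on the scheme of that address. turn-on-enterprise-mode-and-use-a-site-list.md, also in this patch, recommends https:// for the site list; the logging endpoint receives the URLs users visit and deserves the same recommendation. Consider adding a matching note here in a follow-up, since this patch only changes whitespace.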
@@ -33,7 +33,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu.
-  **To turn on local control of Enterprise Mode using the registry**
+ **To turn on local control of Enterprise Mode using the registry**
1. Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
index a4a2db0dae..86929579b2 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
@@ -26,7 +26,7 @@ You can see your security zone settings by opening Internet Explorer for the des
## Where did the Favorites, Command, and Status bars go?
For IE11, the UI has been changed to provide just the controls needed to support essential functionality, hiding anything considered non-essential, such as the **Favorites Bar**, **Command Bar**, **Menu Bar**, and **Status Bar**. This is intended to help focus users on the content of the page, rather than the browser itself. However, if you want these bars to appear, you can turn them back on using Group Policy settings.
-  **To turn the toolbars back on**
+ **To turn the toolbars back on**
- Right click in the IE toolbar heading and choose to turn on the **Command bar**, **Favorites bar**, and **Status bar** from the menu.
-OR-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
index aeeb37ff4b..7e15a06d41 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
@@ -13,7 +13,7 @@ ms.sitesec: library
# Using Setup Information (.inf) files to create install packages
IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](https://go.microsoft.com/fwlink/p/?LinkId=327959).
-  **To add uninstallation instructions to the .inf files**
+ **To add uninstallation instructions to the .inf files**
- Open the Registry Editor (regedit.exe) and add these registry keys:
```
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
index 5fb6495a74..443fee4ab1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
@@ -26,7 +26,7 @@ The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delive
**Important**
The IE11 Blocker Toolkit doesn't stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you've installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11.
-  **To install the toolkit**
+ **To install the toolkit**
1. Download the IE11 Blocker Toolkit from [Toolkit to Disable Automatic Delivery of Internet Explorer 11](https://go.microsoft.com/fwlink/p/?LinkId=327745).
diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
index 4e54434a53..e44077d74d 100644
--- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
@@ -16,7 +16,7 @@ The **Accelerators** page of the Internet Explorer Administration Kit (IEAK 11)
**Note**
The customizations you make on this page apply only to Internet Explorer for the desktop.
- **To use the Accelerators page**
+ **To use the Accelerators page**
1. Click **Import** to automatically import your existing accelerators from your current version of IE into this list.
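Review bot: the removed and added heading lines in this hunk are indistinguishable as displayed (`- **To use the Accelerators page**` and `+ **To use the Accelerators page**`), so the change is in whitespace that cannot be checked by reading the diff. Confirm which character is being replaced, and note that the result keeps a leading space whereas the other ie11-ieak headings in this patch become `+**To ...**` with none; align this file with the rest.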
diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
index 133e7f4411..0a2f864dce 100644
--- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
@@ -21,7 +21,7 @@ While you might not care about your employees using ActiveX controls while on yo
For example, your employees need to access an important Internet site, such as for a business partner or service provider, but there are ActiveX controls on their page. To make sure the site is accessible and functions the way it should, you can visit the site to review the controls, adding them as new entries to your `\Windows\Downloaded Program Files` folder. Then, as part of your browser package, you can enable and approve these ActiveX controls to run on this specific site; while all additional controls are blocked.
- **To add and approve ActiveX controls**
+**To add and approve ActiveX controls**
1. In IE, click **Tools**, and then **Internet Options**.
diff --git a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
index ef6c2ef932..f8749f2d50 100644
--- a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
@@ -19,7 +19,7 @@ You can store your user settings in a central location so your employees that lo
You’ll only see this page if you are running the **Internal** version of the IE Customization Wizard 11.
- **To use the Additional Settings page**
+**To use the Additional Settings page**
1. Double-click **Custom Settings**, **Corporate Settings**, or **Internet Settings**, and review the included policy or restriction settings.
diff --git a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
index 35814166ac..2147e5ba34 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
@@ -20,13 +20,13 @@ You can set your proxy settings using Internet setting (.ins) files. You can als
You can use the Domain Name System (DNS) and the Dynamic Host Configuration Protocol (DHCP) naming systems to detect and change a browser’s settings automatically when the employee first starts IE on the network. For more info, see [Set up auto detection for DHCP or DNS servers using IEAK 11](auto-detection-dhcp-or-dns-servers-ieak11.md), or refer to the product documentation for your DNS and DHCP software packages.
- **To check the existing settings on your employee’s devices**
+**To check the existing settings on your employee’s devices**
1. Open IE, click **Tools**, click **Internet Options**, and then click the **Connections** tab.
2. Click **LAN Settings** and make sure that the **Use automatic configuration script** box is selected, confirming the path and name of the file in the **Address** box.
- **To use the Automatic Configuration page**
+**To use the Automatic Configuration page**
1. Check the **Automatically detect configuration settings** box to automatically detect browser settings.
diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
index 65baf63d4b..16ee9d90bb 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
@@ -15,7 +15,7 @@ Set up your network to automatically detect and customize Internet Explorer 11
Before you can set up your environment to use automatic detection, you need to turn the feature on.
- **To turn on the automatic detection feature**
+**To turn on the automatic detection feature**
- Open Internet Explorer Administration Kit 11 (IEAK 11), run the IE Customization Wizard 11 and on the **Automatic Configuration** page, check **Automatically detect configuration settings**. For more information, see [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md).
@@ -30,7 +30,7 @@ Your DHCP servers must support the DHCPINFORM message, to obtain the DHCP option
**Note**
DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen.
- **To set up automatic detection for DHCP servers**
+**To set up automatic detection for DHCP servers**
- Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649).
@@ -40,7 +40,7 @@ DHCP has a higher priority than DNS for automatic configuration. If DHCP provide
`http://123.4.567.8/account.pac`
For more detailed info about how to set up your DHCP server, see your server documentation.
- **To set up automatic detection for DNS servers**
+**To set up automatic detection for DNS servers**
1. In your DNS database file, the file that’s used to associate your host (computer) names to static IP addresses in a zone, you need to create a host record named, **WPAD**. This record contains entries for all of the hosts that require static mappings, such as workstations, name servers, and mail servers. It also has the IP address to the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.
The syntax is:
` IN A `
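Review bot: the syntax line at the end of this hunk reads only `IN A` inside the code span, with the host name and address placeholders missing as shown here, so the WPAD host record format is not actually documented. Restore both placeholders in a form that renders. In the same hunk, the example `http://123.4.567.8/account.pac` is not a valid IPv4 address (567 exceeds 255); replace it with a host name or a valid documentation address, and consider whether the example should point to an https:// location, since clients apply the configuration file they download from it.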
diff --git a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
index ee3c61b17f..a348c82fd6 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
@@ -27,7 +27,7 @@ The **Automatic Version Synchronization** page tells you:
- **Disk space available**. The amount of hard drive space available on the computer that’s running the IE Customization Wizard 11.
- **To use the Automatic Version Synchronization page**
+**To use the Automatic Version Synchronization page**
1. Click **Synchronize**.
You might receive a security warning before downloading your Setup file, asking if you want to continue. Click **Run** to continue.
diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
index 08004bb0a9..de3cd4ccb5 100644
--- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Browser User Interface** page of the Internet Explorer Customization Wizar
**Note** The customizations you make on this page apply only to Internet Explorer for the desktop.
-  **To use the Browser User Interface page**
+ **To use the Browser User Interface page**
1. Check the **Customize Title Bars** box so you can add your custom text to the **Title Bar Text** box.
The text shows up in the title bar as **IE provided by** <*your_custom_text*>.
diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
index f4bab58e1e..3f600fbdde 100644
--- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Browsing Options** page of the Internet Explorer Administration Kit (IEAK
The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page.
- **To use the Browsing Options page**
+**To use the Browsing Options page**
1. Decide how you want to manage links that are already installed on your employee’s computer:
diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
index 0d7cf5093e..ffc214c941 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
@@ -15,13 +15,13 @@ The **Connection Settings** page of the Internet Explorer Administration Kit (IE
**Note** Using the options on the **Additional Settings** page of the wizard, you can let your employees change their connection settings. For more information see the [Additional Settings](additional-settings-ieak11-wizard.md) page. You can also customize additional connection settings using the **Automatic Configuration** page in the wizard. For more information see the [Automatic Configuration](auto-config-ieak11-wizard.md) page.
- **To view your current connection settings**
+**To view your current connection settings**
1. Open IE, click the **Tools** menu, click **Internet Options**, and then click the **Connections** tab.
2. Click **Settings** to view your dial-up settings and click **LAN Settings** to view your network settings.
- **To use the Connection Settings page**
+**To use the Connection Settings page**
1. Decide if you want to customize your connection settings. You can pick:
diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
index 568dfaaa3d..947b9febe9 100644
--- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
@@ -21,7 +21,7 @@ You'll need to create multiple versions of your custom browser package if:
The Internet Explorer Customization Wizard 11 stores your original settings in the Install.ins file and will show them each time you re-open the wizard. For more info about .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md).
- **To create multiple versions of your browser package**
+**To create multiple versions of your browser package**
1. Use the Internet Explorer Customization Wizard 11 to create a custom browser package. For more info about how to run the wizard, start with the [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md) topic.
diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
index bcc88868ed..1715dfaa58 100644
--- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
+++ b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
@@ -13,7 +13,7 @@ ms.sitesec: library
# Use uninstallation .INF files to uninstall custom components
The Internet Explorer Administration Kit 11 (IEAK 11) uses Setup information (.inf) files to provide installation instructions for your custom browser packages. You can also use this file to uninstall your custom components by removing the files, registry entries, and shortcuts, and adding your custom component to the list of programs that can be uninstalled from **Uninstall or change a program**.
- **To uninstall your custom components**
+**To uninstall your custom components**
1. Open the Registry Editor and add a new key and value to: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description"`
Where *description* is the string that’s shown in the **Uninstall or change a program** box.
diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
index ca0125b893..86c289b22d 100644
--- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Custom Components** page of the Internet Explorer Customization Wizard 11
**Important** You should sign any custom code that’s being downloaded over the Internet. The default settings of Internet Explorer 11 will automatically reject any unsigned code. For more info about digitally signing custom components, see [Security features and IEAK 11](security-and-ieak11.md).
- **To use the Custom Component page**
+**To use the Custom Component page**
1. Click **Add**.
The **Add a Custom Component** box appears.
diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
index ba2b7e4076..7f915b87aa 100644
--- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
+++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
@@ -18,7 +18,7 @@ Using the **Administrative Templates** section of Group Policy, you can prevent
## Automatic Search Configuration
You can customize Automatic Search so that your employees can type a single word into the **Address** box to search for frequently used pages. For example, you can let a commonly used webpage about invoices appear if an employee types *invoice* into the **Address** box, even if the URL doesn’t include the term. If a website can’t be associated with the term, or if there are multiple matches, a webpage appears showing the top search results.
- **To set up Automatic Search**
+**To set up Automatic Search**
1. Create a script (.asp) file that conditionally looks for search terms, and post it to an intranet server here: http://ieautosearch/response.asp?MT=%1&srch=%2.
For info about the acceptable values for the *%1* and *%2* parameters, see the [Automatic Search parameters](#automatic-search-parameters). For an example of the script file, see the [Sample Automatic Search script](#sample-automatic-search-script).
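Review bot: step 1 in this hunk's context ends with a bare URL followed by a sentence period (`http://ieautosearch/response.asp?MT=%1&srch=%2.`), which autolinking renderers can fold into the link and which makes the `%1` and `%2` parameters easy to misread. Put the URL in a code span, as the registry paths elsewhere in this patch are, and keep the period outside it.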
@@ -28,11 +28,11 @@ For info about the acceptable values for the *%1* and *%2* parameters, see the [
3. Go to the section labeled **Searching** and type *intranet* into the **Search Provider Keyword** box.
- **To redirect to a different site than the one provided by the search results**
+**To redirect to a different site than the one provided by the search results**
- In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Just go to the most likely site**.
- **To disable Automatic Search**
+**To disable Automatic Search**
- In the **Advanced Settings** section, go to the section labeled **Searching** and change the **When searching from the address bar** setting to **Do not search from the address bar**.
diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
index fc1ffdd687..44dcbe0155 100644
--- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
@@ -21,7 +21,7 @@ The **Favorites, Favorites Bar, and Feeds** page of the Internet Explorer Admini
Although we provide default items in the **Favorites, Favorites Bar, and Feeds** area, you can remove any of the items, add more items, or add new folders and links as part of your custom package. The customizations you make on this page only apply to Internet Explorer for the desktop.
- **To work with Favorites**
+**To work with Favorites**
1. To import your existing folder of links, pick **Favorites**, and then click **Import**.
@@ -52,7 +52,7 @@ The **Details** box appears.
13. Continue with the next procedures in this topic to add additional **Favorites Bar** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page.
- **To work with the Favorites Bar**
+**To work with the Favorites Bar**
1. To import your existing folder of links, pick **Favorites Bar**, and then click **Import**.
@@ -78,7 +78,7 @@ The **Details** box appears.
11. Continue with the next procedures in this topic to add additional **Favorites** or **RSS Feeds** links, or you can click **Next** to go to the [Browsing Options](browsing-options-ieak11-wizard.md) page or **Back** to go to the [Accelerators](accelerators-ieak11-wizard.md) page.
- **To work with RSS Feeds**
+**To work with RSS Feeds**
1. To add a new link to the **RSS Feeds**, pick **Favorites Bar**, and then click **Add URL**.
The **Details** box appears.
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index 6c37c85e24..f7861e2e5c 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -43,7 +43,7 @@ The **Feature Selection** page of the Internet Explorer Customization Wizard 11
**Note** Your choices on this page determine what wizard pages appear.
- **To use the Feature Selection page**
+**To use the Feature Selection page**
1. Check the box next to each feature you want to include in your custom installation package.
You can also click **Select All** to add, or **Clear All** to remove, all of the features.
diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
index 9081a2c20e..548ad0016d 100644
--- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
@@ -20,7 +20,7 @@ The **File Locations** page of the Internet Explorer Customization Wizard 11 let
**Important**
You can create a custom installation package on your hard drive and move it to an Internet or intranet server, or you can create it directly on a server. If you create the package on a web server that’s running from your hard drive, use the path to the web server as the destination folder location. Whatever location you choose, it must be protected by appropriate access control lists (ACLs). If the location is not protected, the custom package may be tampered with.
- **To use the File Locations page**
+**To use the File Locations page**
1. Browse to the location where you’ll store your finished custom IE installation package and the related subfolders.
**Note** Subfolders are created for each language version, based on operating system and media type. For example, if your destination folder is `C:\Inetpub\Wwwroot\Cie\Dist`, then the English-language version is created as `C:\Inetpub\Wwwroot\Cie\Dist\Flat\Win32\En` subfolders.
diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
index c3ae5a99f1..27fc79e06b 100644
--- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
@@ -17,7 +17,7 @@ The **First Run Wizard and Welcome Page Options** page of the Internet Explorer
- **Windows 7 SP1.** You can disable the first run page for Windows 7 SP1 and then pick a custom **Welcome** page to show instead. If you don’t customize the settings on this page, your employees will see the default IE **Welcome** page.
- **To use the First Run Wizard and Welcome Page Options page**
+**To use the First Run Wizard and Welcome Page Options page**
1. Check the **Use IE11 First Run wizard (recommended)** box to use the default First Run wizard in IE.
Clearing this box lets you use the IE11 **Welcome** page or your custom **Welcome** page.
diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-admin-guide-for-it-pros.md b/browsers/internet-explorer/ie11-ieak/ieak11-admin-guide-for-it-pros.md
deleted file mode 100644
index b8b5064c08..0000000000
--- a/browsers/internet-explorer/ie11-ieak/ieak11-admin-guide-for-it-pros.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-localizationpriority: low
-ms.mktglfcycl: plan
-description: IEAK 11 - Internet Explorer Administration Kit 11 Users Guide
-author: eross-msft
-ms.prod: ie11
-ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac
-title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
----
-
-
-# Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
-Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
-
-**Important**
-Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
-
-## IEAK 11 users
-IEAK 11 includes programs and tools that enterprises can use to customize, deploy, and administer Internet Explorer 11 for employee devices, while Internet service and content providers can use the same programs and tools to customize, deploy, and administer Internet Explorer 11 for customers.
-
-IEAK 11 works in network environments, with or without Microsoft Active Directory service.
-
-## Naming conventions
-IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1 Update and newer versions of the Windows operating system:
-
-|Name |Description |
-|-----|-----------------------------------------------------------|
-|IE |The immersive browser, or IE, without a specific version. |
-|Internet Explorer for the desktop |The desktop browser. This is the only experience available when running IE11 on Windows 7 SP1. |
-|IE11 |The whole browser, which includes both IE and Internet Explorer for the desktop. |
-|Internet Explorer Customization Wizard 11 |Step-by-step wizard screens that help you create custom IE11 installation packages. |
-
diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
index 7d15c80a0e..74acabee72 100644
--- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
@@ -13,7 +13,7 @@ ms.sitesec: library
# Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard
The **Important URLS – Home Page and Support** page of the Internet Explorer Customization Wizard 11 lets you choose one or more **Home** pages and an online support page for your customized version of IE.
- **To use the Important URLS – Home Page and Support page**
+**To use the Important URLS – Home Page and Support page**
1. In the **Add a homepage URL** box, type the URL to the page your employees go to when they click the **Home** button, and then click **Add**.
If you add multiple **Home** pages, each page appears on a separate tab in the browser. If you don’t add a custom **Home** page, IE uses http://www.msn.com by default. If you want to delete an existing page, click the URL and then click **Remove**.
diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
index f96568d6ab..22e16c2e81 100644
--- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Internal Install** page of the Internet Explorer Customization Wizard 11 l
**Note** The customizations made on this page only apply to Internet Explorer for the desktop on Windows 7.
- **To use the Internal Install page**
+**To use the Internal Install page**
1. Pick either:
diff --git a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
index cbd3082236..625df35a75 100644
--- a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Language Selection** page of the Internet Explorer Customization Wizard 11
**Important** Make sure that the language of your IEAK 11 installation matches the language of your custom IE11 package. If the languages don’t match, IEAK 11 won’t work properly.
- **To use the Language Selection page**
+**To use the Language Selection page**
1. Pick the language you want your custom IE11 installation package to use.
You can support as many languages as you want, but each localized version must be in its own install package.
diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
index 02429b575c..83b0d79dd5 100644
--- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Package Type Selection** page of the Internet Explorer Customization Wizar
**Important** You can't create a full installation package for deployment to Windows 10 computers. That option only works for computers running Windows 7 or Windows 8.1.
- **To use the File Locations page**
+**To use the File Locations page**
1. Check the **Full Installation Package** box if you’re going to build your package on, or move your package to, a local area network (LAN). This media package includes the Internet Explorer 11 installation files, and is named **IE11-Setup-Full.exe**, in the `\\FLAT\\` folder.
-OR-
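Review bot: the heading on the changed line still reads "To use the File Locations page", but this file is pkg-type-selection-ieak11-wizard.md and the hunk header describes the **Package Type Selection** page. The whitespace fix carries a copy-paste error forward; the `+` line should read `**To use the Package Type Selection page**`.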
diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
index f6b5085ea3..0edf5578ef 100644
--- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
@@ -13,7 +13,7 @@ ms.sitesec: library
# Use the Platform Selection page in the IEAK 11 Wizard
The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package.
- **To use the Platform Selection page**
+**To use the Platform Selection page**
1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.
You must create individual packages for each supported operating system.
diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
index cf4de55861..5b0a24fd55 100644
--- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
@@ -13,7 +13,7 @@ ms.sitesec: library
# Before you install your package over your network using IEAK 11
Employees can install the custom browser package using a network server. However, you must either lower the intranet security level or make the server a trusted site.
- **To lower your intranet security**
+**To lower your intranet security**
1. In Internet Explorer 11, click **Tools**, **Internet Options**, and then the **Security** tab.
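Review bot: the context line above the changed heading offers lowering the intranet security level and making the server a trusted site as equal choices, with no guidance on which to prefer. While this heading is being touched, consider adding a sentence noting that the trusted-site procedure is scoped to the one install server, whereas the first procedure changes zone-wide settings (step 3 in the next hunk unchecks **Automatically detect intranet network** and **Include all network paths (UNC)**), and say whether those settings should be restored once the package is installed.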
@@ -21,7 +21,7 @@ Employees can install the custom browser package using a network server. However
3. Uncheck **Automatically detect intranet network**, uncheck **Include all network paths (UNC)**, and then click **OK**.
- **To make your server a trusted site**
+**To make your server a trusted site**
1. From the **Security** tab, click **Trusted sites**, and then **Sites**.
diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
index 947b670ab7..5cc0312c67 100644
--- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Programs** page of the Internet Explorer Customization Wizard 11 lets you
**Important** The customizations you make on this page only apply to Internet Explorer for the desktop.
- **To use the Programs page**
+**To use the Programs page**
1. Determine whether you want to customize your connection settings. You can pick:
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
index c758d7acbf..3a1e0162be 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Proxy Settings** page of the Internet Explorer Customization Wizard 11 let
Using a proxy server lets you limit access to the Internet. You can also use the **Additional Settings** page of the wizard to further restrict your employees from changing the proxy settings.
- **To use the Proxy Settings page**
+**To use the Proxy Settings page**
1. Check the **Enable proxy settings** box if you want to use proxy servers for any of your services.
diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
index 0760b36184..c8c82c121b 100644
--- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
@@ -13,7 +13,7 @@ ms.sitesec: library
# Using the Resultant Set of Policy (RSoP) snap-in to review policy settings
After you’ve deployed your custom Internet Explorer package to your employees, you can use the Resultant Set of Policy (RSoP) snap-in to view your created policy settings. The RSoP snap-in is a two-step process. First, you run the RSoP wizard to determine what information should be viewed. Second, you open the specific items in the console window to view the settings. For complete instructions about how to use RSoP, see [Resultant Set of Policy](https://go.microsoft.com/fwlink/p/?LinkId=259479).
- **To add the RSoP snap-in**
+**To add the RSoP snap-in**
1. On the **Start** screen, type *MMC*.
The Microsoft Management Console opens.
@@ -23,7 +23,7 @@ The Microsoft Management Console opens.
3. In the **Available snap-ins** window, go down to the **Resultant Set of Policy** snap-in option, click **Add**, and then click **OK**.
You’re now ready to use the RSoP snap-in from the console.
- **To use the RSoP snap-in**
+**To use the RSoP snap-in**
1. Right-click **Resultant Set of Policy** and then click **Generate RSoP Data**.
You’ll only need to go through the resulting RSoP Wizard first time you run the snap-in.
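Review bot: the context line after step 1 reads "the resulting RSoP Wizard first time you run the snap-in", which is missing an article. Since the heading directly above it is being edited anyway, change it to "the first time you run the snap-in".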
diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
index d58f446135..f8816f6d9a 100644
--- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **Search Providers** page of the Internet Explorer Customization Wizard 11 l
**Note** The Internet Explorer Customization Wizard 11 offers improved and extended search settings. However, you can still optionally include support for Search Suggestions and Favicons, as well as Accelerator previews by using an .ins file from a previous version of IEAK.
- **To use the Search Providers page**
+**To use the Search Providers page**
1. Click **Import** to automatically import your existing search providers from your current version of IE into this list.
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
index a59c87f2d8..d88993dbe2 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
@@ -13,7 +13,7 @@ ms.sitesec: library
# Use the Security and Privacy Settings page in the IEAK 11 Wizard
The **Security and Privacy Settings** page of the Internet Explorer Customization Wizard 11 lets you manage your security zones, privacy settings, and content ratings. These settings help restrict the types of content your employees can access from the Internet, including any content that might be considered offensive or otherwise inappropriate in a corporate setting.
- **To use the Security and Privacy Settings page**
+**To use the Security and Privacy Settings page**
1. Decide if you want to customize your security zones and privacy settings. You can pick:
diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
index 11278110c1..2417baf652 100644
--- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
@@ -15,7 +15,7 @@ The **User Experience** page of the Internet Explorer Customization Wizard 11 le
**Note** You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.
The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7.
- **To use the User Experience page**
+**To use the User Experience page**
1. Choose how your employee should interact with Setup, including:
diff --git a/devices/hololens/breadcrumb/toc.yml b/devices/hololens/breadcrumb/toc.yml
new file mode 100644
index 0000000000..2ac60b3585
--- /dev/null
+++ b/devices/hololens/breadcrumb/toc.yml
@@ -0,0 +1,7 @@
+- name: Docs
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Hololens
+ tocHref: /hololens
+ topicHref: /hololens/index
\ No newline at end of file
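Review bot: the nested breadcrumb entry is added as `name: Hololens`, while every other file in this diff spells the product "HoloLens". This string is the visible breadcrumb label, so it should be `name: HoloLens`. The new file also ends without a trailing newline; add one so later edits to the last line do not produce noisy diffs.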
diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json
index c6dc9e418d..e3ef216bfb 100644
--- a/devices/hololens/docfx.json
+++ b/devices/hololens/docfx.json
@@ -3,7 +3,8 @@
"content": [
{
"files": [
- "**/*.md"
+ "**/*.md",
+ "**/**.yml"
],
"exclude": [
"**/obj/**",
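Review bot: the added pattern `"**/**.yml"` does not follow the form of the existing `"**/*.md"` entry and reads like a typo. If the intent is "every .yml file under this folder", write it as `"**/*.yml"`. Note also that this pulls every YAML file in the docset into the build, not only the new breadcrumb TOC, so confirm nothing else with a .yml extension lives under devices/hololens that should stay out of the published content.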
@@ -27,7 +28,13 @@
],
"overwrite": [],
"externalReference": [],
- "globalMetadata": {},
+ "globalMetadata": {
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/hololens/breadcrumb/toc.json",
+ "ms.technology": "windows",
+ "ms.topic": "article",
+ "ms.author": "jdecker"
+ },
"fileMetadata": {},
"template": [
null
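Review bot: `breadcrumb_path` points at `/hololens/breadcrumb/toc.json`, but the file added earlier in this diff is `breadcrumb/toc.yml`. Please confirm the build emits toc.json from that YAML file, otherwise the breadcrumb will not resolve. Separately, `"ms.author": "jdecker"` is set in `globalMetadata`, so it applies to every article in the docset; if any page has a different author, this belongs in `fileMetadata` or the page's own front matter instead.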
diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md
index ddd3a6d6b5..7bdd9bd3f8 100644
--- a/devices/hololens/hololens-install-apps.md
+++ b/devices/hololens/hololens-install-apps.md
@@ -62,15 +62,14 @@ Using Intune, you can also [monitor your app deployment](https://docs.microsoft.
## Use the Windows Device Portal to install apps on HoloLens.
+1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
-1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/holographic/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
+2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_usb).
-2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_usb).
-
-3. [Create a user name and password](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
+3. [Create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
>[!TIP]
- >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#security_certificate).
+ >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate).
4. In the Windows Device Portal, click **Apps**.
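Review bot: the updated links in steps 1 to 3 use two different forms for the same target page: step 1 points at `using_the_windows_device_portal#...` (lowercase, no extension), while steps 2 and 3 and the certificate-error tip point at `Using_the_Windows_Device_Portal.html#...`. The change only swaps `holographic` for `mixed-reality` in the path, so please verify that the mixed-case `.html` form still resolves under the new path, and normalise all four links to one form. The certificate-error tip is the link a user follows when the browser is warning them, so a dead link there matters more than most.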
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index 54d65e5489..4674584a48 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -15,17 +15,17 @@ localizationpriority: medium
Kiosk mode limits the user's ability to launch new apps or change the running app. When kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings.
-1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/holographic/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
+1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
>[!IMPORTANT]
>When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
-2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_usb).
+2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_usb).
-3. [Create a user name and password](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
+3. [Create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
>[!TIP]
- >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#security_certificate).
+ >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate).
4. In the Windows Device Portal, click **Kiosk Mode**.
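Review bot: the unchanged IMPORTANT note between steps 1 and 2 names the blocking policy as **ApplicationManagement/AllowDeveloper Unlock**, with a space inside the setting name. Policy CSP setting names contain no spaces; this should be `ApplicationManagement/AllowDeveloperUnlock`. It is the control the note tells administrators to use to stop Developer Mode and side-loading, so it is worth fixing in this change while the surrounding lines are being edited. The link-form inconsistency between step 1 and steps 2 and 3 (lowercase path versus `Using_the_Windows_Device_Portal.html`) also applies here.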
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index c077292864..0b887cc940 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -47,7 +47,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
7. Expand **Runtime settings** and customize the package with any of the settings [described below](#what-you-can-configure).
>[!IMPORTANT]
- >If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/holographic/reset_or_recover_your_hololens#perform_a_full_device_recovery).
+ >If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens#perform_a_full_device_recovery).
8. On the **File** menu, click **Save**.
@@ -107,7 +107,7 @@ In Windows ICD, when you create a provisioning package for Windows Holographic,
| Setting | Description |
| --- | --- |
-| **Accounts** | Create a local account. HoloLens currently supports a single user only. Creating multiple local accounts in a provisioning package is not supported.
**IMPORTANT** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/holographic/reset_or_recover_your_hololens#perform_a_full_device_recovery). |
+| **Accounts** | Create a local account. HoloLens currently supports a single user only. Creating multiple local accounts in a provisioning package is not supported.
**IMPORTANT** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens#perform_a_full_device_recovery). |
| **Certificates** | Deploy a certificate to HoloLens. |
| **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens. |
| **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens-upgrade-enterprise.md) |
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
index d8a1c1b901..11331b62f4 100644
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@@ -11,7 +11,7 @@ localizationpriority: medium
# Microsoft HoloLens in the enterprise: requirements
-When you develop for HoloLens, there are [system requirements and tools](https://developer.microsoft.com/windows/holographic/install_the_tools) that you need. In an enterprise environment, there are also a few requirements to use and manage HoloLens which are listed below.
+When you develop for HoloLens, there are [system requirements and tools](https://developer.microsoft.com/windows/mixed-reality/install_the_tools) that you need. In an enterprise environment, there are also a few requirements to use and manage HoloLens which are listed below.
## General use
- Microsoft account or Azure Active Directory (Azure AD) account
diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md
index bcc472ca43..8963cea7f3 100644
--- a/devices/hololens/hololens-upgrade-enterprise.md
+++ b/devices/hololens/hololens-upgrade-enterprise.md
@@ -11,7 +11,7 @@ localizationpriority: medium
# Unlock Windows Holographic for Business features
-Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/holographic/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
+Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/mixed-reality/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).
diff --git a/devices/hololens/index.md b/devices/hololens/index.md
index b57a42f178..698a2db7c4 100644
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
@@ -33,8 +33,8 @@ localizationpriority: medium
- [Help for using HoloLens](https://support.microsoft.com/products/hololens)
-- [Documentation for Holographic app development](https://developer.microsoft.com/windows/holographic/documentation)
+- [Documentation for Holographic app development](https://developer.microsoft.com/windows/mixed-reality/documentation)
- [HoloLens Commercial Suite](https://www.microsoft.com/microsoft-hololens/hololens-commercial)
-- [HoloLens release notes](https://developer.microsoft.com/en-us/windows/holographic/release_notes)
\ No newline at end of file
+- [HoloLens release notes](https://developer.microsoft.com/en-us/windows/mixed-reality/release_notes)
\ No newline at end of file
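Review bot: the updated release notes link on the last `+` line keeps the `/en-us/` locale segment, while the documentation link changed in the same hunk, and the release notes link in hololens-upgrade-enterprise.md, are locale-neutral. Drop `/en-us/` so readers are not pinned to the English page. The file also still ends without a trailing newline; since the last line is being rewritten anyway, add one.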
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index 5d807a4e97..a9cde81f15 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -1,41 +1,42 @@
# [Microsoft Surface Hub](index.md)
-## [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md)
-## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
-## [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
-### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
-### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
-#### [Online deployment](online-deployment-surface-hub-device-accounts.md)
-#### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md)
-#### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md)
-#### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)
-#### [Create a device account using UI](create-a-device-account-using-office-365.md)
-#### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
-#### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)
-#### [Password management](password-management-for-surface-hub-device-accounts.md)
-### [Create provisioning packages](provisioning-packages-for-surface-hub.md)
-### [Admin group management](admin-group-management-for-surface-hub.md)
-## [Set up Microsoft Surface Hub](set-up-your-surface-hub.md)
-### [Setup worksheet](setup-worksheet-surface-hub.md)
-### [First-run program](first-run-program-surface-hub.md)
-## [Manage Microsoft Surface Hub](manage-surface-hub.md)
-### [Remote Surface Hub management](remote-surface-hub-management.md)
-#### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
-#### [Monitor your Surface Hub](monitor-surface-hub.md)
-#### [Windows updates](manage-windows-updates-for-surface-hub.md)
-### [Manage Surface Hub settings](manage-surface-hub-settings.md)
-#### [Local management for Surface Hub settings](local-management-surface-hub-settings.md)
-#### [Accessibility](accessibility-surface-hub.md)
-#### [Change the Surface Hub device account](change-surface-hub-device-account.md)
-#### [Device reset](device-reset-surface-hub.md)
-#### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
-#### [Wireless network management](wireless-network-management-for-surface-hub.md)
-### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
-### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md)
-### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
-### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
-### [Using a room control system](use-room-control-system-with-surface-hub.md)
-## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md)
-## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
-## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
+## [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
+### [Intro to Microsoft Surface Hub](intro-to-surface-hub.md)
+### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
+#### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
+#### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
+##### [Online deployment](online-deployment-surface-hub-device-accounts.md)
+##### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md)
+##### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md)
+##### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)
+##### [Create a device account using UI](create-a-device-account-using-office-365.md)
+##### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
+##### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)
+##### [Password management](password-management-for-surface-hub-device-accounts.md)
+#### [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md)
+#### [Admin group management](admin-group-management-for-surface-hub.md)
+### [Set up Microsoft Surface Hub](set-up-your-surface-hub.md)
+#### [Setup worksheet](setup-worksheet-surface-hub.md)
+#### [First-run program](first-run-program-surface-hub.md)
+### [Manage Microsoft Surface Hub](manage-surface-hub.md)
+#### [Remote Surface Hub management](remote-surface-hub-management.md)
+##### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
+##### [Monitor your Surface Hub](monitor-surface-hub.md)
+##### [Windows updates](manage-windows-updates-for-surface-hub.md)
+#### [Manage Surface Hub settings](manage-surface-hub-settings.md)
+##### [Local management for Surface Hub settings](local-management-surface-hub-settings.md)
+##### [Accessibility](accessibility-surface-hub.md)
+##### [Change the Surface Hub device account](change-surface-hub-device-account.md)
+##### [Device reset](device-reset-surface-hub.md)
+##### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
+##### [Wireless network management](wireless-network-management-for-surface-hub.md)
+#### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
+#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md)
+#### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
+#### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
+#### [Using a room control system](use-room-control-system-with-surface-hub.md)
+### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
+### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md)
+## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
+## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
## [Change history for Surface Hub](change-history-surface-hub.md)
\ No newline at end of file
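Review bot: The `Create provisioning packages` entry now links to `provisioning-packages-for-certificates-surface-hub.md` where the removed line linked to `provisioning-packages-for-surface-hub.md`; confirm the new target is present on this branch, because the visible part of this change neither adds nor renames it. The file also ends without a trailing newline, which is worth fixing while the TOC is being restructured.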
diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md
index 7ea46504e4..46348c087d 100644
--- a/devices/surface-hub/accessibility-surface-hub.md
+++ b/devices/surface-hub/accessibility-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surfacehub
ms.sitesec: library
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
@@ -30,7 +30,7 @@ The full list of accessibility settings are available to IT admins in the **Sett
| Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. |
| Other options | Defaults selected for **Visual options** and **Touch feedback**. |
-Additionally, these accessibility features and apps are returned to default settings when users press [End session](finishing-your-surface-hub-meeting.md):
+Additionally, these accessibility features and apps are returned to default settings when users press [I'm Done](i-am-done-finishing-your-surface-hub-meeting.md):
- Narrator
- Magnifier
- High contrast
diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md
index 2abc8df009..7607199209 100644
--- a/devices/surface-hub/admin-group-management-for-surface-hub.md
+++ b/devices/surface-hub/admin-group-management-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub, security
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
index b04dd91222..76275e3ec8 100644
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@@ -1,5 +1,5 @@
---
-title: PowerShell for Surface Hub (Surface Hub)
+title: Appendix PowerShell (Surface Hub)
description: PowerShell scripts to help set up and manage your Microsoft Surface Hub .
ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784
keywords: PowerShell, set up Surface Hub, manage Surface Hub
@@ -7,14 +7,14 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
-# PowerShell for Surface Hub
+# Appendix: PowerShell (Surface Hub)
-PowerShell scripts to help set up and manage your Microsoft Surface Hub.
+PowerShell scripts to help set up and manage your Microsoft Surface Hub .
- [PowerShell scripts for Surface Hub admins](#scripts-for-admins)
- [Create an on-premise account](#create-on-premise-ps-scripts)
@@ -43,8 +43,7 @@ What do you need in order to run the scripts?
- Remote PowerShell access to your organization's domain or tenant, Exchange servers, and Skype for Business servers.
- Admin credentials for your organization's domain or tenant, Exchange servers, and Skype for Business servers.
->[!NOTE]
->Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.
+>**Note** Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.
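Review bot: Collapsing the two-line `>[!NOTE]` alert into an inline `>**Note**` drops the alert markup, so this renders as an ordinary block quote instead of a styled note. This is the text that tells admins to run the validation script before adding a device account to Surface Hub, so it should stay prominent; keep the `>[!NOTE]` form unless the target build cannot render it.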
diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
index e49731d001..f6cad56654 100644
--- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/breadcrumb/toc.yml b/devices/surface-hub/breadcrumb/toc.yml
new file mode 100644
index 0000000000..d846a15189
--- /dev/null
+++ b/devices/surface-hub/breadcrumb/toc.yml
@@ -0,0 +1,7 @@
+- name: Docs
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Surface Hub
+ tocHref: /surface-hub
+ topicHref: /surface-hub/index
\ No newline at end of file
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index d8d69bb450..74ee57c2f5 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
@@ -14,10 +14,6 @@ localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
-## RELEASE: Windows 10, version 1703
-
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update).
-
## February 2017
| New or changed topic | Description |
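Review bot: The `RELEASE: Windows 10, version 1703` section is removed from the change history with no replacement entry; if this change is meant to roll the library back to pre-1703 content, say so in the commit message, otherwise keep the section. The unchanged context line above it also has a stray space inside the link target, `]( surface-hub-administrators-guide.md)`, which can be cleaned up in the same pass.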
diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md
index 2ad7a30571..6dc6bf7016 100644
--- a/devices/surface-hub/change-surface-hub-device-account.md
+++ b/devices/surface-hub/change-surface-hub-device-account.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index b6719175f5..914b6136e6 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index 5c6ab373e5..b06c909230 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
@@ -50,7 +50,8 @@ For detailed steps using PowerShell to provision a device account, choose an opt
| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a multi-forest environment. |
| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. |
-If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell.
+
+If you prefer to use a graphical user interface (UI), some steps can be done using UI instead of PowerShell.
For more information, see [Creating a device account using UI](create-a-device-account-using-office-365.md).
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index 0d070c1ae5..f2cb38c5f2 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
@@ -49,49 +49,21 @@ If you see a blank screen for long periods of time during the **Reset device** p

-3. Click **Recovery**, and then, under **Reset device**, click **Get started**.
+3. Click **Recovery**, and then click **Get started**.

-
-## Recover a Surface Hub from the cloud
+## Reset a Surface Hub from Windows Recovery Environment
-In the Windows Recovery Environment (Windows RE), you can recover your device by downloading a factory build from the cloud and installing it on the Surface Hub. This allows devices in an unusable state to recover without requiring assistance from Microsoft Support.
+On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset the device from [Windows Recovery Environment](https://technet.microsoft.com/library/cc765966.aspx) (Windows RE).
-### Recover a Surface Hub in a bad state
-
-If the device account gets into an unstable state or the Admin account is running into issues, you can use cloud recovery in **Settings**. You should only use cloud recovery when [reset](#reset-a-surface-hub-from-settings) doesn't fix the problem.
-
-1. On your Surface Hub, go to **Settings** > **Update & security** > **Recovery**.
-
-2. Under **Recover from the cloud**, click **Restart now**.
-
- 
-
-### Recover a locked Surface Hub
-
-On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx).
+**To reset a Surface Hub from Windows Recovery Environment**
1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch.
-2. The device should automatically boot into Windows RE.
-3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.)
- >[!NOTE]
- >When using **Recover from the cloud**, an ethernet connection is recommended.
-
- 
-
-4. Enter the Bitlocker key (if prompted).
-5. When prompted, select **Reinstall**.
+2. The device should automatically boot into Windows RE. Select **Advanced Repair**.
+3. Select **Reset**.
+4. If prompted, enter your device's BitLocker key.
- 
-
-6. Select **Yes** to repartition the disk.
-
- 
-
-Reset will begin after the image is downloaded from the cloud. You will see progress indicators.
-
-
## Related topics
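Review bot: The rewritten Windows RE procedure ends at step 4 (`If prompted, enter your device's BitLocker key.`) and no longer tells the admin what to expect next, whereas the removed text closed with a sentence about the reset starting and progress indicators. Add a closing line describing the outcome, and link step 4 to `save-bitlocker-key-surface-hub.md` (listed in the TOC), since an admin who is prompted for the key on a locked device needs to know where it was saved. The hunk also removes the entire `Recover from the cloud` path, so check that no other topic still points readers to it.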
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
index e6d812ea78..73557c1f2c 100644
--- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -33,7 +33,7 @@ Surface Hub doesn't have a lock screen or a screen saver, but it has a similar f
Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without logging on. The system always runs as a local, auto logged-in, low-privilege user. It doesn't support logging in any additional users - including admin users.
> [!NOTE]
-> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **End session**.
+> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **I'm done**.
*Organization policies that this may affect:* Generally, Surface Hub uses lockdown features rather than user access control to enforce security. Policies related to password requirements, interactive logon, user accounts, and access control don't apply for Surface Hub.
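Review bot: The button label in the note is written `**I'm done**`, and the next hunk uses the same lowercase form, but the TOC entry and the heading of the new topic use `I'm Done`. Use one capitalization for the UI label across the whole set so readers can match it to what is on screen.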
@@ -46,7 +46,7 @@ Users have access to a limited set of directories on the Surface Hub:
- Pictures
- Downloads
-Files saved locally in these directories are deleted when users press **End session**. To save content created during a meeting, users should save files to a USB drive or to OneDrive.
+Files saved locally in these directories are deleted when users press **I'm done**. To save content created during a meeting, users should save files to a USB drive or to OneDrive.
*Organization policies that this may affect:* Policies related to access permissions and ownership of files and folders don't apply for Surface Hub. Users can't browse and save files to system directories and network folders.
diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json
index 11bc1cdc40..df5f770c84 100644
--- a/devices/surface-hub/docfx.json
+++ b/devices/surface-hub/docfx.json
@@ -3,7 +3,7 @@
"content":
[
{
- "files": ["**/**.md"],
+ "files": ["**/**.md", "**/**.yml"],
"exclude": ["**/obj/**"]
}
],
@@ -13,8 +13,16 @@
"exclude": ["**/obj/**"]
}
],
- "globalMetadata": {
- "ROBOTS": "INDEX, FOLLOW"
+ "globalMetadata": {
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/surface-hub/breadcrumb/toc.json",
+ "ROBOTS": "INDEX, FOLLOW",
+ "ms.technology": "windows",
+ "ms.topic": "article",
+ "ms.mktglfcycl": "manage",
+ "author": "jdeckerms",
+ "ms.sitesec": "library",
+ "ms.author": "jdecker"
},
"externalReference": [
],
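Review bot: `globalMetadata` now sets `"author": "jdeckerms"`, while the per-topic hunks in this same change switch `author:` from `jdeckerMS` to `TrudyHa`, so the global default and the front matter disagree; decide which is intended. `breadcrumb_path` also points at `/surface-hub/breadcrumb/toc.json`, but the file added in this change is `breadcrumb/toc.yml`; if that `.json` is expected to be generated from the `.yml` through the `**/**.yml` content glob added in the previous hunk, state that dependency in the commit message.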
diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
index 527eaf6198..3e9df023a1 100644
--- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md
deleted file mode 100644
index 8733038060..0000000000
--- a/devices/surface-hub/finishing-your-surface-hub-meeting.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: End session - ending a Surface Hub meeting
-description: To end a Surface Hub meeting, tap End session. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting.
-keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: surfacehub
-author: jdeckerMS
-localizationpriority: medium
----
-
-# End a Surface Hub meeting with End session
-Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states:
-- Applications
-- Operating system
-- User interface
-
-This topic explains what **End session** resets for each of these states.
-
-## Applications
-When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **End session** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs.
-
-### Close applications
-Surface Hub closes all visible windows, including Win32 and Universal Windows Platform (UWP) applications. The application close stage uses the multitasking view to query the visible windows. Win32 windows that do not close within a certain timeframe are closed using **TerminateProcess**.
-
-### Delete browser history
-Surface Hub uses Delete Browser History (DBH) in Edge to clear Edge history and cached data. This is similar to how a user can clear out their browser history manually, but **End session** also ensures that application states are cleared and data is removed before the next session, or meeting, starts.
-
-### Reset applications
-**End session** resets the state of each application that is installed on the Surface Hub. Resetting an application clears all background tasks, application data, notifications, and user consent dialogs. Applications are returned to their first-run state for the next people that use Surface Hub.
-
-### Remove Skype logs
-Skype does not store personally-identifiable information on Surface Hub. Information is stored in the Skype service to meet existing Skype for Business guidance. Local Skype logging information is the only data removed when **End session** is selected. This includes Unified Communications Client Platform (UCCP) logs and media logs.
-
-## Operating System
-The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting.
-
-### File System
-Meeting attendees have access to a limited set of directories on the Surface Hub. When **End session** is selected, Surface Hub clears these directories:
-- Music
-- Videos
-- Documents
-- Pictures
-- Downloads
-
-Surface Hub also clears these directories, since many applications often write to them:
-- Desktop
-- Favorites
-- Recent
-- Public Documents
-- Public Music
-- Public Videos
-- Public Downloads
-
-### Credentials
-User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **End session**.
-
-## User interface
-User interface (UI) settings are returned to their default values when **End session** is selected.
-
-### UI items
-- Reset Quick Actions to default state
-- Clear Toast notifications
-- Reset volume levels
-- Reset sidebar width
-- Reset tablet mode layout
-- Sign user out of Office 365 meetings and files
-
-### Accessibility
-Accessibility features and apps are returned to default settings when **End session** is selected.
-- Filter keys
-- High contrast
-- Sticky keys
-- Toggle keys
-- Mouse keys
-- Magnifier
-- Narrator
-
-### Clipboard
-The clipboard is cleared to remove data that was copied to the clipboard during the session.
-
-## Frequently asked questions
-**What happens if I forget to tap End session at the end of a meeting, and someone else uses the Surface Hub later?**
-Surface Hub only cleans up meeting content when users tap **End session**. If you leave the meeting without tapping **End session**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one. You can also disable the ability to resume a session if **End session** is not pressed.
-
-**Are documents recoverable?**
-Removing files from the hard drive when **End session** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting.
-
-**Do the clean-up actions from End session comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
-No. Currently, the clean-up actions from **End session** do not comply with this standard.
-
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index 4e6ceac8b8..6ee36023cc 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
@@ -43,10 +43,9 @@ Each of these sections also contains information about paths you might take when
This is the first screen you'll see when you power up the Surface Hub for the first time. It's where you input localization information for your device.
->[!NOTE]
->This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing.
+>**Note** This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing.
- Select a language and the initial setup options are displayed.
+

@@ -327,9 +326,6 @@ This is what happens when you choose an option.
- **Use Microsoft Azure Active Directory**
Clicking this option allows you to join the device to Azure AD. Once you click **Next**, the device will restart to apply some settings, and then you’ll be taken to the [Use Microsoft Azure Active Directory](#use-microsoft-azure) page and asked to enter credentials that can allow you to join Azure AD. After joining, admins from the joined organization will be able to use the Settings app. The specific people that will be allowed depends on your Azure AD subscription and how you’ve configured the settings for your Azure AD organization.
-
- >[!IMPORTANT]
- >If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually.
- **Use Active Directory Domain Services**
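Review bot: The removed `[!IMPORTANT]` block warned that joining Surface Hub to Azure AD during first-run setup stops single sign-on for Office apps from working properly; without it, an admin choosing `Use Microsoft Azure Active Directory` gets no mention of that limitation. Keep the warning unless it does not apply to the release this text targets, and say which in the commit message.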
@@ -386,7 +382,7 @@ Once the device has been domain joined, you must specify a security group from t
The following input is required:
- **Domain:** This is the fully qualified domain name (FQDN) of the domain that you want to join. A security group from this domain can be used to manage the device.
-- **User name:** The user name of an account that has sufficient permission to join the specified domain. This account must be a computer object.
+- **User name:** The user name of an account that has sufficient permission to join the specified domain.
- **Password:** The password for the account.
After the credentials are verified, you will be asked to type a security group name. This input is required.
diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md
new file mode 100644
index 0000000000..ccf99db112
--- /dev/null
+++ b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md
@@ -0,0 +1,91 @@
+---
+title: I am done - ending a Surface Hub meeting
+description: To end a Surface Hub meeting, tap I am Done. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting.
+keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# End a Surface Hub meeting with I'm Done
+Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **I'm Done** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states:
+- Applications
+- Operating system
+- User interface
+
+This topic explains what **I'm Done** resets for each of these states.
+
+## Applications
+When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **I'm done** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs.
+
+### Close applications
+Surface Hub closes all visible windows, including Win32 and Universal Windows Platform (UWP) applications. The application close stage uses the multitasking view to query the visible windows. Win32 windows that do not close within a certain timeframe are closed using **TerminateProcess**.
+
+### Delete browser history
+Surface Hub uses Delete Browser History (DBH) in Edge to clear Edge history and cached data. This is similar to how a user can clear out their browser history manually, but **I'm Done** also ensures that application states are cleared and data is removed before the next session, or meeting, starts.
+
+### Reset applications
+**I'm Done** resets the state of each application that is installed on the Surface Hub. Resetting an application clears all background tasks, application data, notifications, and user consent dialogs. Applications are returned to their first-run state for the next people that use Surface Hub.
+
+### Remove Skype logs
+Skype does not store personally-identifiable information on Surface Hub. Information is stored in the Skype service to meet existing Skype for Business guidance. Local Skype logging information is the only data removed when **I'm Done** is selected. This includes Unified Communications Client Platform (UCCP) logs and media logs.
+
+## Operating System
+The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting.
+
+### File System
+Meeting attendees have access to a limited set of directories on the Surface Hub. When **I'm Done** is selected, Surface Hub clears these directories:
+- Music
+- Videos
+- Documents
+- Pictures
+- Downloads
+
+Surface Hub also clears these directories, since many applications often write to them:
+- Desktop
+- Favorites
+- Recent
+- Public Documents
+- Public Music
+- Public Videos
+- Public Downloads
+
+### Credentials
+User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **I’m done**.
+
+## User interface
+User interface (UI) settings are returned to their default values when **I'm Done** is selected.
+
+### UI items
+- Reset Quick Actions to default state
+- Clear Toast notifications
+- Reset volume levels
+- Reset sidebar width
+- Reset tablet mode layout
+
+### Accessibility
+Accessibility features and apps are returned to default settings when **I'm Done** is selected.
+- Filter keys
+- High contrast
+- Sticky keys
+- Toggle keys
+- Mouse keys
+- Magnifier
+- Narrator
+
+### Clipboard
+The clipboard is cleared to remove data that was copied to the clipboard during the session.
+
+## Frequently asked questions
+**What happens if I forget to tap I'm Done at the end of a meeting, and someone else uses the Surface Hub later?**
+Surface Hub only cleans up meeting content when users tap **I'm Done**. If you leave the meeting without tapping **I'm Done**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one.
+
+**Are documents recoverable?**
+Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting.
+
+**Do the clean-up actions from I'm Done comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
+No. Currently, the clean-up actions from **I'm Done** do not comply with this standard.
+
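Review bot: In the Applications section, `until date is removed or overwritten` should read `data`, and the button label appears as `I am Done`, `I'm Done`, `I'm done` and `I’m done` (curly apostrophe, in the Credentials section) within this one file; normalize it to a single form. Compared with the deleted `finishing-your-surface-hub-meeting.md`, this version drops the `Sign user out of Office 365 meetings and files` UI item and the FAQ sentence about disabling session resume; confirm both omissions are intended, because they change what an admin expects to be cleaned up between meetings.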
diff --git a/devices/surface-hub/images/OOBE-2.jpg b/devices/surface-hub/images/OOBE-2.jpg
deleted file mode 100644
index 0c615a2ec4..0000000000
Binary files a/devices/surface-hub/images/OOBE-2.jpg and /dev/null differ
diff --git a/devices/surface-hub/images/account-management-details.PNG b/devices/surface-hub/images/account-management-details.PNG
deleted file mode 100644
index 66712394ec..0000000000
Binary files a/devices/surface-hub/images/account-management-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/add-config-file-details.PNG b/devices/surface-hub/images/add-config-file-details.PNG
deleted file mode 100644
index c7b4db97e6..0000000000
Binary files a/devices/surface-hub/images/add-config-file-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/add-config-file.PNG b/devices/surface-hub/images/add-config-file.PNG
deleted file mode 100644
index 5b779509d9..0000000000
Binary files a/devices/surface-hub/images/add-config-file.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/end-session.png b/devices/surface-hub/images/end-session.png
deleted file mode 100644
index 4b28583af4..0000000000
Binary files a/devices/surface-hub/images/end-session.png and /dev/null differ
diff --git a/devices/surface-hub/images/enroll-mdm-details.PNG b/devices/surface-hub/images/enroll-mdm-details.PNG
deleted file mode 100644
index f3a7fea8da..0000000000
Binary files a/devices/surface-hub/images/enroll-mdm-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/enroll-mdm.PNG b/devices/surface-hub/images/enroll-mdm.PNG
deleted file mode 100644
index b7cfdbc767..0000000000
Binary files a/devices/surface-hub/images/enroll-mdm.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/icd-simple-edit.png b/devices/surface-hub/images/icd-simple-edit.png
deleted file mode 100644
index aea2e24c8a..0000000000
Binary files a/devices/surface-hub/images/icd-simple-edit.png and /dev/null differ
diff --git a/devices/surface-hub/images/one.png b/devices/surface-hub/images/one.png
deleted file mode 100644
index 42b4742c49..0000000000
Binary files a/devices/surface-hub/images/one.png and /dev/null differ
diff --git a/devices/surface-hub/images/ppkg-config.png b/devices/surface-hub/images/ppkg-config.png
deleted file mode 100644
index 10a2b7de58..0000000000
Binary files a/devices/surface-hub/images/ppkg-config.png and /dev/null differ
diff --git a/devices/surface-hub/images/ppkg-csv.png b/devices/surface-hub/images/ppkg-csv.png
deleted file mode 100644
index 0648f555e1..0000000000
Binary files a/devices/surface-hub/images/ppkg-csv.png and /dev/null differ
diff --git a/devices/surface-hub/images/proxy-details.PNG b/devices/surface-hub/images/proxy-details.PNG
deleted file mode 100644
index fcc7b06a41..0000000000
Binary files a/devices/surface-hub/images/proxy-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/proxy.PNG b/devices/surface-hub/images/proxy.PNG
deleted file mode 100644
index cdfc02c454..0000000000
Binary files a/devices/surface-hub/images/proxy.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/recover-from-cloud.png b/devices/surface-hub/images/recover-from-cloud.png
deleted file mode 100644
index 7d409edc5f..0000000000
Binary files a/devices/surface-hub/images/recover-from-cloud.png and /dev/null differ
diff --git a/devices/surface-hub/images/recover-from-the-cloud.png b/devices/surface-hub/images/recover-from-the-cloud.png
deleted file mode 100644
index 07c1e22851..0000000000
Binary files a/devices/surface-hub/images/recover-from-the-cloud.png and /dev/null differ
diff --git a/devices/surface-hub/images/recover-progress.png b/devices/surface-hub/images/recover-progress.png
deleted file mode 100644
index 316d830a57..0000000000
Binary files a/devices/surface-hub/images/recover-progress.png and /dev/null differ
diff --git a/devices/surface-hub/images/reinstall.png b/devices/surface-hub/images/reinstall.png
deleted file mode 100644
index 2f307841aa..0000000000
Binary files a/devices/surface-hub/images/reinstall.png and /dev/null differ
diff --git a/devices/surface-hub/images/repartition.png b/devices/surface-hub/images/repartition.png
deleted file mode 100644
index 26725a8c54..0000000000
Binary files a/devices/surface-hub/images/repartition.png and /dev/null differ
diff --git a/devices/surface-hub/images/set-up-device-admins-details.PNG b/devices/surface-hub/images/set-up-device-admins-details.PNG
deleted file mode 100644
index 42c04b4b3b..0000000000
Binary files a/devices/surface-hub/images/set-up-device-admins-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/set-up-device-admins.PNG b/devices/surface-hub/images/set-up-device-admins.PNG
deleted file mode 100644
index e0e037903c..0000000000
Binary files a/devices/surface-hub/images/set-up-device-admins.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/set-up-device-details.PNG b/devices/surface-hub/images/set-up-device-details.PNG
deleted file mode 100644
index be565ac8d9..0000000000
Binary files a/devices/surface-hub/images/set-up-device-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/set-up-network-details.PNG b/devices/surface-hub/images/set-up-network-details.PNG
deleted file mode 100644
index 7e1391326c..0000000000
Binary files a/devices/surface-hub/images/set-up-network-details.PNG and /dev/null differ
diff --git a/devices/surface-hub/images/sh-quick-action.png b/devices/surface-hub/images/sh-quick-action.png
index 3003e464b3..cb072a9793 100644
Binary files a/devices/surface-hub/images/sh-quick-action.png and b/devices/surface-hub/images/sh-quick-action.png differ
diff --git a/devices/surface-hub/images/sh-settings-reset-device.png b/devices/surface-hub/images/sh-settings-reset-device.png
index f3a9a6dc5c..b3e35bb385 100644
Binary files a/devices/surface-hub/images/sh-settings-reset-device.png and b/devices/surface-hub/images/sh-settings-reset-device.png differ
diff --git a/devices/surface-hub/images/sh-settings-update-security.png b/devices/surface-hub/images/sh-settings-update-security.png
index 59212d1805..a10d4ffb51 100644
Binary files a/devices/surface-hub/images/sh-settings-update-security.png and b/devices/surface-hub/images/sh-settings-update-security.png differ
diff --git a/devices/surface-hub/images/sh-settings.png b/devices/surface-hub/images/sh-settings.png
index 0134fda740..03125b3419 100644
Binary files a/devices/surface-hub/images/sh-settings.png and b/devices/surface-hub/images/sh-settings.png differ
diff --git a/devices/surface-hub/images/six.png b/devices/surface-hub/images/six.png
deleted file mode 100644
index 2816328ec3..0000000000
Binary files a/devices/surface-hub/images/six.png and /dev/null differ
diff --git a/devices/surface-hub/images/surfacehub.png b/devices/surface-hub/images/surfacehub.png
deleted file mode 100644
index 1b9b484ab8..0000000000
Binary files a/devices/surface-hub/images/surfacehub.png and /dev/null differ
diff --git a/devices/surface-hub/images/wcd-wizard.PNG b/devices/surface-hub/images/wcd-wizard.PNG
deleted file mode 100644
index 706771f756..0000000000
Binary files a/devices/surface-hub/images/wcd-wizard.PNG and /dev/null differ
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
index dabf0f1f6e..22e94d2746 100644
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@@ -12,36 +12,19 @@ localizationpriority: medium
# Microsoft Surface Hub
->[Looking for the user's guide for Surface Hub?](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf)
-
-
Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. The documentation in this library describes what needs to be done both before and during setup in order to help you optimize your use of the device.

-
-
-## Surface Hub setup process
-
-In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need:
-
-1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md)
-2. [Gather the information listed in the Setup worksheet](setup-worksheet-surface-hub.md)
-2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md)
-3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md)
+Documents related to deploying and managing the Microsoft Surface Hub in your organization.
+>[Looking for the user's guide for Surface Hub?](https://www.microsoft.com/surface/support/surface-hub)
## In this section
| Topic | Description |
| --- | --- |
-| [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md) | Discover the changes and improvements for Microsoft Surface Hub in the Windows 10, version 1703 release (also known as Creators Update). |
+| [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) | This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.|
| [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise. |
-| [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) | This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. |
-| [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) | Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program. |
-| [Manage Microsoft Surface Hub](manage-surface-hub.md) | How to manage your Surface Hub after finishing the first-run program. |
-| [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) |
-| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. | PowerShell scripts to help set up and manage your Surface Hub. |
-| [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. |
+| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. |
| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. |
-| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation library. |
-
+| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation. |
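Review bot: The "In this section" table drops the rows for preparing the environment, setup, management, PowerShell scripts and troubleshooting, and replaces them with a single link to surface-hub-administrators-guide.md. Please confirm that guide links to each of those topics, otherwise they are no longer reachable from this index. Also confirm that removing the "What's new in Windows 10, version 1703" row is intended.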
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index dea976e29f..d26712627a 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: surfacehub, store
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/intro-to-surface-hub.md b/devices/surface-hub/intro-to-surface-hub.md
new file mode 100644
index 0000000000..eb48a1fb78
--- /dev/null
+++ b/devices/surface-hub/intro-to-surface-hub.md
@@ -0,0 +1,28 @@
+---
+title: Intro to Microsoft Surface Hub
+description: Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations.
+ms.assetid: 5DAD4489-81CF-47ED-9567-A798B90C7E76
+keywords: Surface Hub, productivity, collaboration, presentations, setup
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Intro to Microsoft Surface Hub
+
+
+Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device.
+
+You’ll need to understand how each of these services interacts with Surface Hub. See [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) for details.
+
+## Surface Hub setup process
+
+In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need:
+
+1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md)
+2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md)
+3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md)
+
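Review bot: In the second body paragraph, "each of these services" has no antecedent, because nothing earlier in the file names any services. Either list the services Surface Hub depends on ahead of that sentence or reword it, for example to "the services in your environment". The setup list also omits the setup worksheet step that the list removed from index.md included, so confirm that is intended.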
diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md
index 7d17d33c38..dea2a514bd 100644
--- a/devices/surface-hub/local-management-surface-hub-settings.md
+++ b/devices/surface-hub/local-management-surface-hub-settings.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
@@ -16,38 +16,29 @@ After initial setup of Microsoft Surface Hub, the device’s settings can be loc
## Surface Hub settings
-Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only configurable on Surface Hubs.
+Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only cofigurable on Surface Hubs.
| Setting | Location | Description |
| ------- | -------- | ----------- |
-| Device account | Surface Hub > Accounts | Set or change the Surface Hub's device account. |
-| Device account sync status | Surface Hub > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. |
-| Password rotation | Surface Hub > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. |
-| Change admin account password | Surface Hub > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. |
-| Device Management | Surface Hub > Device management | Manage policies and business applications using mobile device management (MDM). |
-| Provisioning packages | Surface Hub > Device management | Set or change provisioning packages installed on the Surface Hub. |
-| Configure Operations Management Suite (OMS) | Surface Hub > Device management | Set up monitoring for your Surface Hub using OMS. |
-| Open the Windows Store app | Surface Hub > Apps & features | The Windows Store app is only available to admins through the Settings app. |
-| Skype for Business domain name | Surface Hub > Calling & Audio | Configure a domain name for your Skype for Business server. |
-| Default Speaker volume | Surface Hub > Calling & Audio | Configure the default speaker volume for the Surface Hub when it starts a session. |
-| Default microphone and speaker settings | Surface Hub > Calling & Audio | Configure a default microphone and speaker for calls, and a default speaker for media playback. |
-| Enable Dolby Audio X2 | Surface Hub > Calling & Audio | Configure the Dolby Audio X2 speaker enhancements. |
-| Open Connect App automatically | Surface Hub > Projection | Choose whether projection will automatically open the Connect app or wait for user input before opening. |
-| Turn off wireless projection using Miracast | Surface Hub > Projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. |
-| Require a PIN for wireless projection | Surface Hub > Projection | Choose whether people are required to enter a PIN before they use wireless projection. |
-| Wireless projection (Miracast) channel | Surface Hub > Projection | Set the channel for Miracast projection. |
-| Meeting info shown on the welcome screen | Surface Hub > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. |
-| Welcome screen background | Surface Hub > Welcome screen | Choose a background image for the welcome screen. |
-| Idle timeout to Welcome screen | Surface Hub > Session & Power | Choose how long until the Surface Hub returns to the welcome screen after no motion is detected. |
-| Resume session | Surface Hub > Session & Power | Choose to allow users to resume a session after no motion is detected or to automatically clean up a session. |
-| Access to Office 365 meetings and files | Surface Hub > Session & Power | Choose whether a user can sign in to Office 365 to get access to their meetings and files. |
-| Turn on screen with motion sensors | Surface Hub > Session & clean up | Choose whether the screen turns on when motion is detected. |
-| Session time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. |
-| Sleep time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. |
-| Friendly name | Surface Hub > About | Set the Surface Hub name that people will see when connecting wirelessly. |
+| Device account | This device > Accounts | Set or change the Surface Hub's device account. |
+| Device account sync status | This device > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. |
+| Password rotation | This device > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. |
+| Change admin account password | This device > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. |
+| Configure Operations Management Suite (OMS) | This device > Device management | Set up monitoring for your Surface Hub using OMS. |
+| Open the Windows Store app | This device > Apps & features | The Windows Store app is only available to admins through the Settings app. |
+| Skype for Business domain name | This device > Calling | Configure a domain name for your Skype for Business server. |
+| Default microphone and speaker settings | This device > Calling | Configure a default microphone and speaker for calls, and a default speaker for media playback. |
+| Turn off wireless projection using Miracast | This device > Wireless projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. |
+| Require a PIN for wireless projection | This device > Wireless projection | Choose whether people are required to enter a PIN before they use wireless projection. |
+| Wireless projection (Miracast) channel | This device > Wireless projection | Set the channel for Miracast projection. |
+| Meeting info shown on the welcome screen | This device > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. |
+| Welcome screen background | This device > Welcome screen | Choose a background image for the welcome screen. |
+| Turn on screen with motion sensors | This device > Session & clean up | Choose whether the screen turns on when motion is detected. |
+| Session time out | This device > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. |
+| Sleep time out | This device > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. |
+| Friendly name | This device > About | Set the Surface Hub name that people will see when connecting wirelessly. |
| Maintenance hours | Update & security > Windows Update > Advanced options | Configure when updates can be installed. |
| Configure Windows Server Update Services (WSUS) server | Update & security > Windows Update > Advanced options | Change whether Surface Hub receives updates from a WSUS server instead of Windows Update. |
-| Recover from the cloud | Update & security > Recovery | Reinstall the operating system on Surface Hub to a manufacturer build from the cloud. |
| Save BitLocker key | Update & security > Recovery | Backup your Surface Hub's BitLocker key to a USB drive. |
| Collect logs | Update & security > Recovery | Save logs to a USB drive to send to Microsoft later. |
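Review bot: The replacement intro line introduces a typo, "cofigurable", where the removed line had "configurable"; keep the original spelling. The table also loses the rows for Device Management, Provisioning packages, Resume session, Idle timeout to Welcome screen, Access to Office 365 meetings and files, and Recover from the cloud, among others. Confirm those settings are really absent from the version being documented rather than dropped from the docs, since Resume session and Access to Office 365 meetings and files control what a later user of the device can reach.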
diff --git a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md
new file mode 100644
index 0000000000..db9230f9ad
--- /dev/null
+++ b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md
@@ -0,0 +1,13 @@
+---
+title: Manage settings with a local admin account (Surface Hub)
+description: A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.
+ms.assetid: B4B3668B-985D-427E-8495-E30ABEECA679
+redirect_url: https://technet.microsoft.com/itpro/surface-hub/admin-group-management-for-surface-hub
+keywords: local admin account, Surface Hub, change local admin options
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index 1954027d43..8cadcb7309 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -65,23 +65,13 @@ For more information, see [SurfaceHub configuration service provider](https://ms
| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
+| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes. Use a custom setting. | Yes |
| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID MOMAgent/WorkspaceKey | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Friendly name for wireless projection | Properties/FriendlyName | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
+| Friendly name for wireless projection | Properties/FriendlyName | Yes. [Use a custom policy.](#example-intune)) | Yes. [Use a custom setting.](#example-sccm) | Yes |
| Device account, including password rotation | DeviceAccount/*``* See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
-| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Set default volume | Properties/DefaultVolume | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Set screen timeout | Properties/ScreenTimeout | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Set session timeout | Properties/SessionTimeout | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Set sleep timeout | Properties/SleepTimeout | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes | Yes. [Use a custom setting.](#example-sccm) | Yes |
-\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
+\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
### Supported Windows 10 settings
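Review bot: The new "Friendly name for wireless projection" row ends its Intune cell with "[Use a custom policy.](#example-intune))", which has an extra closing parenthesis that will render as a stray ")". The new "Miracast channel" row also loses its "#example-sccm" link while the neighbouring rows keep theirs, so the Configuration Manager column becomes inconsistent. Separately, ten settings rows are removed here, including Properties/SessionTimeout, Properties/AllowSessionResume, Properties/AllowAutoProxyAuth and Properties/DisableSignInSuggestions; confirm these CSP nodes are unsupported in the version this page documents before dropping them.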
@@ -92,57 +82,57 @@ The following tables include info on Windows 10 settings that have been validate
#### Security settings
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
| -------- | -------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
-| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. . | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. | Yes. [Use a custom setting.](#example-sccm) | Yes |
-\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
+| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
#### Browser settings
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
| -------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
-| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
+| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
#### Windows Update settings
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML*? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
-| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes|
-| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
+| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes|
+| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
#### Windows Defender settings
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
-| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
+| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``* See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
| Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes |
-\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
+\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
#### Remote reboot
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes |
-| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes [Use a custom policy.](#example-intune) | Yes. [Use a custom setting.](#example-sccm) | Yes |
-\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
+| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
#### Install certificates
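Review bot: Every `+` row in the Browser/*, Update/*, Defender/* and Reboot tables replaces `[Use a custom policy.](#example-intune)` and `[Use a custom setting.](#example-sccm)` with plain text, so an admin reading a row such as Browser/PreventSmartScreenPromptOverride no longer has a pointer to the steps for deploying it. Keep the anchors unless the `#example-intune` and `#example-sccm` sections are removed in the same change. Two smaller points: the link text `Update/ DeferFeatureUpdatesPeriodInDays` still has a stray space after the slash, and the Windows Update table header uses `SyncML*?` while the other tables use `SyncML\*?`. The footnote also switches the tool name from "Windows Configuration Designer" to "Windows Imaging and Configuration Designer (Windows ICD)"; please confirm which name this topic should use, since the old and new lines disagree.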
@@ -152,7 +142,7 @@ The following tables include info on Windows 10 settings that have been validate
-\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
+\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
#### Collect logs
@@ -161,7 +151,7 @@ The following tables include info on Windows 10 settings that have been validate
| Collect ETW logs | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes |
-\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
+\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package.
### Generate OMA URIs for settings
You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager.
@@ -262,7 +252,7 @@ For more information, see [Create configuration items for Windows 8.1 and Window
[Manage Microsoft Surface Hub](manage-surface-hub.md)
-
+[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md
index ecfbb7c584..5413d28a30 100644
--- a/devices/surface-hub/manage-surface-hub-settings.md
+++ b/devices/surface-hub/manage-surface-hub-settings.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index 95b3b394bd..b464c430f2 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
@@ -30,7 +30,7 @@ Learn about managing and updating Surface Hub.
| [Remote Surface Hub management](remote-surface-hub-management.md) |Topics related to managing your Surface Hub remotely. Include install apps, managing settings with MDM and monitoring with Operations Management Suite. |
| [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network |
| [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Windows Store or the Windows Store for Business.|
-| [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.|
+| [End a meeting with I’m done](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap I'm Done to clean up any sensitive data and prepare the device for the next meeting.|
| [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.|
| [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.|
| [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|
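Review bot: In the `+` row for ending a meeting, the link text reads "I’m done" with a typographic apostrophe while the description reads "I'm Done" with a straight apostrophe and different capitalisation, and the bold that marked the UI label in the removed row (`**End session**`) is dropped. Pick one spelling of the button name and keep it bold so the control that clears sensitive session data is unambiguous. While touching this table, the context row above has "Admins can install apps can from", which should read "Admins can install apps from".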
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index f54bd79038..659e2a6ae5 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index 27f722e175..4b96956704 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index 7a4a8ed551..8914899056 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
index 08688230d6..d3d6ab6871 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
@@ -1,7 +1,6 @@
---
title: On-premises deployment multi-forest (Surface Hub)
description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment.
-ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
keywords: multi forest deployment, on prem deployment, device account, Surface Hub
ms.prod: w10
ms.mktglfcycl: deploy
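Review bot: The only change in this front matter is the removal of `ms.assetid`, while the new provisioning topic added later in this patch sets an `ms.assetid` of its own. If the field is still in use, restore it here; if it is being retired, drop it from the new file as well so the metadata stays consistent.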
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 0c25519753..6510d41971 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
index 851ae60a58..c6c3db5d36 100644
--- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub, security
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md
index 3ea7a56b63..489e6a03a3 100644
--- a/devices/surface-hub/physically-install-your-surface-hub-device.md
+++ b/devices/surface-hub/physically-install-your-surface-hub-device.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub, readiness
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index 9ae8f829c5..f5c342d43d 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
@@ -27,12 +27,11 @@ Review these dependencies to make sure Surface Hub features will work in your IT
| Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. |
| Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. |
| Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. |
-| Network and Internet access |
In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1x Authentication is supported for both wired and wireless connections.
**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.
**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. |
+| Network and Internet access |
In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.
**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.
**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. |
Additionally, note that Surface Hub requires the following open ports:
- HTTPS: 443
- HTTP: 80
-- NTP: 123
Depending on your environment, access to additional ports may be needed:
- For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
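Review bot: The required-ports list drops `NTP: 123`, and the Network and Internet access row drops both the 802.1x statement and the sentence saying proxy credentials are stored across sessions. Admins build firewall rules and network access control decisions from this list, so if the device still relies on network time or still supports 802.1x, removing these lines will lead to blocked time sync or a wrong assumption about port authentication. Please confirm each removal reflects device behaviour rather than a documentation revert, and keep the proxy credential sentence if credentials are in fact persisted, since that is something a security reviewer needs to know. The context row above also has "Managmement", which should be "Management".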
@@ -42,20 +41,6 @@ Microsoft collects telemetry to help improve your Surface Hub experience. Add th
- Telemetry client endpoint: `https://vortex.data.microsoft.com/`
- Telemetry settings endpoint: `https://settings.data.microsoft.com/`
-### Proxy configuration
-
-If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Store for Business. Some of the Store for Business features use Windows Store app and Windows Store services. Devices using Store for Business – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs:
-
-- login.live.com
-- login.windows.net
-- account.live.com
-- clientconfig.passport.net
-- windowsphone.com
-- *.wns.windows.com
-- *.microsoft.com
-- www.msftncsi.com (prior to Windows 10, version 1607)
-- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com starting with Windows 10, version 1607)
-
## Work with other admins
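Review bot: Deleting the whole "Proxy configuration" section removes the only list of hosts that an egress-filtering proxy must allow for Store for Business (login.live.com, login.windows.net, `*.wns.windows.com` and the rest). With the list gone, admins on restricted networks have nothing to build an allowlist from and are more likely to open the proxy broadly. If the section is being moved, link to its new location from here; if it is being dropped as inaccurate, say so in the topic.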
@@ -64,7 +49,7 @@ Surface Hub interacts with a few different products and services. Depending on t
## Create and verify device account
-A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
+A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
After you've created your device account, there are a couple of ways to verify that it's setup correctly.
- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
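Review bot: The `+` line removes "(optionally) to authenticate to Exchange" from the device account description, but the provisioning topic added in this same patch says certificates can be added "to authenticate to Microsoft Exchange". The two topics should agree on whether the device authenticates to Exchange and with which credential, because that determines what the account and any installed certificate can access. Also, in the context line that follows, "it's setup correctly" should be "it's set up correctly".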
diff --git a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
new file mode 100644
index 0000000000..73dd21ac2e
--- /dev/null
+++ b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
@@ -0,0 +1,221 @@
+---
+title: Create provisioning packages (Surface Hub)
+description: For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning.
+ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345
+keywords: add certificate, provisioning package
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Create provisioning packages (Surface Hub)
+
+This topic explains how to create a provisioning package using the Windows Imaging and Configuration Designer (ICD), and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings.
+
+You can apply a provisioning package using a USB during first run, or through the **Settings** app.
+
+
+## Advantages
+- Quickly configure devices without using a MDM provider.
+
+- No network connectivity required.
+
+- Simple to apply.
+
+[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/whats-new/new-provisioning-packages)
+
+
+## Requirements
+
+To create and apply a provisioning package to a Surface Hub, you'll need the following:
+
+- Windows Imaging and Configuration Designer (ICD), which is installed as a part of the [Windows 10 Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740).
+- A PC running Windows 10.
+- A USB flash drive.
+- If you apply the package using the **Settings** app, you'll need device admin credentials.
+
+You'll create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub.
+
+
+## Supported items for Surface Hub provisioning packages
+
+Currently, you can add these items to provisioning packages for Surface Hub:
+- **Certificates** - You can add certificates, if needed, to authenticate to Microsoft Exchange.
+- **Universal Windows Platform (UWP) apps** - You can install UWP apps. This can be an offline-licensed app from the Windows Store for Business, or an app created by an in-house dev.
+- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
+- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx).
+
+
+## Create the provisioning package
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. When you install the ADK, you can choose to install only the Imaging and Configuration Designer (ICD). [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
+
+1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`).
+
+2. Click **Advanced provisioning**.
+
+ 
+
+3. Name your project and click **Next**.
+
+4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**.
+
+ 
+
+5. In the project, under **Available customizations**, select **Common Team edition settings**.
+
+ 
+
+
+### Add a certificate to your package
+You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange.
+
+> [!NOTE]
+> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
+
+2. Enter a **CertificateName** and then click **Add**.
+
+2. Enter the **CertificatePassword**.
+
+3. For **CertificatePath**, browse and select the certificate.
+
+4. Set **ExportCertificate** to **False**.
+
+5. For **KeyLocation**, select **Software only**.
+
+
+### Add a Universal Windows Platform (UWP) app to your package
+Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**.
+
+2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \...\ tags.
+
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
+
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies.
+
+If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package.
+
+1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license".
+
+2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**.
+
+3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \ tag, use the value in the **LicenseID** attribute.
+
+4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1.
+
+
+### Add a policy to your package
+Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**.
+
+2. Select one of the available policy areas.
+
+3. Select and set the policy you want to add to your provisioning package.
+
+
+### Add Surface Hub settings to your package
+
+You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**.
+
+2. Select one of the available setting areas.
+
+3. Select and set the setting you want to add to your provisioning package.
+
+
+## Build your package
+
+1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
+
+2. Read the warning that project files may contain sensitive information, and click **OK**.
+
+ > [!IMPORTANT]
+ > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+3. On the **Export** menu, click **Provisioning package**.
+
+4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources.
+
+5. Set a value for **Package Version**, and then select **Next.**
+
+ > [!TIP]
+ > You can make changes to existing packages and change the version number to update previously applied packages.
+
+6. Optional: You can choose to encrypt the package and enable package signing.
+
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package.
+
+ > [!IMPORTANT]
+ > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
+
+7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
+Optionally, you can click **Browse** to change the default output location.
+
+8. Click **Next**.
+
+9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive.
+
+
+## Apply a provisioning package to Surface Hub
+
+There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings).
+
+
+### Apply a provisioning package during first run
+
+> [!IMPORTANT]
+> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings.
+
+1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding.
+
+2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**.
+
+ 
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+ 
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run.
+
+ 
+
+5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. The package will be applied, and you'll be taken to the next page in the first-run program.
+
+ 
+
+
+### Apply a package using Settings
+
+1. Insert the USB flash drive containing the .ppkg file into the Surface Hub.
+
+2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted.
+
+3. Navigate to **This device** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**.
+
+4. Select **Add a package**.
+
+5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted.
+
+6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**.
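Review bot: The IMPORTANT note under step 6 of "Build your package" recommends embedding a trusted provisioning certificate and says any package signed with it afterwards "can be applied silently", but nothing in the added text tells the admin to control who can sign with that certificate. Suggest adding a sentence on restricting access to the signing certificate's private key. Since the note under step 2 already says the .ppkg may contain sensitive information, also consider recommending **Enable package encryption** instead of presenting it as purely optional. Smaller points: "provisioning packing" in "Apply a provisioning package to Surface Hub" should read "provisioning package"; in the UWP app steps, "the value between the \...\ tags" and "in the \ tag" do not name the elements, so put the tag names in backticks; and step 3 of "Apply a package using Settings" says **This device** > **Device management** where the file deleted later in this diff says **Surface Hub** > **Device management**, so confirm which label matches the release being documented.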
diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md
deleted file mode 100644
index 0d3604f6ad..0000000000
--- a/devices/surface-hub/provisioning-packages-for-surface-hub.md
+++ /dev/null
@@ -1,319 +0,0 @@
----
-title: Create provisioning packages (Surface Hub)
-description: For Windows 10, settings that use the registry or a configuration service provider (CSP) can be configured using provisioning packages.
-ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345
-keywords: add certificate, provisioning package
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: surfacehub
-author: jdeckerMS
-localizationpriority: medium
----
-
-# Create provisioning packages (Surface Hub)
-
-This topic explains how to create a provisioning package using the Windows Configuration Designer, and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings.
-
-You can apply a provisioning package using a USB stick during first-run setup, or through the **Settings** app.
-
-
-## Advantages
-- Quickly configure devices without using a mobile device management (MDM) provider.
-
-- No network connectivity required.
-
-- Simple to apply.
-
-[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/configure/provisioning-packages)
-
-
-## Requirements
-
-To create and apply a provisioning package to a Surface Hub, you'll need the following:
-
-- Windows Configuration Designer, which can be installed from Windows Store or from the Windows 10 Assessment and Deployment Kit (ADK). [Learn how to install Windows Configuration Designer.](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd)
-- A USB stick.
-- If you apply the package using the **Settings** app, you'll need device admin credentials.
-
-You create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub.
-
-
-## Supported items for Surface Hub provisioning packages
-
-Using the **Provision Surface Hub devices** wizard, you can:
-
-- Enroll in Active Directory, Azure Active Directory, or MDM
-- Create an device administrator account
-- Add applications and certificates
-- Configure proxy settings
-- Add a Surface Hub configuration file
-
->[!WARNING]
->You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using the wizard.
-
-Using the advanced provisioning editor, you can add these items to provisioning packages for Surface Hub:
-
-- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#surfacehubpolicies).
-- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx).
-
->[!TIP]
-> Use the wizard to create a package with the common settings, then switch to the advanced editor to add other settings.
->
->
-
-## Use the Surface Hub provisioning wizard
-
-After you [install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd), you can create a provisioning package.
-
-### Create the provisioning package
-
-1. Open Windows Configuration Designer:
- - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut,
-
- or
-
- - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**.
-
-2. Click **Provision Surface Hub devices**.
-
-3. Name your project and click **Next**.
-
-### Configure settings
-
-
-
 To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.

-
 Toggle **Yes** or **No** for proxy settings. The default configuration for Surface Hub is to automatically detect proxy settings, so you can select **No** if that is the setting that you want. However, if your infrastructure previously required using a proxy server and has changed to not require a proxy server, you can use a provisioning package to revert your Surface Hub devices to the default settings by selecting **Yes** and **Automatically detect settings**. If you toggle **Yes**, you can select to automatically detect proxy settings, or you can manually configure the settings by entering a URL to a setup script, or a static proxy server address. You can also identify whether to use the proxy server for local addresses, and enter exceptions (addresses that Surface Hub should connect to directly without using the proxy server).
 You can enroll the device in Active Directory and specify a security group to use the Settings app, enroll in Azure Active Directory to allow global admins to use the Settings app, or create a local administrator account on the device.To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain, and specify the security group to have admin credentials on Surface Hub. If a provisioning package that enrolls a device in Active Directory is going to be applied to a Surface Hub that was reset, the same domain account can only be used if the account listed is a domain administrator or is the same account that set up the Surface Hub initially. Otherwise, a different domain account must be used in the provisioning package.Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.To create a local administrator account, select that option and enter a user name and password. **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.

-
 Toggle **Yes** or **No** for enrollment in MDM. If you toggle **Yes**, you must provide a service account and password or certificate thumbprint that is authorized to enroll the device, and also specify the authentication type. If required by your MDM provider, also enter the URLs for the discovery service, enrollment service, and policy service. [Learn more about managing Surface Hub with MDM.](manage-settings-with-mdm-for-surface-hub.md)

-
 You can install multiple Universal Windows Platform (UWP) apps in a provisioning package. For help with the settings, see [Provision PCs with apps](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-with-apps). **Important:** Although the wizard interface allows you to select a Classic Win32 app, only include UWP apps in a provisioning package that will be applied to Surface Hub. If you include a Classic Win32 app, provisioning will fail.

-
 You don't configure any settings in this step. It provides instructions for including a configuration file that contains a list of device accounts. The configuration file must not contain column headers. When you apply the provisioning package to Surface Hub, if a Surface Hub configuration file is included on the USB drive, you can select the account and friendly name for the device from the file. See [Sample configuration file](#sample-configuration-file) for an example.**Important:** The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703.

-
You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.

-
-
-After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
-
-## Sample configuration file
-
-A Surface Hub configuration file contains a list of device accounts that your device can use to connect to Exchange and Skype for Business. When you apply a provisioning package to Surface Hub, you can include a configuration file in the root directory of the USB flash drive, and then select the desired account to apply to that device. The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703.
-
-Use Microsoft Excel or other CSV editor to create a CSV file named `SurfaceHubConfiguration.csv`. In the file, enter a list of device accounts and friendly names in this format:
-
-```
-,,
-```
->[!IMPORTANT]
->Because the configuration file stores the device account passwords in plaintext, we recommend that you update the passwords after you've applied the provisioning package to your devices. You can use the [DeviceAccount node](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp#deviceaccount) in the [Surface Hub configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp) to update the passwords via MDM.
-
-
-The following is an example of `SurfaceHubConfiguration.csv`.
-
-```
-Rainier@contoso.com,password,Rainier Surface Hub
-Adams@contoso.com,password,Adams Surface Hub
-Baker@contoso.com,password,Baker Surface Hub
-Glacier@constoso.com,password,Glacier Surface Hub
-Stuart@contoso.com,password,Stuart Surface Hub
-Fernow@contoso.com,password,Fernow Surface Hub
-Goode@contoso.com,password,Goode Surface Hub
-Shuksan@contoso.com,password,Shuksan Surface Hub
-Buckner@contoso.com,password,Buckner Surface Hub
-Logan@contoso.com,password,Logan Surface Hub
-Maude@consoto.com,password,Maude Surface hub
-Spickard@contoso.com,password,Spickard Surface Hub
-Redoubt@contoso.com,password,Redoubt Surface Hub
-Dome@contoso.com,password,Dome Surface Hub
-Eldorado@contoso.com,password,Eldorado Surface Hub
-Dragontail@contoso.com,password,Dragontail Surface Hub
-Forbidden@contoso.com,password,Forbidden Surface Hub
-Oval@contoso.com,password,Oval Surface Hub
-StHelens@contoso.com,password,St Helens Surface Hub
-Rushmore@contoso.com,password,Rushmore Surface Hub
-```
-
-## Use advanced provisioning
-
-After you [install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd), you can create a provisioning package.
-
-### Create the provisioning package (advanced)
-
-1. Open Windows Configuration Designer:
- - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut,
-
- or
-
- - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**.
-
-2. Click **Advanced provisioning**.
-
-3. Name your project and click **Next**.
-
-4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**.
-
- 
-
-5. In the project, under **Available customizations**, select **Common Team edition settings**.
-
- 
-
-
-### Add a certificate to your package
-You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange.
-
-> [!NOTE]
-> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
-
-1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
-
-2. Enter a **CertificateName** and then click **Add**.
-
-2. Enter the **CertificatePassword**.
-
-3. For **CertificatePath**, browse and select the certificate.
-
-4. Set **ExportCertificate** to **False**.
-
-5. For **KeyLocation**, select **Software only**.
-
-
-### Add a Universal Windows Platform (UWP) app to your package
-Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business.
-
-1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**.
-
-2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \...\ tags.
-
-3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
-
-4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies.
-
-If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package.
-
-1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license".
-
-2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**.
-
-3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \ tag, use the value in the **LicenseID** attribute.
-
-4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1.
-
-
-### Add a policy to your package
-Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
-
-1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**.
-
-2. Select one of the available policy areas.
-
-3. Select and set the policy you want to add to your provisioning package.
-
-
-### Add Surface Hub settings to your package
-
-You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package.
-
-1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**.
-
-2. Select one of the available setting areas.
-
-3. Select and set the setting you want to add to your provisioning package.
-
-
-## Build your package
-
-1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
-
-2. Read the warning that project files may contain sensitive information, and click **OK**.
-
- > [!IMPORTANT]
- > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
-
-3. On the **Export** menu, click **Provisioning package**.
-
-4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources.
-
-5. Set a value for **Package Version**, and then select **Next.**
-
- > [!TIP]
- > You can make changes to existing packages and change the version number to update previously applied packages.
-
-6. Optional: You can choose to encrypt the package and enable package signing.
-
- - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
-
- - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package.
-
- > [!IMPORTANT]
- > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
-
-7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
-Optionally, you can click **Browse** to change the default output location.
-
-8. Click **Next**.
-
-9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
-If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
-
-10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
-If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
-
- - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
-
- - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
-
-11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive.
-
-
-## Apply a provisioning package to Surface Hub
-
-There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings).
-
-
-### Apply a provisioning package during first run
-
-> [!IMPORTANT]
-> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings.
-
-1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding.
-
-2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**.
-
- 
-
-3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
-
- 
-
-4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run.
-
- 
-
-5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**.
-
- 
-
-6. If a configuration file is included in the root directory of the USB flash drive, you will see **Select a configuration**. The first device account in the configuration file will be shown with a summary of the account information that will be applied to the Surface Hub.
-
- 
-
-7. In **Select a configuration**, select the device name to apply, and then click **Next**.
-
- 
-
-The settings from the provisioning package will be applied to the device and OOBE will be complete. After the device restarts, you can remove the USB flash drive.
-
-### Apply a package using Settings
-
-1. Insert the USB flash drive containing the .ppkg file into the Surface Hub.
-
-2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted.
-
-3. Navigate to **Surface Hub** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**.
-
-4. Select **Add a package**.
-
-5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted.
-
-6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**.
-
-
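Review bot: Removing this file drops the "Sample configuration file" section, including the IMPORTANT note that `SurfaceHubConfiguration.csv` stores device account passwords in plaintext and that they should be updated through the DeviceAccount node of the SurfaceHub CSP after provisioning. If the configuration-file flow remains supported on any release, carry that warning into whichever topic replaces this one. Before merging, also check for inbound links to provisioning-packages-for-surface-hub.md and its `#sample-configuration-file` anchor, because first-run steps 6 and 7 ("Select a configuration") have no counterpart in the added first-run steps shown earlier in this diff, which stop at step 5.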
diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md
index 57bd619f8b..41588251fe 100644
--- a/devices/surface-hub/remote-surface-hub-management.md
+++ b/devices/surface-hub/remote-surface-hub-management.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
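Review bot: The `author` value changes from jdeckerMS to TrudyHa here with no stated reason, and the identical one-line change repeats in save-bitlocker-key-surface-hub.md, set-up-your-surface-hub.md and setup-worksheet-surface-hub.md below. Because the same diff deletes the Windows 10, version 1703 topics, please confirm in the commit message that this is an intended metadata rollback and not an older branch overwriting newer values.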
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index 6e6b8b5317..2354de0f40 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub, security
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md
index 96310f473c..95b7c2c92f 100644
--- a/devices/surface-hub/set-up-your-surface-hub.md
+++ b/devices/surface-hub/set-up-your-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md
index d8e7f921c0..a77cf5850f 100644
--- a/devices/surface-hub/setup-worksheet-surface-hub.md
+++ b/devices/surface-hub/setup-worksheet-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
diff --git a/devices/surface-hub/surface-hub-administrators-guide.md b/devices/surface-hub/surface-hub-administrators-guide.md
new file mode 100644
index 0000000000..4786082d45
--- /dev/null
+++ b/devices/surface-hub/surface-hub-administrators-guide.md
@@ -0,0 +1,76 @@
+---
+title: Microsoft Surface Hub administrator's guide
+description: This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.
+ms.assetid: e618aab7-3a94-4159-954e-d455ef7b8839
+keywords: Surface Hub, installation, administration, administrator's guide
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Microsoft Surface Hub administrator's guide
+
+
+This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.
+
+Before you power on Microsoft Surface Hub for the first time, make sure you've [completed preparation items](prepare-your-environment-for-surface-hub.md), and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct.
+
+## In this section
+
+
+
+
+
+
+
+
+
+
Topic
+
Description
+
+
+
+
+
[Intro to Microsoft Surface Hub](intro-to-surface-hub.md)
+
Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device.
+
+
+
[Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
+
The Surface Hub Readiness Guide will help make sure that your site is ready for the installation. You can download the Guide from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?LinkId=718144). It includes planning information for both the 55" and 84" devices, as well as info on moving the Surface Hub from receiving to the installation location, mounting options, and a list of what's in the box.
+
+
+
[Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
+
This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment.
+
+
+
[Set up Microsoft Surface Hub](set-up-your-surface-hub.md)
+
Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program.
+
+
+
[Manage Microsoft Surface Hub](manage-surface-hub.md)
+
How to manage your Surface Hub after finishing the first-run program.
+
+
+
[Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
+
Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
PowerShell scripts to help set up and manage your Surface Hub .
+
+
+
+
+
+
+
+
+
+
+
+
+
+
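Review bot: in the "In this section" table, the last description, "PowerShell scripts to help set up and manage your Surface Hub .", has no topic link of its own and sits directly under the Troubleshoot row, so it reads as part of that row. Give it its own row with a link to the PowerShell topic, and remove the space before the period. The Troubleshoot description also needs "and" before "Exchange ActiveSync errors", and the new file ends in a long run of blank lines that can be trimmed.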
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
deleted file mode 100644
index d05ed24b2a..0000000000
--- a/devices/surface-hub/surfacehub-whats-new-1703.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: What's new in Windows 10, version 1703 for Surface Hub
-description: Windows 10, version 1703 (Creators Update) brings new features to Microsoft Surface Hub.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.pagetype: devices
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: medium
----
-
-# What's new in Windows 10, version 1703 for Microsoft Surface Hub?
-
-Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub:
-
-## New settings
-
-Settings have been added to mobile device management (MDM) and configuration service providers (CSPs) to expand the Surface Hub management capabilities. [New settings include](manage-settings-with-mdm-for-surface-hub.md):
-
-- InBoxApps/SkypeForBusiness/DomainName
-- InBoxApps/Connect/AutoLaunch
-- Properties/DefaultVolume
-- Properties/ScreenTimeout
-- Properties/SessionTimeout
-- Properties/SleepTimeout
-- Properties/AllowSessionResume
-- Properties/AllowAutoProxyAuth
-- Properties/DisableSigninSuggestions
-- Properties/DoNotShowMyMeetingsAndFiles
-
-
-## Provizioning wizard
-
-An easy-to-use wizard helps you quickly create provisioning packages that you can apply to multiple Surface Hub devices, and includes bulk join to Azure Active Directory. [Learn how to create a provisioning package for Surface Hub.](provisioning-packages-for-certificates-surface-hub.md)
-
-
-
-## Cloud recovery
-
-When you reset a Surface Hub device, you now have the ability to download and install a factory build of the operating system from the cloud. [Learn more about cloud recovery.](device-reset-surface-hub.md#cloud-recovery)
-
->[!NOTE]
->Cloud recovery doesn't work if you use proxy servers.
-
-
-
-## End session
-
-**I'm done** is now **End session**. [Learn how to use End session.](i-am-done-finishing-your-surface-hub-meeting.md)
-
-
-
-
-
-
-
-
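Review bot: deleting this page drops the note that cloud recovery doesn't work if you use proxy servers, along with the list of ten new MDM/CSP settings. Confirm that the topics it linked to (device-reset-surface-hub.md#cloud-recovery and manage-settings-with-mdm-for-surface-hub.md) carry that information, and add a redirect so existing links to surfacehub-whats-new-1703.md don't break.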
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index 678d06e664..cc3bd57b95 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: support
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
@@ -622,9 +622,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca
-## Related content
-- [Troubleshooting Miracast connection to the Surface Hub](https://blogs.msdn.microsoft.com/surfacehub/2017/01/30/troubleshooting-miracast-connection-to-the-surface-hub/)
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index 512cf6b4bf..3347918660 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -1,10 +1,13 @@
---
title: Use fully qualified doman name with Surface Hub
description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
-ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"]
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
+ms.prod: w10
+ms.mktglfcycl: support
+ms.sitesec: library
+ms.pagetype: surfacehub
---
# Configure domain name for Skype for Business
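Review bot: the front matter this hunk touches still doesn't describe the page. The title keeps the typo "doman name", and the description and keywords ("Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.") are troubleshooting text rather than anything about configuring the Skype for Business domain name, which is what the H1 says the topic covers. Fix those while the metadata is being edited. ms.assetid is also removed without a replacement, whereas the new administrator's guide in this patch carries one; confirm that the removal is intended.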
@@ -16,10 +19,10 @@ There are a few scenarios where you need to specify the domain name of your Skyp
**To configure the domain name for your Skype for Business server**
1. On Surface Hub, open **Settings**.
-2. Click **Surface Hub**, and then click **Calling & Audio**.
+2. Click **This device**, and then click **Calling**.
3. Under **Skype for Business configuration**, click **Configure domain name**.
4. Type the domain name for your Skype for Business server, and then click **Ok**.
> [!TIP]
> You can type multiple domain names, separated by commas. For example: lync.com, outlook.com, lync.glbdns.microsoft.com
- 
\ No newline at end of file
+ 
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index 4ff4665c6a..056064b880 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: jdeckerms
localizationpriority: medium
---
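Review bot: the only change in this hunk is the casing of the author value (jdeckerMS to jdeckerms), while the other Surface Hub topics in this patch switch author to TrudyHa. Confirm which owner is intended for this topic and use the same alias form throughout.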
@@ -22,45 +22,14 @@ Using a room control system with your Surface Hub involves connecting room contr
To connect to a room control system control panel, you don't need to configure any terminal settings on the Surface Hub. If you want to connect a PC or laptop to your Surface Hub and send serial commands from the Surface Hub, you can use a terminal emulator program like Tera Term or PuTTY.
-
-
-
-
-
-
-
-
Setting
-
Value
-
-
-
-
-
Baud rate
-
115200
-
-
-
Data bits
-
8
-
-
-
Stop bits
-
1
-
-
-
Parity
-
none
-
-
-
Flow control
-
none
-
-
-
Line feed
-
every carriage return
-
-
-
-
+| Setting | Value |
+| --- | --- |
+| Baud rate | 115200 |
+| Data bits | 8 |
+| Stop bits | 1 |
+| Parity | none |
+| Flow control | none |
+| Line feed | every carriage return |
## Wiring diagram
@@ -77,153 +46,41 @@ Room control systems use common meeting-room scenarios for commands. Commands or
The following command modifiers are available. Commands terminate with a new line character (/n). Responses can come at any time in response to state changes not triggered directly by a management port command.
-
-
-
-
-
-
-
-
Modifier
-
Result
-
-
-
-
-
+
-
Increment a value
-
-
-
-
-
Decrease a value
-
-
-
=
-
Set a discrete value
-
-
-
?
-
Queries for a current value
-
-
-
-
+| Modifier | Result |
+| --- | --- |
+| + | Increment a value |
+| - | Decrease a value |
+| = | Set a discrete value |
+| ? | Queries for a current value |
## Power
Surface Hub can be in one of these power states.
-
-
-
-
-
-
-
-
-
State
-
Energy Star state
-
Description
-
-
-
-
-
0
-
S5
-
Off
-
-
-
1
-
-
-
Power up (indeterminate)
-
-
-
2
-
S3
-
Sleep
-
-
-
3
-
S0
-
Resting
-
-
-
4
-
S0
-
Ambient
-
-
-
5
-
S0
-
Ready
-
-
-
+| State | Energy Star state| Description |
+| --- | --- | --- |
+| 0 | S5 | Off |
+| 1 | - | Power up (indeterminate) |
+| 2 | S3 | Sleep |
+| 5 | S0 | Ready |
+
In Replacement PC mode, the power states are only Ready and Off and only change the display. The management port can't be used to power on the replacement PC.
-
-
-
-
-
-
-
-
-
State
-
Energy Star state
-
Description
-
-
-
-
-
0
-
S5
-
Off
-
-
-
5
-
S0
-
Ready
-
-
-
+| State | Energy Star state| Description |
+| --- | --- | --- |
+| 0 | S5 | Off |
+| 5 | S0 | Ready |
For a control device, anything other than 5 / Ready should be considered off. Each PowerOn command results in two state changes and reponses.
-
-
-
-
-
-
-
-
-
Command
-
State change
-
Response
-
-
-
-
-
PowerOn
-
Device turns on (display + PC).
PC service notifies SMC that the PC is ready.
-
Power=0
Power=5
-
+| Command | State change| Response |
+| --- | --- | --- |
+| PowerOn | Device turns on (display + PC).PC service notifies SMC that the PC is ready. | Power=0Power=5 |
+| PowerOff | Device transitions to ambient state (PC on, display dim). | Power=0 |
+| Power? | SMC reports the last-known power state. | Power=<#> |
-
-
PowerOff
-
Device transitions to ambient state (PC on, display dim).
-
Power=0
-
-
-
Power?
-
SMC reports the last-known power state.
-
Power=<#>
-
-
-
## Brightness
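Review bot: the converted power-state table drops rows 3 (Resting) and 4 (Ambient) that the removed table had, yet the PowerOff row still says the device "transitions to ambient state" and the text says anything other than 5 / Ready should be considered off. Restore both rows so a control system that receives Power=3 or Power=4 has a documented meaning for it. The PowerOn row also fuses its two responses into "Power=0Power=5" and its two state changes into one run-on cell; separate them with <br> so an integrator can see they are two distinct messages. "reponses" in the sentence above the command table is misspelled.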
@@ -232,34 +89,10 @@ The current brightness level is a range from 0 to 100.
Changes to brightness levels can be sent by a room control system, or other system.
-
-
-
-
-
-
-
-
-
Command
-
State change
-
Response
-
-
-
-
-
Brightness+
-
System management controller (SMC) sends the brightness up command.
-
PC service on the room control system notifies SMC of new brightness level.
-
Brightness = 51
-
-
-
Brightness-
-
SMC sends the brightness down command.
-
PC service notifies SMC of new brightness level.
-
Brightness = 50
-
-
-
+| Command | State change |Response |
+| --- | --- | --- |
+| Brightness+ | System management controller (SMC) sends the brightness up command.PC service on the room control system notifies SMC of new brightness level. | Brightness = 51 |
+| Brightness- | SMC sends the brightness down command.PC service notifies SMC of new brightness level. | Brightness = 50 |
## Volume
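Review bot: the Response cells here read "Brightness = 51" with spaces around the equals sign, while the Power table in the same file documents "Power=5" without them. Anyone writing a parser for management-port responses needs to know which form the device emits, so confirm it and make the tables consistent. The State change cells also lost their line break in the conversion ("command.PC service"), and the first row says "PC service on the room control system" where the second says just "PC service".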
@@ -270,34 +103,11 @@ Changes to volume levels can be sent by a room control system, or other system.
>[!NOTE]
>The Volume command will only control the volume for embedded or Replacement PC mode, not from [Guest sources](connect-and-display-with-surface-hub.md).
-
-
-
-
-
-
-
-
-
Command
-
State change
-
Response(On in [Replacement PC mode](connect-and-display-with-surface-hub.md#replacement-pc-mode))
-
-
-
-
-
Volume+
-
SMC sends the volume up command.
-
PC service notifies SMC of new volume level.
-
Volume = 51
-
-
-
Volume-
-
SMC sends the volume down command.
-
PC service notifies SMC of new volume level.
-
Volume = 50
-
-
-
+| Command | State change | Response(On in [Replacement PC mode](connect-and-display-with-surface-hub.md#replacement-pc-mode)) |
+| --- | --- | --- |
+| Volume+ | SMC sends the volume up command.PC service notifies SMC of new volume level. | Volume = 51 |
+| Volume- | SMC sends the volume down command.PC service notifies SMC of new volume level. | Volume = 50 |
+
@@ -305,28 +115,10 @@ Changes to volume levels can be sent by a room control system, or other system.
Audio can be muted.
-
-
-
-
-
-
-
-
-
Command
-
State change
-
Response
-
-
-
-
-
AudioMute+
-
SMC sends the audio mute command.
-
PC service notifies SMC that audio is muted.
-
none
-
-
-
+| Command | State change | Response |
+| --- | --- | --- |
+| AudioMute+ | SMC sends the audio mute command.PC service notifies SMC that audio is muted. | none |
+
@@ -334,116 +126,36 @@ Audio can be muted.
Several display sources can be used.
-
-
-
-
-
-
-
-
State
-
Description
-
-
-
-
-
0
-
Onboard PC
-
-
-
1
-
DisplayPort
-
-
-
2
-
HDMI
-
-
-
3
-
VGA
-
-
-
+| State | Description |
+| --- | --- |
+| 0 | Onboard PC |
+| 1 | DisplayPort |
+| 2 | HDMI |
+| 3 | VGA |
+
Changes to display source can be sent by a room control system, or other system.
-
-
-
-
-
-
-
-
-
Command
-
State change
-
Response
-
-
-
-
-
Source=#
-
SMC changes to the desired source.
-
PC service notifies SMC that the display source has switched.
-
Source=<#>
-
-
-
Source+
-
SMC cycles to the next active input source.
-
PC service notifies SMC of the current input source.
-
Source=<#>
-
-
-
Source-
-
SMC cycles to the previous active input source.
-
PC service notifies SMC of the current input source.
-
Source=<#>
-
-
-
Source?
-
SMC queries PC service for the active input source.
-
PC service notifies SMC of the current in;put source.
-
Source=<#>
-
-
-
+| Command | State change | Response |
+| --- | --- | --- |
+| Source=# | SMC changes to the desired source.PC service notifies SMC that the display source has switched. | Source=<#> |
+| Source+ | SMC cycles to the next active input source.PC service notifies SMC of the current input source. | Source=<#> |
+| Source- | SMC cycles to the previous active input source.PC service notifies SMC of the current input source. | Source=<#> |
+| Source? | SMC queries PC service for the active input source.PC service notifies SMC of the current in;put source. | Source=<#> |
## Errors
Errors are returned following the format in this table.
-
-
-
-
-
-
-
-
Error
-
Notes
-
-
-
-
-
Error: Unknown command '<input>'.
-
The instruction contains an unknown initial command. For example, "VOL+" would be invalid and return " Error: Unknown command 'VOL'".
-
-
-
Error: Unknown operator '<input>'.
-
The instruction contains an unknown operator. For example, "Volume!" would be invalid and return " Error: Unknown operator '!'".
-
-
-
Error: Unknown parameter '<input>'.
-
The instruction contains an unknown parameter. For example, "Volume=abc" would be invalid and return " Error: Unknown parameter 'abc'".
-
-
-
Error: Command not available when off '<input>'.
-
When the Surface Hub is off, commands other than Power return this error. For example, "Volume+" would be invalid and return " Error: Command not available when off 'Volume'".
-
-
-
+| Error | Notes |
+| --- | --- |
+| Error: Unknown command '<input>'. | The instruction contains an unknown initial command. For example, "VOL+" would be invalid and return " Error: Unknown command 'VOL'". |
+| Error: Unknown operator '<input>'. | The instruction contains an unknown operator. For example, "Volume!" would be invalid and return " Error: Unknown operator '!'". |
+| Error: Unknown parameter '<input>'. | The instruction contains an unknown parameter. For example, "Volume=abc" would be invalid and return " Error: Unknown parameter 'abc'". |
+| Error: Command not available when off '<input>'. | When the Surface Hub is off, commands other than Power return this error. For example, "Volume+" would be invalid and return " Error: Command not available when off 'Volume'". |
+
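Review bot: the Error column and the Source responses put raw angle brackets in Markdown table cells ('<input>', "Source=<#>"). '<input>' is an HTML element name, so wrap these values in backticks or escape the brackets to make sure they render as literal text. The Source? row carries over the typo "in;put source". The example return strings also keep a leading space inside the quotes (" Error: Unknown command 'VOL'"); say whether that space is part of the response or drop it.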
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index db080ce397..0ccd6ad70d 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub, networking
-author: jdeckerMS
+author: TrudyHa
localizationpriority: medium
---
@@ -24,7 +24,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele
### Choose a wireless access point
1. On the Surface Hub, open **Settings** and enter your admin credentials.
-2. Click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**.
+2. Click **System**, and then click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**.

@@ -35,7 +35,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele
### Review wireless settings
1. On the Surface Hub, open **Settings** and enter your admin credentials.
-2. Click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
+2. Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
3. Surface Hub shows you the properties for the wireless network connection.

diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 0ce34a2dfe..2fc832d764 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -1,6 +1,7 @@
# [Surface](index.md)
## [Deploy Surface devices](deploy.md)
-### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md)
+### [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md)
+#### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md)
### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
diff --git a/devices/surface/breadcrumb/toc.yml b/devices/surface/breadcrumb/toc.yml
new file mode 100644
index 0000000000..1ab1f047c2
--- /dev/null
+++ b/devices/surface/breadcrumb/toc.yml
@@ -0,0 +1,7 @@
+- name: Docs
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Surface
+ tocHref: /surface
+ topicHref: /surface/index
\ No newline at end of file
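Review bot: the new toc.yml is committed without a trailing newline, which this same patch fixes in use-fully-qualified-domain-name-surface-hub.md. Add the newline here so the next edit to this file doesn't produce a spurious diff on the last line.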
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index a6195be9e0..09cfde4e61 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -11,6 +11,14 @@ author: jdeckerMS
This topic lists new and updated topics in the Surface documentation library.
+
+## April 2017
+
+|New or changed topic | Description |
+| --- | --- |
+|[Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md) | New (supersedes [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md))|
+
+
## January 2017
|New or changed topic | Description |
diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md
index 03cdc49f49..3753718aef 100644
--- a/devices/surface/deploy.md
+++ b/devices/surface/deploy.md
@@ -16,7 +16,7 @@ Get deployment guidance for your Surface devices including information about MDT
| Topic | Description |
| --- | --- |
-| [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md) | Explains that LTSB is not supported for general-purpose Surface devices and should be used for specialized devices only. |
+| [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md) | Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSB edition. |
| [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.|
| [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. |
| [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.|
diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json
index 7d2f4404d8..e14912dea9 100644
--- a/devices/surface/docfx.json
+++ b/devices/surface/docfx.json
@@ -3,7 +3,7 @@
"content":
[
{
- "files": ["**/**.md"],
+ "files": ["**/**.md", "**/**.yml"],
"exclude": ["**/obj/**"]
}
],
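Review bot: "**/**.yml" pulls every YAML file under the docset into the content build, but the only YAML file this patch adds is breadcrumb/toc.yml. Consider narrowing the pattern to that path or to toc.yml files so an unrelated .yml file dropped into the folder later is not published by accident.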
@@ -14,7 +14,12 @@
}
],
"globalMetadata": {
- "ROBOTS": "INDEX, FOLLOW"
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/surface/breadcrumb/toc.json",
+ "ROBOTS": "INDEX, FOLLOW",
+ "ms.technology": "windows",
+ "ms.topic": "article",
+ "ms.author": "jdecker"
},
"externalReference": [
],
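Review bot: breadcrumb_path points at "/surface/breadcrumb/toc.json", while the file added in this patch is breadcrumb/toc.yml. If the build converts the YAML to JSON, a short comment in the PR description would help; otherwise the path needs to match the file. Setting "ms.author": "jdecker" in globalMetadata also stamps that alias on every topic in the docset that doesn't override it, including the new LTSB compatibility topic authored by DavbeaMSFT, so check that this default is wanted.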
diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md
index 91ae3a566b..5482418741 100644
--- a/devices/surface/ltsb-for-surface.md
+++ b/devices/surface/ltsb-for-surface.md
@@ -10,6 +10,8 @@ author: jdeckerMS
# Long-Term Servicing Branch (LTSB) for Surface devices
+>[!WARNING]
+>For updated information on this topic, see [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md). For additional information on this update, see the [Documentation Updates for Surface and Windows 10 LTSB Compatibility](https://blogs.technet.microsoft.com/surface/2017/04/11/documentation-updates-for-surface-and-windows-10-ltsb-compatibility) post on the Surface Blog for IT Pros.
General-purpose Surface devices running Long-Term Servicing Branch (LTSB) are not supported. As a general guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device that does not qualify for LTSB and should instead run Current Branch (CB) or Current Branch for Business (CBB).
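Review bot: the added warning sends readers to the new topic, but the paragraph directly below it still says general-purpose Surface devices running LTSB "are not supported", while the new topic says Microsoft Support will provide troubleshooting assistance. Reword or remove the old body, or redirect this page, so the two topics don't contradict each other. A [!WARNING] callout is also heavy for a pointer to newer documentation; [!NOTE] would fit better.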
diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md
new file mode 100644
index 0000000000..f1f5afdf72
--- /dev/null
+++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md
@@ -0,0 +1,58 @@
+---
+title: Surface device compatibility with Windows 10 Long-Term Servicing Branch (Surface)
+description: Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSB edition.
+keywords: ltsb, update, surface servicing options
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: DavbeaMSFT
+---
+
+# Surface device compatibility with Windows 10 Long-Term Servicing Branch (LTSB)
+
+Surface devices are designed to provide best-in-class experiences in productivity and general-purpose scenarios. Regular updates enable Surface devices to bring to life new innovations and to evolve with the new capabilities delivered by Windows 10 Feature Updates. Feature Updates are available only in Windows 10 Pro or Windows 10 Enterprise editions that receive continuous updates through the Current Branch (CB) or Current Branch for Business (CBB) servicing options.
+
+In contrast to the CB and CBB servicing options, you cannot select the Long-Term Servicing Branch (LTSB) option in Windows 10 settings. To use the LTSB servicing option, you must install a separate edition of Windows 10 Enterprise, known as *Windows 10 Enterprise LTSB*. In addition to providing an extended servicing model, the Windows 10 Enterprise LTSB edition also provides an environment with several Windows components removed. The core Surface experiences that are impacted by LTSB include:
+
+* Windows Feature Updates, including enhancements such as:
+
+ * Improvements to Direct Ink and palm rejection provided in Windows 10, version 1607 (also referred to as the Anniversary Update)
+ * Improved support for high DPI applications provided in Windows 10, version 1703 (also referred to as the Creators Update)
+
+* Pressure sensitivity settings provided by the Surface app
+
+* The Windows Ink Workspace
+
+* Key touch-optimized in-box applications including Microsoft Edge, OneNote, Calendar, and Camera
+
+The use of the Windows 10 Enterprise LTSB environment on Surface devices results in sub-optimal end-user experiences and you should avoid using it in environments where users want and expect a premium, up-to-date user experience.
+
+The LTSB servicing option is designed for device types and scenarios where the key attribute is for features or functionality to never change. Examples include systems that power manufacturing or medical equipment, or embedded systems in kiosks, such as ATMs or airport ticketing systems.
+
+>[!NOTE]
+>For general information about Windows servicing branches, including LTSB, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/update/waas-overview#long-term-servicing-branch).
+
+>[!NOTE]
+>As a general guideline, devices that fulfill the following criteria are considered general-purpose devices and should be paired with Windows 10 Pro or Windows 10 Enterprise using the CB or CBB servicing option:
+
+* Devices that run productivity software such as Microsoft Office
+
+* Devices that use Windows Store applications
+
+* Devices that are used for general Internet browsing (for example, research or access to social media)
+
+Before you choose to use Windows 10 Enterprise LTSB edition on Surface devices, consider the following limitations:
+
+* Driver and firmware updates are not explicitly tested against releases of Windows 10 Enterprise LTSB.
+
+* If you encounter problems, Microsoft Support will provide troubleshooting assistance. However, due to the servicing nature of the Windows LTSB, issue resolution may require that devices be upgraded to a more recent version of Windows 10 Enterprise LTSB, or to Windows 10 Pro or Enterprise with the CB or CBB servicing option.
+
+* Surface device replacements (for example, devices replaced under warranty) may contain subtle variations in hardware components that require updated device drivers and firmware. Compatibility with these updates may require the installation of a more recent version of Windows 10 Enterprise LTSB or Windows 10 Pro or Enterprise with the CB or CBB servicing option.
+
+>[!NOTE]
+>Organizations that standardize on a specific version of Windows 10 Enterprise LTSB may be unable to adopt new generations of Surface hardware without also updating to a later version of Windows 10 Enterprise LTSB or Windows 10 Pro or Enterprise. For more information, see the **How will Windows 10 LTSBs be supported?** topic in the **Supporting the latest processor and chipsets on Windows** section of [Lifecycle Policy FAQ—Windows products](https://support.microsoft.com/help/18581/lifecycle-policy-faq-windows-products#b4).
+
+Surface devices running Windows 10 Enterprise LTSB edition will not receive new features. In many cases these features are requested by customers to improve the usability and capabilities of Surface hardware. For example, new improvements for High DPI applications in Windows 10, version 1703. Customers that use Surface devices in the LTSB configuration will not see the improvements until they either update to a new Windows 10 Enterprise LTSB release or upgrade to a version of Windows 10 with support for the CB and CBB servicing options.
+
+Devices can be changed from Windows 10 Enterprise LTSB to a more recent version of Windows 10 Enterprise, with support for the CB and CBB servicing options, without the loss of user data by performing an upgrade installation. You can also perform an upgrade installation on multiple devices by leveraging the Upgrade Task Sequence Templates available in the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. For more information, see [Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/upgrade-surface-devices-to-windows-10-with-mdt).
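Review bot: the second [!NOTE] ("As a general guideline, devices that fulfill the following criteria...") ends in a colon, but the three bullets it introduces have no ">" prefix and fall outside the callout, leaving the note as a dangling sentence. Quote the bullets into the note or make the sentence ordinary body text. "For example, new improvements for High DPI applications in Windows 10, version 1703." is a sentence fragment. The closing link uses an absolute technet URL for the MDT upgrade topic, which the TOC in this patch lists locally as upgrade-surface-devices-to-windows-10-with-mdt.md; a relative link would survive the site move.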
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md
index 875fe51b0c..ae5f54addb 100644
--- a/devices/surface/surface-dock-updater.md
+++ b/devices/surface/surface-dock-updater.md
@@ -104,6 +104,33 @@ Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in
*Figure 8. Surface Dock Updater events in Event Viewer*
+## Changes and updates
+
+Microsoft periodically updates Surface Dock Updater. To learn more about the application of firmware by Surface Dock Updater, see [Manage Surface Dock firmware updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-dock-firmware-updates).
+
+>[!Note]
+>Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater.
+
+### Version 1.0.8.0
+
+This version of Surface Dock Updater adds support for the following:
+
+* Update for Surface Dock Main Chipset firmware
+* Update for Surface Dock DisplayPort firmware
+
+### Version 2.0.22.0
+
+This version of Surface Dock Updater adds support for the following:
+
+* Update for Surface Dock USB firmware
+* Improved reliability of Ethernet, audio, and USB ports
+
+### Version 2.1.6.0
+
+This version of Surface Dock Updater adds support for the following:
+
+* Updated firmware for Surface Dock DisplayPort
+
## Related topics
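Review bot: the note says you must use the latest version of Surface Dock Updater to get the latest firmware, but the three version sections have no release dates and run oldest first, so a reader can't tell at a glance which version is current. List the newest version first or add dates. The callout is written "[!Note]" where the rest of the patch uses "[!NOTE]", and the firmware link hard-codes the "/en-us/" locale, unlike the other technet links added in this patch.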
diff --git a/education/breadcrumb/toc.yml b/education/breadcrumb/toc.yml
new file mode 100644
index 0000000000..acc2508932
--- /dev/null
+++ b/education/breadcrumb/toc.yml
@@ -0,0 +1,7 @@
+- name: Docs
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Windows
+ tocHref: /education/windows
+ topicHref: /education/windows/index
\ No newline at end of file
diff --git a/education/docfx.json b/education/docfx.json
index cc09ff86a7..d0d03f4aea 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -3,7 +3,7 @@
"content":
[
{
- "files": ["**/**.md"],
+ "files": ["**/**.md", "**/**.yml"],
"exclude": ["**/obj/**"]
}
],
@@ -14,7 +14,12 @@
}
],
"globalMetadata": {
- "ROBOTS": "INDEX, FOLLOW"
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "ROBOTS": "INDEX, FOLLOW",
+ "ms.author": "celested",
+ "audience": "windows-education",
+ "ms.topic": "article",
+ "breadcrumb_path": "/education/breadcrumb/toc.json"
},
"externalReference": [
],
diff --git a/education/index.md b/education/index.md
index f468605351..83b0b7e49c 100644
--- a/education/index.md
+++ b/education/index.md
@@ -1,3 +1,3 @@
---
-redirect_url: https://technet.microsoft.com/edu/windows/
+redirect_url: https://docs.microsoft.com/education/windows/
---
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index f47b4a68e2..4575df5963 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -1,19 +1,20 @@
# [Windows 10 for Education](index.md)
## [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
-## [Setup options for Windows 10](set-up-windows-10.md)
-### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
+## [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)
+## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
+## [Set up Windows devices for education](set-up-windows-10.md)
### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
+### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
-## [Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)
-## [Get Minecraft Education Edition](get-minecraft-for-education.md)
-### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
-### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
## [Take tests in Windows 10 ](take-tests-in-windows-10.md)
### [Set up Take a Test on a single PC](take-a-test-single-pc.md)
### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
### [Take a Test app technical reference](take-a-test-app-technical.md)
-## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
+## [Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)
+## [Get Minecraft Education Edition](get-minecraft-for-education.md)
+### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
+### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
## [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
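Review bot: The re-added entry `### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)` still carries a trailing space inside the link text. Since the line is being touched anyway, trim it to `[Use the Set up School PCs app]`. The move also places "Technical reference for the Set up School PCs app" ahead of the how-to topic under "Set up Windows devices for education". If that order is not deliberate, keep the usage topic first so readers reach the procedure before the reference.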
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index e83f98b49f..44f87ac341 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -12,12 +12,25 @@ author: CelesteDG
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+## RELEASE: Windows 10, version 1703 (Creators Update)
+
+| New or changed topic | Description|
+| --- | --- |
+| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | New. Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. |
+| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Updated the screenshots and related instructions to reflect the current UI and experience. |
+| [Set up Windows devices for education](set-up-windows-10.md) | Updated for Windows 10, version 1703. |
+| Set up School PCs app: [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated. Describes the school-specific settings and policies that Set up School PC configures. Also provides step-by-step instructions for using the latest version of the app to create a provisioning package that you can use to set up student PCs. |
+| Set up using Windows Configuration Designer: [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) [Provision student PCs with apps](set-up-students-pcs-with-apps.md) | Updated the information for Windows 10, version 1703. |
+| [Take tests in Windows 10 ](take-tests-in-windows-10.md) [Set up Take a Test on a single PC](take-a-test-single-pc.md) [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) [Take a Test app technical reference](take-a-test-app-technical.md) | Updated. Includes new information on ways you can set up the test account and assessment URL and methods for creating and distributing the link. Methods available to you vary depending on whether you're setting up Take a Test on a single PC or multiple PCs. |
+
## January 2017
+
| New or changed topic | Description |
| --- | --- |
| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Learn how schools can use invoices to pay for Minecraft: Education Edition. |
## December 2016
+
| New or changed topic | Description |
| --- | --- |
| [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. |
@@ -30,13 +43,8 @@ This topic lists new and updated topics in the [Windows 10 for Education](index.
| [For teachers - get Minecraft: Education Edition](teacher-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. |
| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. |
-## September 2016
-| New or changed topic | Description|
-| --- | --- |
-| [Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md) | New. Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. |
-
-## RELEASE: Windows 10, version 1607
+## RELEASE: Windows 10, version 1607 (Anniversary Update)
The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
- [Set up Windows 10](set-up-windows-10.md)
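Review bot: The "## September 2016" section is deleted outright rather than moved, which drops the only change-history record for `create-tests-using-microsoft-forms.md`. A change log should not lose past entries. If the topic has been retired, keep the row and mark it as removed, or state the retirement in the commit message. If it still exists, restore the section below the December 2016 entries.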
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index bcf28c02a2..27bf9b1c63 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu, devices
+localizationpriority: high
author: craigash
---
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
new file mode 100644
index 0000000000..897f7df8c4
--- /dev/null
+++ b/education/windows/configure-windows-for-education.md
@@ -0,0 +1,186 @@
+---
+title: Windows 10 configuration recommendations for education customers
+description: Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.
+keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school", "education", "configurations"]
+ms.mktglfcycl: plan
+ms.sitesec: library
+localizationpriority: high
+author: CelesteDG
+---
+
+# Windows 10 configuration recommendations for education customers
+**Applies to:**
+
+- Windows 10
+
+
+Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
+
+In Windows 10, version 1703 (Creators Update), it is straightforward to configure Windows to be education ready.
+
+| Area | How to configure | What this does | Notes |
+| --- | --- | --- | --- |
+| **Diagnostic Data** | **SetEduPolicies** | Sets Diagnostic Data to [Basic](https://technet.microsoft.com/itpro/windows/configure/configure-windows-telemetry-in-your-organization) | On Windows 10 Education or Windows 10 Pro Education, this is already set |
+| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | On Windows 10 Education or Windows 10 Pro Education, this is already set |
+| **Cortana** | **AllowCortana** | Disables Cortana | * Cortana is enabled by default on all editions in Windows 10, version 1703 * If using Windows 10 Pro Education or Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. You can use the **AllowCortana** policy to turn it off. |
+| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | On Windows 10 Education or Windows 10 Pro Education, this is already set |
+| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) |
+| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready | * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](https://docs.microsoft.com/en-us/uwp/api/windows.system.profile.educationsettings) * On Windows 10 Education or Windows 10 Pro Education, this is already set |
+
+
+## Recommended configuration
+It is easy to be education ready when using Microsoft products. We recommend the following configuration:
+
+1. Use an Office 365 Education tenant.
+
+ With Office 365, you also have Azure Active Directory (Azure AD). To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
+
+2. Activate Intune for Education in your tenant.
+
+ You can [sign up to learn more about Intune for Education](https://info.microsoft.com/US-WNDWS-CNTNT-FY17-01Jan-17-IntuneforEducationlandingpageandnurture292531_01Registration-ForminBody.html).
+
+3. On PCs running Windows 10, version 1703 (Windows 10 Pro Education or Windows 10 Education):
+ 1. Provision the PC using one of these methods:
+ * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - This will automatically set both **SetEduPolicies** to True and **AllowCortana** to False.
+ * [Provision PCs with a custom package created with Windows Configuration Designer](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False.
+ 2. Join the PC to Azure Active Directory.
+ * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Azure AD.
+ * Manually Azure AD join the PC during the Windows device setup experience.
+ 3. Enroll the PCs in MDM.
+ * If you have activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False.
+
+4. Distribute the PCs to students.
+
+ Students sign in with their Azure AD/Office 365 identity, which enables single sign-on to Bing in Microsoft Edge, enabling an ad-free search experience with Bing in Microsoft Edge.
+
+5. Ongoing management through Intune for Education.
+
+ You can set many policies through Intune for Education, including **SetEduPolicies** and **AllowCortana**, for ongoing management of the PCs.
+
+## Configuring Windows
+You can configure Windows through provisioning or management tools including industry standard MDM.
+- Provisioning - A one-time setup process.
+- Management - A one-time and/or ongoing management of a PC by setting policies.
+
+You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready:
+- [Set up School PCs](use-set-up-school-pcs-app.md)
+- Intune for Education (coming soon)
+
+## AllowCortana
+**AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana).
+
+Use one of these methods to set this policy.
+
+### MDM
+- Intune for Education automatically sets this policy in the **All devices** group policy configuration.
+- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
+ - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
+
+ For example, in Intune, create a new configuration policy and add an OMA-URI.
+ - OMA-URI: ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
+ - Data type: Integer
+ - Value: 0
+
+ 
+
+### Group Policy
+Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**.
+
+
+
+### Provisioning tools
+- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
+- [Windows Configuration Designer](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package)
+ - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**.
+
+ 
+
+## SetEduPolicies
+**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/sharedpc-csp).
+
+Use one of these methods to set this policy.
+
+### MDM
+- Intune for Education automatically sets this policy in the **All devices** group policy configuration.
+- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
+ - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
+
+ For example, in Intune, create a new configuration policy and add an OMA-URI.
+ - OMA-URI: ./Vendor/MSFT/SharedPC/SetEduPolicies
+ - Data type: Boolean
+ - Value: true
+
+ 
+
+### Group Policy
+**SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/dn905224(v=vs.85).aspx) to set the policy in [MDM SharedPC](https://msdn.microsoft.com/en-us/library/windows/desktop/mt779129(v=vs.85).aspx).
+
+For example:
+
+- Open PowerShell as an administrator and enter the following:
+
+ ```
+ $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
+
+ $sharedPC.SetEduPolicies = $True
+
+ Set-CimInstance -CimInstance $sharedPC
+
+ Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass
+ ```
+
+### Provisioning tools
+- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
+- [Windows Configuration Designer](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package)
+ - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**.
+
+ 
+
+## Ad-free search with Bing
+Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. Additional information is available at http://www.bing.com/classroom/about-us.
+
+> [!NOTE]
+> If you enable the guest account in shared PC mode, students using the guest account will not have an ad-free experience searching with Bing in Microsoft Edge unless the PC is connected to your school network and your school network has been configured as described in [IP registration for entire school network using Microsoft Edge](#ip-registration-for-entire-school-network-using-microsoft-edge).
+
+### Configurations
+
+#### IP registration for entire school network using Microsoft Edge
+Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bicteam@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email.
+
+**District information**
+- **District or School Name:**
+- **Outbound IP Addresses (IP Range + CIDR):**
+- **Address:**
+- **City:**
+- **State Abbreviation:**
+- **Zip Code:**
+
+**Registrant information**
+- **First Name:**
+- **Last Name:**
+- **Job Title:**
+- **Email Address:**
+- **Opt-In for Email Announcements?:**
+- **Phone Number:**
+
+This will suppress ads when searching with Bing on Microsoft Edge when the PC is connected to the school network.
+
+#### Azure AD and Office 365 Education tenant
+To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps:
+
+1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590).
+2. Domain join the Windows 10 PCs to your Azure AD tenant (this is the same as your Office 365 tenant).
+3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
+4. Have students sign in with their Azure AD identity, which is the same as your Office 365 identity, to use the PC.
+
+#### Office 365 sign-in to Bing
+To suppress ads only when the student signs into Bing with their Office 365 account in Microsoft Edge, follow these steps:
+
+1. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
+2. Have students sign into Bing with their Office 365 account.
+
+### More information
+For more information on all the possible Bing configuration methods, see https://aka.ms/e4ahor.
+
+## Related topics
+[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
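Review bot: In the PowerShell example under "### Group Policy" for SetEduPolicies, the final command is `Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass`, but neither `$namespaceName` nor `$MDM_SharedPCClass` is defined anywhere in the snippet, so the verification step fails when the block is pasted as written. Either define both variables at the top and use them in the first `Get-CimInstance` call as well, or repeat the literals `"root\cimv2\mdm\dmmap"` and `"MDM_SharedPC"` in the last line. Smaller points in the same file: the front matter has no `ms.prod` entry although the sibling topics in this patch carry one; "Configuring Windows" lists Intune for Education as "(coming soon)" while both MDM sections say it "automatically sets this policy"; step 2 of "Azure AD and Office 365 Education tenant" says "Domain join" where the recommended configuration says to join the PC to Azure Active Directory; and "and the include the following information" has a stray "the".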
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 89225a2609..4037a7093e 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: edu
ms.sitesec: library
+localizationpriority: high
author: craigash
---
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 3f1dad3d00..e81b0dbbd7 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: edu
ms.sitesec: library
+localizationpriority: high
author: craigash
---
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index 20539db158..ceecbfb175 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -4,7 +4,9 @@ description: Provides guidance on ways to customize the OS privacy settings, as
keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school"]
ms.mktglfcycl: plan
ms.sitesec: library
+localizationpriority: high
author: CelesteDG
+ms.prod: W10
---
# Deployment recommendations for school IT administrators
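Review bot: The added `ms.prod: W10` uses upper case, while the front matter of the Chromebook and deployment guides touched in this same patch shows `ms.prod: w10`. Pick one casing for the metadata value across the education topics, and place the key next to the other `ms.*` entries rather than after `author:` so the block stays in the same order as the sibling files.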
@@ -15,7 +17,7 @@ author: CelesteDG
Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, as well as some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
-Here are some best practices and specific privacy settings we’d like you to be aware of.
+Here are some best practices and specific privacy settings we’d like you to be aware of. Also see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) for more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search.
## Deployment best practices
@@ -41,11 +43,11 @@ To change the setting, you can:
To turn off access to contacts for all apps on individual Windows devices:
1. On the computer, go to **Settings** and select **Privacy**.
- 
+ 
2. Under the list of **Privacy** areas, select **Contacts**.
- 
+ 
3. Turn off **Let apps access my contacts**.
@@ -56,7 +58,7 @@ For IT-managed Windows devices, you can use a Group Policy to turn off the setti
### Choose the apps that you want to allow access to contacts
If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off.
-
+
The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts.
@@ -64,11 +66,11 @@ To allow only certain apps to have access to contacts, you can:
* Configure each app individually using the **Settings** > **Contacts** option in the Windows UI
* Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce.
- 
+ 
## Skype and Xbox settings
-Skype Preview (a Universal Windows Platform [UWP] preview app) and Xbox are preinstalled as part of Windows 10.
+Skype (a Universal Windows Platform [UWP]) and Xbox are preinstalled as part of Windows 10.
The Skype app replaces the integration of Skype features into Skype video and Messaging apps on Windows PCs and large tablets. The Skype app provides all these features in one place and lets users have a single place to manage both their chat and voice conversations so they can take better advantage of their screen. For information about the new Skype UWP app preview, see this [FAQ](https://go.microsoft.com/fwlink/?LinkId=821441).
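Review bot: Dropping "preview app" from the parenthetical leaves "Skype (a Universal Windows Platform [UWP])" without a noun; it should read "(a Universal Windows Platform [UWP] app)". The unchanged paragraph that follows still refers to "the new Skype UWP app preview", so if the app is no longer in preview that sentence needs the same update to stay consistent.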
@@ -85,21 +87,24 @@ If the school allows the use of personal or Microsoft account in addition to org
Skype uses the user’s contact details to deliver important information about the account and it also lets friends find each other on Skype.
To manage and edit your profile in the Skype UWP app, follow these steps:
-1. In the Skype UWP app, select the user profile icon  to go to the user’s profile page.
-2. In the **Accounts** section, select **Manage** for the Skype account that you want to change. This will take you to the online Skype portal.
-3. In the online Skype portal, scroll down to the Account details section. In Settings and preferences, select Edit profile.
-The profile page includes these sections:
- * Profile completeness
- * Personal information
- * Contact details
-4. Review the information in each section and click **Edit** to change the information being shared.
-5. If you do not wish your name to be included, replace the fields with **XXX**.
-6. To change your profile picture, simply click on the current profile picture or avatar. The **Manage Profile Picture** window pops up.
+1. In the Skype UWP app, select the user profile icon  to go to the user’s profile page.
+2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal.
+3. In the online Skype portal, scroll down to the **Account details** section. In **Settings and preferences**, click **Edit profile**.
- 
+ The profile page includes these sections:
+
+ * Personal information
+ * Contact details
+ * Profile settings
+
+4. Review the information in each section and click **Edit profile** in either or both the **Personal information** and **Contact details** sections to change the information being shared. You can also remove the checks in the **Profile settings** section to change settings on discoverability, notifications, and staying in touch.
+5. If you do not wish the name to be included, edit the fields and replace the fields with **XXX**.
+6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up.
+
+ 
* To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**).
- * You can also change the visibility of your profile picture between public (everyone) or your contacts only. To change the profile picture visibility, select the dropdown under **Profile picture** and choose between **Show to everyone** or **Show to contacts only**.
+ * You can also change the visibility of the profile picture between public (everyone) or for contacts only. To change the profile picture visibility, select the dropdown under **Profile picture** and choose between **Show to everyone** or **Show to contacts only**.
#### Xbox
A user’s Xbox friends and their friends’ friends can see their real name and profile. By default, the Xbox privacy settings enforce that no personal identifying information of a minor is shared on the Xbox Live network, although adults in the child’s family can change these default settings to allow it to be more permissive.
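Review bot: Step 5 now reads "edit the fields and replace the fields with **XXX**", which repeats itself and does not say which fields are meant; something like "edit the name fields and replace their contents with **XXX**" is clearer. Step 4 tells the reader to click **Edit profile** "in either or both" sections, while step 3 already uses **Edit profile** to open the page, so state whether these are the same control or separate per-section buttons. Step 6 switches from the online portal back to the Skype app without an explicit transition; a short "return to the Skype app" phrase at the start of the step would prevent readers from looking for the picture in the portal.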
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index ce335d4357..a06a16e9e1 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -1,10 +1,11 @@
---
title: Education scenarios Windows Store for Business
description: Learn how IT admins and teachers can use Windows Store for Business to acquire and manage apps in schools.
-keywords: ["school"]
+keywords: ["school", "store for business"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
+localizationpriority: high
author: trudyha
---
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 91345b72c1..1e81d3437e 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -1,10 +1,11 @@
---
title: Get Minecraft Education Edition
description: Learn how to get and distribute Minecraft Education Edition.
-keywords: school
+keywords: school, minecraft
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
+localizationpriority: high
author: trudyha
---
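Review bot: The `keywords` value here is a bare comma-separated string (`keywords: school, minecraft`), whereas the other topics in this patch use a quoted list, for example `keywords: ["school", "store for business"]`. Use the list form here as well so the metadata parses the same way across the education topics.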
diff --git a/education/windows/images/allowcortana_gp.PNG b/education/windows/images/allowcortana_gp.PNG
new file mode 100644
index 0000000000..7adf1b7594
Binary files /dev/null and b/education/windows/images/allowcortana_gp.PNG differ
diff --git a/education/windows/images/allowcortana_omauri.PNG b/education/windows/images/allowcortana_omauri.PNG
new file mode 100644
index 0000000000..303c89ed5f
Binary files /dev/null and b/education/windows/images/allowcortana_omauri.PNG differ
diff --git a/education/windows/images/allowcortana_wcd.PNG b/education/windows/images/allowcortana_wcd.PNG
new file mode 100644
index 0000000000..5e62e0bb01
Binary files /dev/null and b/education/windows/images/allowcortana_wcd.PNG differ
diff --git a/education/windows/images/azuread_usersandgroups_allusers_automaticaccounts.png b/education/windows/images/azuread_usersandgroups_allusers_automaticaccounts.png
new file mode 100644
index 0000000000..f0549797a0
Binary files /dev/null and b/education/windows/images/azuread_usersandgroups_allusers_automaticaccounts.png differ
diff --git a/education/windows/images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png b/education/windows/images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png
new file mode 100644
index 0000000000..37ea63cda2
Binary files /dev/null and b/education/windows/images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png differ
diff --git a/education/windows/images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png b/education/windows/images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png
new file mode 100644
index 0000000000..1b8389b1f5
Binary files /dev/null and b/education/windows/images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png differ
diff --git a/education/windows/images/azuread_usersandgroups_devicesettings_usersmayjoin.png b/education/windows/images/azuread_usersandgroups_devicesettings_usersmayjoin.png
new file mode 100644
index 0000000000..40a603cf64
Binary files /dev/null and b/education/windows/images/azuread_usersandgroups_devicesettings_usersmayjoin.png differ
diff --git a/education/windows/images/gp_letwinappsaccesscontacts.PNG b/education/windows/images/gp_letwinappsaccesscontacts.PNG
new file mode 100644
index 0000000000..0228c9474b
Binary files /dev/null and b/education/windows/images/gp_letwinappsaccesscontacts.PNG differ
diff --git a/education/windows/images/i4e_takeatestprofile_accountsummary.PNG b/education/windows/images/i4e_takeatestprofile_accountsummary.PNG
new file mode 100644
index 0000000000..e8feb9b5d7
Binary files /dev/null and b/education/windows/images/i4e_takeatestprofile_accountsummary.PNG differ
diff --git a/education/windows/images/i4e_takeatestprofile_addnewprofile.PNG b/education/windows/images/i4e_takeatestprofile_addnewprofile.PNG
new file mode 100644
index 0000000000..401bccef4a
Binary files /dev/null and b/education/windows/images/i4e_takeatestprofile_addnewprofile.PNG differ
diff --git a/education/windows/images/i4e_takeatestprofile_changegroup_selectgroup.PNG b/education/windows/images/i4e_takeatestprofile_changegroup_selectgroup.PNG
new file mode 100644
index 0000000000..4c8f0705ce
Binary files /dev/null and b/education/windows/images/i4e_takeatestprofile_changegroup_selectgroup.PNG differ
diff --git a/education/windows/images/i4e_takeatestprofile_groupassignment_selected.PNG b/education/windows/images/i4e_takeatestprofile_groupassignment_selected.PNG
new file mode 100644
index 0000000000..8431e1d0cf
Binary files /dev/null and b/education/windows/images/i4e_takeatestprofile_groupassignment_selected.PNG differ
diff --git a/education/windows/images/i4e_takeatestprofile_groups_changegroupassignments.PNG b/education/windows/images/i4e_takeatestprofile_groups_changegroupassignments.PNG
new file mode 100644
index 0000000000..914f0b4edd
Binary files /dev/null and b/education/windows/images/i4e_takeatestprofile_groups_changegroupassignments.PNG differ
diff --git a/education/windows/images/i4e_takeatestprofile_newtestaccount.PNG b/education/windows/images/i4e_takeatestprofile_newtestaccount.PNG
new file mode 100644
index 0000000000..1ec2f0a2e2
Binary files /dev/null and b/education/windows/images/i4e_takeatestprofile_newtestaccount.PNG differ
diff --git a/education/windows/images/setedupolicies_omauri.PNG b/education/windows/images/setedupolicies_omauri.PNG
new file mode 100644
index 0000000000..eb3d9e216c
Binary files /dev/null and b/education/windows/images/setedupolicies_omauri.PNG differ
diff --git a/education/windows/images/setedupolicies_wcd.PNG b/education/windows/images/setedupolicies_wcd.PNG
new file mode 100644
index 0000000000..e240063f68
Binary files /dev/null and b/education/windows/images/setedupolicies_wcd.PNG differ
diff --git a/education/windows/images/skype_uwp_manageprofilepic.PNG b/education/windows/images/skype_uwp_manageprofilepic.PNG
new file mode 100644
index 0000000000..bdcf23dbc2
Binary files /dev/null and b/education/windows/images/skype_uwp_manageprofilepic.PNG differ
diff --git a/education/windows/images/skype_uwp_userprofile_icon.PNG b/education/windows/images/skype_uwp_userprofile_icon.PNG
new file mode 100644
index 0000000000..ad36c7f886
Binary files /dev/null and b/education/windows/images/skype_uwp_userprofile_icon.PNG differ
diff --git a/education/windows/images/suspc_account_signin.PNG b/education/windows/images/suspc_account_signin.PNG
new file mode 100644
index 0000000000..d045cff914
Binary files /dev/null and b/education/windows/images/suspc_account_signin.PNG differ
diff --git a/education/windows/images/suspc_and_wcd_comparison.png b/education/windows/images/suspc_and_wcd_comparison.png
new file mode 100644
index 0000000000..cff874ceb8
Binary files /dev/null and b/education/windows/images/suspc_and_wcd_comparison.png differ
diff --git a/education/windows/images/suspc_choosesettings_apps.PNG b/education/windows/images/suspc_choosesettings_apps.PNG
new file mode 100644
index 0000000000..babb55a445
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_apps.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_settings.PNG b/education/windows/images/suspc_choosesettings_settings.PNG
new file mode 100644
index 0000000000..bd556c0892
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_settings.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_settings_updated.PNG b/education/windows/images/suspc_choosesettings_settings_updated.PNG
new file mode 100644
index 0000000000..c62b4fa86f
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_settings_updated.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_setuptakeatest.PNG b/education/windows/images/suspc_choosesettings_setuptakeatest.PNG
new file mode 100644
index 0000000000..8ffc3fe3e6
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_setuptakeatest.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_signin.PNG b/education/windows/images/suspc_choosesettings_signin.PNG
new file mode 100644
index 0000000000..a45a12fbf5
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_signin.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_signin_final.PNG b/education/windows/images/suspc_choosesettings_signin_final.PNG
new file mode 100644
index 0000000000..3ec997cb73
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_signin_final.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_summary.PNG b/education/windows/images/suspc_choosesettings_summary.PNG
new file mode 100644
index 0000000000..c659a579e4
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_summary.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_takeatest.PNG b/education/windows/images/suspc_choosesettings_takeatest.PNG
new file mode 100644
index 0000000000..9f9f028852
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_takeatest.PNG differ
diff --git a/education/windows/images/suspc_choosesettings_takeatest_updated.png b/education/windows/images/suspc_choosesettings_takeatest_updated.png
new file mode 100644
index 0000000000..e44dd21207
Binary files /dev/null and b/education/windows/images/suspc_choosesettings_takeatest_updated.png differ
diff --git a/education/windows/images/suspc_getpcsready.PNG b/education/windows/images/suspc_getpcsready.PNG
new file mode 100644
index 0000000000..1e2bfae0ff
Binary files /dev/null and b/education/windows/images/suspc_getpcsready.PNG differ
diff --git a/education/windows/images/suspc_getpcsready_getpcsready.PNG b/education/windows/images/suspc_getpcsready_getpcsready.PNG
new file mode 100644
index 0000000000..6bb9ec078b
Binary files /dev/null and b/education/windows/images/suspc_getpcsready_getpcsready.PNG differ
diff --git a/education/windows/images/suspc_getpcsready_installpackage.PNG b/education/windows/images/suspc_getpcsready_installpackage.PNG
new file mode 100644
index 0000000000..c12bbe4de9
Binary files /dev/null and b/education/windows/images/suspc_getpcsready_installpackage.PNG differ
diff --git a/education/windows/images/suspc_getstarted.PNG b/education/windows/images/suspc_getstarted.PNG
new file mode 100644
index 0000000000..cbb3d4977c
Binary files /dev/null and b/education/windows/images/suspc_getstarted.PNG differ
diff --git a/education/windows/images/suspc_getstarted_final.PNG b/education/windows/images/suspc_getstarted_final.PNG
new file mode 100644
index 0000000000..d533536ad1
Binary files /dev/null and b/education/windows/images/suspc_getstarted_final.PNG differ
diff --git a/education/windows/images/suspc_getstarted_resized.png b/education/windows/images/suspc_getstarted_resized.png
new file mode 100644
index 0000000000..c9c99d8555
Binary files /dev/null and b/education/windows/images/suspc_getstarted_resized.png differ
diff --git a/education/windows/images/suspc_installsetupfile.PNG b/education/windows/images/suspc_installsetupfile.PNG
new file mode 100644
index 0000000000..61d0d9a3ad
Binary files /dev/null and b/education/windows/images/suspc_installsetupfile.PNG differ
diff --git a/education/windows/images/suspc_ppkg_isready.PNG b/education/windows/images/suspc_ppkg_isready.PNG
new file mode 100644
index 0000000000..e601a05a0f
Binary files /dev/null and b/education/windows/images/suspc_ppkg_isready.PNG differ
diff --git a/education/windows/images/suspc_ppkgready.PNG b/education/windows/images/suspc_ppkgready.PNG
new file mode 100644
index 0000000000..e285acdaee
Binary files /dev/null and b/education/windows/images/suspc_ppkgready.PNG differ
diff --git a/education/windows/images/suspc_reviewsettings.PNG b/education/windows/images/suspc_reviewsettings.PNG
new file mode 100644
index 0000000000..0948dbccb1
Binary files /dev/null and b/education/windows/images/suspc_reviewsettings.PNG differ
diff --git a/education/windows/images/suspc_reviewsettings_bluelinks.png b/education/windows/images/suspc_reviewsettings_bluelinks.png
new file mode 100644
index 0000000000..46c07c7a1a
Binary files /dev/null and b/education/windows/images/suspc_reviewsettings_bluelinks.png differ
diff --git a/education/windows/images/suspc_savepackage_insertusb.PNG b/education/windows/images/suspc_savepackage_insertusb.PNG
new file mode 100644
index 0000000000..e5f9968d7e
Binary files /dev/null and b/education/windows/images/suspc_savepackage_insertusb.PNG differ
diff --git a/education/windows/images/suspc_savesettings.PNG b/education/windows/images/suspc_savesettings.PNG
new file mode 100644
index 0000000000..f8338d3dec
Binary files /dev/null and b/education/windows/images/suspc_savesettings.PNG differ
diff --git a/education/windows/images/suspc_setup_removemediamessage.png b/education/windows/images/suspc_setup_removemediamessage.png
new file mode 100644
index 0000000000..94e9ddb900
Binary files /dev/null and b/education/windows/images/suspc_setup_removemediamessage.png differ
diff --git a/education/windows/images/suspc_setupfile_reviewsettings.PNG b/education/windows/images/suspc_setupfile_reviewsettings.PNG
new file mode 100644
index 0000000000..c5f3425ff5
Binary files /dev/null and b/education/windows/images/suspc_setupfile_reviewsettings.PNG differ
diff --git a/education/windows/images/suspc_setupfile_savesettings.PNG b/education/windows/images/suspc_setupfile_savesettings.PNG
new file mode 100644
index 0000000000..97ba234b8e
Binary files /dev/null and b/education/windows/images/suspc_setupfile_savesettings.PNG differ
diff --git a/education/windows/images/suspc_setupfileready.PNG b/education/windows/images/suspc_setupfileready.PNG
new file mode 100644
index 0000000000..349acbaf9d
Binary files /dev/null and b/education/windows/images/suspc_setupfileready.PNG differ
diff --git a/education/windows/images/suspc_signin_account.PNG b/education/windows/images/suspc_signin_account.PNG
new file mode 100644
index 0000000000..3f8b040f45
Binary files /dev/null and b/education/windows/images/suspc_signin_account.PNG differ
diff --git a/education/windows/images/suspc_signin_addapps.PNG b/education/windows/images/suspc_signin_addapps.PNG
new file mode 100644
index 0000000000..93e572a043
Binary files /dev/null and b/education/windows/images/suspc_signin_addapps.PNG differ
diff --git a/education/windows/images/suspc_signin_allowguests.PNG b/education/windows/images/suspc_signin_allowguests.PNG
new file mode 100644
index 0000000000..0bd0f69680
Binary files /dev/null and b/education/windows/images/suspc_signin_allowguests.PNG differ
diff --git a/education/windows/images/suspc_signin_setuptakeatest.PNG b/education/windows/images/suspc_signin_setuptakeatest.PNG
new file mode 100644
index 0000000000..6c8ba1799b
Binary files /dev/null and b/education/windows/images/suspc_signin_setuptakeatest.PNG differ
diff --git a/education/windows/images/suspc_start.PNG b/education/windows/images/suspc_start.PNG
new file mode 100644
index 0000000000..ab34f99a6b
Binary files /dev/null and b/education/windows/images/suspc_start.PNG differ
diff --git a/education/windows/images/suspc_studentpcsetup_installingsetupfile.png b/education/windows/images/suspc_studentpcsetup_installingsetupfile.png
new file mode 100644
index 0000000000..bbd10c89c4
Binary files /dev/null and b/education/windows/images/suspc_studentpcsetup_installingsetupfile.png differ
diff --git a/education/windows/images/suspc_wcd_featureslist.png b/education/windows/images/suspc_wcd_featureslist.png
new file mode 100644
index 0000000000..32b9211799
Binary files /dev/null and b/education/windows/images/suspc_wcd_featureslist.png differ
diff --git a/education/windows/images/suspc_wcd_sidebyside.png b/education/windows/images/suspc_wcd_sidebyside.png
new file mode 100644
index 0000000000..7fc108133e
Binary files /dev/null and b/education/windows/images/suspc_wcd_sidebyside.png differ
diff --git a/education/windows/images/suspc_win10v1703_getstarted.PNG b/education/windows/images/suspc_win10v1703_getstarted.PNG
new file mode 100644
index 0000000000..2777edfef9
Binary files /dev/null and b/education/windows/images/suspc_win10v1703_getstarted.PNG differ
diff --git a/education/windows/images/take_a_test_flow_dark.png b/education/windows/images/take_a_test_flow_dark.png
new file mode 100644
index 0000000000..98255e8694
Binary files /dev/null and b/education/windows/images/take_a_test_flow_dark.png differ
diff --git a/education/windows/images/tat_settingsapp_setupaccount_addtestaccount.PNG b/education/windows/images/tat_settingsapp_setupaccount_addtestaccount.PNG
new file mode 100644
index 0000000000..66c28eccc7
Binary files /dev/null and b/education/windows/images/tat_settingsapp_setupaccount_addtestaccount.PNG differ
diff --git a/education/windows/images/tat_settingsapp_setuptesttakingaccount.PNG b/education/windows/images/tat_settingsapp_setuptesttakingaccount.PNG
new file mode 100644
index 0000000000..70a917d836
Binary files /dev/null and b/education/windows/images/tat_settingsapp_setuptesttakingaccount.PNG differ
diff --git a/education/windows/images/tat_settingsapp_setuptesttakingaccount_1703.PNG b/education/windows/images/tat_settingsapp_setuptesttakingaccount_1703.PNG
new file mode 100644
index 0000000000..deb04f2e74
Binary files /dev/null and b/education/windows/images/tat_settingsapp_setuptesttakingaccount_1703.PNG differ
diff --git a/education/windows/images/tat_settingsapp_workorschoolaccess_setuptestaccount.PNG b/education/windows/images/tat_settingsapp_workorschoolaccess_setuptestaccount.PNG
new file mode 100644
index 0000000000..c9221ed95a
Binary files /dev/null and b/education/windows/images/tat_settingsapp_workorschoolaccess_setuptestaccount.PNG differ
diff --git a/education/windows/images/wcd_accountmanagement.PNG b/education/windows/images/wcd_accountmanagement.PNG
new file mode 100644
index 0000000000..071522f906
Binary files /dev/null and b/education/windows/images/wcd_accountmanagement.PNG differ
diff --git a/education/windows/images/wcd_exportpackage.PNG b/education/windows/images/wcd_exportpackage.PNG
new file mode 100644
index 0000000000..19a1c89703
Binary files /dev/null and b/education/windows/images/wcd_exportpackage.PNG differ
diff --git a/education/windows/images/wcd_settings_assignedaccess.PNG b/education/windows/images/wcd_settings_assignedaccess.PNG
new file mode 100644
index 0000000000..443a5d0688
Binary files /dev/null and b/education/windows/images/wcd_settings_assignedaccess.PNG differ
diff --git a/education/windows/images/wcd_setupdevice.PNG b/education/windows/images/wcd_setupdevice.PNG
new file mode 100644
index 0000000000..01422870d4
Binary files /dev/null and b/education/windows/images/wcd_setupdevice.PNG differ
diff --git a/education/windows/images/wcd_setupnetwork.PNG b/education/windows/images/wcd_setupnetwork.PNG
new file mode 100644
index 0000000000..f0be6908f5
Binary files /dev/null and b/education/windows/images/wcd_setupnetwork.PNG differ
diff --git a/education/windows/images/wcd_win10v1703_start_newdesktopproject.PNG b/education/windows/images/wcd_win10v1703_start_newdesktopproject.PNG
new file mode 100644
index 0000000000..f0ce8f6b93
Binary files /dev/null and b/education/windows/images/wcd_win10v1703_start_newdesktopproject.PNG differ
diff --git a/education/windows/images/win10_1703_oobe_firstscreen.png b/education/windows/images/win10_1703_oobe_firstscreen.png
new file mode 100644
index 0000000000..0d5343d0b4
Binary files /dev/null and b/education/windows/images/win10_1703_oobe_firstscreen.png differ
diff --git a/education/windows/images/win10_settings_privacy.PNG b/education/windows/images/win10_settings_privacy.PNG
new file mode 100644
index 0000000000..5285ce94f2
Binary files /dev/null and b/education/windows/images/win10_settings_privacy.PNG differ
diff --git a/education/windows/images/win10_settings_privacy_contacts.PNG b/education/windows/images/win10_settings_privacy_contacts.PNG
new file mode 100644
index 0000000000..f17ef60de0
Binary files /dev/null and b/education/windows/images/win10_settings_privacy_contacts.PNG differ
diff --git a/education/windows/images/win10_settings_privacy_contacts_apps.png b/education/windows/images/win10_settings_privacy_contacts_apps.png
new file mode 100644
index 0000000000..774f18fad9
Binary files /dev/null and b/education/windows/images/win10_settings_privacy_contacts_apps.png differ
diff --git a/education/windows/images/windows-ad-connect.png b/education/windows/images/windows-ad-connect.png
index 195058f6f6..97a69d1a6c 100644
Binary files a/education/windows/images/windows-ad-connect.png and b/education/windows/images/windows-ad-connect.png differ
diff --git a/education/windows/index.md b/education/windows/index.md
index 6ee2d1946a..218a13938e 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -19,12 +19,9 @@ author: CelesteDG
###  Learn
-
-
[Windows 10 editions for education customers](windows-editions-for-education-customers.md) Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
[Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) Find out more about the features and functionality we support in each edition of Windows.
-
[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools) When you've made your decision, find out how to buy Windows for your school.
-
+
[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools) When you've made your decision, find out how to buy Windows for your school.
###  Plan
-
-
-[Provisioning options for Windows 10](set-up-windows-10.md) Depending on your school's device management needs, you can use **Set up School PCs** or the *Provision school devices* option in **Windows Imaging and Configuration Designer** to quickly set up student PCs.
+
[Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.
+
[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
[Get Minecraft Education Edition](get-minecraft-for-education.md) Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.
[Take tests in Windows 10](take-tests-in-windows-10.md) Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.
-
[Chromebook migration guide](chromebook-migration-guide.md) Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.
-
+
[Chromebook migration guide](chromebook-migration-guide.md) Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.
- ###  Deploy
+###  Deploy
-
-
-
[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
-
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) Get step-by-step guidance to help you deploy Windows 10 in a school environment.
-
[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
-
-
+
[Set up Windows devices for education](set-up-windows-10.md) Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.
+
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) Get step-by-step guidance to help you deploy Windows 10 in a school environment.
+
[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
Try it out: Windows 10 deployment (for education) Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.
###  Upgrade
-
-
[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.
-
-
-
-
+
[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.
## Windows 8.1
Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in an academic environment.
-
-
Windows 8.1 deployment planning Explore key considerations and questions that should be answered when planning for Windows 8.1 deployment.
BYOD Explore Bring Your Own Device (BYOD) considerations, including device types, infrastructure, and deployment models.
Deploying Windows RT 8.1 Get step-by-step instructions on how to configure and deploy Windows RT devices (like Surface and other tablets) in educational environments.
-
-
Virtual Desktop Infrastructure Learn how to address challenges related to BYOD scenarios using Virtual Desktop Infrastructure (VDI).
Windows Store apps Explore Windows Store app deployment strategies and considerations for educational institutions running Windows 8.1.
Windows To Go Learn about the benefits, limitations, and processes involved in deploying Windows To Go.
-
-
+
## Related topics
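Review bot: Moving "Deployment recommendations for school IT administrators" out of Deploy and into Plan leaves a page titled "Deployment recommendations" under Plan, directly after the new "Windows 10 configuration recommendations for education customers" entry, and the two descriptions overlap ("customize the OS diagnostic data, consumer experiences, Cortana, search" versus "customize the OS privacy settings, Skype, and Xbox"). Suggest either keeping the deployment page under Deploy or rewording the two descriptions so a reader can tell which page to open for privacy-related settings. Smaller points: the Upgrade entry says "Windows Store for Business" while the Minecraft entry in the same file says "Microsoft Store for Business", so pick one name; and "opt-in to a free upgrade" should be "opt in to a free upgrade".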
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index b065ab2c96..f385bbbcd2 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -5,6 +5,7 @@ keywords: ["school"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
+localizationpriority: high
author: trudyha
---
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index bb0dc144ae..7c998c3e0b 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -1,11 +1,12 @@
---
title: Set up School PCs app technical reference
description: Describes the changes that the Set up School PCs app makes to a PC.
-keywords: shared cart, shared PC, school
+keywords: shared cart, shared PC, school, set up school pcs
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
+localizationpriority: high
author: CelesteDG
---
@@ -16,51 +17,94 @@ author: CelesteDG
-The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic.
+The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode. The latest Set up School PCs app is available for Windows 10, version 1703 (Creators Update). Set up School PCs also configures school-specific settings and policies, described in this topic.
-If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity.
+If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up School PCs app will create a setup file that joins the PC to your Azure Active Directory tenant. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity.
-The following table tells you what you get using the **Set up School PCs** app in your school.
+Here's a list of what you get when using the Set up School PCs app in your school.
| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium |
| --- | :---: | :---: | :---: | :---: |
| **Fast sign-in** Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X |
| **Custom Start experience** The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X |
-| **Temporary access, no sign-in required** This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X |
+| **Guest account, no sign-in required** This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X |
| **School policies** Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X |
| **Azure AD Join** The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X |
-| **Single sign-on to Office 365** By signing on with student IDs, students have fast access to Office 365 web apps. | | | X | X |
+| **Single sign-on to Office 365** By signing on with student IDs, students have fast access to Office 365 web apps or installed Office apps. | | | X | X |
+| **Take a Test** Configure the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. | | | | X |
| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD** Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X |
-| | | | | |
-> **Note**: If your school uses Active Directory, use Windows Imaging and Configuration Designer to configure your PCs to join the domain. You can only use the **Set up School PCs** app to set up PCs that are not connected to your traditional domain.
+> [!NOTE]
+> If your school uses Active Directory, use [Windows Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the Set up School PCs app to set up PCs that are connected to Azure AD.
-## Prerequisites for IT
+## Automated Azure AD join
+One of the most important features in Set up School PCs is the ability to create a provisioning package that performs automated Azure AD join. With this feature, you no longer have to spend minutes going through Windows setup, manually connecting to a network, and manually joining your Azure AD domain. With the automated Azure AD join feature in Set up School School PCs, this process is reduced to zero clicks! You can skip all of the Windows setup experience and the OS automatically joins the PC to your Azure AD domain and enrolls it into MDM if you have a MDM provider activated.
-* If your school uses Azure AD, [configure your directory to allow devices to join](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/). If the teacher is going to set up a lot of devices, give the teacher appropriate privileges for joining devices or make a special account.
-* Office 365, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/en-us/academic/office-365-education-plan)
-* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703369%28v=vs.85%29.aspx)
-* After you set up your Office 365 Education tenant, use [Microsoft School Data Sync Preview](https://sis.microsoft.com/) to sync user profiles and class rosters from your Student Information System (SIS).
+To make this as seamless as possible, in your Azure AD tenant:
+- Allow your teacher and other IT staff to join devices to Azure AD so they can sucessfully request an automated Azure AD join token.
+
+ In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and in **Users may join devices to Azure AD**, click **Selected** and choose the members you want to enable to join devices to Azure AD.
+
+ **Figure 1** - Select the users you want to enable to join devices to Azure AD
+
+ 
+
+- Consider creating a special account that uses a username and password that you provide, and which has the rights to join devices if you don't want to add all teachers and IT staff.
+ - When teachers or IT staff need to set up PCs, they can use this account in the Set up School PCs app.
+ - If you use a service to set up PCs for you, you can give them this special account so they can deliver PCs to you that are already Azure AD joined and ready to be given to a student.
+
+- Turn off multifactor authentication.
+
+ In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Require Multi-Factor Auth to join devices** to **No**.
+
+ **Figure 2** - Turn off multi-factor authentication in Azure AD
+
+ 
+
+- Set the maximum number of devices a user can add to unlimited.
+
+ In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Maximum number of devices per user** to **Unlimited**.
+
+ **Figure 3** - Set maximum number of devices per user to unlimited
+
+ 
+
+- Clear your Azure AD tokens from time to time. Your tenant can only have 50 automated Azure AD tokens active at any one time.
+
+ In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these.
+
+ **Figure 4** - Delete the accounts automatically created for the Azure AD tokens
+
+ 
+
+- Note that automated Azure AD tokens have expiration dates. Set up School PCs creates them with an expiration date of one month. You will see the specific expiration date for the package in the **Review package summary** page in Set up School PCs.
+
+ **Figure 5** - Sample summary page showing the expiration date
+
+ 
+
+
+
## Information about Windows Update
-Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the **Set up School PCs** app, shared PC mode sets the power states and Windows Update to:
+Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the Set up School PCs app, shared PC mode sets the power states and Windows Update to:
* Wake nightly
* Check and install updates
* Forcibly reboot if necessary to finish applying updates
-The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots.
+The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. Notfications are also blocked.
## Guidance for accounts on shared PCs
* We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
-* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out.
+* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** or **Kiosk** will also be deleted automatically at sign out.
* On a Windows PC joined to Azure Active Directory:
* By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
-* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out.
+* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts created through **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** or **Kiosk** selection on the sign-in screen, if enabled, will automatically be deleted at sign-out.
* If admin accounts are necessary on the PC
* Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
* Create admin accounts before setting up shared PC mode, or
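Review bot: The new "Automated Azure AD join" checklist tells admins to set **Require Multi-Factor Auth to join devices** to **No** and **Maximum number of devices per user** to **Unlimited**, but gives no scope or revert guidance for either change. Suggest saying how long these settings need to stay relaxed, and stating explicitly that the **Selected** restriction from the first bullet should stay in place so that only named staff can join devices while MFA is off. The "special account" bullet should also say who holds its password and that the password should be changed after an outside service has used it to set up PCs. Separately, the rewritten note now says the app can only set up PCs "that are connected to Azure AD", which contradicts the intro ("with or without Internet connectivity") and the **No Internet** column that the table keeps. Wording: "Set up School School PCs", "sucessfully", "Notfications", the fragment "User names that start with **package_** followed by a string of letters and numbers.", and "Here's a list" introducing what is a table.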
@@ -68,6 +112,7 @@ The PC is also configured to not interrupt the user during normal daytime hours
* The account management service supports accounts that are exempt from deletion.
* An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key.
* To add the account SID to the registry key using PowerShell:
+
```
$adminName = "LocalAdmin"
$adminPass = 'Pa$$word123'
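Review bot: The registry path in the unchanged bullet just above the added blank line reads `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\...`; it should be `SOFTWARE`, matching the `HKLM:\Software\...` path the PowerShell sample itself uses, and since this change already touches the block it is a good place to fix it. The sample also hard-codes `$adminPass = 'Pa$$word123'` for a local admin account that is then exempted from deletion; suggest replacing the literal with a clearly marked placeholder or a `Read-Host -AsSecureString` prompt so the example password does not get copied onto school PCs. The opening fence has no language tag; `powershell` would give readers syntax highlighting.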
@@ -78,24 +123,22 @@ The PC is also configured to not interrupt the user during normal daytime hours
New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
```
-
## Custom images
-Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the **Set up School PCs** provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx).
+Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the Set up School PCs provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx).
## Provisioning package details
-The **Set up School PCs** app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx).
+The Set up School PCs app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx).
-### Education customizations
+### Education customizations set by local MDM policy
-- Saving content locally to the PC is disabled. This prevents data loss by forcing students to save to the cloud.
-- A custom Start layout and sign in background image are set.
+- By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud.
+- A custom Start layout, taskbar layout, and lock screen image are set.
- Prohibits unlocking the PC to developer mode.
- Prohibits untrusted Windows Store apps from being installed.
- Prohibits students from removing MDM.
- Prohibits students from adding new provisioning packages.
-- Prohibits student from removing existing provisioning packages (including the one set by **Set up School PCs**).
-- Sets active hours from 6 AM to 6 PM.
+- Prohibits student from removing existing provisioning packages (including the one set by Set up School PCs).
- Sets Windows Update to update nightly.
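Review bot: in the reworded first bullet, "This prevents data loss by forcing students to save to the cloud" now follows "but you can choose to enable it", so "This" reads as if enabling local saves is what prevents data loss. Suggest reordering, for example "By default, saving content locally to the PC is blocked, which prevents data loss by forcing students to save to the cloud; you can choose to enable it." The hunk also drops "Sets active hours from 6 AM to 6 PM" with no replacement, while the section text quoted in the hunk header still says the PC is configured to not interrupt the user during normal daytime hours; please confirm that statement is still accurate.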
@@ -103,19 +146,18 @@ The **Set up School PCs** app produces a specialized provisioning package that m
- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe)
- Weather (Microsoft.BingWeather_8wekyb3d8bbwe)
-- Get Started (Microsoft.Getstarted_8wekyb3d8bbwe)
+- Tips (Microsoft.Getstarted_8wekyb3d8bbwe)
- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe)
- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe)
- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe)
- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe)
- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe)
-- Groove Music (Microsoft.ZuneMusic_8wekyb3d8bbwe)
-- Movies & TV (Microsoft.ZuneVideo_8wekyb3d8bbwe)
- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe)
### Local Group Policies
-> **Important**: It is not recommended to set additional policies on PCs configured with the **Set up School PCs** app. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
+> [!IMPORTANT]
+> We do not recommend setting additional policies on PCs configured with the Set up School PCs app. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required.
Policy path
@@ -171,6 +213,9 @@ The **Set up School PCs** app produces a specialized provisioning package that m
@@ -212,36 +257,32 @@ The **Set up School PCs** app produces a specialized provisioning package that m
Do not show feedback notifications
Enabled
+
Allow Telemetry
Basic, 0
+
Admin Templates > Windows Components > File Explorer
Show lock in the user tile menu
Disabled
Admin Templates > Windows Components > Maintenance Scheduler
-
Automatic Maintenance Activation Boundary
12am
+
Automatic Maintenance Activation Boundary
*MaintenanceStartTime*
Automatic Maintenance Random Delay
Enabled, 2 hours
Automatic Maintenance WakeUp Policy
Enabled
-
Admin Templates > Windows Components > Microsoft Edge
-
-
Open a new tab with an empty tab
Disabled
-
-
Configure corporate home pages
Enabled, about:blank
-
Admin Templates > Windows Components > OneDrive
Prevent the usage of OneDrive for file storage
Enabled
-
Admin Templates > Windows Components > Search
-
-
Allow Cortana
Disabled
-
Admin Templates > Windows Components > Windows Hello for Business
+
Use phone sign-in
Disabled
+
Use Windows Hello for Business
Disabled
+
Use biometrics
Disabled
+
Windows Settings > Security Settings > Local Policies > Security Options
Accounts: Block Microsoft accounts
**Note** Microsoft accounts can still be used in apps.
Enabled
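Review bot: the Allow Telemetry row gives the value as "Basic, 0", which pairs a level name and a number that do not match: in the Allow Telemetry policy, 0 is the Security level and Basic is 1. Please state which level the app actually sets and make the name and number agree. The Maintenance Scheduler group also shows "Automatic Maintenance Activation Boundary" twice, once with 12am and once with *MaintenanceStartTime*; if the second row is meant to replace the first, make sure only one survives in the rendered table.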
@@ -256,9 +297,13 @@ The **Set up School PCs** app produces a specialized provisioning package that m
+## Use the app
+When you're ready to use the app, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
+
## Related topics
-[Use Set up School PCs app](use-set-up-school-pcs-app.md)
+[Set up Windows devices for education](set-up-windows-10.md)
+
diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md
index 1c3d6361e1..9a8c59b2c6 100644
--- a/education/windows/set-up-students-pcs-to-join-domain.md
+++ b/education/windows/set-up-students-pcs-to-join-domain.md
@@ -1,10 +1,11 @@
---
title: Set up student PCs to join domain
description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
-keywords: ["shared cart", "shared PC", "school"]
+keywords: school
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
+localizationpriority: high
author: CelesteDG
---
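Review bot: the `keywords` front matter changes here from the bracketed list form to a bare `school`, while take-a-test-multiple-pcs.md in the same commit keeps the bracketed form (`["take a test", "test taking", "school"]`) and set-up-windows-10.md uses a comma-separated string. Pick one form for the education topics so the metadata is parsed consistently. The unchanged `ms.prod: W10` is also upper case here and lower case (`w10`) in the other files touched by this commit.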
@@ -13,81 +14,57 @@ author: CelesteDG
- Windows 10
-If your school uses Active Directory, use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package that will configure a PC for student use that is joined to the Active Directory domain. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+If your school uses Active Directory, use the Windows Configuration Designer tool to create a provisioning package that will configure a PC for student use that is joined to the Active Directory domain.
+
+## Install Windows Configuration Designer
+Follow the instructions in [Install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd).
## Create the provisioning package
+Follow the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-for-initial-deployment). However, make a note of these steps to further customize the provisioning package for use in a school that will join a student PC to a domain:
-1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+1. In the **Account Management** step:
-2. Click **Provision school devices**.
+ > [!WARNING]
+ > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend:
+ > - Use a least-privileged domain account to join the device to the domain.
+ > - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
+ > - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
- 
+2. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtine settings**.
+3. Find the **SharedPC** settings group.
+ - Set **EnableSharedPCMode** to **TRUE** to configure the PC for shared use.
+4. (Optional) To configure the PC for secure testing, follow these steps.
+ 1. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**.
+ 2. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up.
-3. Name your project and click **Finish**. The screens for school provisioning will walk you through the following steps.
+ **Figure 7** - Add the account to use for test-taking
- 
+ 
-4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length.
+ The account can be in one of the following formats:
+ - username
+ - domain\username
+ - computer name\\username
+ - username@tenant.com
-5. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to.
- - Home to Education
- - Pro to Education
- - Pro to Enterprise
- - Enterprise to Education
-
-6. Click **Set up network**.
+ 3. Under **Runtime settings**, go to **TakeATest** and configure the following settings:
+ 1. In **LaunchURI**, enter the assessment URL.
+ 2. In **TesterAccount**, enter the test account you entered in the previous step.
-7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network.
+5. To configure other settings to make Windows education ready, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) and follow the guidance on what settings you can set using Windows Configuration Designer.
-8. Click **Enroll into Active Directory**.
+6. Follow the steps to [build a package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package#build-package).
+ - You will see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username*\Windows Imaging and Configuration Designer (WICD)\*Project name*).
+ - Copy the provisioning package to a USB drive.
-9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account.
+ > [!IMPORTANT]
+ > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
- > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend:
- - Use a least-privileged domain account to join the device to the domain.
- - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
- - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
-
-10. Click **Set up school settings**.
-
-11. Toggle **Yes** or **No** to configure the PC for shared use.
-
-12. (Optional) Toggle **Yes** or **No** to configure the PC for secure testing. If you select **Yes**, you must also enter the test account to be used and the URL for the test. If you don't configure the test account and URL in this provisioning package, you can do so after the PC is configured; for more information, see [Take tests in Windows 10](take-tests-in-windows-10.md).
-
-10. Click **Finish**.
-
-11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
-
-12. Click **Create**.
-
-13. You will see the file path for your provisioning package (by default, %windir%\Users\*your alias*\Windows Imaging and Configuration Designer (WICD)\*Project name*). Copy the provisioning package to a USB drive.
-
-> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
## Apply package
+Follow the steps in [Apply a provisioning package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-apply-package) to apply the package that you created.
-1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
-
- 
-
-2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
-
- 
-
-3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
-
- 
-
-4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
-
- 
-
-5. Select **Yes, add it**.
-
- 
-
-When you see the progress ring, you can remove the USB drive.
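Review bot: the AssignedAccessSettings value added in step 4.2 is not valid JSON as written: the AUMID value opens with a typographic quote (`”`) and has spaces inside the quotes around `Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App`, so copying it does not give a usable string. Use straight quotes and no padding. In the same hunk, "Runtine settings" in step 2 should be "Runtime settings", step 1 ("In the **Account Management** step:") carries only the warning and never says what to enter, and the figure is labelled "Figure 7" although it is the only figure this hunk adds. The rewrite also removes the old step 11 that told the reader how to encrypt the package, while the IMPORTANT note still refers to the option to encrypt; since the package can carry the account used to join the domain, keep an explicit instruction or link for encrypting it.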
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index 55da4e77f5..401f60f084 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -5,6 +5,7 @@ keywords: ["shared cart", "shared PC", "school"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
+localizationpriority: high
author: CelesteDG
---
@@ -14,16 +15,19 @@ author: CelesteDG
- Windows 10
-This topic explains how to create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
+To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-with-apps).
+
+Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
+- If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-with-apps).
+- If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package.
-If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Add apps to a provisioning package](#add-apps-to-a-provisioning-package). If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md), and then follow the steps in [Create a provisioning package to add apps after initial setup](#create-a-provisioning-package-to-add-apps-after-initial-setup).
-
+
## Learn more
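Review bot: after this change the topic points at "Provision PCs with apps" three times (the new opening paragraph, the first bullet, and the last sentence of the second bullet), so the two bullets no longer separate the domain-join and Azure AD paths the way the removed paragraph did with its two in-page sections. Suggest keeping the link once in the intro and letting each bullet state only what differs for that scenario. The link text "Use Set up School PCs App" also differs in wording and capitalization from "Use the Set up School PCs app" used in set-up-windows-10.md.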
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index 16a30c38bc..1d43aed651 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -1,28 +1,35 @@
---
-title: Provisioning options for Windows 10
+title: Set up Windows devices for education
description: Decide which option for setting up Windows 10 is right for you.
-keywords: shared cart, shared PC, school
+keywords: school, Windows device setup, education device setup
ms.prod: w10
-ms.mktglfcycl: plan
+ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
+localizationpriority: high
author: CelesteDG
---
-# Provisioning options for Windows 10
+# Set up Windows devices for education
**Applies to:**
- Windows 10
-You have two tools to choose from to set up PCs for your classroom: **Set up School PCs** app and the **Provision school devices** option in Windows Imaging and Configuration Designer (ICD). Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account). The following diagram compares the tools.
+You have two tools to choose from to set up PCs for your classroom:
+ * Set up School PCs
+ * Windows Configuration Designer
+
+Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account).
-
+You can use the following diagram to compare the tools.
+
+
## In this section
-- [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md)
-- [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md)
+- [Use the Set up School PCs app](use-set-up-school-pcs-app.md)
+- [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
- [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index 32d45fb353..5aa6b3ed7b 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -1,11 +1,12 @@
---
title: Take a Test app technical reference
description: The policies and settings applied by the Take a Test app.
-keywords: shared cart, shared PC, school
+keywords: take a test, test taking, school
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
+localizationpriority: high
author: CelesteDG
---
@@ -20,7 +21,7 @@ Take a Test is an app that locks down the PC and displays an online assessment w
Whether you are a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments
-Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](http://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. (Link to Javascript API when available)
+Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](http://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api).
## PC lockdown for assessment
@@ -28,17 +29,11 @@ Assessment vendors can use Take a Test as a platform to lock down the operating
When running above the lock screen:
- The app runs full screen with no chrome
-
- The hardware print screen button is disabled
-
-- Content within the app will show up as black in screen capturing/sharing software
-
+- Depending on the parameter you set through the schema or dedicated account, content within the app will show up as black in screen capturing/sharing software
- System clipboard is cleared
-
- Web apps can query the processes currently running in the user’s device
-
- Extended display shows up as black
-
- Auto-fill is disabled
## Mobile device management (MDM) policies
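Review bot: the rewritten screen-capture bullet ("Depending on the parameter you set through the schema or dedicated account, ...") makes a lockdown guarantee conditional without naming the parameter or saying which setting keeps capture blocked. Since this topic is the technical reference for the lockdown, name the setting and state its default so test administrators can tell whether captured content is blacked out on their PCs.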
@@ -59,9 +54,7 @@ When Take a Test is running, the following MDM policies are applied to lock down
When Take a Test is running, the following functionality is available to students:
- Assistive technology that is configured to run above the lock screen should run as expected
-
- Narrator is available through Windows key + Enter
-
- Magnifier is available through Windows key + "+" key
- Full screen mode is compatible
@@ -70,14 +63,15 @@ When Take a Test is running, the following functionality is available to student
- Take a Test
- Assistive technology that may be running
- - Lock Screen (not available if student is using a dedicated test account)
- > **Note** The app will exit if the student signs in to an account from the lock screen. Progress made in the test may be lost or invalidated.
+ - Lock screen (not available if student is using a dedicated test account)
+
+ > [!NOTE]
+ > The app will exit if the student signs in to an account from the lock screen. Progress made in the test may be lost or invalidated.
- The student can exit the test by pressing one of the following key combinations:
- Ctrl+Alt+Del
-
- - Alt+F4 (**Take a Test** will restart if the student is using a dedicated test account)
+ - Alt+F4 (Take a Test will restart if the student is using a dedicated test account)
## Learn more
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index caa227ea97..18d4fc79ab 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -1,11 +1,12 @@
---
title: Set up Take a Test on multiple PCs
description: Learn how to set up and use the Take a Test app on multiple PCs.
-keywords: ["shared cart", "shared PC", "school"]
+keywords: ["take a test", "test taking", "school"]
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
+localizationpriority: high
author: CelesteDG
---
@@ -15,127 +16,158 @@ author: CelesteDG
- Windows 10
-Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
+Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test.
-- Take a Test shows just the test and nothing else.
-- Take a Test clears the clipboard.
-- Students aren’t able to go to other websites.
-- Students can’t open or access other apps.
-- Students can't share, print, or record their screens.
-- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
-- Cortana is turned off.
-
-## How to use Take a Test
-
-
-
-- **Use an assessment URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
-- **[Put an assessment URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments.
+Follow the guidance in this topic to set up Take a Test on multiple PCs.
## Set up a dedicated test account
-To configure a dedicated test account on multiple PCs, you can use:
+To configure a dedicated test account on multiple PCs, select any of the following methods:
+- [Provisioning package created through the Set up School PCs app](#set-up-a-test-account-in-the-set-up-school-pcs-app)
+- [Configuration in Intune for Education](#set-up-a-test-account-in-intune-for-education)
- [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager)
-- [A provisioning package](#set-up-a-test-account-in-a-provisioning-package) created in Windows Imaging and Configuration Designer (ICD)
-- [Group Policy](#set-up-a-test-account-in-group-policy) to deploy a scheduled task that runs a Powershell script
+- [Provisioning package created through Windows Configuration Designer](#set-up-a-test-account-through-windows-configuration-designer)
+- [Group Policy to deploy a scheduled task that runs a Powershell script](#set-up-a-test-account-in-group-policy)
+
+### Set up a test account in the Set up School PCs app
+If you want to set up a test account using the Set up School PCs app, configure the settings in the **Set up the Take a Test app** page in the Set up School PCs app. Follow the instructions in [Use the Set up School PCs app](use-set-up-school-pcs-app.md) to configure the test-taking account and create a provisioning package.
+
+If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test.
+
+**Figure 1** - Configure Take a Test in the Set up School PCs app
+
+
+
+### Set up a test account in Intune for Education
+You can set up a test-taking account in Intune for Education. To do this, follow these steps:
+
+1. In Intune for Education, select **Take a Test profiles** from the menu.
+2. Click **+ Add Test Profile** to create an account.
+
+ **Figure 2** - Add a test profile in Intune for Education
+
+ 
+
+3. In the new profile page:
+ 1. Enter a name for the profile.
+ 2. Enter the assessment URL.
+ 3. Toggle the switch to **Allow screen capture**.
+ 4. Select a user account to use as the test-taking account.
+ 5. Click **Save**.
+
+ **Figure 3** - Add information about the test profile
+
+ 
+
+ After you save the test profile, you will see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account.
+
+4. In the test account page, click **Groups**.
+
+ **Figure 4** - Assign the test account to a group
+
+ 
+
+5. In the **Groups** page, click **Change group assignments**.
+
+ **Figure 5** - Change group assignments
+
+ 
+
+6. In the **Change group assignments** page:
+ 1. Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group.
+ 2. Click **OK** when you're done making your selection.
+
+ **Figure 6** - Select the group(s) that will use the test account
+
+ 
+
+And that's it! When the students from the selected group sign in to the student PCs using the Take a Test user name that you selected, the PC will be locked down and Take a Test will open the assessment URL and students can start taking tests.
### Set up a test account in MDM or Configuration Manager
+You can configure a dedicated testing account through MDM or Configuration Manager by specifying a single account in the directory to be the test-taking account. Devices that have the test-taking policies can sign into the specified account to take the test.
+
+**Best practice**
+- Create a single account in the directory specifically for test taking
+ - Active Directory example: Contoso\TestAccount
+ - Azure Active Directory example: testaccount@contoso.com
+
+- Deploy the policies to the group of test-taking devices
+
+**To enable this configuration**
+
1. Launch your management console.
-2. Create a policy to set up single app kiosk mode, using the following values:
+2. Create a policy to set up single app kiosk mode using the following values:
- **Custom OMA-DM URI** = ./Vendor/MSFT/AssignedAccess/KioskModeApp
- - **String value** = {"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}
+ - **String value** = {"*Account*":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}
- Account can be in one of the following formats:
- - username
+ *Account* can be in one of the following formats:
+ - username (not recommended)
- domain\username
- - computer name\\username
+ - computer name\\username (not recommended)
- username@tenant.com
-3. Create a policy to configure the assessment URL, using the following values:
+3. Create a policy to configure the assessment URL using the following values:
- **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/LaunchURI
- **String value** = *assessment URL*
See [Assessment URLs](#assessment-urls) for more information.
-4. Create a policy that associates the assessment URL to the account, using the following values:
+4. Create a policy that associates the assessment URL to the account using the following values:
- **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/TesterAccount
- **String value** = Enter the account that you specified in step 2, using the same account format.
-5. To take the test, the student signs in to the test account.
+5. Deploy the policies to the test-taking devices.
+6. To take the test, the student signs in to the test account.
-### Set up a test account in a provisioning package
+### Set up a test account through Windows Configuration Designer
+To set up a test account through Windows Configuration Designer, follow these steps.
-**Prerequisite:** You must first download the Windows ADK for Windows 10, Version 1607, and install Windows Imaging and Configuration Designer (ICD). For more info, see [Install Windows Imaging and Configuration Designer](https://technet.microsoft.com/en-us/itpro/windows/deploy/provisioning-install-icd).
+1. [Install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd).
+2. Create a provisioning package by following the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-for-initial-deployment). However, make a note of these other settings to customize the test account.
+ 1. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtine settings**.
+ 2. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**.
+ 3. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up.
-**Create a provisioning package to set up a test account**
+ **Figure 7** - Add the account to use for test-taking
-1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
-2. Select **Advanced provisioning**.
-3. Name your project, and click **Next**.
-4. Select **All Windows desktop editions**, and click **Next**.
-5. Click **Finish**.
-6. Go to **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings**.
-7. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up, as shown in the following image.
+ 
- 
-
- Account can be in one of the following formats:
+ The account can be in one of the following formats:
- username
- domain\username
- computer name\\username
- username@tenant.com
-8. Go to **Runtime settings** > **TakeATest**.
-9. Enter the assessment URL in **LaunchURI**.
-10. Enter the test account from step 7 in **TesterAccount**.
-On the **File** menu, select **Save.**
-9. On the **Export** menu, select **Provisioning package**.
-10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
-11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
+ 4. Under **Runtime settings**, go to **TakeATest** and configure the following settings:
+ 1. In **LaunchURI**, enter the assessment URL.
+ 2. In **TesterAccount**, enter the test account you entered in step 3.
-12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
+3. Follow the steps to [build a package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package#build-package).
- Optionally, you can click **Browse** to change the default output location.
+ - You will see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username*\Windows Imaging and Configuration Designer (WICD)\*Project name*).
+ - Copy the provisioning package to a USB drive.
-13. Click **Next**.
-14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
-
- If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
-
-15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
-
- If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
-
- - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
-
-**Apply the provisioning package**
-
-1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges.
-2. Consent to allow the package to be installed.
-
- After you allow the package to be installed, the settings will be applied to the device. [Learn how to apply a provisioning package in audit mode or OOBE](https://go.microsoft.com/fwlink/p/?LinkID=692012).
+4. Follow the steps in [Apply a provisioning package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-apply-package) to apply the package that you created.
### Set up a test account in Group Policy
To set up a test account using Group Policy, first create a Powershell script that configures the test account and assessment URL, and then create a scheduled task to run the script.
#### Create a PowerShell script
This sample PowerShell script configures the test account and the assessment URL. Edit the sample to:
-- Use your test account for **$obj.LaunchURI**
-- Use your assessment URL for **$obj.TesterAccount**
+
+- Use your assessment URL for **$obj.LaunchURI**
+- Use your test account for **$obj.TesterAccount**
- Use your test account for **-UserName**
-```
-$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'";
-$obj.LaunchURI='http://www.foo.com';
-$obj.TesterAccount='TestAccount';
-$obj.put()
-Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount
-```
+ ```
+ $obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'";
+ $obj.LaunchURI='http://www.foo.com';
+ $obj.TesterAccount='TestAccount';
+ $obj.put()
+ Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount
+ ```
#### Create a scheduled task in Group Policy
1. Open the Group Policy Management Console.
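Review bot: In sub-step 3 of the new Windows Configuration Designer procedure, the AssignedAccessSettings value opens the AUMID string with a typographic quote (`"AUMID":”`) and pads the app ID with a space on each side, so pasting it verbatim gives invalid JSON and an AUMID that will not match the Take a Test app. Use straight quotes and no padding; the removed step 7 carried the same defect, so this rewrite is the place to fix it rather than copy it forward. Also in this hunk: sub-step 1 spells the pane **Runtine settings**; the default output path begins at %windir%\Users and ends with an unmatched `)`, which is worth checking because user profiles normally sit under the system drive, not the Windows directory; and the old step 11 on package encryption and signing is dropped while "Copy the provisioning package to a USB drive" is added, so confirm the linked build-package topic covers those options before the package leaves the admin machine.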
@@ -165,15 +197,62 @@ Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5
## Provide link to test
Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments.
-1. Create a link to the assessment URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL.
- ```
- ms-edu-secureassessment:!enforceLockdown
- ```
- > [!NOTE]
- > You may want to remove !enforceLockdown for tests that utilizes our lockdown API that checks for running processes before locking down. Removing !enforceLockdown will result in the app not locking down immediately which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps.
+**To provide a link to the test**
+
+1. Create the link to the test using schema activation.
+ - Create a link using a web UI
+
+ For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers.
+
+ To get started, go here: [Create a link using a web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link).
+
+ - Create a link using schema activation
+
+ You can accomplish the same thing as the first option (using a web UI), by manually embedding a URL with a specific prefix. You can select parameters depending on what you want to enable.
+
+ For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation).
+
+2. Distribute the link.
+
+ Once the links are created, you can distribute them through the web, email, OneNote, or any other method of your choosing. You can also create shortcuts to distribute the link. For more info, see [Create a shortcut for the test link](#create-a-shortcut-for-the-test-link).
+
+3. To take the test, have the students click on the link and provide user consent.
+
+### Create a link using schema activation
+One of the ways you can present content in a locked down manner is by embedding a URL with a specific prefix. Once users click the URL, devices will be locked down.
+
+**To enable schema activation for assessment URLs**
+
+1. Embed a link or create a desktop shortcut with:
+
+ ```
+ ms-edu-secureassessment:#enforceLockdown
+ ```
+
+2. To enable printing, screen capture, or both, use the above link and append one of these parameters:
+
+ - `&enableTextSuggestions` - Enables text suggestions
+ - `&enablePrint` - Enables printing
+ - `&enableScreenCapture` - Enables screen capture
+ - `&enablePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&enablePrint`, and `&enableScreenCapture` if you want to enable more than one capability.
+
+ If you exclude these parameters, the default behavior is disabled.
+
+ For tests that utilizes the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps.
+
+ > [!NOTE]
+ > The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:!enforcelockdown` is still supported, but not in combination with the new parameters.
+
+### Create a shortcut for the test link
+You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
+
+1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
+2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
+3. Click **Next**.
+4. Type a name for the shortcut and then click **Finish**.
+
+Once the shortcut is created, you can copy it and distribute it to students.
-2. Distribute the link. You can use the web, email, OneNote, or any other method of your choosing.
-3. To take the test, the student clicks on the link and provides user consent.
## Assessment URLs
This assessment URL uses our lockdown API:
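Review bot: The parameter list under step 2 of "Create a link using schema activation" names the print switch two ways: `&enablePrint` in its own bullet and `&enablePrinting` in the combined example `&enablePrinting&enableScreenCapture`. Only one spelling can be the one the app accepts, and since the text says excluded parameters default to disabled, a link built from the wrong one would presumably leave printing off with no error, so settle on the correct name and use it in both places. The sample in step 1, `ms-edu-secureassessment:#enforceLockdown`, shows no position for the assessment URL, and the removed sentence that put the prefix before the URL and the flag after it has no replacement; add a placeholder or restore that sentence. Step 2 also says "append one of these parameters" while the last bullet describes combining them, and the legacy form in the note is written `!enforcelockdown` where the removed lines used `!enforceLockdown`.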
@@ -186,6 +265,4 @@ This assessment URL uses our lockdown API:
[Set up Take a Test on a single PC](take-a-test-single-pc.md)
-[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
-
[Take a Test app technical reference](take-a-test-app-technical.md)
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 52a6636b7d..c7b5339f40 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -1,11 +1,12 @@
---
title: Set up Take a Test on a single PC
description: Learn how to set up and use the Take a Test app on a single PC.
-keywords: shared cart, shared PC, school
+keywords: take a test, test taking, school
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
+localizationpriority: high
author: CelesteDG
---
@@ -14,54 +15,108 @@ author: CelesteDG
- Windows 10
-
-The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
-
-- Take a Test shows just the test and nothing else.
-- Take a Test clears the clipboard.
-- Students aren’t able to go to other websites.
-- Students can’t open or access other apps.
-- Students can't share, print, or record their screens.
-- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
-- Cortana is turned off.
-
-> [!TIP]
-> To exit **Take a Test**, press Ctrl+Alt+Delete.
-
-
-## How to use Take a Test
-
-
-
-- **Use an assessment URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
-- **[Put an assessment URL with an included prefix](#provide-a-link-to-the-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments.
+To configure [Take a Test](take-tests-in-windows-10.md) on a single PC, follow the guidance in this topic.
## Set up a dedicated test account
-1. Sign into the device with an administrator account.
-2. Go to **Settings** > **Accounts** > **Work or school access** > **Set up an account for taking tests**.
-3. Select an existing account to use as the dedicated testing account.
+To configure the assessment URL and a dedicated testing account on a single PC, follow these steps.
- > [!NOTE]
- > If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**.
+1. Sign into the Windows 10 device with an administrator account.
+2. Open the **Settings** app and go to **Accounts > Access work or school**.
+3. Click **Set up an account for taking tests**.
-4. Specify an assessment URL.
-5. Click **Save**.
-6. To take the test, the student signs in to the selected account.
+ **Figure 1** - Use the Settings app to set up a test-taking account
+
+ 
+
+4. In the **Set up an account for taking tests** window, choose an existing account to use as the dedicated testing account.
+
+ **Figure 2** - Choose the test-taking account
+
+ 
+
+ > [!NOTE]
+ > If you don't have an account on the device, you can create a new account. To do this, go to **Settings > Accounts > Other people > Add someone else to this PC > I don’t have this person’s sign-in information > Add a user without a Microsoft account**.
+
+5. In the **Set up an account for taking tests**, enter the assessment URL in the field under **Enter the test's web address**.
+6. Select the options you want to enable during the test.
+ - To enable printing, select **Require printing**.
+
+ > [!NOTE]
+ > Make sure a printer is preconfigured on the Take a Test account if you're enabling this option.
+
+ - To enable teachers to monitor screens, select **Allow screen monitoring**.
+ - To allow text suggestions, select **Allow text suggestions**.
+
+6. Click **Save**.
+7. To take the test, the student must sign in using the test-taking account that you created.
## Provide a link to the test
-
Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments.
-1. Create a link to the assessment URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL.
+**To provide a link to the test**
+
+1. Create the link to the test.
+
+ There are different ways you can do this:
+ - Create a link using a web UI
+
+ For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers.
+
+ To get started, go here: [Create a link using a web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link).
+
+ - Create a link using schema activation
+
+ You can accomplish the same thing as the first option (using a web UI), by manually embedding a URL with a specific prefix. You can select parameters depending on what you want to enable.
+
+ For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation).
+
+2. Distribute the link.
+
+ Once the links are created, you can distribute them through the web, email, OneNote, or any other method of your choosing.
+
+ You can also create shortcuts to distribute the link. For more info, see [Create a shortcut for the test link](#create-a-shortcut-for-the-test-link).
+
+3. To take the test, have the students click on the link and provide user consent.
+
+ > [!NOTE]
+ > If you enabled printing, the printer must be preconfigured for the account before the student takes the test.
+
+
+### Create a link using schema activation
+One of the ways you can present content in a locked down manner is by embedding a URL with a specific prefix. Once users click the URL, devices will be locked down.
+
+**To enable schema activation for assessment URLs**
+
+1. Embed a link or create a desktop shortcut with:
```
- ms-edu-secureassessment:!enforceLockdown
+ ms-edu-secureassessment:#enforceLockdown
```
- > [!NOTE]
- > You may want to remove !enforceLockdown for tests that utilizes our lockdown API that checks for running processes before locking down. Removing !enforceLockdown will result in the app not locking down immediately which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps.
-2. Distribute the link. You can use the web, email, OneNote, or any other method of your choosing.
-3. To take the test, the student clicks on the link and provides user consent.
+2. To enable printing, screen capture, or both, use the above link and append one of these parameters:
+
+ - `&enableTextSuggestions` - Enables text suggestions
+ - `&enablePrint` - Enables printing
+ - `&enableScreenCapture` - Enables screen capture
+ - `&enablePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&enablePrint`, and `&enableScreenCapture` if you want to enable more than one capability.
+
+ If you exclude these parameters, the default behavior is disabled.
+
+ For tests that utilizes the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps.
+
+ > [!NOTE]
+ > The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:!enforcelockdown` is still supported, but not in combination with the new parameters.
+
+
+### Create a shortcut for the test link
+You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
+
+1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
+2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
+3. Click **Next**.
+4. Type a name for the shortcut and then click **Finish**.
+
+Once the shortcut is created, you can copy it and distribute it to students.
## Related topics
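Review bot: The numbered steps added under "Set up a dedicated test account" use 6 twice: "6. Select the options you want to enable during the test." is followed by "6. Click **Save**." and then 7, so Save should be 7 and the sign-in step 8. In the same list, the printing option reads "To enable printing, select **Require printing**"; check that label against the Settings UI, because "require" and "enable" tell the person configuring the test different things. Step 5 says "In the **Set up an account for taking tests**, enter the assessment URL" and is missing the noun "window" that step 4 uses. The schema activation section added here is a copy of the one in the multiple-PCs topic and repeats the `&enablePrint` versus `&enablePrinting` mismatch, so whichever spelling is correct has to be fixed in this file as well.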
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index 6ba8afa38c..361dbff702 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -1,11 +1,12 @@
---
title: Take tests in Windows 10
description: Learn how to set up and use the Take a Test app.
-keywords: shared cart, shared PC, school
+keywords: take a test, test taking, school
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
+localizationpriority: high
author: CelesteDG
---
@@ -15,32 +16,55 @@ author: CelesteDG
- Windows 10
-Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
+Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10 creates the right environment for taking a test:
-- **Take a Test** shows just the test and nothing else.
-- **Take a Test** clears the clipboard.
+- Take a Test shows just the test and nothing else.
+- Take a Test clears the clipboard.
- Students aren’t able to go to other websites.
- Students can’t open or access other apps.
-- Students can't share, print, or record their screens.
+- Students can't share, print, or record their screens unless enabled by the teacher or IT administrator
- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
-
-
## How to use Take a Test
-
+
-- **Use an assessment URL and a dedicated testing account** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
-- **Put an assessment URL with an included prefix on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments.
+There are several ways to configure devices for assessments. You can:
+- **Configure an assessment URL and a dedicated testing account**
-## How to set up Take a Test on PCs
-You can use Take a Test to set up a test for a single PC or multiple PCs. Follow these links to learn how:
-- [Set up Take a Test on a single PC](take-a-test-single-pc.md)
-- [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
+ In this configuration, a user signs into in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
-## Related topics
+ There are different methods to configure the assessment URL and a dedicated testing account depending on whether you're setting up Take a Test on a single PC or multiple PCs.
-[Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md)
+ - **For a single PC**
+
+ You can use the Windows 10 **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md).
-[Take a Test app technical reference](take-a-test-app-technical.md)
+ - **For multiple PCs**
+
+ You can use any of these methods:
+ - Mobile device management (MDM) or Microsoft System Center Configuration Manager
+ - A provisioning package created in Windows Configuration Designer
+ - Group Policy to deploy a scheduled task that runs a Powershell script
+
+ Beginning with Windows 10 Creators Update (version 1703), you can also configure Take a Test using these options:
+ - Set up School PCs app
+ - Intune for Education
+
+ For more info about these methods, see [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md).
+
+- **Distribute the assessment URL through the web, email, OneNote, or any other method of your choosing. You can also create shortcuts to distribute the link**
+
+ This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments.
+
+ You can enable this using a schema activation.
+
+
+## How to exit Take a Test
+To exit the Take a Test app at any time, press Ctrl+Alt+Delete.
+
+
+## Get more info
+- Teachers can use Microsoft Forms to create tests. See [Create tests using Microsoft Forms](https://support.microsoft.com/en-us/help/4000711/windows-10-create-tests-using-microsoft-forms) to find out how.
+- To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
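Review bot: In the first bullet under "How to use Take a Test", the added paragraph reads "a user signs into in to the account"; drop the duplicated preposition so it says "signs in to the account". The second top-level bullet sets two full sentences in bold as its label ("Distribute the assessment URL through the web, email, OneNote ... You can also create shortcuts to distribute the link"), which breaks the parallel with the first bullet; a short bold label with the detail moved into the paragraph below would match. "You can enable this using a schema activation." gives the reader nowhere to go, so link it to the schema activation section in the single-PC or multiple-PCs topic. The edited bullet "Students can't share, print, or record their screens unless enabled by the teacher or IT administrator" lost the closing period its siblings have, and "Powershell" in the multiple-PCs list should be "PowerShell".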
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 211c2913d0..e5ce0def1b 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -1,10 +1,11 @@
---
title: For teachers get Minecraft Education Edition
description: Learn how teachers can get and distribute Minecraft.
-keywords: ["school"]
+keywords: ["school", "minecraft"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
+localizationpriority: high
author: trudyha
---
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index b6303d21a2..d8aae145f6 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -1,11 +1,12 @@
---
title: Use Set up School PCs app
description: Learn how the Set up School PCs app works and how to use it.
-keywords: shared cart, shared PC, school
+keywords: shared cart, shared PC, school, set up school pcs
ms.prod: w10
-ms.mktglfcycl: plan
+ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
+localizationpriority: high
author: CelesteDG
---
@@ -14,131 +15,262 @@ author: CelesteDG
- Windows 10
+IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
-
-Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
-
-[Download the Set up School PCs app from the Windows Store](https://www.microsoft.com/store/apps/9nblggh4ls40)
-
-
+
## What does this app do?
-The Set up School PCs app helps you set up new computers running Windows 10, version 1607. Some benefits of using this app to set up your students' PCs:
-* A computer set up this way is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
- * Places tiles for OneNote, Office 365 web apps, Sway, and Microsoft Classroom on the Start menu
- * Installs OneDrive for cloud-based documents and places it on the Start menu and taskbar
- * Sets Microsoft Edge as the default browser
- * Uninstalls apps not specific to education, such as Solitaire and Sports
- * Turns off Offers and tips
- * Prevents students from adding personal Microsoft accounts to the computer
-* Significantly improves how fast students sign-in.
-* The app connects the PCs to your school’s cloud so IT can manage them (optional).
-* Windows 10 automatically manages accounts no matter how many students use the PC.
-* Keeps computers up-to-date without interfering with class time using Windows Update and maintenance hours (by default, 12 AM).
-* Customizes the sign-in screen to support students with IDs and temporary users.
-* Locks down the computer to prevent mischievous activity:
- * Prevents students from installing apps
- * Prevents students from removing the computer from the school's device management system
+Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically:
+- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant
+- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM.
+- Removes OEM preinstalled software from each student PC
+- Auto-configures and saves a wireless network profile on each student PC
+- Gives a friendly and unique name to each student device for future management
+- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup
+- Enables optional guest account for younger students, lost passwords, or visitors
+- Enables optional secure testing account
+- Locks down the student PC to prevent mischievous activity:
+ * Prevents students from removing the PC from the school's device management system
* Prevents students from removing the Set up School PCs settings
+- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours
+A student PC that's set up using the Set up School PCs provisioning package is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
+ * Customizes the Start layout with Office
+ * Installs OneDrive for cloud-based documents and places it on the Start menu and taskbar
+ * Uninstalls apps not specific to education, such as Solitaire
+ * [Gets the student PC ready for use in an education environment](configure-windows-for-education.md)
+ * Prevents students from adding personal Microsoft accounts to the PC
## Tips for success
-* **Run the app at work**: For the best results, run the **Set up School PCs** app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions.
- > **Note**: Don't use **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open wi-fi networks that require the user to accept Terms of Use.
-* **Apply to new computers**: The setup file that the **Set up School PCs** app creates should be used on new computers that haven't been set up for accounts yet. If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
-> **Warning**: Only use the setup file on computers that you want to configure and lock down for students. After you apply the setup file to a computer, the computer must be reset to remove the settings.
-* **Turn on student PCs and stay on first screen**: The computer must be on this screen when you insert the USB key.
+* **Run the same Windows 10 build on the admin device and the student PCs**
-
+ It's critical that the IT administrator's or technical teacher's device is running the same Windows 10 build (Windows 10, version 1607 or Windows 10, version 1703) as the student PCs that you're provisioning.
+
+ > [!NOTE]
+ > If you're using the Windows 10, version 1607 build of the Set up School PCs app, do not use it to provision student PCs with Windows 10, version 1703 images. Conversely, if you're using the Windows 10, version 1703 build of Set up School PCs, do not use it to provision student PCs with Windows 10, version 1607 images. We recommend using the latest Set up School PCs app (for Windows 10, version 1703) along with Windows 10, version 1703 images on the student PCs that you're provisioning.
+
+* **Run the app at work**
+
+ For the best results, run the Set up School PCs app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions.
+
+ > [!NOTE]
+ > Don't use the **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open Wi-Fi networks that require the user to accept Terms of Use.
+
+* **Network tips**
+ * You cannot use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. You can only connect to an open network, or one with a basic password.
+ * If you need to set up a lot of devices over Wi-Fi, make sure that your network configuration can support it.
+ - We recommend configuring your DHCP so you have a good set of IP addresses available (about 100-200). These IP addresses will expire after a short amount of time (about 30 minutes). This allows you set up many devices simultaneously, and the IP addresses will be freed up quick so you can continue to set up devices without risk of crashing your network.
+
+* **Apply to new student PCs**
+ * The provisioning package that the Set up School PCs app creates should be used on new PCs that haven't been set up for accounts yet. If you apply the provisioning package to a student PC that has already been set up, existing accounts and data might be lost.
+
+ > [!WARNING]
+ > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings.
+
+ * If the PC has already been set up and you want to return to the first-run experience to apply a new package, you can reset the PC to get to a clean state and get it back to the first-run experience and ready to provision again.
+
+ To do this:
+ - Go to **Settings > Update & security > Recovery**. In the **Reset this PC** section of the **Recovery** page, click **Get started**.
+ - Or, hit **Shift** + click **Restart** in the **Power** menu to load the Windows boot user experience. From there, follow these steps:
+ 1. Click **Troubleshoot** and then choose **Reset this PC**.
+ 2. Select **Remove everything**.
+ 3. Select **No - remove provisioning packages**.
+ 4. Select **Only the drive where Windows is installed** (this may not always show up).
+ 5. Click **Just remove my files**.
+ 6. Click **Reset**.
+
+* **Use more than one USB key**
+
+ If you are setting up multiple PCs, you can set them up at the same time. Just save the provisioning package to another USB drive. Create two keys and you can run it on two PCs at once, and so on.
+
+* **Keep it clean**
+
+ We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md).
+
+* **Get more info**
+
+ Learn more about what Set up School PCs does, including provisioning details, in [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).
-If you have gone past this screen, you may have to reset your PC to start over. To reset your PC after you have completed the first run experience, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
-* **Use more than one USB key**: If you are setting up multiple PCs, you can set them up at the same time. Just run the **Set up School PCs** app again and save the same settings to another key. That way you can run set up on more than one PC at once. Create three keys and you can run it on three PCs at once, etc.
-* **Start fresh**: If the PC has already been set up and you want to return to the first-run-experience to apply a new package, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
-* **Keep it clean**: We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md).
## Set up School PCs app step-by-step
What you need:
-- The **Set up School PCs** app, installed on your work computer, connected to your school's network
-- A USB drive, 1 GB or larger
+- The **Set up School PCs** app, installed on your work PC and connected to your school's network.
-### Create the setup file in the app
+ To get started, [download the latest Set up School PCs app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4ls40).
+
+- A USB drive, 1 GB or larger. We recommend an 8 GB or larger USB drive if you're installing Office.
+
+### Create the provisioning package in the app
The **Set up School PCs** app guides you through the configuration choices for the student PCs.
-1. Open the **Set up School PCs** app and select **Start**.
+1. Launch the Set up School PCs app.
- 
-
-2. Choose **No** to require students to sign in only with an account, or choose **Yes** to allow students to use the PC without an account too, and then select **Next**.
+ **Figure 1** - Launch the Set up School PCs app
- 
+ 
-3. Choose a Wi-Fi network from the list and then select **Next**, or choose **Manually connect to a wireless network** to enter the network information yourself.
+2. Click **Get started**.
+3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page:
- 
+ To get the best option for setup and enable student PCs to automatically be connected to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**.
- - For a manual network connection, enter the network name, security type, and password (if required), and then select **Next**.
-
- 
-
-4. Insert a USB drive, select it in the app, and then select **Save**.
+ To complete setup without signing in, click **Skip**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later.
- 
+ If you opt to sign in, follow these steps:
+
+ 1. Choose the account from the list. If you don't see the account, select **Work or school account**, click **Continue**, and enter the account details.
+ 2. Click **Next** once you've specified the account.
+ 3. If you added an account, you may be asked to provide the user account and password. You will get a notification to allow the app to access your account. This will give Set up School PCs permission to access Store for Business, read memberships, sign you in and read your profile, and more.
+ 4. Click **Accept**.
+
+ The account will show up as the account that Set up School PCs will use to connect the school PCs to the cloud.
+
+ **Figure 2** - Verify that the account you selected shows up
+
+ 
+
+ 5. Click **Next**.
+
+4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page:
+ 1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network.
+ 2. Click **Next**.
+
+5. To assign a name to the student PCs, in the **Assign a name to these student PCs** page:
+ 1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client.
+
+ > [!NOTE]
+ > The name must be five (5) characters or less. Set up School PCs automatically appends `_%SERIAL%` to the prefix that you specify. `_%SERIAL%` ensures that all device names are unique.
+
+ For example, if you add *Math4* as the prefix, the device names will be *Math4* followed by a random string of letters and numbers.
+
+ 2. Click **Next**.
+
+6. To specify other settings for the student PC, in the **Configure student PC settings** page:
+ - Select **Remove apps pre-installed by the device manufacturer** to install only the base Windows image.
+
+ > [!NOTE]
+ > If you select this option, the provisioning process will take longer (about 30 minutes).
+
+ - Select **Allow local storage (not recommended for shared devices)** to let students save files to the **Desktop** and **Documents** folder on the student PC. We don't recommend this option if the device will be part of a shared cart or lab.
+ - Select **Optimize device for a single student, instead of a shared cart or lab** to optimize the device for use by a single student (1:1).
+ - Check this option if the device will not be part of a shared cart or lab.
+ - Set up School PCs will change some account management logic so that it sets the expiration time for an account to 180 days (without requiring sign-in).
+ - This setting also increases the maximum storage to 100% of the available disk space. This prevents the student's account from being erased if the student stores a lot of files or data, or if the student doesn't use the PC over a prolonged period.
+
+ - Select **Let guests sign-in to these PCs** to allow guests to use student PCs without a school account. For example, if the device will be in a library and you want other users (like visiting students or teachers) to be able to use the device, you can select this option.
+
+ If you select this option, this adds a **Guest** account button in the PC's sign-in screen to allow anyone to use the PC.
+
+ - To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background.
+
+ **Figure 3** - Configure student PC settings
+
+ 
+
+ When you're doing configuring the student PC settings, click **Next**.
+
+7. If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page.
+ 1. Enter the assessment URL.
+ 2. Check the options whether to allow keyboard text suggestions to appear and to allow teachers to monitor online tests.
+
+ If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test.
+
+ **Figure 4** - Configure the Take a Test app
+
+ 
+
+ 3. Click **Next** or **Skip** depending on whether you want to set up Take a Test.
+
+
+
+8. In the **Review package summary** page, make sure that all the settings you configured appear correctly.
+ 1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes.
+
+ **Figure 5** - Review your settings and change them as needed
+
+ 
+
+ 2. Click **Accept**.
+
+9. In the **Insert a USB drive now** page:
+ 1. Insert a USB drive to save your settings and create a provisioning package on the USB drive.
+ 2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list.
+ 3. Click **Save** to save the provisioning package to the USB drive.
+
+ **Figure 6** - Select the USB drive and save the provisioning package
+
+ 
+
+10. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
+
+ **Figure 7** - Provisioning package is ready
+
+ 
+
+12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs.
+
+ **Figure 8** - Line up the student PCs and get them ready for setup
+
+ 
+
+13. Click **Next**.
+14. In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs.
+
+ Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package.
+
+ **Figure 9** - Install the provisioning package on the student PCs
+
+ 
+### Apply the provisioning package to the student PCs
-### Apply the setup file to PCs
+The provisioning package on your USB drive is named `Set up School PCs.ppkg`. A provisioning package is a method for applying settings to Windows 10 without needing to reimage the device. When Windows 10 refers to *package*, it means your provisioning package, and when it refers to *provisioning*, it means applying the provisioning package to the student PC.
-The setup file on your USB drive is named `SetupSchoolPCs.ppkg`, which is a provisioning package. A provisioning package is a method for applying settings to Windows 10. When Windows 10 refers to *package*, it means your setup file, and when it refers to *provisioning*, it means applying the setup file to the computer.
+> [!NOTE]
+> The student PC must contain a new or reset image and the PC must not already have been through first-run setup (OOBE).
-1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+**To set up the student PC using the Set up School PCs provisioning package**
- 
+1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 Creators Update (version 1703), this first-run setup screen says **Let's start with region. Is this right?**.
-2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+ If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
- 
+ **Figure 10** - The first screen during first-run setup in Windows 10 Creators Update (version 1703)
-3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+ 
- 
-
-4. Select `SetupSchoolPCs.ppkg` and tap **Next**.
+2. Insert the USB drive. Windows will recognize the drive and automatically install the provisioning package.
- 
+ **Figure 11** - Windows automatically detects the provisioning package and installs it
-5. Select **Yes, add it**.
+ 
- 
-
-6. Read and accept the Microsoft Software License Terms.
+3. You can remove the USB drive when you see the message that you can remove the removable media. You can then use the USB drive to start provisioning another student PC.
- 
-
-7. Select **Use Express settings**.
+ **Figure 12** - Remove the USB drive when you see the message that the media can be removed
- 
+ 
+
+4. If you set up the package to do Azure AD Join, that's it! You're done, and the PC is now ready for students to use.
-8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
+ If you did not set up the package to do Azure AD Join, go through the rest of the Windows device setup experience.
- 
+## Related topics
-9. On the **Choose how you'll connect** screen, select **Join Azure AD** and tap **Next**.
-
- 
-
-10. Your last step is to sign in. Use your Azure AD or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
-
- 
-
-
-That's it! Sign out and the computer is now ready for students.
-
-## Learn more
-
-See [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) for prerequisites and provisioning details.
+[Set up Windows devices for education](set-up-windows-10.md)
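Review bot: The numbered steps under "Create the provisioning package in the app" jump from 10 to 12, so step 11 is missing and steps 12 to 14 are off by one; renumber them, or restore the step if one was dropped. Three added sentences also need a wording fix: "When you're doing configuring the student PC settings" should read "done configuring", "you can on the sections to go back to that page" is missing its verb, and the note "Don't use the **Set up Schools PCs** app" misspells the app name used everywhere else in the hunk. In step 5 the note says the app appends `_%SERIAL%` to the prefix, while the example says the name is *Math4* "followed by a random string of letters and numbers"; make the two agree so admins know which device names to expect in their management client.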
diff --git a/education/windows/windows-10-pro-to-pro-edu-upgrade.md b/education/windows/windows-10-pro-to-pro-edu-upgrade.md
index cb88389ec9..0e2befd5c6 100644
--- a/education/windows/windows-10-pro-to-pro-edu-upgrade.md
+++ b/education/windows/windows-10-pro-to-pro-edu-upgrade.md
@@ -1,30 +1,32 @@
---
-title: Windows 10 Pro to Pro Education upgrade
-description: Describes how IT Pros can opt into a Windows 10 Pro Education upgrade from the Windows Store for Business.
+title: Switch Windows 10 Pro to Pro Education
+description: Describes how IT Pros can opt into switching from Windows 10 Pro to Windows 10 Pro Education from the Windows Store for Business.
+keywords: switch, Pro to Pro Education, education customers
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
+localizationpriority: high
author: CelesteDG
---
-# Upgrade Windows 10 Pro to Pro Education from Windows Store for Business
+# Switch Windows 10 Pro to Pro Education from Windows Store for Business
Windows 10 Pro Education is a new offering in Windows 10 Anniversary Update (Windows 10, version 1607). This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings.
-If you have an education tenant and use Windows 10 Pro in your schools now, global administrators can opt-in to a free upgrade to Windows 10 Pro Education through the Windows Store for Business. To take advantage of this offering, make sure you meet the [requirements for upgrade](#requirements-for-upgrade).
+If you have an education tenant and use Windows 10 Pro in your schools now, global administrators can opt-in to a free switch to Windows 10 Pro Education through the Windows Store for Business. To take advantage of this offering, make sure you meet the [requirements for switching](#requirements-for-switching).
Starting with Windows 10, version 1607, academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Education—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Pro Education license, the operating system turns from Windows 10 Pro to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. When a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro.
Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have a Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features.
-When you upgrade to Windows 10 Pro Education, you get the following benefits:
+When you switch to Windows 10 Pro Education, you get the following benefits:
- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB).
- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have.
-- **Roll back to Windows 10 Pro at any time**. When a user leaves the domain or you turn off the setting to automatic upgrade to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days).
+- **Roll back to Windows 10 Pro at any time**. When a user leaves the domain or you turn off the setting to automatic switch to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days).
-In summary, the Windows 10 Pro Education free upgrade through the Windows Store for Business is an upgrade offering that provides organizations easier, more flexible access to the benefits of Windows 10 Pro Education edition.
+In summary, the Windows 10 Pro Education free switch through the Windows Store for Business is an offering that provides organizations easier, more flexible access to the benefits of Windows 10 Pro Education edition.
## Compare Windows 10 Pro and Pro Education editions
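Review bot: In the "Roll back to Windows 10 Pro at any time" bullet, the replacement produced "turn off the setting to automatic switch to Windows 10 Pro Education", which no longer parses; "the setting to automatically switch" is what is meant. The same bullet keeps "reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days)", so only the one phrase needs touching.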
@@ -35,9 +37,9 @@ In Windows 10, version 1607, the Windows 10 Pro Education edition contains the
See [Windows 10 editions for education customers](windows-editions-for-education-customers.md) for more info about Windows 10 Pro Education and you can also [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10.
-## Requirements for upgrade
+## Requirements for switching
-Before you upgrade from Windows 10 Pro to Windows 10 Pro Education, make sure you meet these requirements:
+Before you switch from Windows 10 Pro to Windows 10 Pro Education, make sure you meet these requirements:
- Devices must be:
- Running Windows 10 Pro, version 1607
- Must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices).
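Review bot: Renaming the heading to "Requirements for switching" changes its anchor from #requirements-for-upgrade to #requirements-for-switching. The in-file link in the introduction is updated in the first hunk of this file, but links from other topics are not visible here, so search the repo for the old anchor before merging.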
@@ -47,59 +49,59 @@ Before you upgrade from Windows 10 Pro to Windows 10 Pro Education, make sure yo
- The Azure AD tenant must be recognized as an education approved tenant.
- You must have a Windows Store for Business account.
-## Upgrade from Windows 10 Pro to Windows 10 Pro Education
-Once you enable the setting to upgrade Windows 10 Pro to Windows 10 Pro Education, the upgrade will begin only after a user signs in to their device. The setting applies to the entire organization so you cannot select which users will receive the upgrade.
+## Switch from Windows 10 Pro to Windows 10 Pro Education
+Once you enable the setting to switch Windows 10 Pro to Windows 10 Pro Education, the switch will begin only after a user signs in to their device. The setting applies to the entire organization so you cannot select which users will receive the switch.
-**To turn on the automatic upgrade from Windows 10 Pro to Windows 10 Pro Education**
+**To turn on the automatic switch from Windows 10 Pro to Windows 10 Pro Education**
1. Sign in to [Windows Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your work or school account.
If this is the first time you're signing into the Store, you'll be prompted to accept the Windows Store for Business Terms of Use.
2. Go to **Manage > Account information**.
3. In the **Account information** page, look for the **Automatic Windows 10 Pro Education upgrade** section and follow the link.
- You will see the following page informing you that your school is eligible for a free automatic upgrade from Windows 10 Pro to Windows 10 Pro Education.
+ You will see the following page informing you that your school is eligible for a free automatic switch from Windows 10 Pro to Windows 10 Pro Education.
- 
+ 
- **Figure 1** - Upgrade Windows 10 Pro to Windows 10 Pro Education
+ **Figure 1** - Switch Windows 10 Pro to Windows 10 Pro Education
4. Select **I understand enabling this setting will impact all devices running Windows 10 Pro in my organization**.
-5. Click **Send me email with a link to enable this upgrade** to receive an email with a link to the upgrade.
+5. Click **Send me email with a link to enable this upgrade** to receive an email with a link to the switch.
- 
+ 
- **Figure 2** - Email notification with a link to enable the upgrade
+ **Figure 2** - Email notification with a link to enable the switch
-6. Click **Enable the automatic upgrade now** to turn on automatic upgrades.
+6. Click **Enable the automatic upgrade now** to turn on automatic switches.
- .
+ .
- **Figure 3** - Enable the automatic upgrade
+ **Figure 3** - Enable the automatic switch
- Enabling the automatic upgrade also triggers an email message notifying all global administrators in your organization about the upgrade. It also contains a link that enables any global administrators to cancel the upgrade, if they choose. For more info about rolling back or canceling the upgrade, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro).
+ Enabling the automatic switch also triggers an email message notifying all global administrators in your organization about the switch. It also contains a link that enables any global administrators to cancel the switch, if they choose. For more info about rolling back or canceling the switch, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro).
- .
+ .
**Figure 4** - Notification email sent to all global administrators
7. Click **Close** in the **Success** page.
- In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see a message informing you when the upgrade was enabled and the name of the admin who enabled the upgrade.
+ In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see a message informing you when the switch was enabled and the name of the admin who enabled the switch.
- 
+ 
- **Figure 5** - Details about the automatic upgrade
+ **Figure 5** - Details about the automatic switch
-## Explore the upgrade experience
+## Explore the switch experience
-So what will the users experience? How will they upgrade their devices?
+So what will the users experience? How will they switch their devices?
### For existing Azure AD domain joined devices
-Existing Azure AD domain joined devices will be upgraded from Windows 10 Pro to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed.
+Existing Azure AD domain joined devices will be switched from Windows 10 Pro to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed.
### For new devices that are not Azure AD domain joined
-Now that you've turned on the setting to automatically upgrade Windows 10 Pro to Windows 10 Pro Education, the users are ready to upgrade their devices running Windows 10 Pro, version 1607 edition to Windows 10 Pro Education edition.
+Now that you've turned on the setting to automatically switch Windows 10 Pro to Windows 10 Pro Education, the users are ready to switch their devices running Windows 10 Pro, version 1607 edition to Windows 10 Pro Education edition.
#### Step 1: Join users’ devices to Azure AD
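Review bot: The image alt text is only partly updated: the eligibility image now says "switch", but the alt text for Figures 2, 3 and 5 still says "upgrade" ("Email notification with a link to enable the upgrade", "Enable the automatic upgrade", "Details about the automatic upgrade") while their captions now say "switch". Align the alt text with the captions. The bold UI labels such as **Enable the automatic upgrade now** are left as "upgrade", which is correct if the Store still shows those strings, but "Click **Enable the automatic upgrade now** to turn on automatic switches" then reads oddly; a one-line remark that the Store UI still uses "upgrade" would help. Every image path in this hunk is also renamed, so confirm the new files are part of the same change.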
@@ -171,23 +173,23 @@ If there are any problems with the Windows 10 Pro Education license or the acti
## Troubleshoot the user experience
-In some instances, users may experience problems with the Windows 10 Pro Education upgrade. The most common problems that users may experience are as follows:
+In some instances, users may experience problems with the Windows 10 Pro Education switch. The most common problems that users may experience are as follows:
- The existing Windows 10 Pro, version 1607 operating system is not activated.
-- The Windows 10 Pro Education upgrade has lapsed or has been removed.
+- The Windows 10 Pro Education switch has lapsed or has been removed.
Use the following figures to help you troubleshoot when users experience these common problems:
-**Figure 13** - Illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Pro Education upgrade is active.
+**Figure 13** - Illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Pro Education switch is active.
-**Figure 14** - Illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Pro Education upgrade is active.
+**Figure 14** - Illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Pro Education switch is active.
@@ -209,30 +211,30 @@ Devices must be running Windows 10 Pro, version 1607, and be Azure Active Direct
A popup window will display the Windows 10 version number and detailed OS build information.
- If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license.
+ If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be switched to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license.
## Roll back Windows 10 Pro Education to Windows 10 Pro
-If your organization has the Windows 10 Pro to Windows 10 Pro Education upgrade enabled, and you decide to roll back to Windows 10 Pro or to cancel the upgrade, you can do this by:
-- Logging into Windows Store for Business page and turning off the automatic upgrade.
-- Selecting the link to turn off the automatic upgrade from the notification email sent to all global administrators.
+If your organization has the Windows 10 Pro to Windows 10 Pro Education switch enabled, and you decide to roll back to Windows 10 Pro or to cancel the switch, you can do this by:
+- Logging into Windows Store for Business page and turning off the automatic switch.
+- Selecting the link to turn off the automatic switch from the notification email sent to all global administrators.
-Once the automatic upgrade to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were upgraded will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was upgraded may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that an upgrade was enabled and then turned off will never see their device change from Windows 10 Pro.
+Once the automatic switch to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were switched will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was switched may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that an switch was enabled and then turned off will never see their device change from Windows 10 Pro.
**To roll back Windows 10 Pro Education to Windows 10 Pro**
-1. Log in to [Windows Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic upgrade.
+1. Log in to [Windows Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic switch.
2. Select **Manage > Account information** and locate the section **Automatic Windows 10 Pro Education upgrade** and follow the link.
3. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, select **Turn off the automatic upgrade to Windows 10 Pro Education**.
- 
+ 
- **Figure 15** - Link to turn off the automatic upgrade
+ **Figure 15** - Link to turn off the automatic switch
-4. You will be asked if you're sure that you want to turn off automatic upgrades to Windows 10 Pro Education. Click **Yes**.
+4. You will be asked if you're sure that you want to turn off automatic switches to Windows 10 Pro Education. Click **Yes**.
5. Click **Close** in the **Success** page.
-6. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see information on when the upgrade was disabled.
+6. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see information on when the switch was disabled.
- If you decide later that you want to turn on automatic upgrades again, you can do this from the **Upgrade Windows 10 Pro to Windows 10 Pro Education**.
+ If you decide later that you want to turn on automatic switches again, you can do this from the **Upgrade Windows 10 Pro to Windows 10 Pro Education**.
## Preparing for deployment of Windows 10 Pro Education licenses
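Review bot: The rollback paragraph now contains "during the time that an switch was enabled"; the article should be "a". The last added line also ends "you can do this from the **Upgrade Windows 10 Pro to Windows 10 Pro Education**." with no noun after the bold page name; add "page", as steps 3 and 6 do. "automatic switches" in step 4 and in that last line would read better as "the automatic switch", matching the procedure title.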
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
index ed22802caa..99a438e0b9 100644
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
+localizationpriority: high
author: CelesteDG
---
@@ -14,9 +15,10 @@ author: CelesteDG
- Windows 10
+
Windows 10 Anniversary Update (Windows 10, version 1607) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](https://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620).
-Windows 10, version 1607 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information about Windows 10, version 1607 on [windows.com](http://www.windows.com/).
+Windows 10, version 1607 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Configuration Designer](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information about Windows 10, version 1607 on [windows.com](http://www.windows.com/).
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
@@ -24,7 +26,11 @@ Windows 10, version 1607 introduces two editions designed for the unique needs o
Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings, including the removal of Cortana1. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
-Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future).
+> [!NOTE]
+> If using Windows 10 Pro Education or Windows 10 Education, upgrading from Windows 10, version 1607 (Anniversary Update) to Windows 10, version 1703 (Creators Update) will enable Cortana. You can use the **AllowCortana** policy to turn it off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
+
+
+Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 or newer versions that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future).
Existing devices running Windows 10 Pro, currently activated with the original OEM digital product key and purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future), will upgrade automatically to Windows 10 Pro Education as part of the Windows 10, version 1607 installation.
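Review bot: the added NOTE says upgrading to version 1703 enables Cortana, but the unchanged paragraph directly above it still lists "the removal of Cortana" as a default with no version qualifier. Qualify that sentence to version 1607, or an administrator reading only the paragraph will assume the setting survives the upgrade. The note also names the **AllowCortana** policy without saying where it is set; a few words on that would save a click.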
@@ -36,13 +42,18 @@ Customers that deploy Windows 10 Pro are able to configure the product to have s
Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings, including the removal of Cortana1. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
-Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you do not have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628).
+> [!NOTE]
+> If using Windows 10 Pro Education or Windows 10 Education, upgrading from Windows 10, version 1607 (Anniversary Update) to Windows 10, version 1703 (Creators Update) will enable Cortana. You can use the **AllowCortana** policy to turn it off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
+
+
+Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 or newer versions through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you do not have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628).
Customers that deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us).
## Related topics
+* [Switch Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
* [Windows deployment for education](http://aka.ms/edudeploy)
* [Windows 10 upgrade paths](https://go.microsoft.com/fwlink/?LinkId=822787)
* [Volume Activation for Windows 10](https://go.microsoft.com/fwlink/?LinkId=822788)
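Review bot: the NOTE added under Windows 10 Education is a verbatim copy of the one added under Windows 10 Pro Education in the previous hunk, and each is followed by two empty `+` lines. Since the text already names both editions, state it once near the top of the topic or pull it from a shared include, so the two copies cannot drift apart on a later edit.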
diff --git a/images/contribute-link.png b/images/contribute-link.png
index 6b17e6dd56..4cf685e54e 100644
Binary files a/images/contribute-link.png and b/images/contribute-link.png differ
diff --git a/images/preview-changes.png b/images/preview-changes.png
index f98b2c6443..cb4ecab594 100644
Binary files a/images/preview-changes.png and b/images/preview-changes.png differ
diff --git a/mdop/agpm/choosing-which-version-of-agpm-to-install.md b/mdop/agpm/choosing-which-version-of-agpm-to-install.md
index e79ec15b6e..a3062b6238 100644
--- a/mdop/agpm/choosing-which-version-of-agpm-to-install.md
+++ b/mdop/agpm/choosing-which-version-of-agpm-to-install.md
@@ -50,31 +50,37 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and
Supported
+
Windows Server 2012 R2
+
Windows 10
+
Supported with the caveats outlined in [KB 4015786](https://support.microsoft.com/en-us/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv)
+
+
+
Windows Server 2012 R2 or Windows 8.1
Windows Server 2012 R2 or Windows 8.1
Supported
-
+
Windows Server 2012 R2, Windows Server 2012, or Windows 8.1
Windows Server 2012 or Windows 8.1
Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1
-
+
Windows Server 2008 R2 or Windows 7
Windows Server 2008 R2 or Windows 7
Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1
-
+
Windows Server 2012, Windows Server 2008 R2, or Windows 7
Windows Server 2008 or Windows Vista with Service Pack 1 (SP1)
Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7
-
+
Windows Server 2008 or Windows Vista with SP1
Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7
Not supported
-
+
Windows Server 2008 or Windows Vista with SP1
Windows Server 2008 or Windows Vista with SP1
Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
index 4dba1a2a53..20edf8efe4 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
@@ -85,7 +85,7 @@ Before you deploy Office by using App-V, review the following requirements.
All of the Office applications that you want to deploy to users must be in a single package.
In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.
-
If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office).
+
If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project).
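Review bot: the link target changes to `#bkmk-deploy-visio-project`, but the hunk does not show where that anchor is defined. Confirm the target section in this file carries that id, otherwise the link drops the reader at the top of the page. The same change is made in the App-V 5.1 copy of this topic and needs the same check.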
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
index bd506092d0..dbad00b772 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
@@ -85,7 +85,7 @@ Before you deploy Office by using App-V, review the following requirements.
All of the Office applications that you want to deploy to users must be in a single package.
In App-V 5.1 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.
-
If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office).
+
If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project).
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md b/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md
deleted file mode 100644
index 27edd9b8c5..0000000000
--- a/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md
+++ /dev/null
@@ -1,274 +0,0 @@
----
-title: How to Deploy the App-V 5.1 Server
-description: How to Deploy the App-V 5.1 Server
-author: jamiejdt
-ms.assetid: 4729beda-b98f-481b-ae74-ad71c59b1d69
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.prod: w10
----
-
-
-# How to Deploy the App-V 5.1 Server
-
-
-Use the following procedure to install the Microsoft Application Virtualization (App-V) 5.1 server. For information about deploying the App-V 5.1 Server, see [About App-V 5.1](about-app-v-51.md#bkmk-migrate-to-51).
-
-**Before you start:**
-
-- Ensure that you’ve installed prerequisite software. See [App-V 5.1 Prerequisites](app-v-51-prerequisites.md).
-
-- Review the server section of [App-V 5.1 Security Considerations](app-v-51-security-considerations.md).
-
-- Specify a port where each component will be hosted.
-
-- Add firewall rules to allow incoming requests to access the specified ports.
-
-- If you use SQL scripts, instead of the Windows Installer, to set up the Management database or Reporting database, you must run the SQL scripts before installing the Management Server or Reporting Server. See [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md).
-
-**To install the App-V 5.1 server**
-
-1. Copy the App-V 5.1 server installation files to the computer on which you want to install it.
-
-2. Start the App-V 5.1 server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**.
-
-3. Review and accept the license terms, and choose whether to enable Microsoft updates.
-
-4. On the **Feature Selection** page, select all of the following components.
-
-
-
-
-
-
-
-
-
Component
-
Description
-
-
-
-
-
Management server
-
Provides overall management functionality for the App-V infrastructure.
-
-
-
Management database
-
Facilitates database predeployments for App-V management.
-
-
-
Publishing server
-
Provides hosting and streaming functionality for virtual applications.
-
-
-
Reporting server
-
Provides App-V 5.1 reporting services.
-
-
-
Reporting database
-
Facilitates database predeployments for App-V reporting.
-
-
-
-
-
-
-5. On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line.
-
-6. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below.
-
-
-
-
-
-
-
-
-
Method
-
What you need to do
-
-
-
-
-
You are using a custom Microsoft SQL Server instance.
-
Select Use the custom instance, and type the name of the instance.
-
Use the format INSTANCENAME. The assumed installation location is the local computer.
-
Not supported: A server name using the format ServerName\INSTANCE.
-
-
-
You are using a custom database name.
-
Select Custom configuration and type the database name.
-
The database name must be unique, or the installation will fail.
-
-
-
-
-
-
-7. On the **Configure** page, accept the default value **Use this local computer**.
-
- **Note**
- If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed.
-
-
-
-8. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below.
-
-
-
-
-
-
-
-
-
Method
-
What you need to do
-
-
-
-
-
You are using a custom Microsoft SQL Server instance.
-
Select Use the custom instance, and type the name of the instance.
-
Use the format INSTANCENAME. The assumed installation location is the local computer.
-
Not supported: A server name using the format ServerName\INSTANCE.
-
-
-
You are using a custom database name.
-
Select Custom configuration and type the database name.
-
The database name must be unique, or the installation will fail.
-
-
-
-
-
-
-9. On the **Configure** page, accept the default value: **Use this local computer**.
-
- **Note**
- If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed.
-
-
-
-10. On the **Configure** (Management Server Configuration) page, specify the following:
-
-
-
-
-
-
-
-
-
Item to configure
-
Description and examples
-
-
-
-
-
Type the AD group with sufficient permissions to manage the App-V environment.
-
Example: MyDomain\MyUser
-
After installation, you can add additional users or groups by using the Management console. However, global security groups and Active Directory Domain Services (AD DS) distribution groups are not supported. You must use Domain local or Universal groups are required to perform this action.
-
-
-
Website name: Specify the custom name that will be used to run the publishing service.
-
If you do not have a custom name, do not make any changes.
-
-
-
Port binding: Specify a unique port number that will be used by App-V.
-
Example: 12345
-
Ensure that the port specified is not being used by another website.
-
-
-
-
-
-
-11. On the **Configure** **Publishing Server Configuration** page, specify the following:
-
-
-
-
-
-
-
-
-
Item to configure
-
Description and examples
-
-
-
-
-
Specify the URL for the management service.
-
Example: http://localhost:12345
-
-
-
Website name: Specify the custom name that will be used to run the publishing service.
-
If you do not have a custom name, do not make any changes.
-
-
-
Port binding: Specify a unique port number that will be used by App-V.
-
Example: 54321
-
Ensure that the port specified is not being used by another website.
-
-
-
-
-
-
-12. On the **Reporting Server** page, specify the following:
-
-
-
-
-
-
-
-
-
Item to configure
-
Description and examples
-
-
-
-
-
Website name: Specify the custom name that will be used to run the Reporting Service.
-
If you do not have a custom name, do not make any changes.
-
-
-
Port binding: Specify a unique port number that will be used by App-V.
-
Example: 55555
-
Ensure that the port specified is not being used by another website.
-
-
-
-
-
-
-13. To start the installation, click **Install** on the **Ready** page, and then click **Close** on the **Finished** page.
-
-14. To verify that the setup completed successfully, open a web browser, and type the following URL:
-
- **http://<Management server machine name>:<Management service port number>/Console.html**.
-
- Example: **http://localhost:12345/console.html**. If the installation succeeded, the App-V Management console is displayed with no errors.
-
- **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
-
-## Related topics
-
-
-[Deploying App-V 5.1](deploying-app-v-51.md)
-
-[How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md)
-
-[How to Install the Publishing Server on a Remote Computer](how-to-install-the-publishing-server-on-a-remote-computer51.md)
-
-[How to Deploy the App-V 5.1 Server Using a Script](how-to-deploy-the-app-v-51-server-using-a-script.md)
-
-
-
-
-
-
-
-
-
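Review bot: `how-to-deploy-the-app-v-51-server.1.md` is deleted with no redirect or link update visible in this patch. The `.1` suffix suggests a duplicate, so confirm that the surviving topic exists and that no other page or table of contents entry still points at this file name.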
diff --git a/mdop/appv-v5/index.md b/mdop/appv-v5/index.md
index 32649ad47e..b481245f67 100644
--- a/mdop/appv-v5/index.md
+++ b/mdop/appv-v5/index.md
@@ -41,7 +41,7 @@ View updated product information and known issues for App-V 5.0.
Learn about the latest MDOP information and resources.
[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
-Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com%29 or learn about updates by following us on [Facebook]%28https://go.microsoft.com/fwlink/p/?LinkId=242445%29 or [Twitter]%28https://go.microsoft.com/fwlink/p/?LinkId=242447).
+Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
## Got a suggestion for App-V?
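Review bot: this "Find documentation, videos, and other resources" paragraph is corrected by hand here and again in the dart-v10, dart-v7, dart-v8, mbam-v1, mbam-v2 and mbam-v25 index files in the same patch. Moving it to a shared include would keep the links from breaking seven times again; at minimum, search the repository for remaining `%28` and `%29` inside link syntax before merging.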
diff --git a/mdop/breadcrumb/toc.yml b/mdop/breadcrumb/toc.yml
new file mode 100644
index 0000000000..904b8033a1
--- /dev/null
+++ b/mdop/breadcrumb/toc.yml
@@ -0,0 +1,7 @@
+- name: Docs
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Microsoft Desktop Optimization Pack
+ tocHref: /microsoft-desktop-optimization-pack
+ topicHref: /microsoft-desktop-optimization-pack/index
\ No newline at end of file
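Review bot: the new `toc.yml` ends without a trailing newline, as the "\ No newline at end of file" marker shows. Add one so later appends to the file produce clean one-line diffs.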
diff --git a/mdop/dart-v10/index.md b/mdop/dart-v10/index.md
index 403e85d410..cb6a5f3b9e 100644
--- a/mdop/dart-v10/index.md
+++ b/mdop/dart-v10/index.md
@@ -49,7 +49,7 @@ View updated product information and known issues for DaRT 10.
Learn about the latest MDOP information and resources.
[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
-Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com%29 or learn about updates by following us on [Facebook]%28https://go.microsoft.com/fwlink/p/?LinkId=242445%29 or [Twitter]%28https://go.microsoft.com/fwlink/p/?LinkId=242447).
+Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
diff --git a/mdop/dart-v65.md b/mdop/dart-v65.md
index 335e945881..02c3b02f9b 100644
--- a/mdop/dart-v65.md
+++ b/mdop/dart-v65.md
@@ -2,6 +2,10 @@
title: Diagnostics and Recovery Toolset 6.5
description: Diagnostics and Recovery Toolset 6.5
author: jamiejdt
+ms.pagetype: mdop
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.prod: w10
---
# Diagnostics and Recovery Toolset 6.5
diff --git a/mdop/dart-v7/index.md b/mdop/dart-v7/index.md
index 4a73455bd5..b65a749ad2 100644
--- a/mdop/dart-v7/index.md
+++ b/mdop/dart-v7/index.md
@@ -46,7 +46,7 @@ View updated product information and known issues for DaRT 7.
Learn about the latest MDOP information and resources.
[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
-Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com%29 or learn about updates by following us on [Facebook]%28https://go.microsoft.com/fwlink/p/?LinkId=242445%29 or [Twitter]%28https://go.microsoft.com/fwlink/p/?LinkId=242447).
+Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
diff --git a/mdop/dart-v8/index.md b/mdop/dart-v8/index.md
index aa7739f75f..f521934a32 100644
--- a/mdop/dart-v8/index.md
+++ b/mdop/dart-v8/index.md
@@ -53,7 +53,7 @@ View updated product information and known issues for DaRT 8.0.
Learn about the latest MDOP information and resources.
[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
-Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com%29 or learn about updates by following us on [Facebook]%28https://go.microsoft.com/fwlink/p/?LinkId=242445%29 or [Twitter]%28https://go.microsoft.com/fwlink/p/?LinkId=242447).
+Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
diff --git a/mdop/docfx.json b/mdop/docfx.json
index 85c859a765..5b4039884d 100644
--- a/mdop/docfx.json
+++ b/mdop/docfx.json
@@ -3,7 +3,7 @@
"content":
[
{
- "files": ["**/**.md"],
+ "files": ["**/**.md", "**/**.yml"],
"exclude": ["**/obj/**"]
}
],
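Review bot: adding `"**/**.yml"` to `files` pulls every YAML file under `mdop/` into the build, while the only YAML file this patch adds is `breadcrumb/toc.yml`. If that is the only file intended, narrow the pattern to it so unrelated YAML files are not published by accident.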
@@ -14,7 +14,13 @@
}
],
"globalMetadata": {
- "ROBOTS": "INDEX, FOLLOW"
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/microsoft-desktop-optimization-pack/breadcrumb/toc.json",
+ "ROBOTS": "INDEX, FOLLOW",
+ "ms.technology": "mdop",
+ "ms.sitesec": "library",
+ "ms.topic": "article",
+ "ms.author": "jamiet"
},
"externalReference": [
],
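Review bot: `breadcrumb_path` points at `/microsoft-desktop-optimization-pack/breadcrumb/toc.json`, but the file added in this patch is `breadcrumb/toc.yml`; confirm the build emits the `.json` form at that path. `"ms.sitesec": "library"` is now set globally here and also added per file in `dart-v65.md` and `mdop/index.md`, so one of the two is redundant. `"ms.author": "jamiet"` also differs from the `author: jamiejdt` value in the topic front matter; check that both identifiers are intended.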
diff --git a/mdop/index.md b/mdop/index.md
index 0863054ac2..2453bf950e 100644
--- a/mdop/index.md
+++ b/mdop/index.md
@@ -3,6 +3,10 @@ title: MDOP Information Experience
description: MDOP Information Experience
ms.assetid: 12b8ab56-3267-450d-bb22-1c7e44cb8e52
author: jamiejdt
+ms.pagetype: mdop
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.prod: w10
---
# MDOP Information Experience
diff --git a/mdop/mbam-v1/index.md b/mdop/mbam-v1/index.md
index e1d4cafd4f..69f6a9bb70 100644
--- a/mdop/mbam-v1/index.md
+++ b/mdop/mbam-v1/index.md
@@ -42,7 +42,7 @@ View updated product information and known issues for MBAM 1.0.
Learn about the latest MDOP information and resources.
[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
-Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com%29 or learn about updates by following us on [Facebook]%28https://go.microsoft.com/fwlink/p/?LinkId=242445%29 or [Twitter]%28https://go.microsoft.com/fwlink/p/?LinkId=242447).
+Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
diff --git a/mdop/mbam-v2/index.md b/mdop/mbam-v2/index.md
index 6bb7ed3791..3da1392117 100644
--- a/mdop/mbam-v2/index.md
+++ b/mdop/mbam-v2/index.md
@@ -45,7 +45,7 @@ Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 provides a simpl
- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
- Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com%29 or learn about updates by following us on [Facebook]%28https://go.microsoft.com/fwlink/p/?LinkId=242445%29 or [Twitter]%28https://go.microsoft.com/fwlink/p/?LinkId=242447).
+ Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
diff --git a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md
index 9c4d42d879..8991e9e68f 100644
--- a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md
+++ b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md
@@ -22,7 +22,8 @@ MDOP Group Policy templates are available for download in a self-extracting, com
**How to download and deploy the MDOP Group Policy templates**
-1. Download the MDOP Group Policy templates from [How to Get MDOP Group Policy (.admx) Templates](https://go.microsoft.com/fwlink/p/?LinkId=393941) .
+1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates
+](https://www.microsoft.com/en-us/download/details.aspx?id=54957).
2. Run the downloaded file to extract the template folders.
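Review bot: the replacement link in step 1 is split across two lines, with the line break falling between the link text and `](https://www.microsoft.com/en-us/download/details.aspx?id=54957)`. Put the link text and URL on one line so the link renders reliably and the numbered step is not interrupted.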
diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
index d95b1e0364..30cbb3e856 100644
--- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
+++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
@@ -43,7 +43,10 @@ This topic explains how to enable BitLocker on an end user's computer by using M
- Optionally encrypt FDDs
- - Escrow TPM OwnerAuth, even on Windows 8 or higher (MBAM still must own the TPM on Windows 7 for escrow to occur)
+ - Escrow TPM OwnerAuth
+ For Windows 7, MBAM must own the TPM for escrow to occur.
+ For Windows 8.1, Windows 10 RTM and Windows 10 version 1511, escrow of TPM OwnerAuth is supported.
+ For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
- Escrow recovery keys and recovery key packages
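Review bot: the three "For Windows ..." lines added under "Escrow TPM OwnerAuth" have no list markers or line breaks, so they will render as one run-on paragraph; make them sub-bullets. The removed line covered "Windows 8 or higher", but the new text names Windows 7, Windows 8.1 and Windows 10 only, leaving Windows 8 unstated. "addiiton" should be "addition", here and in every other copy of this note in the patch, and the TPM owner password link uses `http://` where `https://` is preferable.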
@@ -62,6 +65,8 @@ This topic explains how to enable BitLocker on an end user's computer by using M
**MBAM\_Machine WMI Class**
**PrepareTpmAndEscrowOwnerAuth:** Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM is not owned and auto-provisioning is not on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting.
+ **Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
+
| Parameter | Description |
| -------- | ----------- |
| RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. |
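Review bot: the added note contradicts the unchanged method description directly above it, which still says PrepareTpmAndEscrowOwnerAuth "generates a TPM OwnerAuth and takes ownership" when the TPM is not owned, whereas the note says only Windows can take ownership on version 1607 or later. State what the method does on those versions, for example whether it returns an error code or skips the escrow, so that anyone scripting against it knows what result to expect.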
@@ -172,7 +177,8 @@ Here are a list of common error messages:
3. Name the step **Persist TPM OwnerAuth**
- 4. Set the command line to `cscript.exe "%SCRIPTROOT%/SaveWinPETpmOwnerAuth.wsf"`
+ 4. Set the command line to `cscript.exe "%SCRIPTROOT%/SaveWinPETpmOwnerAuth.wsf"`
+ **Note:** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
3. In the **State Restore** folder, delete the **Enable BitLocker** task.
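Review bot: the note is attached to the "Persist TPM OwnerAuth" step without saying whether that step still applies on Windows 10, version 1607 or later. If Windows does not retain the owner password there, say explicitly whether the step should be skipped or is harmless, rather than leaving the reader to infer it from a general statement.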
diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md
index fd60429382..f5b0d8670e 100644
--- a/mdop/mbam-v25/index.md
+++ b/mdop/mbam-v25/index.md
@@ -51,7 +51,7 @@ To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlin
- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
- Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com%29 or learn about updates by following us on [Facebook]%28https://go.microsoft.com/fwlink/p/?LinkId=242445%29 or [Twitter]%28https://go.microsoft.com/fwlink/p/?LinkId=242447).
+ Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
- [MBAM Deployment Guide](http://www.microsoft.com/download/details.aspx?id=38398)
diff --git a/mdop/mbam-v25/mbam-25-security-considerations.md b/mdop/mbam-v25/mbam-25-security-considerations.md
index 533102fb68..033a2d65dc 100644
--- a/mdop/mbam-v25/mbam-25-security-considerations.md
+++ b/mdop/mbam-v25/mbam-25-security-considerations.md
@@ -31,6 +31,7 @@ This topic contains the following information about how to secure Microsoft BitL
## Configure MBAM to escrow the TPM and store OwnerAuth passwords
+**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
Depending on its configuration, the Trusted Platform Module (TPM) will lock itself in certain situations ─ such as when too many incorrect passwords are entered ─ and can remain locked for a period of time. During TPM lockout, BitLocker cannot access the encryption keys to perform unlock or decryption operations, requiring the user to enter their BitLocker recovery key to access the operating system drive. To reset TPM lockout, you must provide the TPM OwnerAuth password.
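Review bot: the note under `## Configure MBAM to escrow the TPM and store OwnerAuth passwords` says Windows 10, version 1607 or later will not retain the TPM owner password, but the paragraph right after it still ends with "To reset TPM lockout, you must provide the TPM OwnerAuth password." A reader on 1607 or later is left without a stated way to reset lockout; add one sentence saying what applies to them instead of only linking out. Also fix "In addiiton", and pick one of `**Note**` (here) or `**Note:**` (the deployment step file) for the label.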
@@ -38,6 +39,8 @@ MBAM can store the TPM OwnerAuth password in the MBAM database if it owns the TP
### Escrowing TPM OwnerAuth in Windows 8 and higher
+**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
+
In Windows 8 or higher, MBAM no longer must own the TPM to store the OwnerAuth password, as long as the OwnerAuth is available on the local machine.
To enable MBAM to escrow and then store TPM OwnerAuth passwords, you must configure these Group Policy settings.
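Review bot: this is a verbatim second copy of the note added a few lines earlier in the same file (hunk offsets 31 and 38), so the reader sees it twice in one short section; keep one. The copy here also sits under "Escrowing TPM OwnerAuth in Windows 8 and higher" next to "as long as the OwnerAuth is available on the local machine", which by the note's own wording is not the case on Windows 10, version 1607 or later. Narrow the heading or the sentence to the versions it still applies to. "In addiiton" needs correcting here as well.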
diff --git a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
index 7779461ff4..aba77d5ac9 100644
--- a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
+++ b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
@@ -40,19 +40,26 @@ Before you install the MBAM Client software on end users' computers, ensure that
-
For Windows 8 and Windows 8.1 client computers only: If you want MBAM to be able to store and manage the TPM recovery keys, TPM auto-provisioning must be turned off, and MBAM must be set as the owner of the TPM before you deploy MBAM.
+
For Windows 8.1, Windows 10 RTM or Windows 10 version 1511 client computers only: If you want MBAM to be able to store and manage the TPM recovery keys, TPM auto-provisioning must be turned off, and MBAM must be set as the owner of the TPM before you deploy MBAM.
In MBAM 2.5 SP1 only, you no longer need to turn off TPM auto-provisioning, but you must make sure that the TPM Group Policy Objects are set to not escrow TPM OwnerAuth to Active Directory.
For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM.
+
In MBAM 2.5 SP1, you must turn on auto-provisioning.
+
+
See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
+
+
+
The TPM chip must be turned on in the BIOS and be resettable from the operating system.
See the BIOS documentation for more information.
-
+
The computer’s hard disk must have at least two partitions and must be formatted with the NTFS file system.
-
+
The computer’s hard disk must have a BIOS that is compatible with TPM and that supports USB devices during computer startup.
Note
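Review bot: the added text gives two SP1 statements that read as contradictory: "In MBAM 2.5 SP1 only, you no longer need to turn off TPM auto-provisioning" for Windows 8.1 through 1511, and "In MBAM 2.5 SP1, you must turn on auto-provisioning" after the 1607 paragraph. Tie the second sentence explicitly to Windows 10, version 1607 or later so it cannot be read as applying to the earlier versions. "In addiiton" should be "In addition", and the three consecutive added blank lines after the TPM owner password link can be reduced to one.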
diff --git a/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md b/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
index b52e59331b..a0c7a80e05 100644
--- a/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
+++ b/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
@@ -119,13 +119,7 @@ If Internet Explorer Enhanced Security Configuration (ESC) is turned on, an "Acc
**Workaround:** If the "Access Denied" error message appears when you try to view reports on the MBAM Server, you can set a Group Policy Object or change the default manually in your image to disable Enhanced Security Configuration. You can also alternatively view the reports from another computer on which ESC is not enabled.
### Support for Bitlocker XTS-AES encryption algorithm
-Bitlocker added support for the XTS-AES encryption algorithm in Windows 10, version 1511.
-As of HF02, MBAM now supports this Bitlocker option and is a client-only update.
-However, there are two known limitations:
-
-* MBAM will correctly report compliance status but the **Cipher Strength** field in MBAM reports will be empty.
-MBAM pre-built reports and compliance charts won’t break but the **Cipher Strength** column will be empty for XTS machines.
-Also, if a customer has a custom report that uses this particular field, they may have to make adjustments to accommodate this update.
+Bitlocker added support for the XTS-AES encryption algorithm in Windows 10, version 1511. With HF02, MBAM added client support for this Bitlocker option and in HF04, the server-side support was added. However, there is one known limitation:
* Customers must use the same encryption strength for OS and data volumes on the same machine.
If different encryption strengths are used, MBAM will report the machine as **non-compliant**.
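Review bot: the rewritten paragraph removes the **Cipher Strength** limitation without saying what resolves it. The removed text stated that the column is empty for XTS machines as of HF02; the new text only says server-side support arrived in HF04. If HF04 is what populates the column, say that the field stays empty until the server has HF04, because a deployment with HF02 clients and an older server is still in the state the removed text described. The added sentence also spells the product "Bitlocker"; the rest of the patch uses "BitLocker".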
diff --git a/mdop/softgrid-application-virtualization.md b/mdop/softgrid-application-virtualization.md
index fd762e0136..cb5773b982 100644
--- a/mdop/softgrid-application-virtualization.md
+++ b/mdop/softgrid-application-virtualization.md
@@ -2,6 +2,10 @@
title: SoftGrid Application Virtualization
description: SoftGrid Application Virtualization
author: jamiejdt
+ms.pagetype: mdop
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.prod: w10
---
# SoftGrid Application Virtualization
diff --git a/mdop/uev-v1/index.md b/mdop/uev-v1/index.md
index ce46b1dc0d..22361e39d3 100644
--- a/mdop/uev-v1/index.md
+++ b/mdop/uev-v1/index.md
@@ -42,7 +42,7 @@ View updated product information and known issues for UE-V 1.0.
Learn about the latest MDOP information and resources.
[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
-Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com%29 or learn about updates by following us on [Facebook]%28https://go.microsoft.com/fwlink/p/?LinkId=242445%29 or [Twitter]%28https://go.microsoft.com/fwlink/p/?LinkId=242447).
+Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
diff --git a/mdop/uev-v2/index.md b/mdop/uev-v2/index.md
index 6eeef89ebe..4873df96b5 100644
--- a/mdop/uev-v2/index.md
+++ b/mdop/uev-v2/index.md
@@ -304,7 +304,7 @@ For more information, and for late-breaking news that did not make it into the d
Learn about the latest MDOP information and resources.
[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
-Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com%29 or learn about updates by following us on [Facebook]%28https://go.microsoft.com/fwlink/p/?LinkId=242445%29 or [Twitter]%28https://go.microsoft.com/fwlink/p/?LinkId=242447).
+Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
## Got a suggestion for UE-V?
diff --git a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
index c1ae38e981..dce11abb18 100644
--- a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
+++ b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
@@ -17,7 +17,7 @@ There is some planning and preparation to do before you deploy Microsoft User Ex
First, let’s look at the tasks you’ll do to deploy UE-V:
-- [Plan your UE-V Deployment](#planning)
+- Plan your UE-V Deployment
Before you deploy anything, a good first step is to do a little bit of planning so that you can determine which UE-V features you’ll deploy. So if you leave this page, make sure you come back and read through the planning information below.
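Review bot: removing the `#planning` link turns the first task into plain text, yet the paragraph beneath it still tells readers to "come back and read through the planning information below". If the anchor was broken, point the link at the planning heading's actual id rather than dropping the navigation.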
diff --git a/smb/breadcrumb/toc.yml b/smb/breadcrumb/toc.yml
new file mode 100644
index 0000000000..08883fd504
--- /dev/null
+++ b/smb/breadcrumb/toc.yml
@@ -0,0 +1,11 @@
+- name: Docs
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Windows
+ tocHref: /windows
+ topicHref: https://docs.microsoft.com/en-us/windows/#pivot=it-pro
+ items:
+ - name: SMB
+ tocHref: /windows/smb
+ topicHref: /windows/smb/index
\ No newline at end of file
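Review bot: the Windows entry's `topicHref` is an absolute URL with a hard-coded `en-us` locale (`https://docs.microsoft.com/en-us/windows/#pivot=it-pro`), while its own `tocHref: /windows` and every other entry in the file are root-relative. Use a locale-neutral, root-relative path so localized pages do not send readers to the English hub. The file also ends without a trailing newline.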
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index 5c56cb0492..60c537b382 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -12,13 +12,16 @@ ms.pagetype: smb
author: CelesteDG
---
-
-
# Get started: Deploy and manage a full cloud IT solution for your business
+
+
+
**Applies to:**
- Office 365 Business Premium, Azure AD Premium, Intune, Windows Store for Business, Windows 10
+Are you ready to move your business to the cloud or wondering what it takes to make this happen with Microsoft cloud services and tools?
+
In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Office 365 Business Premium, Microsoft Azure AD, Intune, Windows Store for Business, and Windows 10. We'll show you the basics on how to:
- Acquire an Office 365 business domain
- Add Microsoft Intune and Azure Active Directory (AD) Premium licenses to your business tenant
diff --git a/smb/docfx.json b/smb/docfx.json
index 033a3552a9..2e849d2d22 100644
--- a/smb/docfx.json
+++ b/smb/docfx.json
@@ -3,7 +3,8 @@
"content": [
{
"files": [
- "**/*.md"
+ "**/*.md",
+ "**/*.yml"
],
"exclude": [
"**/obj/**",
@@ -27,7 +28,10 @@
],
"overwrite": [],
"externalReference": [],
- "globalMetadata": {},
+ "globalMetadata": {
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/windows/smb/breadcrumb/toc.json"
+ },
"fileMetadata": {},
"template": [],
"dest": "smb"
diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md
new file mode 100644
index 0000000000..81657682cf
--- /dev/null
+++ b/store-for-business/TOC.md
@@ -0,0 +1,30 @@
+# [Windows Store for Business](index.md)
+## [Sign up and get started](sign-up-windows-store-for-business-overview.md)
+###[Windows Store for Business overview](windows-store-for-business-overview.md)
+### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
+### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
+### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
+### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)
+## [Find and acquire apps](find-and-acquire-apps-overview.md)
+### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md)
+### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md)
+### [Working with line-of-business apps](working-with-line-of-business-apps.md)
+## [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
+### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
+### [Assign apps to employees](assign-apps-to-employees.md)
+### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
+### [Distribute offline apps](distribute-offline-apps.md)
+## [Manage apps](manage-apps-windows-store-for-business-overview.md)
+### [App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md)
+### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md)
+### [Manage access to private store](manage-access-to-private-store.md)
+### [Manage private store settings](manage-private-store-settings.md)
+### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
+## [Device Guard signing portal](device-guard-signing-portal.md)
+### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
+### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
+## [Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md)
+### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
+### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
+## [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
+
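Review bot: `###[Windows Store for Business overview]` is missing the space after `###` that every other entry in this new TOC has, and some Markdown parsers will not treat it as a heading, which would drop the entry from the tree. The entry "App inventory managemement for Windows Store for Business" misspells "management" in the visible title even though its target file name is spelled correctly. The trailing empty added line at the end of the file can go.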
diff --git a/windows/manage/acquire-apps-windows-store-for-business.md b/store-for-business/acquire-apps-windows-store-for-business.md
similarity index 100%
rename from windows/manage/acquire-apps-windows-store-for-business.md
rename to store-for-business/acquire-apps-windows-store-for-business.md
diff --git a/windows/manage/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
similarity index 100%
rename from windows/manage/add-unsigned-app-to-code-integrity-policy.md
rename to store-for-business/add-unsigned-app-to-code-integrity-policy.md
diff --git a/windows/manage/app-inventory-management-windows-store-for-business.md b/store-for-business/app-inventory-management-windows-store-for-business.md
similarity index 100%
rename from windows/manage/app-inventory-management-windows-store-for-business.md
rename to store-for-business/app-inventory-management-windows-store-for-business.md
diff --git a/windows/manage/apps-in-windows-store-for-business.md b/store-for-business/apps-in-windows-store-for-business.md
similarity index 100%
rename from windows/manage/apps-in-windows-store-for-business.md
rename to store-for-business/apps-in-windows-store-for-business.md
diff --git a/windows/manage/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md
similarity index 100%
rename from windows/manage/assign-apps-to-employees.md
rename to store-for-business/assign-apps-to-employees.md
diff --git a/store-for-business/breadcrumb/toc.yml b/store-for-business/breadcrumb/toc.yml
new file mode 100644
index 0000000000..104d0bb7a6
--- /dev/null
+++ b/store-for-business/breadcrumb/toc.yml
@@ -0,0 +1,7 @@
+- name: Docs
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Windows Store for Business
+ tocHref: /microsoft-store
+ topicHref: /microsoft-store/index
\ No newline at end of file
diff --git a/windows/manage/configure-mdm-provider-windows-store-for-business.md b/store-for-business/configure-mdm-provider-windows-store-for-business.md
similarity index 88%
rename from windows/manage/configure-mdm-provider-windows-store-for-business.md
rename to store-for-business/configure-mdm-provider-windows-store-for-business.md
index d4c07de29f..8d22548f35 100644
--- a/windows/manage/configure-mdm-provider-windows-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-windows-store-for-business.md
@@ -30,7 +30,7 @@ Your management tool needs to be installed and configured with Azure AD, in the
3. Click **Applications**, find the application, and add it to your directory.
-After your management tool is added to your Azure AD directory, you can configure it to work with Store for Business.
+After your management tool is added to your Azure AD directory, you can configure it to work with Store for Business. You can configure multiple management tools - just repeat the following procedure.
**To configure a management tool in Store for Business**
@@ -40,7 +40,7 @@ After your management tool is added to your Azure AD directory, you can configur
You'll see a list of available MDM tools.
- 
+ 
3. Choose the MDM tool you want to synchronize with Store for Business, and then click **Activate.**
diff --git a/windows/manage/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
similarity index 100%
rename from windows/manage/device-guard-signing-portal.md
rename to store-for-business/device-guard-signing-portal.md
diff --git a/windows/manage/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
similarity index 96%
rename from windows/manage/distribute-apps-from-your-private-store.md
rename to store-for-business/distribute-apps-from-your-private-store.md
index 828dc965f4..8c53c8e10d 100644
--- a/windows/manage/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -63,7 +63,7 @@ Employees can claim apps that admins added to the private store by doing the fol
[Manage access to private store](manage-access-to-private-store.md)
-[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
+[Configure access to Windows Store](/windows/configuration/stop-employees-from-using-the-windows-store)
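Review bot: the replacement link `/windows/configuration/stop-employees-from-using-the-windows-store` is a site-absolute path with no `.md` extension, so it is no longer resolved against a file in the repository the way the old relative link was. The rename headers in this patch move images out of `windows/configure/`, not `windows/configuration/`, so please confirm the published path exists before merging. The same link is added twice in manage-access-to-private-store.md and needs the same check.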
diff --git a/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md
similarity index 100%
rename from windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md
rename to store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md
diff --git a/windows/manage/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
similarity index 97%
rename from windows/manage/distribute-apps-with-management-tool.md
rename to store-for-business/distribute-apps-with-management-tool.md
index 891c3c0ccc..f030d0d1ce 100644
--- a/windows/manage/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -61,7 +61,7 @@ This diagram shows how you can use a management tool to distribute an online-lic
## Related topics
-[Configure MDM Provider](../manage/configure-mdm-provider-windows-store-for-business.md)
+[Configure MDM Provider](configure-mdm-provider-windows-store-for-business.md)
[Manage apps you purchased from the Windows Store for Business with Microsoft InTune](https://technet.microsoft.com/library/mt676514.aspx)
diff --git a/windows/manage/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
similarity index 100%
rename from windows/manage/distribute-offline-apps.md
rename to store-for-business/distribute-offline-apps.md
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
new file mode 100644
index 0000000000..05874cfbb2
--- /dev/null
+++ b/store-for-business/docfx.json
@@ -0,0 +1,44 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md",
+ "**/**.yml"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {
+ "breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "ms.author": "trudyha",
+ "ms.technology": "windows",
+ "ms.topic": "article"
+ },
+ "fileMetadata": {},
+ "template": [],
+ "dest": "store-for-business"
+ }
+}
\ No newline at end of file
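Review bot: the content glob here is `"**/**.yml"`, while smb/docfx.json in this same patch adds `"**/*.yml"`; use one form in both files so the two docsets are built the same way. `dest` is `store-for-business` but `breadcrumb_path` points at `/microsoft-store/breadcrumb/toc.json`; if the docset is published under a different base path than its folder name, a short comment in the PR description would save the next editor from "fixing" it. Setting `ms.author` in `globalMetadata` stamps every article with one author; confirm that is intended rather than per-file metadata. The file has no trailing newline.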
diff --git a/windows/manage/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md
similarity index 100%
rename from windows/manage/find-and-acquire-apps-overview.md
rename to store-for-business/find-and-acquire-apps-overview.md
diff --git a/windows/configure/images/aadjwsfb.jpg b/store-for-business/images/aadjwsfb.jpg
similarity index 100%
rename from windows/configure/images/aadjwsfb.jpg
rename to store-for-business/images/aadjwsfb.jpg
diff --git a/windows/configure/images/wsfb-distribute.png b/store-for-business/images/wsfb-distribute.png
similarity index 100%
rename from windows/configure/images/wsfb-distribute.png
rename to store-for-business/images/wsfb-distribute.png
diff --git a/windows/configure/images/wsfb-firstrun.png b/store-for-business/images/wsfb-firstrun.png
similarity index 100%
rename from windows/configure/images/wsfb-firstrun.png
rename to store-for-business/images/wsfb-firstrun.png
diff --git a/windows/configure/images/wsfb-inventory-viewlicense.png b/store-for-business/images/wsfb-inventory-viewlicense.png
similarity index 100%
rename from windows/configure/images/wsfb-inventory-viewlicense.png
rename to store-for-business/images/wsfb-inventory-viewlicense.png
diff --git a/windows/configure/images/wsfb-inventory.png b/store-for-business/images/wsfb-inventory.png
similarity index 100%
rename from windows/configure/images/wsfb-inventory.png
rename to store-for-business/images/wsfb-inventory.png
diff --git a/windows/configure/images/wsfb-inventoryaddprivatestore.png b/store-for-business/images/wsfb-inventoryaddprivatestore.png
similarity index 100%
rename from windows/configure/images/wsfb-inventoryaddprivatestore.png
rename to store-for-business/images/wsfb-inventoryaddprivatestore.png
diff --git a/windows/configure/images/wsfb-landing.png b/store-for-business/images/wsfb-landing.png
similarity index 100%
rename from windows/configure/images/wsfb-landing.png
rename to store-for-business/images/wsfb-landing.png
diff --git a/windows/configure/images/wsfb-licenseassign.png b/store-for-business/images/wsfb-licenseassign.png
similarity index 100%
rename from windows/configure/images/wsfb-licenseassign.png
rename to store-for-business/images/wsfb-licenseassign.png
diff --git a/windows/configure/images/wsfb-licensedetails.png b/store-for-business/images/wsfb-licensedetails.png
similarity index 100%
rename from windows/configure/images/wsfb-licensedetails.png
rename to store-for-business/images/wsfb-licensedetails.png
diff --git a/windows/configure/images/wsfb-licensereclaim.png b/store-for-business/images/wsfb-licensereclaim.png
similarity index 100%
rename from windows/configure/images/wsfb-licensereclaim.png
rename to store-for-business/images/wsfb-licensereclaim.png
diff --git a/windows/configure/images/wsfb-manageinventory.png b/store-for-business/images/wsfb-manageinventory.png
similarity index 100%
rename from windows/configure/images/wsfb-manageinventory.png
rename to store-for-business/images/wsfb-manageinventory.png
diff --git a/windows/configure/images/wsfb-offline-distribute-mdm.png b/store-for-business/images/wsfb-offline-distribute-mdm.png
similarity index 100%
rename from windows/configure/images/wsfb-offline-distribute-mdm.png
rename to store-for-business/images/wsfb-offline-distribute-mdm.png
diff --git a/windows/configure/images/wsfb-onboard-1.png b/store-for-business/images/wsfb-onboard-1.png
similarity index 100%
rename from windows/configure/images/wsfb-onboard-1.png
rename to store-for-business/images/wsfb-onboard-1.png
diff --git a/windows/configure/images/wsfb-onboard-2.png b/store-for-business/images/wsfb-onboard-2.png
similarity index 100%
rename from windows/configure/images/wsfb-onboard-2.png
rename to store-for-business/images/wsfb-onboard-2.png
diff --git a/windows/configure/images/wsfb-onboard-3.png b/store-for-business/images/wsfb-onboard-3.png
similarity index 100%
rename from windows/configure/images/wsfb-onboard-3.png
rename to store-for-business/images/wsfb-onboard-3.png
diff --git a/windows/configure/images/wsfb-onboard-4.png b/store-for-business/images/wsfb-onboard-4.png
similarity index 100%
rename from windows/configure/images/wsfb-onboard-4.png
rename to store-for-business/images/wsfb-onboard-4.png
diff --git a/windows/configure/images/wsfb-onboard-5.png b/store-for-business/images/wsfb-onboard-5.png
similarity index 100%
rename from windows/configure/images/wsfb-onboard-5.png
rename to store-for-business/images/wsfb-onboard-5.png
diff --git a/windows/configure/images/wsfb-onboard-7.png b/store-for-business/images/wsfb-onboard-7.png
similarity index 100%
rename from windows/configure/images/wsfb-onboard-7.png
rename to store-for-business/images/wsfb-onboard-7.png
diff --git a/windows/configure/images/wsfb-online-distribute-mdm.png b/store-for-business/images/wsfb-online-distribute-mdm.png
similarity index 100%
rename from windows/configure/images/wsfb-online-distribute-mdm.png
rename to store-for-business/images/wsfb-online-distribute-mdm.png
diff --git a/windows/configure/images/wsfb-paid-app-temp.png b/store-for-business/images/wsfb-paid-app-temp.png
similarity index 100%
rename from windows/configure/images/wsfb-paid-app-temp.png
rename to store-for-business/images/wsfb-paid-app-temp.png
diff --git a/windows/configure/images/wsfb-permissions-assignrole.png b/store-for-business/images/wsfb-permissions-assignrole.png
similarity index 100%
rename from windows/configure/images/wsfb-permissions-assignrole.png
rename to store-for-business/images/wsfb-permissions-assignrole.png
diff --git a/windows/configure/images/wsfb-private-store-gpo.PNG b/store-for-business/images/wsfb-private-store-gpo.PNG
similarity index 100%
rename from windows/configure/images/wsfb-private-store-gpo.PNG
rename to store-for-business/images/wsfb-private-store-gpo.PNG
diff --git a/windows/configure/images/wsfb-privatestore.png b/store-for-business/images/wsfb-privatestore.png
similarity index 100%
rename from windows/configure/images/wsfb-privatestore.png
rename to store-for-business/images/wsfb-privatestore.png
diff --git a/windows/configure/images/wsfb-privatestoreapps.png b/store-for-business/images/wsfb-privatestoreapps.png
similarity index 100%
rename from windows/configure/images/wsfb-privatestoreapps.png
rename to store-for-business/images/wsfb-privatestoreapps.png
diff --git a/windows/configure/images/wsfb-renameprivatestore.png b/store-for-business/images/wsfb-renameprivatestore.png
similarity index 100%
rename from windows/configure/images/wsfb-renameprivatestore.png
rename to store-for-business/images/wsfb-renameprivatestore.png
diff --git a/windows/configure/images/wsfb-settings-mgmt.png b/store-for-business/images/wsfb-settings-mgmt.png
similarity index 100%
rename from windows/configure/images/wsfb-settings-mgmt.png
rename to store-for-business/images/wsfb-settings-mgmt.png
diff --git a/windows/configure/images/wsfb-settings-permissions.png b/store-for-business/images/wsfb-settings-permissions.png
similarity index 100%
rename from windows/configure/images/wsfb-settings-permissions.png
rename to store-for-business/images/wsfb-settings-permissions.png
diff --git a/windows/configure/images/wsfb-wsappaddacct.png b/store-for-business/images/wsfb-wsappaddacct.png
similarity index 100%
rename from windows/configure/images/wsfb-wsappaddacct.png
rename to store-for-business/images/wsfb-wsappaddacct.png
diff --git a/windows/configure/images/wsfb-wsappprivatestore.png b/store-for-business/images/wsfb-wsappprivatestore.png
similarity index 100%
rename from windows/configure/images/wsfb-wsappprivatestore.png
rename to store-for-business/images/wsfb-wsappprivatestore.png
diff --git a/windows/configure/images/wsfb-wsappsignin.png b/store-for-business/images/wsfb-wsappsignin.png
similarity index 100%
rename from windows/configure/images/wsfb-wsappsignin.png
rename to store-for-business/images/wsfb-wsappsignin.png
diff --git a/windows/configure/images/wsfb-wsappworkacct.png b/store-for-business/images/wsfb-wsappworkacct.png
similarity index 100%
rename from windows/configure/images/wsfb-wsappworkacct.png
rename to store-for-business/images/wsfb-wsappworkacct.png
diff --git a/windows/manage/windows-store-for-business.md b/store-for-business/index.md
similarity index 99%
rename from windows/manage/windows-store-for-business.md
rename to store-for-business/index.md
index 67a6d43bab..7db0654659 100644
--- a/windows/manage/windows-store-for-business.md
+++ b/store-for-business/index.md
@@ -66,13 +66,3 @@ Welcome to the Windows Store for Business! You can use the Store for Business, t
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/manage/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md
similarity index 94%
rename from windows/manage/manage-access-to-private-store.md
rename to store-for-business/manage-access-to-private-store.md
index 3c7b9b2b79..248ea4396f 100644
--- a/windows/manage/manage-access-to-private-store.md
+++ b/store-for-business/manage-access-to-private-store.md
@@ -59,14 +59,14 @@ If you're using Windows Store for Business and you want employees to only see ap
4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**.
-You can also prevent employees from using the Windows Store. For more information, see [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md).
+You can also prevent employees from using the Windows Store. For more information, see [Configure access to Windows Store](/windows/configuration/stop-employees-from-using-the-windows-store).
## Related topics
[Distribute apps using your private store](distribute-apps-from-your-private-store.md)
-[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
+[Configure access to Windows Store](/windows/configuration/stop-employees-from-using-the-windows-store)
diff --git a/windows/manage/manage-apps-windows-store-for-business-overview.md b/store-for-business/manage-apps-windows-store-for-business-overview.md
similarity index 96%
rename from windows/manage/manage-apps-windows-store-for-business-overview.md
rename to store-for-business/manage-apps-windows-store-for-business-overview.md
index 76b2ee98e8..f4248b9b04 100644
--- a/windows/manage/manage-apps-windows-store-for-business-overview.md
+++ b/store-for-business/manage-apps-windows-store-for-business-overview.md
@@ -40,7 +40,7 @@ Manage settings and access to apps in Windows Store for Business.
You can manage access to your private store in Store for Business.
-
[App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md)
+
[App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md)
You can manage all apps that you've acquired on your Inventory page.
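Review bot: the link target is corrected to `app-inventory-management-windows-store-for-business.md`, but the link text still reads "App inventory managemement". Fix the visible title in the same change, and in store-for-business/TOC.md where the same misspelling is added.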
diff --git a/windows/manage/manage-orders-windows-store-for-business.md b/store-for-business/manage-orders-windows-store-for-business.md
similarity index 100%
rename from windows/manage/manage-orders-windows-store-for-business.md
rename to store-for-business/manage-orders-windows-store-for-business.md
diff --git a/windows/manage/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
similarity index 100%
rename from windows/manage/manage-private-store-settings.md
rename to store-for-business/manage-private-store-settings.md
diff --git a/windows/manage/manage-settings-windows-store-for-business.md b/store-for-business/manage-settings-windows-store-for-business.md
similarity index 100%
rename from windows/manage/manage-settings-windows-store-for-business.md
rename to store-for-business/manage-settings-windows-store-for-business.md
diff --git a/windows/manage/manage-users-and-groups-windows-store-for-business.md b/store-for-business/manage-users-and-groups-windows-store-for-business.md
similarity index 100%
rename from windows/manage/manage-users-and-groups-windows-store-for-business.md
rename to store-for-business/manage-users-and-groups-windows-store-for-business.md
diff --git a/windows/manage/prerequisites-windows-store-for-business.md b/store-for-business/prerequisites-windows-store-for-business.md
similarity index 100%
rename from windows/manage/prerequisites-windows-store-for-business.md
rename to store-for-business/prerequisites-windows-store-for-business.md
diff --git a/windows/manage/roles-and-permissions-windows-store-for-business.md b/store-for-business/roles-and-permissions-windows-store-for-business.md
similarity index 100%
rename from windows/manage/roles-and-permissions-windows-store-for-business.md
rename to store-for-business/roles-and-permissions-windows-store-for-business.md
diff --git a/windows/manage/settings-reference-windows-store-for-business.md b/store-for-business/settings-reference-windows-store-for-business.md
similarity index 100%
rename from windows/manage/settings-reference-windows-store-for-business.md
rename to store-for-business/settings-reference-windows-store-for-business.md
diff --git a/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
similarity index 100%
rename from windows/manage/sign-code-integrity-policy-with-device-guard-signing.md
rename to store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
diff --git a/windows/manage/sign-up-windows-store-for-business-overview.md b/store-for-business/sign-up-windows-store-for-business-overview.md
similarity index 100%
rename from windows/manage/sign-up-windows-store-for-business-overview.md
rename to store-for-business/sign-up-windows-store-for-business-overview.md
diff --git a/windows/manage/sign-up-windows-store-for-business.md b/store-for-business/sign-up-windows-store-for-business.md
similarity index 100%
rename from windows/manage/sign-up-windows-store-for-business.md
rename to store-for-business/sign-up-windows-store-for-business.md
diff --git a/windows/manage/troubleshoot-windows-store-for-business.md b/store-for-business/troubleshoot-windows-store-for-business.md
similarity index 100%
rename from windows/manage/troubleshoot-windows-store-for-business.md
rename to store-for-business/troubleshoot-windows-store-for-business.md
diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/store-for-business/update-windows-store-for-business-account-settings.md
similarity index 89%
rename from windows/manage/update-windows-store-for-business-account-settings.md
rename to store-for-business/update-windows-store-for-business-account-settings.md
index dbf68b6bad..43a9468143 100644
--- a/windows/manage/update-windows-store-for-business-account-settings.md
+++ b/store-for-business/update-windows-store-for-business-account-settings.md
@@ -31,7 +31,7 @@ We need an email address in case we need to contact you about your Store for Bus
To update Organization information, click **Edit organization information**.
-## Organization tax information ##
+## Organization tax information
Taxes for Windows Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent:
- Austria
- Belgium
@@ -96,7 +96,7 @@ For example:
($1.29 X .095) X 100 = $12.25
-##Payment options##
+## Payment options
You can purchase apps from the Windows Store for Business using your credit card. You can enter your credit card information on Account Information, or when you purchase an app. We currently accept these credit cards:
1. VISA
2. MasterCard
@@ -104,8 +104,8 @@ You can purchase apps from the Windows Store for Business using your credit card
4. American Express
5. Japan Commercial Bureau (JCB)
-**Note**:
-Not all cards available in all countries. When you add a payment option, Store for Business shows which cards are available in your region.
+> [!NOTE]
+> Not all cards available in all countries. When you add a payment option, Store for Business shows which cards are available in your region.
**To add a new payment option**
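Review bot: the converted `> [!NOTE]` line carries over "Not all cards available in all countries", which is missing its verb. Since the line is being rewritten anyway, change it to "Not all cards are available in all countries."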
@@ -116,7 +116,8 @@ Not all cards available in all countries. When you add a payment option, Store f
Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
-**Note**: When adding credit or debit cards, you may be prompted to enter a CVV . The CVV is only used for verification purposes and is not stored in our systems after validation.
+> [!NOTE]
+> When adding credit or debit cards, you may be prompted to enter a CVV . The CVV is only used for verification purposes and is not stored in our systems after validation
**To update a payment option**
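Review bot: the new note text loses the final period after "validation" and keeps the stray space in "CVV ." from the old line. Restore the period and write "enter a CVV." so the statement about the CVV not being stored reads as a complete sentence.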
@@ -126,9 +127,10 @@ Once you click Next, the information you provided will be validated with a tes
4. Enter any updated information in the appropriate fields, and then click **Next**.
Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
-**Note**: Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time or have a low balance.
+> [!NOTE]
+> Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance.
-##Offline licensing##
+## Offline licensing
Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. For more information on the Store for Business licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).
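Review bot: the Offline licensing paragraph kept as context still links to `https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model`, the old `windows/manage` location, while this commit moves the file under `store-for-business/`. Point it at `apps-in-windows-store-for-business.md#licensing-model`, as the overview file's links do after this change, or confirm a redirect exists. The comma added before "or have a low balance" in the note is also unnecessary.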
diff --git a/windows/manage/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md
similarity index 96%
rename from windows/manage/windows-store-for-business-overview.md
rename to store-for-business/windows-store-for-business-overview.md
index a3a565c261..fa37237c48 100644
--- a/windows/manage/windows-store-for-business-overview.md
+++ b/store-for-business/windows-store-for-business-overview.md
@@ -81,7 +81,7 @@ While not required, you can use a management tool to distribute and manage apps.
The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization.
-For more information, see [Sign up for the Store for Business](../manage/sign-up-windows-store-for-business.md).
+For more information, see [Sign up for the Store for Business](sign-up-windows-store-for-business.md).
### Set up
@@ -93,7 +93,7 @@ After your admin signs up for the Store for Business, they can assign roles to o
| Purchaser | | X | X | |
| Device Guard signer | | | | X |
-In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md).
+In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-windows-store-for-business.md).
Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business.
@@ -115,7 +115,7 @@ Line-of-business (LOB) apps are also supported via the Business store. You can i
The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
-For more information, see [Apps in the Store for Business](../manage/apps-in-windows-store-for-business.md#licensing-model).
+For more information, see [Apps in the Store for Business](apps-in-windows-store-for-business.md#licensing-model).
### Distribute apps and content
@@ -137,7 +137,7 @@ App distribution is handled through two channels, either through the Store for B
Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata, management tools can enable portals or apps as a destination for employees to acquire apps.
-For more information, see [Distribute apps to your employees from the Store for Business](../manage/distribute-apps-to-your-employees-windows-store-for-business.md).
+For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md).
### Manage Store for Business settings and content
@@ -167,7 +167,7 @@ Once you are signed up with the Business store and have purchased apps, Admins c
- Download apps for offline installs
-For more information, see [Manage settings in the Store for Business](../manage/manage-settings-windows-store-for-business.md) and [Manage apps](../manage/manage-apps-windows-store-for-business-overview.md).
+For more information, see [Manage settings in the Store for Business](manage-settings-windows-store-for-business.md) and [Manage apps](manage-apps-windows-store-for-business-overview.md).
## Supported markets
@@ -353,4 +353,4 @@ Developers in your organization, or ISVs can create content specific to your org
Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in the Store for Business. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in the Store for Business will work only on Windows 10.
-For more information on line-of-business apps, see [Working with Line-of-Business apps](../manage/working-with-line-of-business-apps.md).
+For more information on line-of-business apps, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
diff --git a/windows/manage/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
similarity index 100%
rename from windows/manage/working-with-line-of-business-apps.md
rename to store-for-business/working-with-line-of-business-apps.md
diff --git a/windows/TOC.md b/windows/TOC.md
deleted file mode 100644
index 7167858dab..0000000000
--- a/windows/TOC.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# [Windows 10 and Windows 10 Mobile](index.md)
-## [What's new in Windows 10](whats-new/index.md)
-## [Plan for Windows 10 deployment](plan/index.md)
-## [Deploy Windows 10](deploy/index.md)
-## [Configure Windows 10](configure/index.md)
-## [Update Windows 10](update/index.md)
-## [Keep Windows 10 secure](keep-secure/index.md)
-## [Manage Windows 10](manage/index.md)
\ No newline at end of file
diff --git a/windows/access-protection/TOC.md b/windows/access-protection/TOC.md
new file mode 100644
index 0000000000..16b848c11f
--- /dev/null
+++ b/windows/access-protection/TOC.md
@@ -0,0 +1,190 @@
+# [Access protection](access-control/access-control.md)
+
+## [Access Control Overview](access-control/access-control.md)
+### [Dynamic Access Control Overview](access-control/dynamic-access-control.md)
+### [Security identifiers](access-control/security-identifiers.md)
+### [Security Principals](access-control/security-principals.md)
+### [Local Accounts](access-control/local-accounts.md)
+### [Active Directory Accounts](access-control/active-directory-accounts.md)
+### [Microsoft Accounts](access-control/microsoft-accounts.md)
+### [Service Accounts](access-control/service-accounts.md)
+### [Active Directory Security Groups](access-control/active-directory-security-groups.md)
+### [Special Identities](access-control/special-identities.md)
+
+## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
+
+## [Enterprise Certificate Pinning](enterprise-certificate-pinning.md)
+
+## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
+
+## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
+### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
+### [Credential Guard Requirements](credential-guard/credential-guard-requirements.md)
+### [Manage Credential Guard](credential-guard/credential-guard-manage.md)
+### [Credential Guard protection limits](credential-guard/credential-guard-protection-limits.md)
+### [Considerations when using Credential Guard](credential-guard/credential-guard-considerations.md)
+### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)
+### [Credential Guard: Known issues](credential-guard/credential-guard-known-issues.md)
+
+
+## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
+
+## [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md)
+### [How Smart Card Sign-in Works in Windows](smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md)
+#### [Smart Card Architecture](smart-cards/smart-card-architecture.md)
+#### [Certificate Requirements and Enumeration](smart-cards/smart-card-certificate-requirements-and-enumeration.md)
+#### [Smart Card and Remote Desktop Services](smart-cards/smart-card-and-remote-desktop-services.md)
+#### [Smart Cards for Windows Service](smart-cards/smart-card-smart-cards-for-windows-service.md)
+#### [Certificate Propagation Service](smart-cards/smart-card-certificate-propagation-service.md)
+#### [Smart Card Removal Policy Service](smart-cards/smart-card-removal-policy-service.md)
+### [Smart Card Tools and Settings](smart-cards/smart-card-tools-and-settings.md)
+#### [Smart Cards Debugging Information](smart-cards/smart-card-debugging-information.md)
+#### [Smart Card Group Policy and Registry Settings](smart-cards/smart-card-group-policy-and-registry-settings.md)
+#### [Smart Card Events](smart-cards/smart-card-events.md)
+
+### [User Account Control](user-account-control\user-account-control-overview.md)
+#### [How User Account Control works](user-account-control\how-user-account-control-works.md)
+#### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
+#### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
+
+### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
+### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
+#### [Understanding and Evaluating Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md)
+##### [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-cards\virtual-smart-card-get-started.md)
+##### [Use Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-use-virtual-smart-cards.md)
+##### [Deploy Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-deploy-virtual-smart-cards.md)
+##### [Evaluate Virtual Smart Card Security](virtual-smart-cards\virtual-smart-card-evaluate-security.md)
+#### [Tpmvscmgr](virtual-smart-cards\virtual-smart-card-tpmvscmgr.md)
+
+
+## [VPN technical guide](vpn\vpn-guide.md)
+### [VPN connection types](vpn\vpn-connection-type.md)
+### [VPN routing decisions](vpn\vpn-routing.md)
+### [VPN authentication options](vpn\vpn-authentication.md)
+### [VPN and conditional access](vpn\vpn-conditional-access.md)
+### [VPN name resolution](vpn\vpn-name-resolution.md)
+### [VPN auto-triggered profile options](vpn\vpn-auto-trigger-profile.md)
+### [VPN security features](vpn\vpn-security-features.md)
+### [VPN profile options](vpn\vpn-profile-options.md)
+### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
+### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
+
+## [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md)
+### [Isolating Windows Store Apps on Your Network](windows-firewall/isolating-apps-on-your-network.md)
+### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md)
+### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
+### [Windows Firewall with Advanced Security Design Guide](windows-firewall/windows-firewall-with-advanced-security-design-guide.md)
+#### [Understanding the Windows Firewall with Advanced Security Design Process](windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md)
+#### [Identifying Your Windows Firewall with Advanced Security Deployment Goals](windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
+##### [Protect Devices from Unwanted Network Traffic](windows-firewall/protect-devices-from-unwanted-network-traffic.md)
+##### [Restrict Access to Only Trusted Devices](windows-firewall/restrict-access-to-only-trusted-devices.md)
+##### [Require Encryption When Accessing Sensitive Network Resources](windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md)
+##### [Restrict Access to Only Specified Users or Computers](windows-firewall/restrict-access-to-only-specified-users-or-devices.md)
+#### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
+##### [Basic Firewall Policy Design](windows-firewall/basic-firewall-policy-design.md)
+##### [Domain Isolation Policy Design](windows-firewall/domain-isolation-policy-design.md)
+##### [Server Isolation Policy Design](windows-firewall/server-isolation-policy-design.md)
+##### [Certificate-based Isolation Policy Design](windows-firewall/certificate-based-isolation-policy-design.md)
+#### [Evaluating Windows Firewall with Advanced Security Design Examples](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
+##### [Firewall Policy Design Example](windows-firewall/firewall-policy-design-example.md)
+##### [Domain Isolation Policy Design Example](windows-firewall/domain-isolation-policy-design-example.md)
+##### [Server Isolation Policy Design Example](windows-firewall/server-isolation-policy-design-example.md)
+##### [Certificate-based Isolation Policy Design Example](windows-firewall/certificate-based-isolation-policy-design-example.md)
+#### [Designing a Windows Firewall with Advanced Security Strategy](windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md)
+##### [Gathering the Information You Need](windows-firewall/gathering-the-information-you-need.md)
+###### [Gathering Information about Your Current Network Infrastructure](windows-firewall/gathering-information-about-your-current-network-infrastructure.md)
+###### [Gathering Information about Your Active Directory Deployment](windows-firewall/gathering-information-about-your-active-directory-deployment.md)
+###### [Gathering Information about Your Computers](windows-firewall/gathering-information-about-your-devices.md)
+###### [Gathering Other Relevant Information](windows-firewall/gathering-other-relevant-information.md)
+##### [Determining the Trusted State of Your Computers](windows-firewall/determining-the-trusted-state-of-your-devices.md)
+#### [Planning Your Windows Firewall with Advanced Security Design](windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md)
+##### [Planning Settings for a Basic Firewall Policy](windows-firewall/planning-settings-for-a-basic-firewall-policy.md)
+##### [Planning Domain Isolation Zones](windows-firewall/planning-domain-isolation-zones.md)
+###### [Exemption List](windows-firewall/exemption-list.md)
+###### [Isolated Domain](windows-firewall/isolated-domain.md)
+###### [Boundary Zone](windows-firewall/boundary-zone.md)
+###### [Encryption Zone](windows-firewall/encryption-zone.md)
+##### [Planning Server Isolation Zones](windows-firewall/planning-server-isolation-zones.md)
+##### [Planning Certificate-based Authentication](windows-firewall/planning-certificate-based-authentication.md)
+###### [Documenting the Zones](windows-firewall/documenting-the-zones.md)
+###### [Planning Group Policy Deployment for Your Isolation Zones](windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md)
+####### [Planning Isolation Groups for the Zones](windows-firewall/planning-isolation-groups-for-the-zones.md)
+####### [Planning Network Access Groups](windows-firewall/planning-network-access-groups.md)
+####### [Planning the GPOs](windows-firewall/planning-the-gpos.md)
+######## [Firewall GPOs](windows-firewall/firewall-gpos.md)
+######### [GPO_DOMISO_Firewall](windows-firewall/gpo-domiso-firewall.md)
+######## [Isolated Domain GPOs](windows-firewall/isolated-domain-gpos.md)
+######### [GPO_DOMISO_IsolatedDomain_Clients](windows-firewall/gpo-domiso-isolateddomain-clients.md)
+######### [GPO_DOMISO_IsolatedDomain_Servers](windows-firewall/gpo-domiso-isolateddomain-servers.md)
+######## [Boundary Zone GPOs](windows-firewall/boundary-zone-gpos.md)
+######### [GPO_DOMISO_Boundary](windows-firewall/gpo-domiso-boundary.md)
+######## [Encryption Zone GPOs](windows-firewall/encryption-zone-gpos.md)
+######### [GPO_DOMISO_Encryption](windows-firewall/gpo-domiso-encryption.md)
+######## [Server Isolation GPOs](windows-firewall/server-isolation-gpos.md)
+####### [Planning GPO Deployment](windows-firewall/planning-gpo-deployment.md)
+#### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
+### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
+#### [Planning to Deploy Windows Firewall with Advanced Security](windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md)
+#### [Implementing Your Windows Firewall with Advanced Security Design Plan](windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md)
+#### [Checklist: Creating Group Policy Objects](windows-firewall/checklist-creating-group-policy-objects.md)
+#### [Checklist: Implementing a Basic Firewall Policy Design](windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md)
+#### [Checklist: Configuring Basic Firewall Settings](windows-firewall/checklist-configuring-basic-firewall-settings.md)
+#### [Checklist: Creating Inbound Firewall Rules](windows-firewall/checklist-creating-inbound-firewall-rules.md)
+#### [Checklist: Creating Outbound Firewall Rules](windows-firewall/checklist-creating-outbound-firewall-rules.md)
+#### [Checklist: Implementing a Domain Isolation Policy Design](windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md)
+##### [Checklist: Configuring Rules for the Isolated Domain](windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md)
+##### [Checklist: Configuring Rules for the Boundary Zone](windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md)
+##### [Checklist: Configuring Rules for the Encryption Zone](windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md)
+##### [Checklist: Configuring Rules for an Isolated Server Zone](windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md)
+#### [Checklist: Implementing a Standalone Server Isolation Policy Design](windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md)
+##### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
+##### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
+#### [Checklist: Implementing a Certificate-based Isolation Policy Design](windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md)
+#### [Procedures Used in This Guide](windows-firewall/procedures-used-in-this-guide.md)
+##### [Add Production Devices to the Membership Group for a Zone](windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md)
+##### [Add Test Devices to the Membership Group for a Zone](windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md)
+##### [Assign Security Group Filters to the GPO](windows-firewall/assign-security-group-filters-to-the-gpo.md)
+##### [Change Rules from Request to Require Mode](windows-firewall/change-rules-from-request-to-require-mode.md)
+##### [Configure Authentication Methods](windows-firewall/configure-authentication-methods.md)
+##### [Configure Data Protection (Quick Mode) Settings](windows-firewall/configure-data-protection-quick-mode-settings.md)
+##### [Configure Group Policy to Autoenroll and Deploy Certificates](windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md)
+##### [Configure Key Exchange (Main Mode) Settings](windows-firewall/configure-key-exchange-main-mode-settings.md)
+##### [Configure the Rules to Require Encryption](windows-firewall/configure-the-rules-to-require-encryption.md)
+##### [Configure the Windows Firewall Log](windows-firewall/configure-the-windows-firewall-log.md)
+##### [Configure the Workstation Authentication Certificate Template](windows-firewall/configure-the-workstation-authentication-certificate-template.md)
+##### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
+##### [Confirm That Certificates Are Deployed Correctly](windows-firewall/confirm-that-certificates-are-deployed-correctly.md)
+##### [Copy a GPO to Create a New GPO](windows-firewall/copy-a-gpo-to-create-a-new-gpo.md)
+##### [Create a Group Account in Active Directory](windows-firewall/create-a-group-account-in-active-directory.md)
+##### [Create a Group Policy Object](windows-firewall/create-a-group-policy-object.md)
+##### [Create an Authentication Exemption List Rule](windows-firewall/create-an-authentication-exemption-list-rule.md)
+##### [Create an Authentication Request Rule](windows-firewall/create-an-authentication-request-rule.md)
+##### [Create an Inbound ICMP Rule](windows-firewall/create-an-inbound-icmp-rule.md)
+##### [Create an Inbound Port Rule](windows-firewall/create-an-inbound-port-rule.md)
+##### [Create an Inbound Program or Service Rule](windows-firewall/create-an-inbound-program-or-service-rule.md)
+##### [Create an Outbound Port Rule](windows-firewall/create-an-outbound-port-rule.md)
+##### [Create an Outbound Program or Service Rule](windows-firewall/create-an-outbound-program-or-service-rule.md)
+##### [Create Inbound Rules to Support RPC](windows-firewall/create-inbound-rules-to-support-rpc.md)
+##### [Create WMI Filters for the GPO](windows-firewall/create-wmi-filters-for-the-gpo.md)
+##### [Enable Predefined Inbound Rules](windows-firewall/enable-predefined-inbound-rules.md)
+##### [Enable Predefined Outbound Rules](windows-firewall/enable-predefined-outbound-rules.md)
+##### [Exempt ICMP from Authentication](windows-firewall/exempt-icmp-from-authentication.md)
+##### [Link the GPO to the Domain](windows-firewall/link-the-gpo-to-the-domain.md)
+##### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
+##### [Open the Group Policy Management Console to IP Security Policies](windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md)
+##### [Open the Group Policy Management Console to Windows Firewall](windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md)
+##### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
+##### [Open Windows Firewall with Advanced Security](windows-firewall/open-windows-firewall-with-advanced-security.md)
+##### [Restrict Server Access to Members of a Group Only](windows-firewall/restrict-server-access-to-members-of-a-group-only.md)
+##### [Turn on Windows Firewall and Configure Default Behavior](windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md)
+##### [Verify That Network Traffic Is Authenticated](windows-firewall/verify-that-network-traffic-is-authenticated.md)
+
+## [Windows Hello for Business](hello-for-business/hello-identity-verification.md)
+### [How Windows Hello for Business works](hello-for-business/hello-how-it-works.md)
+### [Manage Windows Hello for Business in your organization](hello-for-business/hello-manage-in-organization.md)
+### [Why a PIN is better than a password](hello-for-business/hello-why-pin-is-better-than-password.md)
+### [Prepare people to use Windows Hello](hello-for-business/hello-prepare-people-to-use.md)
+### [Windows Hello and password changes](hello-for-business/hello-and-password-changes.md)
+### [Windows Hello errors during PIN creation](hello-for-business/hello-errors-during-pin-creation.md)
+### [Event ID 300 - Windows Hello successfully created](hello-for-business/hello-event-300.md)
+### [Windows Hello biometrics in the enterprise](hello-for-business/hello-biometrics-in-enterprise.md)
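Review bot: the User Account Control, Virtual Smart Cards and VPN entries use backslashes in their link paths (`user-account-control\...`, `virtual-smart-cards\...`, `vpn\...`) while every other entry in this new TOC uses forward slashes; use `/` throughout so the links resolve regardless of platform. The `### [Virtual Smart Cards]` line is added twice in a row, and User Account Control and Virtual Smart Cards sit at `###` with no `##` of their own, so they nest under Smart Cards; the credential theft mitigation guide entry likewise nests under the VPN technical guide. The Windows Firewall section also goes down to nine `#` levels, beyond the six that Markdown headings support, so check that the TOC build accepts that depth.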
diff --git a/windows/keep-secure/access-control.md b/windows/access-protection/access-control/access-control.md
similarity index 98%
rename from windows/keep-secure/access-control.md
rename to windows/access-protection/access-control/access-control.md
index 969bd01684..006ffb29ab 100644
--- a/windows/keep-secure/access-control.md
+++ b/windows/access-protection/access-control/access-control.md
@@ -114,14 +114,14 @@ User rights grant specific privileges and sign-in rights to users and groups in
User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**.
-For more information about user rights, see [User Rights Assignment](user-rights-assignment.md).
+For more information about user rights, see [User Rights Assignment](/windows/device-security/security-policy-settings/access-user-rights-assignment).
## Object auditing
With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer.
-For more information about auditing, see [Security Auditing Overview](security-auditing-overview.md).
+For more information about auditing, see [Security Auditing Overview](/windows/device-security/auditing/security-auditing-overview).
## See also
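Review bot: the new User Rights Assignment target on the `+` line, `/windows/device-security/security-policy-settings/access-user-rights-assignment`, does not match the target used for the same topic in active-directory-security-groups.md later in this patch (`/windows/device-security/security-policy-settings/user-rights-assignment`), and the link it replaces was `user-rights-assignment.md`. The `access-` prefix looks accidental; point both links at the same page and confirm that it resolves.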
diff --git a/windows/keep-secure/active-directory-accounts.md b/windows/access-protection/access-control/active-directory-accounts.md
similarity index 99%
rename from windows/keep-secure/active-directory-accounts.md
rename to windows/access-protection/access-control/active-directory-accounts.md
index 3b4ee0e979..1791e02a32 100644
--- a/windows/keep-secure/active-directory-accounts.md
+++ b/windows/access-protection/access-control/active-directory-accounts.md
@@ -176,7 +176,7 @@ Because the Guest account can provide anonymous access, it is a security risk. I
When the Guest account is required, an Administrator on the domain controller is required to enable the Guest account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong password. The Administrator also grants restricted rights and permissions for the Guest account. To help prevent unauthorized access:
-- Do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer.
+- Do not grant the Guest account the [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer.
- Do not provide the Guest account with the ability to view the event logs. After the Guest account is enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
@@ -571,7 +571,7 @@ If the administrators in your environment can sign in locally to managed servers
- **Better**. Do not grant administrators membership in the local Administrator group on the computer in order to restrict the administrator from bypassing these protections.
-- **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](applocker-overview.md).
+- **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](/windows/device-security/applocker/applocker-overview).
The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings.
diff --git a/windows/keep-secure/active-directory-security-groups.md b/windows/access-protection/access-control/active-directory-security-groups.md
similarity index 94%
rename from windows/keep-secure/active-directory-security-groups.md
rename to windows/access-protection/access-control/active-directory-security-groups.md
index 552c86b75a..772a0ebb67 100644
--- a/windows/keep-secure/active-directory-security-groups.md
+++ b/windows/access-protection/access-control/active-directory-security-groups.md
@@ -50,7 +50,7 @@ Security groups can provide an efficient way to assign access to resources on yo
For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories that are located on each domain controller in the domain. This is possible because, by default, the user rights **Backup files and directories** and **Restore files and directories** are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights that are assigned to that group.
- You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](user-rights-assignment.md).
+ You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment).
- Assign permissions to security groups for resources.
@@ -650,7 +650,7 @@ This security group has not changed since Windows Server 2008.
Default User Rights
-
[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight
+
[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight
@@ -672,9 +672,9 @@ Membership can be modified by members of the following groups: the default servi
This security group includes the following changes since Windows Server 2008:
-- Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md).
+- Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services).
-- [Remove computer from docking station](remove-computer-from-docking-station.md) was removed in Windows Server 2012 R2.
+- [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station) was removed in Windows Server 2012 R2.
@@ -722,33 +722,33 @@ This security group includes the following changes since Windows Server 2008:
Default User Rights
-
[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege
-
[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight
-
[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight
-
[Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md): SeRemoteInteractiveLogonRight
-
[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege
[Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md): SeEnableDelegationPrivilege
-
[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md): SeRemoteShutdownPrivilege
-
[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege
[Profile system performance](profile-system-performance.md): SeSystemProfilePrivilege
-
[Profile single process](profile-single-process.md): SeProfileSingleProcessPrivilege
-
[Remove computer from docking station](remove-computer-from-docking-station.md): SeUndockPrivilege
-
[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege
-
[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege
-
[Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md): SeTakeOwnershipPrivilege
+
[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
+
[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
+
[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight
+
[Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services): SeRemoteInteractiveLogonRight
+
[Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege
[Enable computer and user accounts to be trusted for delegation](/windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation): SeEnableDelegationPrivilege
+
[Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege
+
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
[Profile system performance](/windows/device-security/security-policy-settings/profile-system-performance): SeSystemProfilePrivilege
+
[Profile single process](/windows/device-security/security-policy-settings/profile-single-process): SeProfileSingleProcessPrivilege
+
[Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station): SeUndockPrivilege
+
[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege
+
[Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege
+
[Take ownership of files or other objects](/windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects): SeTakeOwnershipPrivilege
@@ -870,11 +870,11 @@ This security group has not changed since Windows Server 2008.
Default User Rights
-
[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight
-
[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege
-
[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight
-
[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege
-
[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege
+
[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight
+
[Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege
+
[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight
+
[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege
+
[Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege
@@ -2330,7 +2330,7 @@ Members of the Performance Log Users group can manage performance counters, logs
- Can use all the features that are available to the Performance Monitor Users group.
-- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](log-on-as-a-batch-job.md) user right.
+- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right.
**Warning**
If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials.
@@ -2339,7 +2339,7 @@ Members of the Performance Log Users group can manage performance counters, logs
- Cannot use the Windows Kernel Trace event provider in Data Collector Sets.
-For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](log-on-as-a-batch-job.md) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
+For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
**Note**
This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
@@ -2401,7 +2401,7 @@ This security group has not changed since Windows Server 2008.
Default User Rights
-
[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight
+
[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight
@@ -2548,8 +2548,8 @@ This security group has not changed since Windows Server 2008.
Default User Rights
-
[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight
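Review bot: the header for this hunk is `@@ -2548,8 +2548,8 @@`, so both sides should have the same number of lines, yet the only change shown is the removal of the `Access this computer from the network` link. No `+` line points it at a `/windows/device-security/security-policy-settings/...` path, as the other hunks in this file do. Confirm that the entry is replaced rather than dropped, so that the group's SeNetworkLogonRight default stays documented.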
@@ -2612,9 +2612,9 @@ This security group has not changed since Windows Server 2008. However, in Windo
Default User Rights
-
[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight
-
[Load and unload device drivers](load-and-unload-device-drivers.md): SeLoadDriverPrivilege
-
[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege
+
[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight
+
[Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege
+
[Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege
@@ -3327,13 +3327,13 @@ This security group has not changed since Windows Server 2008.
Default User Rights
-
[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight
-
[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege
-
[Change the system time](change-the-system-time.md): SeSystemTimePrivilege
-
[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege
-
[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md): SeRemoteShutdownPrivilege
-
[Restore files and directories](restore-files-and-directories.md): Restore files and directories SeRestorePrivilege
-
[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege
+
[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight
+
[Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege
+
[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege
+
[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege
+
[Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege
+
[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): Restore files and directories SeRestorePrivilege
+
[Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege
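Review bot: the Restore files and directories entry in this hunk still ends `: Restore files and directories SeRestorePrivilege`, repeating the right's name after the colon where every other entry gives only the constant. The `-` line has the same duplication, so it is carried over rather than introduced here, but since the line is being rewritten anyway, drop the repeated text so that it reads `: SeRestorePrivilege`.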
diff --git a/windows/keep-secure/dynamic-access-control.md b/windows/access-protection/access-control/dynamic-access-control.md
similarity index 100%
rename from windows/keep-secure/dynamic-access-control.md
rename to windows/access-protection/access-control/dynamic-access-control.md
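Review bot: dynamic-access-control.md moves with `similarity index 100%`, as does security-identifiers.md further down, while the other topics moved into this folder needed their relative links rewritten to site-root paths. Check that neither file contains relative links to topics that did not move with it, because an unchanged relative link now resolves against `windows/access-protection/access-control/`.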
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample1.gif b/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample1.gif
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc1-sample1.gif
rename to windows/access-protection/access-control/images/adlocalaccounts-proc1-sample1.gif
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample2.png b/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample2.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc1-sample2.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc1-sample2.png
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample3.png b/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample3.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc1-sample3.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc1-sample3.png
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample4.png b/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample4.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc1-sample4.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc1-sample4.png
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample5.png b/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample5.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc1-sample5.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc1-sample5.png
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample6.png b/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample6.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc1-sample6.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc1-sample6.png
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample7.png b/windows/access-protection/access-control/images/adlocalaccounts-proc1-sample7.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc1-sample7.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc1-sample7.png
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample1.png b/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample1.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc2-sample1.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc2-sample1.png
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample2.png b/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample2.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc2-sample2.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc2-sample2.png
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample3.png b/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample3.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc2-sample3.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc2-sample3.png
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample4.png b/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample4.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc2-sample4.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc2-sample4.png
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample5.png b/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample5.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc2-sample5.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc2-sample5.png
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample6.png b/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample6.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc2-sample6.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc2-sample6.png
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample7.png b/windows/access-protection/access-control/images/adlocalaccounts-proc2-sample7.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc2-sample7.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc2-sample7.png
diff --git a/windows/keep-secure/images/adlocalaccounts-proc3-sample1.png b/windows/access-protection/access-control/images/adlocalaccounts-proc3-sample1.png
similarity index 100%
rename from windows/keep-secure/images/adlocalaccounts-proc3-sample1.png
rename to windows/access-protection/access-control/images/adlocalaccounts-proc3-sample1.png
diff --git a/windows/keep-secure/images/authorizationandaccesscontrolprocess.gif b/windows/access-protection/access-control/images/authorizationandaccesscontrolprocess.gif
similarity index 100%
rename from windows/keep-secure/images/authorizationandaccesscontrolprocess.gif
rename to windows/access-protection/access-control/images/authorizationandaccesscontrolprocess.gif
diff --git a/windows/keep-secure/images/corpnet.gif b/windows/access-protection/access-control/images/corpnet.gif
similarity index 100%
rename from windows/keep-secure/images/corpnet.gif
rename to windows/access-protection/access-control/images/corpnet.gif
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample1.png b/windows/access-protection/access-control/images/localaccounts-proc1-sample1.png
similarity index 100%
rename from windows/keep-secure/images/localaccounts-proc1-sample1.png
rename to windows/access-protection/access-control/images/localaccounts-proc1-sample1.png
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample2.png b/windows/access-protection/access-control/images/localaccounts-proc1-sample2.png
similarity index 100%
rename from windows/keep-secure/images/localaccounts-proc1-sample2.png
rename to windows/access-protection/access-control/images/localaccounts-proc1-sample2.png
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample3.png b/windows/access-protection/access-control/images/localaccounts-proc1-sample3.png
similarity index 100%
rename from windows/keep-secure/images/localaccounts-proc1-sample3.png
rename to windows/access-protection/access-control/images/localaccounts-proc1-sample3.png
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample4.png b/windows/access-protection/access-control/images/localaccounts-proc1-sample4.png
similarity index 100%
rename from windows/keep-secure/images/localaccounts-proc1-sample4.png
rename to windows/access-protection/access-control/images/localaccounts-proc1-sample4.png
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample5.png b/windows/access-protection/access-control/images/localaccounts-proc1-sample5.png
similarity index 100%
rename from windows/keep-secure/images/localaccounts-proc1-sample5.png
rename to windows/access-protection/access-control/images/localaccounts-proc1-sample5.png
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample6.png b/windows/access-protection/access-control/images/localaccounts-proc1-sample6.png
similarity index 100%
rename from windows/keep-secure/images/localaccounts-proc1-sample6.png
rename to windows/access-protection/access-control/images/localaccounts-proc1-sample6.png
diff --git a/windows/keep-secure/images/localaccounts-proc2-sample1.png b/windows/access-protection/access-control/images/localaccounts-proc2-sample1.png
similarity index 100%
rename from windows/keep-secure/images/localaccounts-proc2-sample1.png
rename to windows/access-protection/access-control/images/localaccounts-proc2-sample1.png
diff --git a/windows/keep-secure/images/localaccounts-proc2-sample2.png b/windows/access-protection/access-control/images/localaccounts-proc2-sample2.png
similarity index 100%
rename from windows/keep-secure/images/localaccounts-proc2-sample2.png
rename to windows/access-protection/access-control/images/localaccounts-proc2-sample2.png
diff --git a/windows/keep-secure/images/localaccounts-proc2-sample3.png b/windows/access-protection/access-control/images/localaccounts-proc2-sample3.png
similarity index 100%
rename from windows/keep-secure/images/localaccounts-proc2-sample3.png
rename to windows/access-protection/access-control/images/localaccounts-proc2-sample3.png
diff --git a/windows/keep-secure/images/security-identifider-architecture.jpg b/windows/access-protection/access-control/images/security-identifider-architecture.jpg
similarity index 100%
rename from windows/keep-secure/images/security-identifider-architecture.jpg
rename to windows/access-protection/access-control/images/security-identifider-architecture.jpg
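Review bot: the image is carried over as `security-identifider-architecture.jpg`, with "identifider" misspelled. Since its path changes in this commit anyway, consider renaming it to `security-identifier-architecture.jpg` and updating the reference in whichever topic embeds it, or open a follow-up so that the typo does not become permanent at the new location.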
diff --git a/windows/keep-secure/local-accounts.md b/windows/access-protection/access-control/local-accounts.md
similarity index 97%
rename from windows/keep-secure/local-accounts.md
rename to windows/access-protection/access-control/local-accounts.md
index 3e50de5cc8..d0998ff99e 100644
--- a/windows/keep-secure/local-accounts.md
+++ b/windows/access-protection/access-control/local-accounts.md
@@ -123,7 +123,7 @@ By default, the Guest account is the only member of the default Guests group, wh
When an administrator enables the Guest account, it is a best practice to create a strong password for this account. In addition, the administrator on the computer should also grant only limited rights and permissions for the Guest account. For security reasons, the Guest account should not be used over the network and made accessible to other computers.
-When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right.
+When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system) user right.
In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
@@ -200,7 +200,7 @@ In addition, UAC can require administrators to specifically approve applications
For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but with the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration.
-For more information about UAC, see [User Account Control](user-account-control-overview.md).
+For more information about UAC, see [User Account Control](/windows/access-protection/user-account-control/user-account-control-overview).
The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.
@@ -224,7 +224,7 @@ The following table shows the Group Policy and registry settings that are used t
1
Policy name
-
[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)
+
[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)
@@ -239,7 +239,7 @@ The following table shows the Group Policy and registry settings that are used t
Policy name
-
[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)
+
[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)
@@ -368,7 +368,7 @@ The following table shows the Group Policy settings that are used to deny networ
1
Policy name
-
[Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)
+
[Deny access to this computer from the network](/windows/device-security/security-policy-settings/deny-access-to-this-computer-from-the-network)
@@ -384,7 +384,7 @@ The following table shows the Group Policy settings that are used to deny networ
Policy name
-
[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)
+
[Deny log on through Remote Desktop Services](/windows/device-security/security-policy-settings/deny-log-on-through-remote-desktop-services)
diff --git a/windows/keep-secure/microsoft-accounts.md b/windows/access-protection/access-control/microsoft-accounts.md
similarity index 95%
rename from windows/keep-secure/microsoft-accounts.md
rename to windows/access-protection/access-control/microsoft-accounts.md
index 6bea7ac9aa..4b54894c21 100644
--- a/windows/keep-secure/microsoft-accounts.md
+++ b/windows/access-protection/access-control/microsoft-accounts.md
@@ -118,7 +118,7 @@ Depending on your IT and business models, introducing Microsoft accounts into yo
### Restrict the use of the Microsoft account
-If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain.
+If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain.
The default for this setting is **Disabled**, which enables users to use their Microsoft accounts on devices that are joined to your domain. Other options in the setting can:
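Review bot: The replacement link for "Accounts: Block Microsoft accounts" points at /windows/device-security/security-policy-settings/accounts-block-microsoft-accounts, but the renames visible in this commit move files into windows/access-protection/, and nothing shown here creates the device-security path. Please confirm that the security-policy-settings topics are moved in the same change or already exist at that path, otherwise this link breaks on publish. The commit message should also say why these links become site-absolute and extensionless while the new change-history file still uses relative .md links such as index.md.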
@@ -151,7 +151,7 @@ Only the owner of the Microsoft account can change the password. Passwords can b
### Restrict app installation and usage
-Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](applocker-overview.md) and [Packaged Apps and Packaged App Installer Rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
+Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](/windows/device-security/applocker/applocker-overview) and [Packaged Apps and Packaged App Installer Rules in AppLocker](/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker).
## See also
diff --git a/windows/keep-secure/security-identifiers.md b/windows/access-protection/access-control/security-identifiers.md
similarity index 100%
rename from windows/keep-secure/security-identifiers.md
rename to windows/access-protection/access-control/security-identifiers.md
diff --git a/windows/keep-secure/security-principals.md b/windows/access-protection/access-control/security-principals.md
similarity index 98%
rename from windows/keep-secure/security-principals.md
rename to windows/access-protection/access-control/security-principals.md
index 8bf4f7abd7..0efda2d6b6 100644
--- a/windows/keep-secure/security-principals.md
+++ b/windows/access-protection/access-control/security-principals.md
@@ -83,7 +83,7 @@ Permissions are different from user rights in that permissions are attached to o
On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers.
-For information about which user rights are available and how they can be implemented, see [User Rights Assignment](user-rights-assignment.md).
+For information about which user rights are available and how they can be implemented, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment).
### Security context in authentication
diff --git a/windows/keep-secure/service-accounts.md b/windows/access-protection/access-control/service-accounts.md
similarity index 100%
rename from windows/keep-secure/service-accounts.md
rename to windows/access-protection/access-control/service-accounts.md
diff --git a/windows/keep-secure/special-identities.md b/windows/access-protection/access-control/special-identities.md
similarity index 86%
rename from windows/keep-secure/special-identities.md
rename to windows/access-protection/access-control/special-identities.md
index 2e3aa71e3e..dde80b2a45 100644
--- a/windows/keep-secure/special-identities.md
+++ b/windows/access-protection/access-control/special-identities.md
@@ -145,9 +145,9 @@ Any user who accesses the system through a sign-in process has the Authenticated
Default User Rights
-
[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight
-
[Add workstations to domain](add-workstations-to-domain.md): SeMachineAccountPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
+
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
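Review bot: The two removed entries in this Default User Rights cell, "Access this computer from the network" (SeNetworkLogonRight) and "Add workstations to domain" (SeMachineAccountPrivilege), have no matching added lines in the hunk as shown; the only added entry is "Replace a process level token". Since this is a link-path update, each right should reappear with its new /windows/device-security/security-policy-settings/ link. Please check that neither was dropped from the table.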
@@ -617,13 +617,13 @@ The Network Service account is similar to an Authenticated User account. The Net
Default User Rights
-
[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
+
[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege
+
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
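Review bot: "Adjust memory quotas for a process" (SeIncreaseQuotaPrivilege) is removed from the Network Service Default User Rights list and does not reappear among the added lines, which only cover "Restore files and directories" and "Replace a process level token". Confirm the entry is kept with the updated link so the documented rights for this account stay complete.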
@@ -885,8 +885,8 @@ Any service that accesses the system has the Service identity. This identity gro
Default User Rights
-
[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege
-
[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege
+
[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
+
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
@@ -996,8 +996,8 @@ Any user accessing the system through Terminal Services has the Terminal Server
[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
diff --git a/windows/access-protection/change-history-for-access-protection.md b/windows/access-protection/change-history-for-access-protection.md
new file mode 100644
index 0000000000..84f9f86663
--- /dev/null
+++ b/windows/access-protection/change-history-for-access-protection.md
@@ -0,0 +1,17 @@
+---
+title: Change history for access protection (Windows 10)
+description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Change history for access protection
+This topic lists new and updated topics in the [Access protection](index.md) documentation.
+
+## March 2017
+|New or changed topic |Description |
+|---------------------|------------|
+|[Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
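Review bot: In the March 2017 table row, "Window 10, version 1703" should read "Windows 10, version 1703". The front-matter description also repeats itself ("the Windows 10 access protection documentation for Windows 10 and Windows 10 Mobile") and could be shortened. A blank line between the "## March 2017" heading and the table header would keep the table rendering reliably across Markdown processors.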
diff --git a/windows/keep-secure/configure-s-mime.md b/windows/access-protection/configure-s-mime.md
similarity index 100%
rename from windows/keep-secure/configure-s-mime.md
rename to windows/access-protection/configure-s-mime.md
diff --git a/windows/access-protection/credential-guard/additional-mitigations.md b/windows/access-protection/credential-guard/additional-mitigations.md
new file mode 100644
index 0000000000..706bdef10b
--- /dev/null
+++ b/windows/access-protection/credential-guard/additional-mitigations.md
@@ -0,0 +1,612 @@
+---
+title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10)
+description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+## Additional mitigations
+
+Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
+
+### Restricting domain users to specific domain-joined devices
+
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
+
+#### Kerberos armoring
+
+Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
+
+**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
+
+- Users need to be in domains that are running Windows Server 2012 R2 or higher
+- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
+- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
+
+#### Protecting domain-joined device secrets
+
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+
+Domain-joined device certificate authentication has the following requirements:
+- Devices' accounts are in Windows Server 2012 domain functional level or higher.
+- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
+ - KDC EKU present
+ - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
+- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
+- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
+
+##### Deploying domain-joined device certificates
+
+To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
+
+For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
+
+**Creating a new certificate template**
+
+1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
+2. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
+3. Right-click the new template, and then click **Properties**.
+4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
+5. Click **Client Authentication**, and then click **Remove**.
+6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
+ - Name: Kerberos Client Auth
+ - Object Identifier: 1.3.6.1.5.2.3.4
+7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
+8. Under **Issuance Policies**, click**High Assurance**.
+9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
+
+Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
+
+**Enrolling devices in a certificate**
+
+Run the following command:
+``` syntax
+CertReq -EnrollCredGuardCert MachineAuthentication
+```
+
+> [!NOTE]
+> You must restart the device after enrolling the machine authentication certificate.
+
+##### How a certificate issuance policy can be used for access control
+
+Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
+
+**To see the issuance policies available**
+
+- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
+ From a Windows PowerShell command prompt, run the following command:
+
+ ``` syntax
+ .\get-IssuancePolicy.ps1 –LinkedToGroup:All
+ ```
+
+**To link an issuance policy to a universal security group**
+
+- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
+ From a Windows PowerShell command prompt, run the following command:
+
+ ``` syntax
+ .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
+ ```
+
+#### Restricting user sign on
+
+So we now have completed the following:
+
+- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
+- Mapped that policy to a universal security group or claim
+- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
+
+Authentication policies have the following requirements:
+- User accounts are in a Windows Server 2012 domain functional level or higher domain.
+
+**Creating an authentication policy restricting users to the specific universal security group**
+
+1. Open Active Directory Administrative Center.
+2. Click **Authentication**, click **New**, and then click **Authentication Policy**.
+3. In the **Display name** box, enter a name for this authentication policy.
+4. Under the **Accounts** heading, click **Add**.
+5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
+6. Under the **User Sign On** heading, click the **Edit** button.
+7. Click **Add a condition**.
+8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**.
+9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
+10. Click **OK** to close the **Edit Access Control Conditions** box.
+11. Click **OK** to create the authentication policy.
+12. Close Active Directory Administrative Center.
+
+> [!NOTE]
+> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
+
+##### Discovering authentication failures due to authentication policies
+
+To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
+
+To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
+
+### Appendix: Scripts
+
+Here is a list of scripts mentioned in this topic.
+
+#### Get the available issuance policies on the certificate authority
+
+Save this script file as get-IssuancePolicy.ps1.
+
+``` syntax
+#######################################
+## Parameters to be defined ##
+## by the user ##
+#######################################
+Param (
+$Identity,
+$LinkedToGroup
+)
+#######################################
+## Strings definitions ##
+#######################################
+Data getIP_strings {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted.
+help2 = Usage:
+help3 = The following parameter is mandatory:
+help4 = -LinkedToGroup:
+help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups.
+help6 = "no" will return only Issuance Policies that are not currently linked to any group.
+help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
+help8 = The following parameter is optional:
+help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
+help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
+help11 = Examples:
+errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
+ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
+ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
+ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members:
+LinkedIPs = The following Issuance Policies are linked to groups:
+displayName = displayName : {0}
+Name = Name : {0}
+dn = distinguishedName : {0}
+ InfoName = Linked Group Name: {0}
+ InfoDN = Linked Group DN: {0}
+NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
+'@
+}
+##Import-LocalizedData getIP_strings
+import-module ActiveDirectory
+#######################################
+## Help ##
+#######################################
+function Display-Help {
+ ""
+ $getIP_strings.help1
+ ""
+$getIP_strings.help2
+""
+$getIP_strings.help3
+" " + $getIP_strings.help4
+" " + $getIP_strings.help5
+ " " + $getIP_strings.help6
+ " " + $getIP_strings.help7
+""
+$getIP_strings.help8
+ " " + $getIP_strings.help9
+ ""
+ $getIP_strings.help10
+""
+""
+$getIP_strings.help11
+ " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
+ " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
+ " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance"""
+""
+}
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+$configNCDN = [String]$root.configurationNamingContext
+if ( !($Identity) -and !($LinkedToGroup) ) {
+display-Help
+break
+}
+if ($Identity) {
+ $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties *
+ if ($OIDs -eq $null) {
+$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity
+write-host $errormsg -ForegroundColor Red
+ }
+ foreach ($OID in $OIDs) {
+ if ($OID."msDS-OIDToGroupLink") {
+# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping.
+ $groupDN = $OID."msDS-OIDToGroupLink"
+ $group = get-adgroup -Identity $groupDN
+ $groupName = $group.Name
+# Analyze the group
+ if ($group.groupCategory -ne "Security") {
+$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName
+ write-host $errormsg -ForegroundColor Red
+ }
+ if ($group.groupScope -ne "Universal") {
+ $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName
+write-host $errormsg -ForegroundColor Red
+ }
+ $members = Get-ADGroupMember -Identity $group
+ if ($members) {
+ $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName
+write-host $errormsg -ForegroundColor Red
+ foreach ($member in $members) {
+ write-host " " $member -ForeGroundColor Red
+ }
+ }
+ }
+ }
+ return $OIDs
+ break
+}
+if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
+ $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
+ $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
+ write-host ""
+ write-host "*****************************************************"
+ write-host $getIP_strings.LinkedIPs
+ write-host "*****************************************************"
+ write-host ""
+ if ($LinkedOIDs -ne $null){
+ foreach ($OID in $LinkedOIDs) {
+# Display basic information about the Issuance Policies
+ ""
+ $getIP_strings.displayName -f $OID.displayName
+ $getIP_strings.Name -f $OID.Name
+ $getIP_strings.dn -f $OID.distinguishedName
+# Get the linked group.
+ $groupDN = $OID."msDS-OIDToGroupLink"
+ $group = get-adgroup -Identity $groupDN
+ $getIP_strings.InfoName -f $group.Name
+ $getIP_strings.InfoDN -f $groupDN
+# Analyze the group
+ $OIDName = $OID.displayName
+ $groupName = $group.Name
+ if ($group.groupCategory -ne "Security") {
+ $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName
+ write-host $errormsg -ForegroundColor Red
+ }
+ if ($group.groupScope -ne "Universal") {
+ $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName
+ write-host $errormsg -ForegroundColor Red
+ }
+ $members = Get-ADGroupMember -Identity $group
+ if ($members) {
+ $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName
+ write-host $errormsg -ForegroundColor Red
+ foreach ($member in $members) {
+ write-host " " $member -ForeGroundColor Red
+ }
+ }
+ write-host ""
+ }
+ }else{
+write-host "There are no issuance policies that are mapped to a group"
+ }
+ if ($LinkedToGroup -eq "yes") {
+ return $LinkedOIDs
+ break
+ }
+}
+if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {
+ $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
+ $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
+ write-host ""
+ write-host "*********************************************************"
+ write-host $getIP_strings.NonLinkedIPs
+ write-host "*********************************************************"
+ write-host ""
+ if ($NonLinkedOIDs -ne $null) {
+ foreach ($OID in $NonLinkedOIDs) {
+# Display basic information about the Issuance Policies
+write-host ""
+$getIP_strings.displayName -f $OID.displayName
+$getIP_strings.Name -f $OID.Name
+$getIP_strings.dn -f $OID.distinguishedName
+write-host ""
+ }
+ }else{
+write-host "There are no issuance policies which are not mapped to groups"
+ }
+ if ($LinkedToGroup -eq "no") {
+ return $NonLinkedOIDs
+ break
+ }
+}
+```
+> [!NOTE]
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+
+#### Link an issuance policy to a group
+
+Save the script file as set-IssuancePolicyToGroupLink.ps1.
+
+``` syntax
+#######################################
+## Parameters to be defined ##
+## by the user ##
+#######################################
+Param (
+$IssuancePolicyName,
+$groupOU,
+$groupName
+)
+#######################################
+## Strings definitions ##
+#######################################
+Data ErrorMsg {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
+help2 = Usage:
+help3 = The following parameters are required:
+help4 = -IssuancePolicyName:
+help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy.
+help6 = The following parameter is optional:
+help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container.
+help8 = Examples:
+help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
+help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
+MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
+NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
+IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
+MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
+confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it?
+OUCreationSuccess = Organizational Unit "{0}" successfully created.
+OUcreationError = Error: Organizational Unit "{0}" could not be created.
+OUFoundSuccess = Organizational Unit "{0}" was successfully found.
+multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".
+confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
+groupCreationSuccess = Univeral Security group "{0}" successfully created.
+groupCreationError = Error: Univeral Security group "{0}" could not be created.
+GroupFound = Group "{0}" was successfully found.
+confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
+UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
+UnlinkError = Removing the link failed.
+UnlinkExit = Exiting without removing the link from the issuance policy to the group.
+IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
+ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
+ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
+ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
+ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
+LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
+LinkError = The certificate issuance policy could not be linked to the specified group.
+ExitNoLinkReplacement = Exiting without setting the new link.
+'@
+}
+# import-localizeddata ErrorMsg
+function Display-Help {
+""
+write-host $ErrorMsg.help1
+""
+write-host $ErrorMsg.help2
+""
+write-host $ErrorMsg.help3
+write-host "`t" $ErrorMsg.help4
+write-host "`t" $ErrorMsg.help5
+""
+write-host $ErrorMsg.help6
+write-host "`t" $ErrorMsg.help7
+""
+""
+write-host $ErrorMsg.help8
+""
+write-host $ErrorMsg.help9
+".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
+""
+write-host $ErrorMsg.help10
+'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
+""
+}
+# Assumption: The group to which the Issuance Policy is going
+# to be linked is (or is going to be created) in
+# the domain the user running this script is a member of.
+import-module ActiveDirectory
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+if ( !($IssuancePolicyName) ) {
+display-Help
+break
+}
+#######################################
+## Find the OID object ##
+## (aka Issuance Policy) ##
+#######################################
+$searchBase = [String]$root.configurationnamingcontext
+$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
+if ($OID -eq $null) {
+$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($OID.GetType().IsArray) {
+$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+else {
+$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
+write-host $tmp -ForeGroundColor Green
+}
+#######################################
+## Find the container of the group ##
+#######################################
+if ($groupOU -eq $null) {
+# default to the Users container
+$groupContainer = $domain.UsersContainer
+}
+else {
+$searchBase = [string]$domain.DistinguishedName
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+if ($groupContainer.count -gt 1) {
+$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
+write-host $tmp -ForegroundColor Red
+break;
+}
+elseif ($groupContainer -eq $null) {
+$tmp = $ErrorMsg.confirmOUcreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
+if ($?){
+$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
+write-host $tmp -ForegroundColor Green
+}
+else{
+$tmp = $ErrorMsg.OUCreationError -f $groupOU
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
+write-host $tmp -ForegroundColor Green
+}
+}
+#######################################
+## Find the group ##
+#######################################
+if (($groupName -ne $null) -and ($groupName -ne "")){
+##$searchBase = [String]$groupContainer.DistinguishedName
+$searchBase = $groupContainer
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+if ($group -ne $null -and $group.gettype().isarray) {
+$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($group -eq $null) {
+$tmp = $ErrorMsg.confirmGroupCreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
+if ($?){
+$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
+write-host $tmp -ForegroundColor Green
+}else{
+$tmp = $ErrorMsg.groupCreationError -f $groupName
+write-host $tmp -ForeGroundColor Red
+break
+}
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.GroupFound -f $group.Name
+write-host $tmp -ForegroundColor Green
+}
+}
+else {
+#####
+## If the group is not specified, we should remove the link if any exists
+#####
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
+if ($?) {
+$tmp = $ErrorMsg.UnlinkSuccess
+write-host $tmp -ForeGroundColor Green
+}else{
+$tmp = $ErrorMsg.UnlinkError
+write-host $tmp -ForeGroundColor Red
+}
+}
+else {
+$tmp = $ErrorMsg.UnlinkExit
+write-host $tmp
+break
+}
+}
+else {
+$tmp = $ErrorMsg.IPNotLinked
+write-host $tmp -ForeGroundColor Yellow
+}
+break;
+}
+#######################################
+## Verify that the group is ##
+## Universal, Security, and ##
+## has no members ##
+#######################################
+if ($group.GroupScope -ne "Universal") {
+$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+if ($group.GroupCategory -ne "Security") {
+$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$members = Get-ADGroupMember -Identity $group
+if ($members -ne $null) {
+$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}
+break;
+}
+#######################################
+## We have verified everything. We ##
+## can create the link from the ##
+## Issuance Policy to the group. ##
+#######################################
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
+write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Replace $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+} else {
+$tmp = $Errormsg.ExitNoLinkReplacement
+write-host $tmp
+break
+}
+}
+else {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Add $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+}
+```
+
+> [!NOTE]
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
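Review bot: In the "has no members" check, `write-host " $member.name"` will not print the member's name: inside a double-quoted string PowerShell expands only `$member` and then appends the literal text `.name`. Use `" $($member.name)"` instead. Separately, every error path aborts with a bare `break` outside any loop; if the script is called from inside a caller's loop, that `break` propagates to the caller, so `return` or `exit 1` is the safer way to stop. The default branch also sets `$groupContainer = $domain.UsersContainer`, while `new-adgroup` later reads `$groupContainer.distinguishedName`; if `UsersContainer` is a plain DN string, that property is empty and the `-path` argument will not be what was intended, so that branch is worth testing. The closing note ("try replacing the single quote after the ConvertFrom-StringData parameter") should say what to replace the quote with.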
diff --git a/windows/keep-secure/credential-guard-considerations.md b/windows/access-protection/credential-guard/credential-guard-considerations.md
similarity index 68%
rename from windows/keep-secure/credential-guard-considerations.md
rename to windows/access-protection/credential-guard/credential-guard-considerations.md
index c2bc39226d..0adc21dd7f 100644
--- a/windows/keep-secure/credential-guard-considerations.md
+++ b/windows/access-protection/credential-guard/credential-guard-considerations.md
@@ -1,4 +1,4 @@
----
+---
title: Considerations when using Credential Guard (Windows 10)
description: Considerations and recommendations for certain scenarios when using Credential Guard in Windows 10.
ms.prod: w10
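Review bot: The only change in this hunk is line 1, where `---` is removed and an identical-looking `---` is added, so the real difference is invisible here (presumably a byte-order mark or whitespace). Confirm it is intentional and mention it in the commit message, since the same one-line change recurs in credential-guard-manage.md.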
@@ -17,19 +17,8 @@ author: brianlic-msft
Prefer video? See [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
in the Deep Dive into Credential Guard video series.
-
-- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain.
-- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0
- - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run.
- - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
- - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
- - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
- You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
-- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
+
+- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
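Review bot: The removed bullets carry two operational recommendations (enable Credential Guard before the PC is joined to a domain, and review WinInit event IDs 13 to 17 plus Kernel-Boot event ID 51), and after this hunk the list no longer mentions either. They reappear in credential-guard-manage.md, so add a one-line pointer here to that section for readers who are planning a deployment rather than managing one. The `-`/`+` pair for the "Passwords are still weak" bullet looks like whitespace-only churn and could be dropped from the change.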
@@ -38,7 +27,6 @@ in the Deep Dive into Credential Guard video series.
- Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
- You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
- Credential Guard uses hardware security so some features, such as Windows To Go, are not supported.
-
## NTLM and CHAP Considerations
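Review bot: Removing the blank line leaves `## NTLM and CHAP Considerations` directly after the last list item ("... Windows To Go, are not supported."). Keep a blank line before the heading so that stricter or older Markdown renderers cannot parse it as part of the list.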
diff --git a/windows/keep-secure/credential-guard-how-it-works.md b/windows/access-protection/credential-guard/credential-guard-how-it-works.md
similarity index 100%
rename from windows/keep-secure/credential-guard-how-it-works.md
rename to windows/access-protection/credential-guard/credential-guard-how-it-works.md
diff --git a/windows/access-protection/credential-guard/credential-guard-known-issues.md b/windows/access-protection/credential-guard/credential-guard-known-issues.md
new file mode 100644
index 0000000000..b9cacf0bc7
--- /dev/null
+++ b/windows/access-protection/credential-guard/credential-guard-known-issues.md
@@ -0,0 +1,70 @@
+---
+title: Credential Guard Known issues (Windows 10)
+description: Credential Guard - Known issues in Windows 10 Enterprise
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Credential Guard: Known issues
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Credential Guard has certain application requirements. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
+
+The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
+
+- KB4015217: [Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/en-us/help/4015217/windows-10-update-kb4015217)
+
+ This issue can potentially lead to unexpected account lockouts.
+See also Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us/help/4015219/windows-10-update-kb4015219) and
+[KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221)
+
+The following issue is under investigation. For available workarounds, see the following Knowledge Base article:
+- [Installing AppSense Environment Manager on Windows 10 machines causes LsaIso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) *
+
+ *Registration required to access this article.
+
+- [Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)**
+
+ **Registration required to access this article.
+
+Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base articles:
+
+- KB88869: [Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869)
+
+
+- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled.
+
+ Microsoft is currently working with Citrix to investigate this issue.
+
+
+## Vendor support
+
+- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
+
+Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
+
+- For Credential Guard on Windows 10 with McAfee Encryption products, see:
+[Support for Device Guard and Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
+
+- For Credential Guard on Windows 10 with Check Point Endpoint Security Client, see:
+[Check Point Endpoint Security Client support for Microsoft Windows 10 Credential Guard and Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
+
+- For Credential Guard on Windows 10 with VMWare Workstation
+[Windows 10 host fails when running VMWare Workstation when Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
+
+- For Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad
+[ThinkPad support for Device Guard and Credential Guard in Microsoft Windows 10 – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
+
+- For Credential Guard on Windows 10 with Symantec Endpoint Protection
+[Windows 10 with Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
+
+ This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Credential guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Credential Guard.
+
+ Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
\ No newline at end of file
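Review bot: Under "Vendor support", the sentence "Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:" is ungrammatical and sits directly after a link titled "Citrix Support for Secure Boot", so a reader cannot tell which entries are support statements and which are incompatibilities. Split the section into a supported list and an unsupported list, and reword to something like "Credential Guard is not supported with the following products, product versions, computer systems, or Windows 10 versions:". Smaller points: "The following issue is under investigation" introduces two items; "see the following Knowledge Base articles" is followed by one KB link and one unlinked Citrix bullet; the AppSense link uses `http://`; "Credential guard" in the closing paragraph should be "Credential Guard"; and the file has no trailing newline.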
diff --git a/windows/keep-secure/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md
similarity index 67%
rename from windows/keep-secure/credential-guard-manage.md
rename to windows/access-protection/credential-guard/credential-guard-manage.md
index a70d85eb17..9396f2dd47 100644
--- a/windows/keep-secure/credential-guard-manage.md
+++ b/windows/access-protection/credential-guard/credential-guard-manage.md
@@ -1,4 +1,4 @@
----
+---
title: Manage Credential Guard (Windows 10)
description: Deploying and managing Credential Guard using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool.
ms.prod: w10
@@ -15,11 +15,12 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
-Prefer video? See [Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
-in the Deep Dive into Credential Guard video series.
+Prefer video? See [Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Credential Guard video series.
## Enable Credential Guard
-Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
+Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
+The same set of procedures used to enable Credential Guard on physical machines applies also to virtual machines.
+
### Enable Credential Guard by using Group Policy
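Review bot: The added intro sentence "Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine" duplicates the sentence that still opens "Credential Guard deployment in virtual machines" later in the file; keep it in one place and link to the other. The word "either" in "can be enabled either by using" is followed by three options, so drop it. The in-page links were renamed to `#enable-credential-guard-by-using-...`; only the Group Policy heading is visible in this hunk, so check that the registry heading really produces the `#enable-credential-guard-by-using-the-registry` slug.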
@@ -41,7 +42,7 @@ To enforce processing of the group policy, you can run ```gpupdate /force```.
If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
-### Add the virtualization-based security features
+#### Add the virtualization-based security features
Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
@@ -74,7 +75,7 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window
> [!NOTE]
> You can also add these features to an online image by using either DISM or Configuration Manager.
-### Enable virtualization-based security and Credential Guard
+#### Enable virtualization-based security and Credential Guard
1. Open Registry Editor.
2. Enable virtualization-based security:
@@ -101,22 +102,18 @@ DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot
### Credential Guard deployment in virtual machines
-Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine.
+Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
-Credential Guard protects secrets from non-privileged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine:
+#### Requirements for running Credential Guard in Hyper-V virtual machines
-``` PowerShell
-Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
-```
-
-Requirements for running Credential Guard in Hyper-V virtual machines
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
+### Review Credential Guard performance
-### Check that Credential Guard is running
+**Is Credential Guard running?**
-You can use System Information to ensure that Credential Guard is running on a PC.
+You can view System Information to check that Credential Guard is running on a PC.
1. Click **Start**, type **msinfo32.exe**, and then click **System Information**.
2. Click **System Summary**.
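Review bot: The new heading `### Review Credential Guard performance` does not describe what follows, which is how to check that Credential Guard is running and which events to audit; nothing in the section is about performance. A title such as "Verify that Credential Guard is running" fits the content and stays close to the removed "Check that Credential Guard is running". The heading is also added with no blank line after the requirements list. In the unchanged requirements bullet, "have an enabled virtual TPM, and running at least" should read "and run at least" while this area is being edited.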
@@ -132,10 +129,26 @@ You can also check that Credential Guard is running by using the [Device Guard a
DG_Readiness_Tool_v3.0.ps1 -Ready
```
+> [!NOTE]
-### Remove Credential Guard
+For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features.
-If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
+- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard should be enabled before the PC is joined to a domain.
+
+- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
+ - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
+ - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0
+ - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run.
+ - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
+ - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
+ - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
+ - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
+ You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
+ - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+
+## Disable Credential Guard
+
+If you have to disable Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**).
2. Delete the following registry settings:
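Review bot: The added `> [!NOTE]` has no quoted body: the next added line, "For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features.", lacks the `> ` prefix, so the note renders empty and the text becomes an ordinary paragraph. Prefix that line with `> `. In the moved event list, the sample for Event ID 51 ends with "TPM PCR mask: 0x0", while the sentence just above says a TPM-backed system shows a value other than 0; either state that the sample is from a machine without TPM key protection or use a non-zero sample, because auditors will compare their logs against this text. The two recommendation bullets (enable before domain join, perform regular reviews) are also placed directly under the 1703 remark with no lead-in sentence of their own.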
@@ -146,11 +159,7 @@ If you have to remove Credential Guard on a PC, you can use the following set of
> [!IMPORTANT]
> If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
-3. Delete the Credential Guard EFI variables by using bcdedit.
-
-**Delete the Credential Guard EFI variables**
-
-1. From an elevated command prompt, type the following commands:
+3. Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
``` syntax
mountvol X: /s
@@ -177,10 +186,10 @@ If you have to remove Credential Guard on a PC, you can use the following set of
> [!NOTE]
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
-For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
+For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
-#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
+#### Disable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
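Review bot: Renaming the heading to "Disable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool" may break the in-page link `#turn-off-with-hardware-readiness-tool` that the "Disable Credential Guard" intro still uses; verify that the anchor resolves or update the link. The heading also stays at `####` while its new parent is `## Disable Credential Guard`, which skips a level. In the note above it, the command `bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS` is run into the prose; give it code formatting so it can be copied exactly.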
@@ -188,5 +197,15 @@ You can also disable Credential Guard by using the [Device Guard and Credential
DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
```
+#### Disable Credential Guard for a virtual machine
+
+From the host, you can disable Credential Guard for a virtual machine:
+
+``` PowerShell
+Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
+```
+
+
+
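Review bot: `Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` has no value after `-VMName`, so it fails as written; the placeholder was probably lost to unescaped angle brackets. Restore it in a form that survives rendering, for example `-VMName <VMName>` inside the code fence. Because this lets a host administrator switch the protection off for a guest, add a sentence that ties it to the earlier statement that Credential Guard gives no additional protection from the host. The three trailing blank `+` lines can be dropped.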
diff --git a/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md
new file mode 100644
index 0000000000..bce8580dfb
--- /dev/null
+++ b/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -0,0 +1,641 @@
+---
+title: Credential Guard protection limits (Windows 10)
+description: Scenarios not protected by Credential Guard in Windows 10.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Credential Guard protection limits
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+in the Deep Dive into Credential Guard video series.
+
+Some ways to store credentials are not protected by Credential Guard, including:
+
+- Software that manages credentials outside of Windows feature protection
+- Local accounts and Microsoft Accounts
+- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
+- Key loggers
+- Physical attacks
+- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
+- Third-party security packages
+- Digest and CredSSP credentials
+ - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
+- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.-
+- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
+- Windows logon cached password verifiers (commonly called "cached credentials")
+do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
+
+## Additional mitigations
+
+Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
+
+### Restricting domain users to specific domain-joined devices
+
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
+
+#### Kerberos armoring
+
+Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
+
+**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
+
+- Users need to be in domains that are running Windows Server 2012 R2 or higher
+- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
+- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
+
+#### Protecting domain-joined device secrets
+
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+
+Domain-joined device certificate authentication has the following requirements:
+- Devices' accounts are in Windows Server 2012 domain functional level or higher.
+- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
+ - KDC EKU present
+ - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
+- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
+- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
+
+##### Deploying domain-joined device certificates
+
+To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
+
+For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
+
+**Creating a new certificate template**
+
+1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
+2. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
+3. Right-click the new template, and then click **Properties**.
+4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
+5. Click **Client Authentication**, and then click **Remove**.
+6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
+ - Name: Kerberos Client Auth
+ - Object Identifier: 1.3.6.1.5.2.3.4
+7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
+8. Under **Issuance Policies**, click**High Assurance**.
+9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
+
+Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
+
+**Enrolling devices in a certificate**
+
+Run the following command:
+``` syntax
+CertReq -EnrollCredGuardCert MachineAuthentication
+```
+
+> [!NOTE]
+> You must restart the device after enrolling the machine authentication certificate.
+
+##### How a certificate issuance policy can be used for access control
+
+Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
+
+**To see the issuance policies available**
+
+- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
+ From a Windows PowerShell command prompt, run the following command:
+
+ ``` syntax
+ .\get-IssuancePolicy.ps1 –LinkedToGroup:All
+ ```
+
+**To link an issuance policy to a universal security group**
+
+- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
+ From a Windows PowerShell command prompt, run the following command:
+
+ ``` syntax
+ .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
+ ```
+
+#### Restricting user sign on
+
+So we now have completed the following:
+
+- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
+- Mapped that policy to a universal security group or claim
+- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
+
+Authentication policies have the following requirements:
+- User accounts are in a Windows Server 2012 domain functional level or higher domain.
+
+**Creating an authentication policy restricting users to the specific universal security group**
+
+1. Open Active Directory Administrative Center.
+2. Click **Authentication**, click **New**, and then click **Authentication Policy**.
+3. In the **Display name** box, enter a name for this authentication policy.
+4. Under the **Accounts** heading, click **Add**.
+5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
+6. Under the **User Sign On** heading, click the **Edit** button.
+7. Click **Add a condition**.
+8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**.
+9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
+10. Click **OK** to close the **Edit Access Control Conditions** box.
+11. Click **OK** to create the authentication policy.
+12. Close Active Directory Administrative Center.
+
+> [!NOTE]
+> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
+
+##### Discovering authentication failures due to authentication policies
+
+To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
+
+To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
+
+
+
+
+### Appendix: Scripts
+
+
+Here is a list of scripts mentioned in this topic.
+
+#### Get the available issuance policies on the certificate authority
+
+Save this script file as get-IssuancePolicy.ps1.
+
+``` syntax
+#######################################
+## Parameters to be defined ##
+## by the user ##
+#######################################
+Param (
+$Identity,
+$LinkedToGroup
+)
+#######################################
+## Strings definitions ##
+#######################################
+Data getIP_strings {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted.
+help2 = Usage:
+help3 = The following parameter is mandatory:
+help4 = -LinkedToGroup:
+help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups.
+help6 = "no" will return only Issuance Policies that are not currently linked to any group.
+help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
+help8 = The following parameter is optional:
+help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
+help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
+help11 = Examples:
+errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
+ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
+ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
+ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members:
+LinkedIPs = The following Issuance Policies are linked to groups:
+displayName = displayName : {0}
+Name = Name : {0}
+dn = distinguishedName : {0}
+ InfoName = Linked Group Name: {0}
+ InfoDN = Linked Group DN: {0}
+NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
+'@
+}
+##Import-LocalizedData getIP_strings
+import-module ActiveDirectory
+#######################################
+## Help ##
+#######################################
+function Display-Help {
+ ""
+ $getIP_strings.help1
+ ""
+$getIP_strings.help2
+""
+$getIP_strings.help3
+" " + $getIP_strings.help4
+" " + $getIP_strings.help5
+ " " + $getIP_strings.help6
+ " " + $getIP_strings.help7
+""
+$getIP_strings.help8
+ " " + $getIP_strings.help9
+ ""
+ $getIP_strings.help10
+""
+""
+$getIP_strings.help11
+ " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
+ " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
+ " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance"""
+""
+}
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+$configNCDN = [String]$root.configurationNamingContext
+if ( !($Identity) -and !($LinkedToGroup) ) {
+display-Help
+break
+}
+if ($Identity) {
+ $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties *
+ if ($OIDs -eq $null) {
+$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity
+write-host $errormsg -ForegroundColor Red
+ }
+ foreach ($OID in $OIDs) {
+ if ($OID."msDS-OIDToGroupLink") {
+# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping.
+ $groupDN = $OID."msDS-OIDToGroupLink"
+ $group = get-adgroup -Identity $groupDN
+ $groupName = $group.Name
+# Analyze the group
+ if ($group.groupCategory -ne "Security") {
+$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName
+ write-host $errormsg -ForegroundColor Red
+ }
+ if ($group.groupScope -ne "Universal") {
+ $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName
+write-host $errormsg -ForegroundColor Red
+ }
+ $members = Get-ADGroupMember -Identity $group
+ if ($members) {
+ $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName
+write-host $errormsg -ForegroundColor Red
+ foreach ($member in $members) {
+ write-host " " $member -ForeGroundColor Red
+ }
+ }
+ }
+ }
+ return $OIDs
+ break
+}
+if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
+ $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
+ $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
+ write-host ""
+ write-host "*****************************************************"
+ write-host $getIP_strings.LinkedIPs
+ write-host "*****************************************************"
+ write-host ""
+ if ($LinkedOIDs -ne $null){
+ foreach ($OID in $LinkedOIDs) {
+# Display basic information about the Issuance Policies
+ ""
+ $getIP_strings.displayName -f $OID.displayName
+ $getIP_strings.Name -f $OID.Name
+ $getIP_strings.dn -f $OID.distinguishedName
+# Get the linked group.
+ $groupDN = $OID."msDS-OIDToGroupLink"
+ $group = get-adgroup -Identity $groupDN
+ $getIP_strings.InfoName -f $group.Name
+ $getIP_strings.InfoDN -f $groupDN
+# Analyze the group
+ $OIDName = $OID.displayName
+ $groupName = $group.Name
+ if ($group.groupCategory -ne "Security") {
+ $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName
+ write-host $errormsg -ForegroundColor Red
+ }
+ if ($group.groupScope -ne "Universal") {
+ $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName
+ write-host $errormsg -ForegroundColor Red
+ }
+ $members = Get-ADGroupMember -Identity $group
+ if ($members) {
+ $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName
+ write-host $errormsg -ForegroundColor Red
+ foreach ($member in $members) {
+ write-host " " $member -ForeGroundColor Red
+ }
+ }
+ write-host ""
+ }
+ }else{
+write-host "There are no issuance policies that are mapped to a group"
+ }
+ if ($LinkedToGroup -eq "yes") {
+ return $LinkedOIDs
+ break
+ }
+}
+if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {
+ $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
+ $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
+ write-host ""
+ write-host "*********************************************************"
+ write-host $getIP_strings.NonLinkedIPs
+ write-host "*********************************************************"
+ write-host ""
+ if ($NonLinkedOIDs -ne $null) {
+ foreach ($OID in $NonLinkedOIDs) {
+# Display basic information about the Issuance Policies
+write-host ""
+$getIP_strings.displayName -f $OID.displayName
+$getIP_strings.Name -f $OID.Name
+$getIP_strings.dn -f $OID.distinguishedName
+write-host ""
+ }
+ }else{
+write-host "There are no issuance policies which are not mapped to groups"
+ }
+ if ($LinkedToGroup -eq "no") {
+ return $NonLinkedOIDs
+ break
+ }
+}
+```
+> [!NOTE]
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+
+#### Link an issuance policy to a group
+
+Save the script file as set-IssuancePolicyToGroupLink.ps1.
+
+``` syntax
+#######################################
+## Parameters to be defined ##
+## by the user ##
+#######################################
+Param (
+$IssuancePolicyName,
+$groupOU,
+$groupName
+)
+#######################################
+## Strings definitions ##
+#######################################
+Data ErrorMsg {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
+help2 = Usage:
+help3 = The following parameters are required:
+help4 = -IssuancePolicyName:
+help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy.
+help6 = The following parameter is optional:
+help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container.
+help8 = Examples:
+help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
+help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
+MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
+NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
+IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
+MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
+confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it?
+OUCreationSuccess = Organizational Unit "{0}" successfully created.
+OUcreationError = Error: Organizational Unit "{0}" could not be created.
+OUFoundSuccess = Organizational Unit "{0}" was successfully found.
+multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".
+confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
+groupCreationSuccess = Univeral Security group "{0}" successfully created.
+groupCreationError = Error: Univeral Security group "{0}" could not be created.
+GroupFound = Group "{0}" was successfully found.
+confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
+UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
+UnlinkError = Removing the link failed.
+UnlinkExit = Exiting without removing the link from the issuance policy to the group.
+IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
+ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
+ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
+ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
+ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
+LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
+LinkError = The certificate issuance policy could not be linked to the specified group.
+ExitNoLinkReplacement = Exiting without setting the new link.
+'@
+}
+# import-localizeddata ErrorMsg
+function Display-Help {
+""
+write-host $ErrorMsg.help1
+""
+write-host $ErrorMsg.help2
+""
+write-host $ErrorMsg.help3
+write-host "`t" $ErrorMsg.help4
+write-host "`t" $ErrorMsg.help5
+""
+write-host $ErrorMsg.help6
+write-host "`t" $ErrorMsg.help7
+""
+""
+write-host $ErrorMsg.help8
+""
+write-host $ErrorMsg.help9
+".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
+""
+write-host $ErrorMsg.help10
+'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
+""
+}
+# Assumption: The group to which the Issuance Policy is going
+# to be linked is (or is going to be created) in
+# the domain the user running this script is a member of.
+import-module ActiveDirectory
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+if ( !($IssuancePolicyName) ) {
+display-Help
+break
+}
+#######################################
+## Find the OID object ##
+## (aka Issuance Policy) ##
+#######################################
+$searchBase = [String]$root.configurationnamingcontext
+$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
+if ($OID -eq $null) {
+$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($OID.GetType().IsArray) {
+$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+else {
+$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
+write-host $tmp -ForeGroundColor Green
+}
+#######################################
+## Find the container of the group ##
+#######################################
+if ($groupOU -eq $null) {
+# default to the Users container
+$groupContainer = $domain.UsersContainer
+}
+else {
+$searchBase = [string]$domain.DistinguishedName
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+if ($groupContainer.count -gt 1) {
+$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
+write-host $tmp -ForegroundColor Red
+break;
+}
+elseif ($groupContainer -eq $null) {
+$tmp = $ErrorMsg.confirmOUcreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
+if ($?){
+$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
+write-host $tmp -ForegroundColor Green
+}
+else{
+$tmp = $ErrorMsg.OUCreationError -f $groupOU
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
+write-host $tmp -ForegroundColor Green
+}
+}
+#######################################
+## Find the group ##
+#######################################
+if (($groupName -ne $null) -and ($groupName -ne "")){
+##$searchBase = [String]$groupContainer.DistinguishedName
+$searchBase = $groupContainer
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+if ($group -ne $null -and $group.gettype().isarray) {
+$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($group -eq $null) {
+$tmp = $ErrorMsg.confirmGroupCreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
+if ($?){
+$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
+write-host $tmp -ForegroundColor Green
+}else{
+$tmp = $ErrorMsg.groupCreationError -f $groupName
+write-host $tmp -ForeGroundColor Red
+break
+}
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.GroupFound -f $group.Name
+write-host $tmp -ForegroundColor Green
+}
+}
+else {
+#####
+## If the group is not specified, we should remove the link if any exists
+#####
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
+if ($?) {
+$tmp = $ErrorMsg.UnlinkSuccess
+write-host $tmp -ForeGroundColor Green
+}else{
+$tmp = $ErrorMsg.UnlinkError
+write-host $tmp -ForeGroundColor Red
+}
+}
+else {
+$tmp = $ErrorMsg.UnlinkExit
+write-host $tmp
+break
+}
+}
+else {
+$tmp = $ErrorMsg.IPNotLinked
+write-host $tmp -ForeGroundColor Yellow
+}
+break;
+}
+#######################################
+## Verify that the group is ##
+## Universal, Security, and ##
+## has no members ##
+#######################################
+if ($group.GroupScope -ne "Universal") {
+$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+if ($group.GroupCategory -ne "Security") {
+$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$members = Get-ADGroupMember -Identity $group
+if ($members -ne $null) {
+$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}
+break;
+}
+#######################################
+## We have verified everything. We ##
+## can create the link from the ##
+## Issuance Policy to the group. ##
+#######################################
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
+write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Replace $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+} else {
+$tmp = $Errormsg.ExitNoLinkReplacement
+write-host $tmp
+break
+}
+}
+else {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Add $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+}
+```
+
+> [!NOTE]
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
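Review bot: In set-IssuancePolicyToGroupLink.ps1, the member listing under the ErrorHasMembers check uses `write-host " $member.name"`, which expands `$member` and then prints the literal text `.name`; use `$($member.name)`, or pass `$member` as a separate argument the way get-IssuancePolicy.ps1 does. In the same script, Display-Help prints both examples as `.\Set-IssuancePolicyToGroupMapping.ps1`, but the topic tells the reader to save the file as set-IssuancePolicyToGroupLink.ps1, so the examples should use that name. When -groupOU is omitted, `$groupContainer` is assigned from `$domain.UsersContainer` but is later dereferenced as `$groupContainer.distinguishedName` in the new-adgroup call; check that both branches leave the variable with the same type. Placeholders also look stripped in conversion: the usage line for set-IssuancePolicyToGroupLink.ps1 passes empty values to all three parameters and closes one with a curly quote, and help strings such as `-LinkedToGroup:` and `-Identity:. If you specify an identity` are missing the argument description. Smaller items: `click**High Assurance**` needs a space, `Univeral` is misspelled in groupCreationSuccess and groupCreationError, and the bold span in the Event Viewer step runs across `Authentication, right-click AuthenticationPolicyFailures-DomainController`.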
diff --git a/windows/access-protection/credential-guard/credential-guard-protection-limits.md b/windows/access-protection/credential-guard/credential-guard-protection-limits.md
new file mode 100644
index 0000000000..f159c931c3
--- /dev/null
+++ b/windows/access-protection/credential-guard/credential-guard-protection-limits.md
@@ -0,0 +1,41 @@
+---
+title: Credential Guard protection limits (Windows 10)
+description: Scenarios not protected by Credential Guard in Windows 10.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Credential Guard protection limits
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+in the Deep Dive into Credential Guard video series.
+
+Some ways to store credentials are not protected by Credential Guard, including:
+
+- Software that manages credentials outside of Windows feature protection
+- Local accounts and Microsoft Accounts
+- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
+- Key loggers
+- Physical attacks
+- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
+- Third-party security packages
+- Digest and CredSSP credentials
+ - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
+- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.-
+- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
+- Windows logon cached password verifiers (commonly called "cached credentials")
+do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
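Review bot: The NTLM bullet ends with a stray hyphen (`key loggers as well.-`), which should be removed. The list introduced by `Some ways to store credentials are not protected by Credential Guard, including:` mixes noun phrases (`Key loggers`, `Physical attacks`) with full sentences, and the bullet starting `Does not prevent an attacker with malware on the PC` has no subject; reword the lead-in or the items so they read consistently. The last bullet says cached password verifiers `do not qualify as credentials`, which sits oddly in a list of unprotected credentials and would read better as its own paragraph. In that bullet the policy setting name is also cut short: the setting is "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", so the trailing `if a domain controller is not available` should be folded back into the bolded name.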
diff --git a/windows/keep-secure/credential-guard-requirements.md b/windows/access-protection/credential-guard/credential-guard-requirements.md
similarity index 100%
rename from windows/keep-secure/credential-guard-requirements.md
rename to windows/access-protection/credential-guard/credential-guard-requirements.md
diff --git a/windows/keep-secure/credential-guard-scripts.md b/windows/access-protection/credential-guard/credential-guard-scripts.md
similarity index 100%
rename from windows/keep-secure/credential-guard-scripts.md
rename to windows/access-protection/credential-guard/credential-guard-scripts.md
diff --git a/windows/keep-secure/credential-guard.md b/windows/access-protection/credential-guard/credential-guard.md
similarity index 97%
rename from windows/keep-secure/credential-guard.md
rename to windows/access-protection/credential-guard/credential-guard.md
index b36d3a7301..82c1f6b546 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/access-protection/credential-guard/credential-guard.md
@@ -37,7 +37,7 @@ By enabling Credential Guard, the following features and solutions are provided:
- [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382)
- [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx)
- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx)
-- [Trusted Platform Module](trusted-platform-module-overview.md)
+- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
## See also
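Review bot: The replacement link `/windows/device-security/tpm/trusted-platform-module-overview` is a site-absolute path with no `.md` extension, while the other links retargeted in this change stay relative to a `.md` file (for example `hello-manage-in-organization.md`). Confirm this is the intended style for links that cross into another docset and that the target exists at that path, since the visible part of this diff does not show the TPM topic being moved there.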
diff --git a/windows/keep-secure/images/credguard-gp.png b/windows/access-protection/credential-guard/images/credguard-gp.png
similarity index 100%
rename from windows/keep-secure/images/credguard-gp.png
rename to windows/access-protection/credential-guard/images/credguard-gp.png
diff --git a/windows/keep-secure/images/credguard-msinfo32.png b/windows/access-protection/credential-guard/images/credguard-msinfo32.png
similarity index 100%
rename from windows/keep-secure/images/credguard-msinfo32.png
rename to windows/access-protection/credential-guard/images/credguard-msinfo32.png
diff --git a/windows/keep-secure/images/credguard.png b/windows/access-protection/credential-guard/images/credguard.png
similarity index 100%
rename from windows/keep-secure/images/credguard.png
rename to windows/access-protection/credential-guard/images/credguard.png
diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json
new file mode 100644
index 0000000000..627724bbe5
--- /dev/null
+++ b/windows/access-protection/docfx.json
@@ -0,0 +1,41 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg",
+ "**/*.gif"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ },
+ "fileMetadata": {},
+ "template": [],
+ "dest": "win-access-protection"
+ }
+}
\ No newline at end of file
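Review bot: In the `content` section, the `exclude` entries `LICENSE`, `LICENSE-CODE` and `ThirdPartyNotices` have no `.md` extension, so they can never match the `**/*.md` include and have no effect; drop them, or use the file names that actually need excluding. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing so later edits do not show a spurious change on the last line.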
diff --git a/windows/keep-secure/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md
similarity index 99%
rename from windows/keep-secure/enterprise-certificate-pinning.md
rename to windows/access-protection/enterprise-certificate-pinning.md
index b6b15f7df9..26876a7fac 100644
--- a/windows/keep-secure/enterprise-certificate-pinning.md
+++ b/windows/access-protection/enterprise-certificate-pinning.md
@@ -5,7 +5,6 @@ ms.author: mstephens
author: MikeStephens-MS
description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name.
manager: alanth
-ms.date: 2016-12-27
ms.prod: w10
ms.technology: security
ms.sitesec: library
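Review bot: The `ms.date: 2016-12-27` line is removed from the front matter with no replacement, which is unrelated to moving the file from keep-secure to access-protection. If the removal is deliberate, say so in the commit message; otherwise keep the line or update it to the date of this change.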
diff --git a/windows/keep-secure/hello-and-password-changes.md b/windows/access-protection/hello-for-business/hello-and-password-changes.md
similarity index 96%
rename from windows/keep-secure/hello-and-password-changes.md
rename to windows/access-protection/hello-for-business/hello-and-password-changes.md
index 336c82005d..33bc609550 100644
--- a/windows/keep-secure/hello-and-password-changes.md
+++ b/windows/access-protection/hello-for-business/hello-and-password-changes.md
@@ -25,7 +25,7 @@ Because you were using **Device A** when you changed your password, the PIN on *
Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
>[!NOTE]
->This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md).
+>This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](hello-manage-in-organization.md).
## How to update Hello after you change your password on another device
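Review bot: The link target changes from `implement-microsoft-passport-in-your-organization.md` to `hello-manage-in-organization.md`, a relative path that only resolves if that file sits in the same hello-for-business folder as this topic. Check that the rename of the target file is part of this change and that no other topic still links to the old file name.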
diff --git a/windows/keep-secure/hello-biometrics-in-enterprise.md b/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
similarity index 98%
rename from windows/keep-secure/hello-biometrics-in-enterprise.md
rename to windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
index c57043af82..cb9bfb63dd 100644
--- a/windows/keep-secure/hello-biometrics-in-enterprise.md
+++ b/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -35,7 +35,7 @@ Windows Hello provides many benefits, including:
- Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords!
-- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies. For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic.
+- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies. For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic.
## Where is Microsoft Hello data stored?
The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor.
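Review bot: the rewritten bullet still carries two wording errors from the old line, "biometric devices and polices" (should be "policies") and "configurations service provider (CSP)" (should be "configuration service provider"). Since this line is already being touched for the link update, fix both in the same change.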
diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md
similarity index 100%
rename from windows/keep-secure/hello-errors-during-pin-creation.md
rename to windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md
diff --git a/windows/keep-secure/hello-event-300.md b/windows/access-protection/hello-for-business/hello-event-300.md
similarity index 100%
rename from windows/keep-secure/hello-event-300.md
rename to windows/access-protection/hello-for-business/hello-event-300.md
diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/access-protection/hello-for-business/hello-how-it-works.md
similarity index 100%
rename from windows/keep-secure/hello-how-it-works.md
rename to windows/access-protection/hello-for-business/hello-how-it-works.md
diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md
similarity index 100%
rename from windows/keep-secure/hello-identity-verification.md
rename to windows/access-protection/hello-for-business/hello-identity-verification.md
diff --git a/windows/keep-secure/hello-manage-in-organization.md b/windows/access-protection/hello-for-business/hello-manage-in-organization.md
similarity index 97%
rename from windows/keep-secure/hello-manage-in-organization.md
rename to windows/access-protection/hello-for-business/hello-manage-in-organization.md
index 44cef02636..165f6259f6 100644
--- a/windows/keep-secure/hello-manage-in-organization.md
+++ b/windows/access-protection/hello-for-business/hello-manage-in-organization.md
@@ -307,7 +307,7 @@ You’ll need this software to set Windows Hello for Business policies in your e
Windows Hello for Business mode
Azure AD
-
Active Directory (AD) on-premises (available with production release of Windows Server 2016)
+
Active Directory (AD) on-premises (only supported with Windows 10, version 1703 clients)
Azure AD/AD hybrid (available with production release of Windows Server 2016)
@@ -318,7 +318,6 @@ You’ll need this software to set Windows Hello for Business policies in your e
Active Directory Federation Service (AD FS) (Windows Server 2016)
A few Windows Server 2016 domain controllers on-site
-
Microsoft System Center 2012 R2 Configuration Manager SP2
Azure AD subscription
@@ -339,7 +338,6 @@ You’ll need this software to set Windows Hello for Business policies in your e
ADFS (Windows Server 2016)
Active Directory Domain Services (AD DS) Windows Server 2016 schema
PKI infrastructure
-
Configuration Manager SP2, Intune, or non-Microsoft MDM solution
Azure AD subscription
@@ -355,7 +353,8 @@ Configuration Manager and MDM provide the ability to manage Windows Hello for Bu
Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts.
-
+>[!IMPORTANT]
+>Active Directory on-premises deployment **is not currently available** and will become available with a future update of ADFS on Windows Server 2016. The requirements listed in the above table will apply when this deployment type becomes available.
## How to use Windows Hello for Business with Azure Active Directory
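Review bot: the added IMPORTANT note says Active Directory on-premises deployment "is not currently available", but the table header changed earlier in this same file now reads "Active Directory (AD) on-premises (only supported with Windows 10, version 1703 clients)", which a reader will take to mean it is available today on 1703. Make the two statements agree, for example by having the header say the mode is not yet available, or by having the note state the 1703 client requirement alongside the pending ADFS update. The note also writes "ADFS" while the table uses both "AD FS" and "ADFS"; pick one spelling for the page.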
diff --git a/windows/keep-secure/hello-prepare-people-to-use.md b/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md
similarity index 100%
rename from windows/keep-secure/hello-prepare-people-to-use.md
rename to windows/access-protection/hello-for-business/hello-prepare-people-to-use.md
diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
similarity index 96%
rename from windows/keep-secure/hello-why-pin-is-better-than-password.md
rename to windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 516d264bef..00ead3c640 100644
--- a/windows/keep-secure/hello-why-pin-is-better-than-password.md
+++ b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -44,7 +44,7 @@ The TPM protects against a variety of known and potential attacks, including PIN
## PIN can be complex
-The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
+The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](hello-manage-in-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
## What if someone steals the laptop or phone?
diff --git a/windows/keep-secure/images/authflow.png b/windows/access-protection/hello-for-business/images/authflow.png
similarity index 100%
rename from windows/keep-secure/images/authflow.png
rename to windows/access-protection/hello-for-business/images/authflow.png
diff --git a/windows/keep-secure/images/connect.png b/windows/access-protection/hello-for-business/images/connect.png
similarity index 100%
rename from windows/keep-secure/images/connect.png
rename to windows/access-protection/hello-for-business/images/connect.png
diff --git a/windows/keep-secure/images/corpown.png b/windows/access-protection/hello-for-business/images/corpown.png
similarity index 100%
rename from windows/keep-secure/images/corpown.png
rename to windows/access-protection/hello-for-business/images/corpown.png
diff --git a/windows/keep-secure/images/hellosettings.png b/windows/access-protection/hello-for-business/images/hellosettings.png
similarity index 100%
rename from windows/keep-secure/images/hellosettings.png
rename to windows/access-protection/hello-for-business/images/hellosettings.png
diff --git a/windows/keep-secure/images/passport-fig3-logicalcontainer.png b/windows/access-protection/hello-for-business/images/passport-fig3-logicalcontainer.png
similarity index 100%
rename from windows/keep-secure/images/passport-fig3-logicalcontainer.png
rename to windows/access-protection/hello-for-business/images/passport-fig3-logicalcontainer.png
diff --git a/windows/keep-secure/images/pinerror.png b/windows/access-protection/hello-for-business/images/pinerror.png
similarity index 100%
rename from windows/keep-secure/images/pinerror.png
rename to windows/access-protection/hello-for-business/images/pinerror.png
diff --git a/windows/keep-secure/images/whfb-intune-reset-pin.jpg b/windows/access-protection/hello-for-business/images/whfb-intune-reset-pin.jpg
similarity index 100%
rename from windows/keep-secure/images/whfb-intune-reset-pin.jpg
rename to windows/access-protection/hello-for-business/images/whfb-intune-reset-pin.jpg
diff --git a/windows/keep-secure/images/whfb-pin-reset-phone-notification.png b/windows/access-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png
similarity index 100%
rename from windows/keep-secure/images/whfb-pin-reset-phone-notification.png
rename to windows/access-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png
diff --git a/windows/keep-secure/images/whfb-reset-pin-prompt.jpg b/windows/access-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg
similarity index 100%
rename from windows/keep-secure/images/whfb-reset-pin-prompt.jpg
rename to windows/access-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg
diff --git a/windows/keep-secure/images/whfb-reset-pin-settings.jpg b/windows/access-protection/hello-for-business/images/whfb-reset-pin-settings.jpg
similarity index 100%
rename from windows/keep-secure/images/whfb-reset-pin-settings.jpg
rename to windows/access-protection/hello-for-business/images/whfb-reset-pin-settings.jpg
diff --git a/windows/keep-secure/images/emailsecurity.png b/windows/access-protection/images/emailsecurity.png
similarity index 100%
rename from windows/keep-secure/images/emailsecurity.png
rename to windows/access-protection/images/emailsecurity.png
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-converting-a-duration.png b/windows/access-protection/images/enterprise-certificate-pinning-converting-a-duration.png
similarity index 100%
rename from windows/keep-secure/images/enterprise-certificate-pinning-converting-a-duration.png
rename to windows/access-protection/images/enterprise-certificate-pinning-converting-a-duration.png
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-converting-an-xml-date.png b/windows/access-protection/images/enterprise-certificate-pinning-converting-an-xml-date.png
similarity index 100%
rename from windows/keep-secure/images/enterprise-certificate-pinning-converting-an-xml-date.png
rename to windows/access-protection/images/enterprise-certificate-pinning-converting-an-xml-date.png
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-pinrules-properties.png b/windows/access-protection/images/enterprise-certificate-pinning-pinrules-properties.png
similarity index 100%
rename from windows/keep-secure/images/enterprise-certificate-pinning-pinrules-properties.png
rename to windows/access-protection/images/enterprise-certificate-pinning-pinrules-properties.png
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-date.png b/windows/access-protection/images/enterprise-certificate-pinning-representing-a-date.png
similarity index 100%
rename from windows/keep-secure/images/enterprise-certificate-pinning-representing-a-date.png
rename to windows/access-protection/images/enterprise-certificate-pinning-representing-a-date.png
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-duration.png b/windows/access-protection/images/enterprise-certificate-pinning-representing-a-duration.png
similarity index 100%
rename from windows/keep-secure/images/enterprise-certificate-pinning-representing-a-duration.png
rename to windows/access-protection/images/enterprise-certificate-pinning-representing-a-duration.png
diff --git a/windows/keep-secure/images/enterprise-pinning-registry-binary-information.png b/windows/access-protection/images/enterprise-pinning-registry-binary-information.png
similarity index 100%
rename from windows/keep-secure/images/enterprise-pinning-registry-binary-information.png
rename to windows/access-protection/images/enterprise-pinning-registry-binary-information.png
diff --git a/windows/keep-secure/images/installcert.png b/windows/access-protection/images/installcert.png
similarity index 100%
rename from windows/keep-secure/images/installcert.png
rename to windows/access-protection/images/installcert.png
diff --git a/windows/keep-secure/images/mailsettings.png b/windows/access-protection/images/mailsettings.png
similarity index 100%
rename from windows/keep-secure/images/mailsettings.png
rename to windows/access-protection/images/mailsettings.png
diff --git a/windows/keep-secure/images/remote-credential-guard-gp.png b/windows/access-protection/images/remote-credential-guard-gp.png
similarity index 100%
rename from windows/keep-secure/images/remote-credential-guard-gp.png
rename to windows/access-protection/images/remote-credential-guard-gp.png
diff --git a/windows/keep-secure/images/remote-credential-guard.png b/windows/access-protection/images/remote-credential-guard.png
similarity index 100%
rename from windows/keep-secure/images/remote-credential-guard.png
rename to windows/access-protection/images/remote-credential-guard.png
diff --git a/windows/keep-secure/images/security-stages.png b/windows/access-protection/images/security-stages.png
similarity index 100%
rename from windows/keep-secure/images/security-stages.png
rename to windows/access-protection/images/security-stages.png
diff --git a/windows/keep-secure/images/signencrypt.png b/windows/access-protection/images/signencrypt.png
similarity index 100%
rename from windows/keep-secure/images/signencrypt.png
rename to windows/access-protection/images/signencrypt.png
diff --git a/windows/access-protection/index.md b/windows/access-protection/index.md
new file mode 100644
index 0000000000..04b1311ba7
--- /dev/null
+++ b/windows/access-protection/index.md
@@ -0,0 +1,28 @@
+---
+title: Access protection (Windows 10)
+description: Learn more about access protection technologies in Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Access protection
+
+Learn more about access protection technologies in Windows 10 and Windows 10 Mobile.
+
+| Section | Description |
+|-|-|
+| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
+| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
+| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
+| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
+| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
+| [User Account Control](user-account-control/user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
+| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
+| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
+| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
+| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
+| [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md) | Provides information about Windows Firewall with Advanced Security, which is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. |
+| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |
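Review bot: the new index table has no row for enterprise-certificate-pinning.md, although this same patch moves that topic into windows/access-protection/ next to configure-s-mime.md and remote-credential-guard.md, which are both listed. Add a row for it or the page becomes unreachable from the landing page. Two smaller points in the table: the Smart Cards description reads "a collection of references topics" (should be "reference topics"), and the rows are mostly alphabetical except that Smart Cards sits after VPN technical guide and the three Windows entries are out of order.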
diff --git a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md b/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md
similarity index 100%
rename from windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md
rename to windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md
diff --git a/windows/keep-secure/remote-credential-guard.md b/windows/access-protection/remote-credential-guard.md
similarity index 100%
rename from windows/keep-secure/remote-credential-guard.md
rename to windows/access-protection/remote-credential-guard.md
diff --git a/windows/keep-secure/images/sc-image101.png b/windows/access-protection/smart-cards/images/sc-image101.png
similarity index 100%
rename from windows/keep-secure/images/sc-image101.png
rename to windows/access-protection/smart-cards/images/sc-image101.png
diff --git a/windows/keep-secure/images/sc-image201.gif b/windows/access-protection/smart-cards/images/sc-image201.gif
similarity index 100%
rename from windows/keep-secure/images/sc-image201.gif
rename to windows/access-protection/smart-cards/images/sc-image201.gif
diff --git a/windows/keep-secure/images/sc-image203.gif b/windows/access-protection/smart-cards/images/sc-image203.gif
similarity index 100%
rename from windows/keep-secure/images/sc-image203.gif
rename to windows/access-protection/smart-cards/images/sc-image203.gif
diff --git a/windows/keep-secure/images/sc-image205.png b/windows/access-protection/smart-cards/images/sc-image205.png
similarity index 100%
rename from windows/keep-secure/images/sc-image205.png
rename to windows/access-protection/smart-cards/images/sc-image205.png
diff --git a/windows/keep-secure/images/sc-image206.gif b/windows/access-protection/smart-cards/images/sc-image206.gif
similarity index 100%
rename from windows/keep-secure/images/sc-image206.gif
rename to windows/access-protection/smart-cards/images/sc-image206.gif
diff --git a/windows/keep-secure/images/sc-image302.gif b/windows/access-protection/smart-cards/images/sc-image302.gif
similarity index 100%
rename from windows/keep-secure/images/sc-image302.gif
rename to windows/access-protection/smart-cards/images/sc-image302.gif
diff --git a/windows/keep-secure/images/sc-image402.png b/windows/access-protection/smart-cards/images/sc-image402.png
similarity index 100%
rename from windows/keep-secure/images/sc-image402.png
rename to windows/access-protection/smart-cards/images/sc-image402.png
diff --git a/windows/keep-secure/images/sc-image403.png b/windows/access-protection/smart-cards/images/sc-image403.png
similarity index 100%
rename from windows/keep-secure/images/sc-image403.png
rename to windows/access-protection/smart-cards/images/sc-image403.png
diff --git a/windows/keep-secure/images/sc-image404.png b/windows/access-protection/smart-cards/images/sc-image404.png
similarity index 100%
rename from windows/keep-secure/images/sc-image404.png
rename to windows/access-protection/smart-cards/images/sc-image404.png
diff --git a/windows/keep-secure/images/sc-image405.png b/windows/access-protection/smart-cards/images/sc-image405.png
similarity index 100%
rename from windows/keep-secure/images/sc-image405.png
rename to windows/access-protection/smart-cards/images/sc-image405.png
diff --git a/windows/keep-secure/images/sc-image406.png b/windows/access-protection/smart-cards/images/sc-image406.png
similarity index 100%
rename from windows/keep-secure/images/sc-image406.png
rename to windows/access-protection/smart-cards/images/sc-image406.png
diff --git a/windows/keep-secure/images/sc-image407.png b/windows/access-protection/smart-cards/images/sc-image407.png
similarity index 100%
rename from windows/keep-secure/images/sc-image407.png
rename to windows/access-protection/smart-cards/images/sc-image407.png
diff --git a/windows/keep-secure/images/sc-image501.gif b/windows/access-protection/smart-cards/images/sc-image501.gif
similarity index 100%
rename from windows/keep-secure/images/sc-image501.gif
rename to windows/access-protection/smart-cards/images/sc-image501.gif
diff --git a/windows/keep-secure/smart-card-and-remote-desktop-services.md b/windows/access-protection/smart-cards/smart-card-and-remote-desktop-services.md
similarity index 100%
rename from windows/keep-secure/smart-card-and-remote-desktop-services.md
rename to windows/access-protection/smart-cards/smart-card-and-remote-desktop-services.md
diff --git a/windows/keep-secure/smart-card-architecture.md b/windows/access-protection/smart-cards/smart-card-architecture.md
similarity index 100%
rename from windows/keep-secure/smart-card-architecture.md
rename to windows/access-protection/smart-cards/smart-card-architecture.md
diff --git a/windows/keep-secure/smart-card-certificate-propagation-service.md b/windows/access-protection/smart-cards/smart-card-certificate-propagation-service.md
similarity index 100%
rename from windows/keep-secure/smart-card-certificate-propagation-service.md
rename to windows/access-protection/smart-cards/smart-card-certificate-propagation-service.md
diff --git a/windows/keep-secure/smart-card-certificate-requirements-and-enumeration.md b/windows/access-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
similarity index 100%
rename from windows/keep-secure/smart-card-certificate-requirements-and-enumeration.md
rename to windows/access-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
diff --git a/windows/keep-secure/smart-card-debugging-information.md b/windows/access-protection/smart-cards/smart-card-debugging-information.md
similarity index 100%
rename from windows/keep-secure/smart-card-debugging-information.md
rename to windows/access-protection/smart-cards/smart-card-debugging-information.md
diff --git a/windows/keep-secure/smart-card-events.md b/windows/access-protection/smart-cards/smart-card-events.md
similarity index 100%
rename from windows/keep-secure/smart-card-events.md
rename to windows/access-protection/smart-cards/smart-card-events.md
diff --git a/windows/keep-secure/smart-card-group-policy-and-registry-settings.md b/windows/access-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
similarity index 100%
rename from windows/keep-secure/smart-card-group-policy-and-registry-settings.md
rename to windows/access-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
diff --git a/windows/keep-secure/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/access-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
similarity index 100%
rename from windows/keep-secure/smart-card-how-smart-card-sign-in-works-in-windows.md
rename to windows/access-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
diff --git a/windows/keep-secure/smart-card-removal-policy-service.md b/windows/access-protection/smart-cards/smart-card-removal-policy-service.md
similarity index 100%
rename from windows/keep-secure/smart-card-removal-policy-service.md
rename to windows/access-protection/smart-cards/smart-card-removal-policy-service.md
diff --git a/windows/keep-secure/smart-card-smart-cards-for-windows-service.md b/windows/access-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
similarity index 100%
rename from windows/keep-secure/smart-card-smart-cards-for-windows-service.md
rename to windows/access-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
diff --git a/windows/keep-secure/smart-card-tools-and-settings.md b/windows/access-protection/smart-cards/smart-card-tools-and-settings.md
similarity index 100%
rename from windows/keep-secure/smart-card-tools-and-settings.md
rename to windows/access-protection/smart-cards/smart-card-tools-and-settings.md
diff --git a/windows/keep-secure/smart-card-windows-smart-card-technical-reference.md b/windows/access-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
similarity index 97%
rename from windows/keep-secure/smart-card-windows-smart-card-technical-reference.md
rename to windows/access-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index bb376178cb..ce2419f808 100644
--- a/windows/keep-secure/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/access-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -36,7 +36,7 @@ Smart cards provide:
Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates.
-**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. For information about virtual smart card technology, see [Virtual Smart Card Overview](virtual-smart-card-overview.md).
+**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. For information about virtual smart card technology, see [Virtual Smart Card Overview](../virtual-smart-cards/virtual-smart-card-overview.md).
## In this technical reference
diff --git a/windows/keep-secure/how-user-account-control-works.md b/windows/access-protection/user-account-control/how-user-account-control-works.md
similarity index 100%
rename from windows/keep-secure/how-user-account-control-works.md
rename to windows/access-protection/user-account-control/how-user-account-control-works.md
diff --git a/windows/keep-secure/images/uacarchitecture.gif b/windows/access-protection/user-account-control/images/uacarchitecture.gif
similarity index 100%
rename from windows/keep-secure/images/uacarchitecture.gif
rename to windows/access-protection/user-account-control/images/uacarchitecture.gif
diff --git a/windows/keep-secure/images/uacconsentprompt.gif b/windows/access-protection/user-account-control/images/uacconsentprompt.gif
similarity index 100%
rename from windows/keep-secure/images/uacconsentprompt.gif
rename to windows/access-protection/user-account-control/images/uacconsentprompt.gif
diff --git a/windows/keep-secure/images/uaccredentialprompt.gif b/windows/access-protection/user-account-control/images/uaccredentialprompt.gif
similarity index 100%
rename from windows/keep-secure/images/uaccredentialprompt.gif
rename to windows/access-protection/user-account-control/images/uaccredentialprompt.gif
diff --git a/windows/keep-secure/images/uacshieldicon.png b/windows/access-protection/user-account-control/images/uacshieldicon.png
similarity index 100%
rename from windows/keep-secure/images/uacshieldicon.png
rename to windows/access-protection/user-account-control/images/uacshieldicon.png
diff --git a/windows/keep-secure/images/uacwindowslogonprocess.gif b/windows/access-protection/user-account-control/images/uacwindowslogonprocess.gif
similarity index 100%
rename from windows/keep-secure/images/uacwindowslogonprocess.gif
rename to windows/access-protection/user-account-control/images/uacwindowslogonprocess.gif
diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
similarity index 99%
rename from windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
rename to windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index 2aa91da1a1..6ee117c85f 100644
--- a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -22,7 +22,7 @@ There are 10 Group Policy settings that can be configured for User Account Contr
| Group Policy setting | Registry key | Default |
| - | - | - | - |
| [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled |
-| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled |
+| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled |
| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
| [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials on the secure desktop |
| [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home) Disabled (default for enterprise) |
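Review bot: The delimiter row in this hunk's context (`| - | - | - | - |`) has four cells under a three-column header (Group Policy setting, Registry key, Default). Since the table is already being edited, trim the delimiter to three cells so that a renderer strict about column counts does not misalign or drop the table. The anchor fix itself (the space in `to prompt` replaced by a hyphen) looks correct. Check the rows of this table that fall outside the hunk for the same kind of stray space in an anchor.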
diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/access-protection/user-account-control/user-account-control-overview.md
similarity index 95%
rename from windows/keep-secure/user-account-control-overview.md
rename to windows/access-protection/user-account-control/user-account-control-overview.md
index 66f1abdc16..a273e12688 100644
--- a/windows/keep-secure/user-account-control-overview.md
+++ b/windows/access-protection/user-account-control/user-account-control-overview.md
@@ -28,9 +28,6 @@ When an app needs to run with more than standard user rights, UAC can restore ad
Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.
-## New and changed functionality
-
-To find out what's new in UAC for Windows 10, see [User Account Control](../whats-new/user-account-control.md).
## In this section
| Topic | Description |
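Review bot: The "New and changed functionality" section is deleted outright instead of having its relative link re-pathed the way the other content hunks in this patch do. If `whats-new/user-account-control.md` still exists after the move, the overview loses its only pointer to the Windows 10 UAC changes. Either update the link to the new relative location or state in the commit message that the target topic is being retired, so the removal is clearly intentional and not a shortcut around a broken path.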
diff --git a/windows/keep-secure/user-account-control-security-policy-settings.md b/windows/access-protection/user-account-control/user-account-control-security-policy-settings.md
similarity index 100%
rename from windows/keep-secure/user-account-control-security-policy-settings.md
rename to windows/access-protection/user-account-control/user-account-control-security-policy-settings.md
diff --git a/windows/keep-secure/images/vsc-02-mmc-add-snap-in.png b/windows/access-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png
similarity index 100%
rename from windows/keep-secure/images/vsc-02-mmc-add-snap-in.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png
diff --git a/windows/keep-secure/images/vsc-03-add-certificate-templates-snap-in.png b/windows/access-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png
similarity index 100%
rename from windows/keep-secure/images/vsc-03-add-certificate-templates-snap-in.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png
diff --git a/windows/keep-secure/images/vsc-04-right-click-smartcard-logon-template.png b/windows/access-protection/virtual-smart-cards/images/vsc-04-right-click-smartcard-logon-template.png
similarity index 100%
rename from windows/keep-secure/images/vsc-04-right-click-smartcard-logon-template.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-04-right-click-smartcard-logon-template.png
diff --git a/windows/keep-secure/images/vsc-05-certificate-template-compatibility.png b/windows/access-protection/virtual-smart-cards/images/vsc-05-certificate-template-compatibility.png
similarity index 100%
rename from windows/keep-secure/images/vsc-05-certificate-template-compatibility.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-05-certificate-template-compatibility.png
diff --git a/windows/keep-secure/images/vsc-06-add-certification-authority-snap-in.png b/windows/access-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png
similarity index 100%
rename from windows/keep-secure/images/vsc-06-add-certification-authority-snap-in.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png
diff --git a/windows/keep-secure/images/vsc-07-right-click-certificate-templates.png b/windows/access-protection/virtual-smart-cards/images/vsc-07-right-click-certificate-templates.png
similarity index 100%
rename from windows/keep-secure/images/vsc-07-right-click-certificate-templates.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-07-right-click-certificate-templates.png
diff --git a/windows/keep-secure/images/vsc-08-enable-certificate-template.png b/windows/access-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png
similarity index 100%
rename from windows/keep-secure/images/vsc-08-enable-certificate-template.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png
diff --git a/windows/keep-secure/images/vsc-09-stop-service-start-service.png b/windows/access-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png
similarity index 100%
rename from windows/keep-secure/images/vsc-09-stop-service-start-service.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png
diff --git a/windows/keep-secure/images/vsc-10-cmd-run-as-administrator.png b/windows/access-protection/virtual-smart-cards/images/vsc-10-cmd-run-as-administrator.png
similarity index 100%
rename from windows/keep-secure/images/vsc-10-cmd-run-as-administrator.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-10-cmd-run-as-administrator.png
diff --git a/windows/keep-secure/images/vsc-11-certificates-request-new-certificate.png b/windows/access-protection/virtual-smart-cards/images/vsc-11-certificates-request-new-certificate.png
similarity index 100%
rename from windows/keep-secure/images/vsc-11-certificates-request-new-certificate.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-11-certificates-request-new-certificate.png
diff --git a/windows/keep-secure/images/vsc-12-certificate-enrollment-select-certificate.png b/windows/access-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png
similarity index 100%
rename from windows/keep-secure/images/vsc-12-certificate-enrollment-select-certificate.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png
diff --git a/windows/keep-secure/images/vsc-physical-smart-card-lifecycle.png b/windows/access-protection/virtual-smart-cards/images/vsc-physical-smart-card-lifecycle.png
similarity index 100%
rename from windows/keep-secure/images/vsc-physical-smart-card-lifecycle.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-physical-smart-card-lifecycle.png
diff --git a/windows/keep-secure/images/vsc-process-of-accessing-user-key.png b/windows/access-protection/virtual-smart-cards/images/vsc-process-of-accessing-user-key.png
similarity index 100%
rename from windows/keep-secure/images/vsc-process-of-accessing-user-key.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-process-of-accessing-user-key.png
diff --git a/windows/keep-secure/images/vsc-virtual-smart-card-icon.png b/windows/access-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png
similarity index 100%
rename from windows/keep-secure/images/vsc-virtual-smart-card-icon.png
rename to windows/access-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png
diff --git a/windows/keep-secure/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/access-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
similarity index 100%
rename from windows/keep-secure/virtual-smart-card-deploy-virtual-smart-cards.md
rename to windows/access-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
diff --git a/windows/keep-secure/virtual-smart-card-evaluate-security.md b/windows/access-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
similarity index 100%
rename from windows/keep-secure/virtual-smart-card-evaluate-security.md
rename to windows/access-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
diff --git a/windows/keep-secure/virtual-smart-card-get-started.md b/windows/access-protection/virtual-smart-cards/virtual-smart-card-get-started.md
similarity index 100%
rename from windows/keep-secure/virtual-smart-card-get-started.md
rename to windows/access-protection/virtual-smart-cards/virtual-smart-card-get-started.md
diff --git a/windows/keep-secure/virtual-smart-card-overview.md b/windows/access-protection/virtual-smart-cards/virtual-smart-card-overview.md
similarity index 99%
rename from windows/keep-secure/virtual-smart-card-overview.md
rename to windows/access-protection/virtual-smart-cards/virtual-smart-card-overview.md
index 54e8c6f4d2..4ff1788ca5 100644
--- a/windows/keep-secure/virtual-smart-card-overview.md
+++ b/windows/access-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -16,7 +16,7 @@ This topic for IT professional provides an overview of the virtual smart card te
**Did you mean…**
-- [Smart Cards](smart-card-windows-smart-card-technical-reference.md)
+- [Smart Cards](../smart-cards/smart-card-windows-smart-card-technical-reference.md)
## Feature description
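Review bot: The new target `../smart-cards/smart-card-windows-smart-card-technical-reference.md` only resolves if that file is moved to `windows/access-protection/smart-cards/` in this same commit. That rename is not among the lines visible around this hunk, so confirm it is present before merging. A link check over the moved `virtual-smart-cards` folder would also catch other same-folder links to smart card topics that now need the `../smart-cards/` prefix.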
diff --git a/windows/keep-secure/virtual-smart-card-tpmvscmgr.md b/windows/access-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
similarity index 100%
rename from windows/keep-secure/virtual-smart-card-tpmvscmgr.md
rename to windows/access-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
diff --git a/windows/keep-secure/virtual-smart-card-understanding-and-evaluating.md b/windows/access-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
similarity index 100%
rename from windows/keep-secure/virtual-smart-card-understanding-and-evaluating.md
rename to windows/access-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
diff --git a/windows/keep-secure/virtual-smart-card-use-virtual-smart-cards.md b/windows/access-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
similarity index 100%
rename from windows/keep-secure/virtual-smart-card-use-virtual-smart-cards.md
rename to windows/access-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/access-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
similarity index 100%
rename from windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
rename to windows/access-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
diff --git a/windows/keep-secure/images/vpn-app-rules.png b/windows/access-protection/vpn/images/vpn-app-rules.png
similarity index 100%
rename from windows/keep-secure/images/vpn-app-rules.png
rename to windows/access-protection/vpn/images/vpn-app-rules.png
diff --git a/windows/keep-secure/images/vpn-app-trigger.PNG b/windows/access-protection/vpn/images/vpn-app-trigger.PNG
similarity index 100%
rename from windows/keep-secure/images/vpn-app-trigger.PNG
rename to windows/access-protection/vpn/images/vpn-app-trigger.PNG
diff --git a/windows/keep-secure/images/vpn-conditional-access-intune.png b/windows/access-protection/vpn/images/vpn-conditional-access-intune.png
similarity index 100%
rename from windows/keep-secure/images/vpn-conditional-access-intune.png
rename to windows/access-protection/vpn/images/vpn-conditional-access-intune.png
diff --git a/windows/keep-secure/images/vpn-connection-intune.png b/windows/access-protection/vpn/images/vpn-connection-intune.png
similarity index 100%
rename from windows/keep-secure/images/vpn-connection-intune.png
rename to windows/access-protection/vpn/images/vpn-connection-intune.png
diff --git a/windows/keep-secure/images/vpn-connection.png b/windows/access-protection/vpn/images/vpn-connection.png
similarity index 100%
rename from windows/keep-secure/images/vpn-connection.png
rename to windows/access-protection/vpn/images/vpn-connection.png
diff --git a/windows/keep-secure/images/vpn-custom-xml-intune.png b/windows/access-protection/vpn/images/vpn-custom-xml-intune.png
similarity index 100%
rename from windows/keep-secure/images/vpn-custom-xml-intune.png
rename to windows/access-protection/vpn/images/vpn-custom-xml-intune.png
diff --git a/windows/keep-secure/images/vpn-device-compliance.png b/windows/access-protection/vpn/images/vpn-device-compliance.png
similarity index 100%
rename from windows/keep-secure/images/vpn-device-compliance.png
rename to windows/access-protection/vpn/images/vpn-device-compliance.png
diff --git a/windows/keep-secure/images/vpn-eap-xml.png b/windows/access-protection/vpn/images/vpn-eap-xml.png
similarity index 100%
rename from windows/keep-secure/images/vpn-eap-xml.png
rename to windows/access-protection/vpn/images/vpn-eap-xml.png
diff --git a/windows/keep-secure/images/vpn-intune-policy.png b/windows/access-protection/vpn/images/vpn-intune-policy.png
similarity index 100%
rename from windows/keep-secure/images/vpn-intune-policy.png
rename to windows/access-protection/vpn/images/vpn-intune-policy.png
diff --git a/windows/keep-secure/images/vpn-name-intune.png b/windows/access-protection/vpn/images/vpn-name-intune.png
similarity index 100%
rename from windows/keep-secure/images/vpn-name-intune.png
rename to windows/access-protection/vpn/images/vpn-name-intune.png
diff --git a/windows/keep-secure/images/vpn-profilexml-intune.png b/windows/access-protection/vpn/images/vpn-profilexml-intune.png
similarity index 100%
rename from windows/keep-secure/images/vpn-profilexml-intune.png
rename to windows/access-protection/vpn/images/vpn-profilexml-intune.png
diff --git a/windows/keep-secure/images/vpn-split-route.png b/windows/access-protection/vpn/images/vpn-split-route.png
similarity index 100%
rename from windows/keep-secure/images/vpn-split-route.png
rename to windows/access-protection/vpn/images/vpn-split-route.png
diff --git a/windows/keep-secure/images/vpn-split.png b/windows/access-protection/vpn/images/vpn-split.png
similarity index 100%
rename from windows/keep-secure/images/vpn-split.png
rename to windows/access-protection/vpn/images/vpn-split.png
diff --git a/windows/keep-secure/images/vpn-traffic-rules.png b/windows/access-protection/vpn/images/vpn-traffic-rules.png
similarity index 100%
rename from windows/keep-secure/images/vpn-traffic-rules.png
rename to windows/access-protection/vpn/images/vpn-traffic-rules.png
diff --git a/windows/keep-secure/vpn-authentication.md b/windows/access-protection/vpn/vpn-authentication.md
similarity index 100%
rename from windows/keep-secure/vpn-authentication.md
rename to windows/access-protection/vpn/vpn-authentication.md
diff --git a/windows/keep-secure/vpn-auto-trigger-profile.md b/windows/access-protection/vpn/vpn-auto-trigger-profile.md
similarity index 100%
rename from windows/keep-secure/vpn-auto-trigger-profile.md
rename to windows/access-protection/vpn/vpn-auto-trigger-profile.md
diff --git a/windows/keep-secure/vpn-conditional-access.md b/windows/access-protection/vpn/vpn-conditional-access.md
similarity index 100%
rename from windows/keep-secure/vpn-conditional-access.md
rename to windows/access-protection/vpn/vpn-conditional-access.md
diff --git a/windows/keep-secure/vpn-connection-type.md b/windows/access-protection/vpn/vpn-connection-type.md
similarity index 100%
rename from windows/keep-secure/vpn-connection-type.md
rename to windows/access-protection/vpn/vpn-connection-type.md
diff --git a/windows/keep-secure/vpn-guide.md b/windows/access-protection/vpn/vpn-guide.md
similarity index 100%
rename from windows/keep-secure/vpn-guide.md
rename to windows/access-protection/vpn/vpn-guide.md
diff --git a/windows/keep-secure/vpn-name-resolution.md b/windows/access-protection/vpn/vpn-name-resolution.md
similarity index 100%
rename from windows/keep-secure/vpn-name-resolution.md
rename to windows/access-protection/vpn/vpn-name-resolution.md
diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/access-protection/vpn/vpn-profile-options.md
similarity index 100%
rename from windows/keep-secure/vpn-profile-options.md
rename to windows/access-protection/vpn/vpn-profile-options.md
diff --git a/windows/keep-secure/vpn-routing.md b/windows/access-protection/vpn/vpn-routing.md
similarity index 100%
rename from windows/keep-secure/vpn-routing.md
rename to windows/access-protection/vpn/vpn-routing.md
diff --git a/windows/keep-secure/vpn-security-features.md b/windows/access-protection/vpn/vpn-security-features.md
similarity index 96%
rename from windows/keep-secure/vpn-security-features.md
rename to windows/access-protection/vpn/vpn-security-features.md
index 93238fc9ca..5fd8b19932 100644
--- a/windows/keep-secure/vpn-security-features.md
+++ b/windows/access-protection/vpn/vpn-security-features.md
@@ -49,7 +49,7 @@ The value of the **EdpModeId** is an Enterprise ID. The networking stack will lo
Additionally, when connecting with WIP, the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced configuration is needed) because the WIP policies and App lists automatically take effect.
-[Learn more about Windows Information Protection](protect-enterprise-data-using-wip.md)
+[Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip)
## Traffic filters
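Review bot: The replacement link uses a site-absolute, extensionless path (`/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip`), while the virtual smart card hunk in this same patch uses a relative `.md` path (`../smart-cards/...md`). Pick one convention for cross-folder links. A relative path to the `.md` file, which from `windows/access-protection/vpn/` would start with `../../threat-protection/`, keeps the link checkable against the repository tree, whereas an absolute URL path is only validated once published. If the absolute form is the intended convention for links that cross top-level sections, say so in the commit message.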
diff --git a/windows/keep-secure/windows-credential-theft-mitigation-guide-abstract.md b/windows/access-protection/windows-credential-theft-mitigation-guide-abstract.md
similarity index 100%
rename from windows/keep-secure/windows-credential-theft-mitigation-guide-abstract.md
rename to windows/access-protection/windows-credential-theft-mitigation-guide-abstract.md
diff --git a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/access-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
similarity index 100%
rename from windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
rename to windows/access-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
diff --git a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/access-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
similarity index 100%
rename from windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
rename to windows/access-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
diff --git a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/access-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
similarity index 100%
rename from windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
rename to windows/access-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
diff --git a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md b/windows/access-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
similarity index 100%
rename from windows/keep-secure/assign-security-group-filters-to-the-gpo.md
rename to windows/access-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
diff --git a/windows/keep-secure/basic-firewall-policy-design.md b/windows/access-protection/windows-firewall/basic-firewall-policy-design.md
similarity index 100%
rename from windows/keep-secure/basic-firewall-policy-design.md
rename to windows/access-protection/windows-firewall/basic-firewall-policy-design.md
diff --git a/windows/keep-secure/boundary-zone-gpos.md b/windows/access-protection/windows-firewall/boundary-zone-gpos.md
similarity index 100%
rename from windows/keep-secure/boundary-zone-gpos.md
rename to windows/access-protection/windows-firewall/boundary-zone-gpos.md
diff --git a/windows/keep-secure/boundary-zone.md b/windows/access-protection/windows-firewall/boundary-zone.md
similarity index 100%
rename from windows/keep-secure/boundary-zone.md
rename to windows/access-protection/windows-firewall/boundary-zone.md
diff --git a/windows/keep-secure/certificate-based-isolation-policy-design-example.md b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
similarity index 100%
rename from windows/keep-secure/certificate-based-isolation-policy-design-example.md
rename to windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
diff --git a/windows/keep-secure/certificate-based-isolation-policy-design.md b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md
similarity index 100%
rename from windows/keep-secure/certificate-based-isolation-policy-design.md
rename to windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md
diff --git a/windows/keep-secure/change-rules-from-request-to-require-mode.md b/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md
similarity index 100%
rename from windows/keep-secure/change-rules-from-request-to-require-mode.md
rename to windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md
diff --git a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md b/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
similarity index 100%
rename from windows/keep-secure/checklist-configuring-basic-firewall-settings.md
rename to windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
diff --git a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/access-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
similarity index 100%
rename from windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md
rename to windows/access-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
diff --git a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/access-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
similarity index 100%
rename from windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
rename to windows/access-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md b/windows/access-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
similarity index 100%
rename from windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md
rename to windows/access-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md b/windows/access-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
similarity index 100%
rename from windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md
rename to windows/access-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md b/windows/access-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
similarity index 100%
rename from windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md
rename to windows/access-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
diff --git a/windows/keep-secure/checklist-creating-group-policy-objects.md b/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md
similarity index 100%
rename from windows/keep-secure/checklist-creating-group-policy-objects.md
rename to windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md
diff --git a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md b/windows/access-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
similarity index 100%
rename from windows/keep-secure/checklist-creating-inbound-firewall-rules.md
rename to windows/access-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
diff --git a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md b/windows/access-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
similarity index 100%
rename from windows/keep-secure/checklist-creating-outbound-firewall-rules.md
rename to windows/access-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
diff --git a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/access-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
similarity index 100%
rename from windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
rename to windows/access-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
diff --git a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
similarity index 100%
rename from windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md
rename to windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
diff --git a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
similarity index 100%
rename from windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md
rename to windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
diff --git a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
similarity index 100%
rename from windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md
rename to windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
diff --git a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
similarity index 100%
rename from windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md
rename to windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
diff --git a/windows/keep-secure/configure-authentication-methods.md b/windows/access-protection/windows-firewall/configure-authentication-methods.md
similarity index 100%
rename from windows/keep-secure/configure-authentication-methods.md
rename to windows/access-protection/windows-firewall/configure-authentication-methods.md
diff --git a/windows/keep-secure/configure-data-protection-quick-mode-settings.md b/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
similarity index 100%
rename from windows/keep-secure/configure-data-protection-quick-mode-settings.md
rename to windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
diff --git a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/access-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
similarity index 100%
rename from windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md
rename to windows/access-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
diff --git a/windows/keep-secure/configure-key-exchange-main-mode-settings.md b/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
similarity index 100%
rename from windows/keep-secure/configure-key-exchange-main-mode-settings.md
rename to windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
diff --git a/windows/keep-secure/configure-the-rules-to-require-encryption.md b/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md
similarity index 100%
rename from windows/keep-secure/configure-the-rules-to-require-encryption.md
rename to windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md
diff --git a/windows/keep-secure/configure-the-windows-firewall-log.md b/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md
similarity index 100%
rename from windows/keep-secure/configure-the-windows-firewall-log.md
rename to windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md
diff --git a/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md b/windows/access-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
similarity index 100%
rename from windows/keep-secure/configure-the-workstation-authentication-certificate-template.md
rename to windows/access-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
diff --git a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
similarity index 100%
rename from windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
rename to windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
diff --git a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md b/windows/access-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
similarity index 100%
rename from windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md
rename to windows/access-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
diff --git a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md b/windows/access-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
similarity index 100%
rename from windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md
rename to windows/access-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
diff --git a/windows/keep-secure/create-a-group-account-in-active-directory.md b/windows/access-protection/windows-firewall/create-a-group-account-in-active-directory.md
similarity index 100%
rename from windows/keep-secure/create-a-group-account-in-active-directory.md
rename to windows/access-protection/windows-firewall/create-a-group-account-in-active-directory.md
diff --git a/windows/keep-secure/create-a-group-policy-object.md b/windows/access-protection/windows-firewall/create-a-group-policy-object.md
similarity index 100%
rename from windows/keep-secure/create-a-group-policy-object.md
rename to windows/access-protection/windows-firewall/create-a-group-policy-object.md
diff --git a/windows/keep-secure/create-an-authentication-exemption-list-rule.md b/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
similarity index 100%
rename from windows/keep-secure/create-an-authentication-exemption-list-rule.md
rename to windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
diff --git a/windows/keep-secure/create-an-authentication-request-rule.md b/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md
similarity index 100%
rename from windows/keep-secure/create-an-authentication-request-rule.md
rename to windows/access-protection/windows-firewall/create-an-authentication-request-rule.md
diff --git a/windows/keep-secure/create-an-inbound-icmp-rule.md b/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md
similarity index 100%
rename from windows/keep-secure/create-an-inbound-icmp-rule.md
rename to windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md
diff --git a/windows/keep-secure/create-an-inbound-port-rule.md b/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md
similarity index 100%
rename from windows/keep-secure/create-an-inbound-port-rule.md
rename to windows/access-protection/windows-firewall/create-an-inbound-port-rule.md
diff --git a/windows/keep-secure/create-an-inbound-program-or-service-rule.md b/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
similarity index 100%
rename from windows/keep-secure/create-an-inbound-program-or-service-rule.md
rename to windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
diff --git a/windows/keep-secure/create-an-outbound-port-rule.md b/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md
similarity index 100%
rename from windows/keep-secure/create-an-outbound-port-rule.md
rename to windows/access-protection/windows-firewall/create-an-outbound-port-rule.md
diff --git a/windows/keep-secure/create-an-outbound-program-or-service-rule.md b/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
similarity index 100%
rename from windows/keep-secure/create-an-outbound-program-or-service-rule.md
rename to windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
diff --git a/windows/keep-secure/create-inbound-rules-to-support-rpc.md b/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
similarity index 100%
rename from windows/keep-secure/create-inbound-rules-to-support-rpc.md
rename to windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
diff --git a/windows/keep-secure/create-wmi-filters-for-the-gpo.md b/windows/access-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
similarity index 100%
rename from windows/keep-secure/create-wmi-filters-for-the-gpo.md
rename to windows/access-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
diff --git a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
similarity index 100%
rename from windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md
rename to windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md b/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
similarity index 100%
rename from windows/keep-secure/determining-the-trusted-state-of-your-devices.md
rename to windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
diff --git a/windows/keep-secure/documenting-the-zones.md b/windows/access-protection/windows-firewall/documenting-the-zones.md
similarity index 100%
rename from windows/keep-secure/documenting-the-zones.md
rename to windows/access-protection/windows-firewall/documenting-the-zones.md
diff --git a/windows/keep-secure/domain-isolation-policy-design-example.md b/windows/access-protection/windows-firewall/domain-isolation-policy-design-example.md
similarity index 100%
rename from windows/keep-secure/domain-isolation-policy-design-example.md
rename to windows/access-protection/windows-firewall/domain-isolation-policy-design-example.md
diff --git a/windows/keep-secure/domain-isolation-policy-design.md b/windows/access-protection/windows-firewall/domain-isolation-policy-design.md
similarity index 100%
rename from windows/keep-secure/domain-isolation-policy-design.md
rename to windows/access-protection/windows-firewall/domain-isolation-policy-design.md
diff --git a/windows/keep-secure/enable-predefined-inbound-rules.md b/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md
similarity index 100%
rename from windows/keep-secure/enable-predefined-inbound-rules.md
rename to windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md
diff --git a/windows/keep-secure/enable-predefined-outbound-rules.md b/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md
similarity index 100%
rename from windows/keep-secure/enable-predefined-outbound-rules.md
rename to windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md
diff --git a/windows/keep-secure/encryption-zone-gpos.md b/windows/access-protection/windows-firewall/encryption-zone-gpos.md
similarity index 100%
rename from windows/keep-secure/encryption-zone-gpos.md
rename to windows/access-protection/windows-firewall/encryption-zone-gpos.md
diff --git a/windows/keep-secure/encryption-zone.md b/windows/access-protection/windows-firewall/encryption-zone.md
similarity index 100%
rename from windows/keep-secure/encryption-zone.md
rename to windows/access-protection/windows-firewall/encryption-zone.md
diff --git a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
similarity index 100%
rename from windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md
rename to windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
diff --git a/windows/keep-secure/exempt-icmp-from-authentication.md b/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md
similarity index 100%
rename from windows/keep-secure/exempt-icmp-from-authentication.md
rename to windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md
diff --git a/windows/keep-secure/exemption-list.md b/windows/access-protection/windows-firewall/exemption-list.md
similarity index 100%
rename from windows/keep-secure/exemption-list.md
rename to windows/access-protection/windows-firewall/exemption-list.md
diff --git a/windows/keep-secure/firewall-gpos.md b/windows/access-protection/windows-firewall/firewall-gpos.md
similarity index 100%
rename from windows/keep-secure/firewall-gpos.md
rename to windows/access-protection/windows-firewall/firewall-gpos.md
diff --git a/windows/keep-secure/firewall-policy-design-example.md b/windows/access-protection/windows-firewall/firewall-policy-design-example.md
similarity index 100%
rename from windows/keep-secure/firewall-policy-design-example.md
rename to windows/access-protection/windows-firewall/firewall-policy-design-example.md
diff --git a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md b/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
similarity index 100%
rename from windows/keep-secure/gathering-information-about-your-active-directory-deployment.md
rename to windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
diff --git a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md b/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
similarity index 100%
rename from windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md
rename to windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
diff --git a/windows/keep-secure/gathering-information-about-your-devices.md b/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md
similarity index 100%
rename from windows/keep-secure/gathering-information-about-your-devices.md
rename to windows/access-protection/windows-firewall/gathering-information-about-your-devices.md
diff --git a/windows/keep-secure/gathering-other-relevant-information.md b/windows/access-protection/windows-firewall/gathering-other-relevant-information.md
similarity index 100%
rename from windows/keep-secure/gathering-other-relevant-information.md
rename to windows/access-protection/windows-firewall/gathering-other-relevant-information.md
diff --git a/windows/keep-secure/gathering-the-information-you-need.md b/windows/access-protection/windows-firewall/gathering-the-information-you-need.md
similarity index 100%
rename from windows/keep-secure/gathering-the-information-you-need.md
rename to windows/access-protection/windows-firewall/gathering-the-information-you-need.md
diff --git a/windows/keep-secure/gpo-domiso-boundary.md b/windows/access-protection/windows-firewall/gpo-domiso-boundary.md
similarity index 100%
rename from windows/keep-secure/gpo-domiso-boundary.md
rename to windows/access-protection/windows-firewall/gpo-domiso-boundary.md
diff --git a/windows/keep-secure/gpo-domiso-encryption.md b/windows/access-protection/windows-firewall/gpo-domiso-encryption.md
similarity index 97%
rename from windows/keep-secure/gpo-domiso-encryption.md
rename to windows/access-protection/windows-firewall/gpo-domiso-encryption.md
index dac33f72d4..b5d3c6801e 100644
--- a/windows/keep-secure/gpo-domiso-encryption.md
+++ b/windows/access-protection/windows-firewall/gpo-domiso-encryption.md
@@ -3,6 +3,10 @@ title: GPO\_DOMISO\_Encryption\_WS2008 (Windows 10)
description: GPO\_DOMISO\_Encryption\_WS2008
ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446
author: brianlic-msft
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
---
# GPO\_DOMISO\_Encryption\_WS2008
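Review bot: The `description:` value in this front matter only repeats the title (`GPO\_DOMISO\_Encryption\_WS2008`). Since the metadata block is already being edited to add `ms.prod`, `ms.mktglfcycl`, `ms.sitesec` and `ms.pagetype`, consider replacing it with a one-sentence summary of what this GPO configures, so the page is identifiable in search results and topic lists.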
diff --git a/windows/keep-secure/gpo-domiso-firewall.md b/windows/access-protection/windows-firewall/gpo-domiso-firewall.md
similarity index 100%
rename from windows/keep-secure/gpo-domiso-firewall.md
rename to windows/access-protection/windows-firewall/gpo-domiso-firewall.md
diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
similarity index 100%
rename from windows/keep-secure/gpo-domiso-isolateddomain-clients.md
rename to windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
similarity index 100%
rename from windows/keep-secure/gpo-domiso-isolateddomain-servers.md
rename to windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
similarity index 100%
rename from windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
rename to windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
diff --git a/windows/access-protection/windows-firewall/images/corpnet.gif b/windows/access-protection/windows-firewall/images/corpnet.gif
new file mode 100644
index 0000000000..f76182ee25
Binary files /dev/null and b/windows/access-protection/windows-firewall/images/corpnet.gif differ
diff --git a/windows/keep-secure/images/createipsecrule.gif b/windows/access-protection/windows-firewall/images/createipsecrule.gif
similarity index 100%
rename from windows/keep-secure/images/createipsecrule.gif
rename to windows/access-protection/windows-firewall/images/createipsecrule.gif
diff --git a/windows/keep-secure/images/powershelllogosmall.gif b/windows/access-protection/windows-firewall/images/powershelllogosmall.gif
similarity index 100%
rename from windows/keep-secure/images/powershelllogosmall.gif
rename to windows/access-protection/windows-firewall/images/powershelllogosmall.gif
diff --git a/windows/keep-secure/images/qmcryptoset.gif b/windows/access-protection/windows-firewall/images/qmcryptoset.gif
similarity index 100%
rename from windows/keep-secure/images/qmcryptoset.gif
rename to windows/access-protection/windows-firewall/images/qmcryptoset.gif
diff --git a/windows/keep-secure/images/wfas-design2example1.gif b/windows/access-protection/windows-firewall/images/wfas-design2example1.gif
similarity index 100%
rename from windows/keep-secure/images/wfas-design2example1.gif
rename to windows/access-protection/windows-firewall/images/wfas-design2example1.gif
diff --git a/windows/keep-secure/images/wfas-design3example1.gif b/windows/access-protection/windows-firewall/images/wfas-design3example1.gif
similarity index 100%
rename from windows/keep-secure/images/wfas-design3example1.gif
rename to windows/access-protection/windows-firewall/images/wfas-design3example1.gif
diff --git a/windows/keep-secure/images/wfas-designexample1.gif b/windows/access-protection/windows-firewall/images/wfas-designexample1.gif
similarity index 100%
rename from windows/keep-secure/images/wfas-designexample1.gif
rename to windows/access-protection/windows-firewall/images/wfas-designexample1.gif
diff --git a/windows/keep-secure/images/wfas-designflowchart1.gif b/windows/access-protection/windows-firewall/images/wfas-designflowchart1.gif
similarity index 100%
rename from windows/keep-secure/images/wfas-designflowchart1.gif
rename to windows/access-protection/windows-firewall/images/wfas-designflowchart1.gif
diff --git a/windows/keep-secure/images/wfas-domainiso.gif b/windows/access-protection/windows-firewall/images/wfas-domainiso.gif
similarity index 100%
rename from windows/keep-secure/images/wfas-domainiso.gif
rename to windows/access-protection/windows-firewall/images/wfas-domainiso.gif
diff --git a/windows/keep-secure/images/wfas-domainisoencrypt.gif b/windows/access-protection/windows-firewall/images/wfas-domainisoencrypt.gif
similarity index 100%
rename from windows/keep-secure/images/wfas-domainisoencrypt.gif
rename to windows/access-protection/windows-firewall/images/wfas-domainisoencrypt.gif
diff --git a/windows/keep-secure/images/wfas-domainisohighsec.gif b/windows/access-protection/windows-firewall/images/wfas-domainisohighsec.gif
similarity index 100%
rename from windows/keep-secure/images/wfas-domainisohighsec.gif
rename to windows/access-protection/windows-firewall/images/wfas-domainisohighsec.gif
diff --git a/windows/keep-secure/images/wfas-domainnag.gif b/windows/access-protection/windows-firewall/images/wfas-domainnag.gif
similarity index 100%
rename from windows/keep-secure/images/wfas-domainnag.gif
rename to windows/access-protection/windows-firewall/images/wfas-domainnag.gif
diff --git a/windows/keep-secure/images/wfas-icon-checkbox.gif b/windows/access-protection/windows-firewall/images/wfas-icon-checkbox.gif
similarity index 100%
rename from windows/keep-secure/images/wfas-icon-checkbox.gif
rename to windows/access-protection/windows-firewall/images/wfas-icon-checkbox.gif
diff --git a/windows/keep-secure/images/wfas-implement.gif b/windows/access-protection/windows-firewall/images/wfas-implement.gif
similarity index 100%
rename from windows/keep-secure/images/wfas-implement.gif
rename to windows/access-protection/windows-firewall/images/wfas-implement.gif
diff --git a/windows/keep-secure/images/wfasdomainisoboundary.gif b/windows/access-protection/windows-firewall/images/wfasdomainisoboundary.gif
similarity index 100%
rename from windows/keep-secure/images/wfasdomainisoboundary.gif
rename to windows/access-protection/windows-firewall/images/wfasdomainisoboundary.gif
diff --git a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
similarity index 100%
rename from windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md
rename to windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
diff --git a/windows/keep-secure/isolated-domain-gpos.md b/windows/access-protection/windows-firewall/isolated-domain-gpos.md
similarity index 100%
rename from windows/keep-secure/isolated-domain-gpos.md
rename to windows/access-protection/windows-firewall/isolated-domain-gpos.md
diff --git a/windows/keep-secure/isolated-domain.md b/windows/access-protection/windows-firewall/isolated-domain.md
similarity index 100%
rename from windows/keep-secure/isolated-domain.md
rename to windows/access-protection/windows-firewall/isolated-domain.md
diff --git a/windows/keep-secure/isolating-apps-on-your-network.md b/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md
similarity index 100%
rename from windows/keep-secure/isolating-apps-on-your-network.md
rename to windows/access-protection/windows-firewall/isolating-apps-on-your-network.md
diff --git a/windows/keep-secure/link-the-gpo-to-the-domain.md b/windows/access-protection/windows-firewall/link-the-gpo-to-the-domain.md
similarity index 100%
rename from windows/keep-secure/link-the-gpo-to-the-domain.md
rename to windows/access-protection/windows-firewall/link-the-gpo-to-the-domain.md
diff --git a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/access-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
similarity index 100%
rename from windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
rename to windows/access-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
diff --git a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/access-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
similarity index 100%
rename from windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
rename to windows/access-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
similarity index 100%
rename from windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md
rename to windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
similarity index 100%
rename from windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
rename to windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md b/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
similarity index 100%
rename from windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md
rename to windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
diff --git a/windows/keep-secure/open-windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
similarity index 100%
rename from windows/keep-secure/open-windows-firewall-with-advanced-security.md
rename to windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
diff --git a/windows/keep-secure/planning-certificate-based-authentication.md b/windows/access-protection/windows-firewall/planning-certificate-based-authentication.md
similarity index 100%
rename from windows/keep-secure/planning-certificate-based-authentication.md
rename to windows/access-protection/windows-firewall/planning-certificate-based-authentication.md
diff --git a/windows/keep-secure/planning-domain-isolation-zones.md b/windows/access-protection/windows-firewall/planning-domain-isolation-zones.md
similarity index 100%
rename from windows/keep-secure/planning-domain-isolation-zones.md
rename to windows/access-protection/windows-firewall/planning-domain-isolation-zones.md
diff --git a/windows/keep-secure/planning-gpo-deployment.md b/windows/access-protection/windows-firewall/planning-gpo-deployment.md
similarity index 100%
rename from windows/keep-secure/planning-gpo-deployment.md
rename to windows/access-protection/windows-firewall/planning-gpo-deployment.md
diff --git a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/access-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
similarity index 100%
rename from windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md
rename to windows/access-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
diff --git a/windows/keep-secure/planning-isolation-groups-for-the-zones.md b/windows/access-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
similarity index 100%
rename from windows/keep-secure/planning-isolation-groups-for-the-zones.md
rename to windows/access-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
diff --git a/windows/keep-secure/planning-network-access-groups.md b/windows/access-protection/windows-firewall/planning-network-access-groups.md
similarity index 100%
rename from windows/keep-secure/planning-network-access-groups.md
rename to windows/access-protection/windows-firewall/planning-network-access-groups.md
diff --git a/windows/keep-secure/planning-server-isolation-zones.md b/windows/access-protection/windows-firewall/planning-server-isolation-zones.md
similarity index 100%
rename from windows/keep-secure/planning-server-isolation-zones.md
rename to windows/access-protection/windows-firewall/planning-server-isolation-zones.md
diff --git a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md b/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
similarity index 100%
rename from windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md
rename to windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
diff --git a/windows/keep-secure/planning-the-gpos.md b/windows/access-protection/windows-firewall/planning-the-gpos.md
similarity index 100%
rename from windows/keep-secure/planning-the-gpos.md
rename to windows/access-protection/windows-firewall/planning-the-gpos.md
diff --git a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
similarity index 100%
rename from windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md
rename to windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
diff --git a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md b/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
similarity index 100%
rename from windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md
rename to windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
diff --git a/windows/keep-secure/procedures-used-in-this-guide.md b/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md
similarity index 100%
rename from windows/keep-secure/procedures-used-in-this-guide.md
rename to windows/access-protection/windows-firewall/procedures-used-in-this-guide.md
diff --git a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md b/windows/access-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
similarity index 100%
rename from windows/keep-secure/protect-devices-from-unwanted-network-traffic.md
rename to windows/access-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
similarity index 100%
rename from windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md
rename to windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md b/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
similarity index 100%
rename from windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md
rename to windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
diff --git a/windows/keep-secure/restrict-access-to-only-trusted-devices.md b/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
similarity index 100%
rename from windows/keep-secure/restrict-access-to-only-trusted-devices.md
rename to windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
diff --git a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md b/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
similarity index 100%
rename from windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md
rename to windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
diff --git a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
similarity index 100%
rename from windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md
rename to windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
diff --git a/windows/keep-secure/server-isolation-gpos.md b/windows/access-protection/windows-firewall/server-isolation-gpos.md
similarity index 100%
rename from windows/keep-secure/server-isolation-gpos.md
rename to windows/access-protection/windows-firewall/server-isolation-gpos.md
diff --git a/windows/keep-secure/server-isolation-policy-design-example.md b/windows/access-protection/windows-firewall/server-isolation-policy-design-example.md
similarity index 100%
rename from windows/keep-secure/server-isolation-policy-design-example.md
rename to windows/access-protection/windows-firewall/server-isolation-policy-design-example.md
diff --git a/windows/keep-secure/server-isolation-policy-design.md b/windows/access-protection/windows-firewall/server-isolation-policy-design.md
similarity index 100%
rename from windows/keep-secure/server-isolation-policy-design.md
rename to windows/access-protection/windows-firewall/server-isolation-policy-design.md
diff --git a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
similarity index 100%
rename from windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md
rename to windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
diff --git a/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
similarity index 100%
rename from windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md
rename to windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
diff --git a/windows/keep-secure/verify-that-network-traffic-is-authenticated.md b/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
similarity index 100%
rename from windows/keep-secure/verify-that-network-traffic-is-authenticated.md
rename to windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
similarity index 94%
rename from windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
rename to windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index e82ec6f3d5..498b42fa47 100644
--- a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -63,7 +63,7 @@ netsh advfirewall set allprofiles state on
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
```
-### Control firewall behavior
+### Control Windows Firewall behavior
The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall with Advanced Security console.
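Review bot: Deep links to this section may stop resolving, because the heading text changes to `### Control Windows Firewall behavior` and renderers that derive the section anchor from the heading will generate a new one. Search the doc set for links to the old `Control firewall behavior` anchor and update them in the same change. The paragraph directly under the heading still says "Windows Firewall with Advanced Security", so it is also worth deciding which product name this section uses and applying it in both places.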
@@ -84,6 +84,36 @@ Windows PowerShell
Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow –NotifyOnListen True -AllowUnicastResponseToMulticast True –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
+### Disable Windows Firewall
+
+Microsoft recommends that you do not disable Windows Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
+
+Disabling Windows Firewall with Advanced Security can also cause problems, including:
+
+- Start menu can stop working
+- Modern applications can fail to install or update
+- Activation of Windows via phone fails
+- Application or OS incompatibilities that depend on Windows Firewall
+
+Microsoft recommends disabling Windows Firewall with Advanced Security only when installing a third-party firewall, and resetting Windows Firewall back to defaults when the third-party software is disabled or removed.
+
+If disabling Windows Firewall with Advanced Security is required, do not disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc).
+Stopping the Windows Firewall service is not supported by Microsoft.
+
+Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that need to be disabled for compatibility.
+You should not disable the firewall yourself for this purpose.
+
+The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running.
+
+Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**.
+For more information, see [Windows firewall with advanced security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
+
+The following example disables Windows Firewall with Advanced Security for all profiles.
+
+```powershell
+Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
+```
+
## Deploy basic firewall rules
This section provides scriptlet examples for creating, modifying, and deleting firewall rules.
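Review bot: The Group Policy path in the added "Use the following procedure" paragraph spells the node "Domain Prolfile"; it should read "Domain Profile". That path also names only the domain profile, while the PowerShell example under it turns off Domain, Public and Private, so either list the matching setting for each profile or state that the policy route covers the domain profile only. The paragraph promises a procedure but only a one-line example follows; "Use the following example" would match what is there. The Windows Service Hardening link uses http:// where the boot time filters link next to it uses https://.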
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
similarity index 100%
rename from windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md
rename to windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
similarity index 100%
rename from windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md
rename to windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md
similarity index 100%
rename from windows/keep-secure/windows-firewall-with-advanced-security.md
rename to windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md
diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md
new file mode 100644
index 0000000000..7f815bfe0e
--- /dev/null
+++ b/windows/application-management/TOC.md
@@ -0,0 +1,101 @@
+# [Manage applications in Windows 10](index.md)
+## [Sideload apps](sideload-apps-in-windows-10.md)
+## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md)
+### [Getting Started with App-V](app-v/appv-getting-started.md)
+#### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md)
+##### [Release Notes for App-V for Windows 10, version 1607](app-v/appv-release-notes-for-appv-for-windows.md)
+##### [Release Notes for App-V for Windows 10, version 1703](app-v/appv-release-notes-for-appv-for-windows-1703.md)
+#### [Evaluating App-V](app-v/appv-evaluating-appv.md)
+#### [High Level Architecture for App-V](app-v/appv-high-level-architecture.md)
+### [Planning for App-V](app-v/appv-planning-for-appv.md)
+#### [Preparing Your Environment for App-V](app-v/appv-preparing-your-environment.md)
+##### [App-V Prerequisites](app-v/appv-prerequisites.md)
+##### [App-V Security Considerations](app-v/appv-security-considerations.md)
+#### [Planning to Deploy App-V](app-v/appv-planning-to-deploy-appv.md)
+##### [App-V Supported Configurations](app-v/appv-supported-configurations.md)
+##### [App-V Capacity Planning](app-v/appv-capacity-planning.md)
+##### [Planning for High Availability with App-V](app-v/appv-planning-for-high-availability-with-appv.md)
+##### [Planning to Deploy App-V with an Electronic Software Distribution System](app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md)
+##### [Planning for the App-V Server Deployment](app-v/appv-planning-for-appv-server-deployment.md)
+##### [Planning for the App-V Sequencer and Client Deployment](app-v/appv-planning-for-sequencer-and-client-deployment.md)
+##### [Planning for Using App-V with Office](app-v/appv-planning-for-using-appv-with-office.md)
+##### [Planning to Use Folder Redirection with App-V](app-v/appv-planning-folder-redirection-with-appv.md)
+#### [App-V Planning Checklist](app-v/appv-planning-checklist.md)
+### [Deploying App-V](app-v/appv-deploying-appv.md)
+#### [Deploying the App-V Sequencer and Configuring the Client](app-v/appv-deploying-the-appv-sequencer-and-client.md)
+##### [About Client Configuration Settings](app-v/appv-client-configuration-settings.md)
+##### [Enable the App-V desktop client](app-v/appv-enable-the-app-v-desktop-client.md)
+##### [How to Install the Sequencer](app-v/appv-install-the-sequencer.md)
+#### [Deploying the App-V Server](app-v/appv-deploying-the-appv-server.md)
+##### [How to Deploy the App-V Server](app-v/appv-deploy-the-appv-server.md)
+##### [How to Deploy the App-V Server Using a Script](app-v/appv-deploy-the-appv-server-with-a-script.md)
+##### [How to Deploy the App-V Databases by Using SQL Scripts](app-v/appv-deploy-appv-databases-with-sql-scripts.md)
+##### [How to Install the Publishing Server on a Remote Computer](app-v/appv-install-the-publishing-server-on-a-remote-computer.md)
+##### [How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md)
+##### [How to install the Management Server on a Standalone Computer and Connect it to the Database ](app-v/appv-install-the-management-server-on-a-standalone-computer.md)
+##### [About App-V Reporting](app-v/appv-reporting.md)
+##### [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](app-v/appv-install-the-reporting-server-on-a-standalone-computer.md)
+#### [App-V Deployment Checklist](app-v/appv-deployment-checklist.md)
+#### [Deploying Microsoft Office 2016 by Using App-V](app-v/appv-deploying-microsoft-office-2016-with-appv.md)
+#### [Deploying Microsoft Office 2013 by Using App-V](app-v/appv-deploying-microsoft-office-2013-with-appv.md)
+#### [Deploying Microsoft Office 2010 by Using App-V](app-v/appv-deploying-microsoft-office-2010-wth-appv.md)
+### [Operations for App-V](app-v/appv-operations.md)
+#### [Creating and Managing App-V Virtualized Applications](app-v/appv-creating-and-managing-virtualized-applications.md)
+##### [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](app-v/appv-auto-provision-a-vm.md)
+##### [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](app-v/appv-auto-batch-sequencing.md)
+##### [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](app-v/appv-auto-batch-updating.md)
+##### [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](app-v/appv-sequence-a-new-application.md)
+##### [How to Modify an Existing Virtual Application Package](app-v/appv-modify-an-existing-virtual-application-package.md)
+##### [How to Create and Use a Project Template](app-v/appv-create-and-use-a-project-template.md)
+##### [How to Create a Package Accelerator](app-v/appv-create-a-package-accelerator.md)
+##### [How to Create a Virtual Application Package Using an App-V Package Accelerator](app-v/appv-create-a-virtual-application-package-package-accelerator.md)
+#### [Administering App-V Virtual Applications by Using the Management Console](app-v/appv-administering-virtual-applications-with-the-management-console.md)
+##### [About App-V Dynamic Configuration](app-v/appv-dynamic-configuration.md)
+##### [How to Connect to the Management Console ](app-v/appv-connect-to-the-management-console.md)
+##### [How to Add or Upgrade Packages by Using the Management Console](app-v/appv-add-or-upgrade-packages-with-the-management-console.md)
+##### [How to Configure Access to Packages by Using the Management Console ](app-v/appv-configure-access-to-packages-with-the-management-console.md)
+##### [How to Publish a Package by Using the Management Console ](app-v/appv-publish-a-packages-with-the-management-console.md)
+##### [How to Delete a Package in the Management Console ](app-v/appv-delete-a-package-with-the-management-console.md)
+##### [How to Add or Remove an Administrator by Using the Management Console](app-v/appv-add-or-remove-an-administrator-with-the-management-console.md)
+##### [How to Register and Unregister a Publishing Server by Using the Management Console](app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md)
+##### [How to Create a Custom Configuration File by Using the App-V Management Console](app-v/appv-create-a-custom-configuration-file-with-the-management-console.md)
+##### [How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console](app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md)
+##### [How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console](app-v/appv-customize-virtual-application-extensions-with-the-management-console.md)
+##### [How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console ](app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md)
+#### [Managing Connection Groups](app-v/appv-managing-connection-groups.md)
+##### [About the Connection Group Virtual Environment](app-v/appv-connection-group-virtual-environment.md)
+##### [About the Connection Group File](app-v/appv-connection-group-file.md)
+##### [How to Create a Connection Group](app-v/appv-create-a-connection-group.md)
+##### [How to Create a Connection Group with User-Published and Globally Published Packages](app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)
+##### [How to Delete a Connection Group](app-v/appv-delete-a-connection-group.md)
+##### [How to Publish a Connection Group](app-v/appv-publish-a-connection-group.md)
+##### [How to Make a Connection Group Ignore the Package Version](app-v/appv-configure-connection-groups-to-ignore-the-package-version.md)
+##### [How to Allow Only Administrators to Enable Connection Groups](app-v/appv-allow-administrators-to-enable-connection-groups.md)
+#### [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md)
+##### [How to deploy App-V Packages Using Electronic Software Distribution](app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md)
+##### [How to Enable Only Administrators to Publish Packages by Using an ESD](app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md)
+#### [Using the App-V Client Management Console](app-v/appv-using-the-client-management-console.md)
+##### [Automatically clean-up unpublished packages on the App-V client](app-v/appv-auto-clean-unpublished-packages.md)
+#### [Migrating to App-V from a Previous Version](app-v/appv-migrating-to-appv-from-a-previous-version.md)
+##### [How to Convert a Package Created in a Previous Version of App-V](app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md)
+#### [Maintaining App-V](app-v/appv-maintaining-appv.md)
+##### [How to Move the App-V Server to Another Computer](app-v/appv-move-the-appv-server-to-another-computer.md)
+#### [Administering App-V by Using Windows PowerShell](app-v/appv-administering-appv-with-powershell.md)
+##### [How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help ](app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md)
+##### [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md)
+##### [How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)
+##### [How to Modify Client Configuration by Using Windows PowerShell](app-v/appv-modify-client-configuration-with-powershell.md)
+##### [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
+##### [How to Apply the User Configuration File by Using Windows PowerShell](app-v/appv-apply-the-user-configuration-file-with-powershell.md)
+##### [How to Apply the Deployment Configuration File by Using Windows PowerShell](app-v/appv-apply-the-deployment-configuration-file-with-powershell.md)
+##### [How to Sequence a Package by Using Windows PowerShell ](app-v/appv-sequence-a-package-with-powershell.md)
+##### [How to Create a Package Accelerator by Using Windows PowerShell](app-v/appv-create-a-package-accelerator-with-powershell.md)
+##### [How to Enable Reporting on the App-V Client by Using Windows PowerShell](app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md)
+##### [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md)
+### [Troubleshooting App-V](app-v/appv-troubleshooting.md)
+### [Technical Reference for App-V](app-v/appv-technical-reference.md)
+#### [Available Mobile Device Management (MDM) settings for App-V](app-v/appv-available-mdm-settings.md)
+#### [Performance Guidance for Application Virtualization](app-v/appv-performance-guidance.md)
+#### [Application Publishing and Client Interaction](app-v/appv-application-publishing-and-client-interaction.md)
+#### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md)
+#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md)
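Review bot: Several link titles in this new TOC end with a space before the closing bracket, for example "Connect it to the Database ]", "How to Connect to the Management Console ]" and "How to Sequence a Package by Using Windows PowerShell ]"; trim them. Casing is also mixed among sibling entries ("How to install the Management Server" and "How to deploy App-V Packages" next to "How to Install the Sequencer"), so pick one form. The Office 2010 entry links to appv-deploying-microsoft-office-2010-wth-appv.md, which matches the rename target in this commit, but "wth" looks like a typo carried over in the file name and is worth fixing while the files are being moved.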
diff --git a/windows/manage/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md
similarity index 100%
rename from windows/manage/appv-about-appv.md
rename to windows/application-management/app-v/appv-about-appv.md
diff --git a/windows/manage/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
similarity index 100%
rename from windows/manage/appv-add-or-remove-an-administrator-with-the-management-console.md
rename to windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
diff --git a/windows/manage/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
similarity index 100%
rename from windows/manage/appv-add-or-upgrade-packages-with-the-management-console.md
rename to windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
diff --git a/windows/manage/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
similarity index 100%
rename from windows/manage/appv-administering-appv-with-powershell.md
rename to windows/application-management/app-v/appv-administering-appv-with-powershell.md
diff --git a/windows/manage/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
similarity index 100%
rename from windows/manage/appv-administering-virtual-applications-with-the-management-console.md
rename to windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
diff --git a/windows/manage/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
similarity index 100%
rename from windows/manage/appv-allow-administrators-to-enable-connection-groups.md
rename to windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
diff --git a/windows/manage/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
similarity index 100%
rename from windows/manage/appv-application-publishing-and-client-interaction.md
rename to windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
diff --git a/windows/manage/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
similarity index 100%
rename from windows/manage/appv-apply-the-deployment-configuration-file-with-powershell.md
rename to windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
diff --git a/windows/manage/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
similarity index 100%
rename from windows/manage/appv-apply-the-user-configuration-file-with-powershell.md
rename to windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
diff --git a/windows/manage/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md
similarity index 96%
rename from windows/manage/appv-auto-batch-sequencing.md
rename to windows/application-management/app-v/appv-auto-batch-sequencing.md
index 2722febd18..a90e25e2eb 100644
--- a/windows/manage/appv-auto-batch-sequencing.md
+++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md
@@ -35,7 +35,7 @@ Sequencing multiple apps at the same time requires that you create a **ConfigFil
2. Add the following required XML info for each app:
- - **<Name>.** The name of the app you're adding to the package.
+ - **<AppName>.** The name of the app you're adding to the package.
- **<InstallerFolder>.** The file path to the folder with the app installer.
@@ -55,7 +55,7 @@ Sequencing multiple apps at the same time requires that you create a **ConfigFil
- Skype for Windows
+ Skype for WindowsD:\Install\New\SkypeforWindowsSkypeSetup.exe/S
@@ -64,7 +64,7 @@ Sequencing multiple apps at the same time requires that you create a **ConfigFil
True
- Power BI
+ Power BID:\Install\New\MicrosoftPowerBIPBIDesktop.msi/S
@@ -97,7 +97,7 @@ Sequencing multipe apps at the same time requires that you create a **ConfigFIle
2. Add the following required XML info for each app:
- - **<Name>.** The name of the app you're adding to the package.
+ - **<AppName>.** The name of the app you're adding to the package.
- **<InstallerFolder>.** The file path to the folder with the app installer.
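Review bot: The section context shown in this hunk's header still reads "Sequencing multipe apps" and "**ConfigFIle"; since the commit already edits this step, correct both to "multiple" and "ConfigFile" here. The first section of the same file (the hunk at line 35) has them spelled correctly, so the two sections currently disagree.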
@@ -115,7 +115,7 @@ Sequencing multipe apps at the same time requires that you create a **ConfigFIle
- Skype for Windows
+ Skype for WindowsD:\Install\New\SkypeforWindowsSkypeSetup.exe20
@@ -123,7 +123,7 @@ Sequencing multipe apps at the same time requires that you create a **ConfigFIle
True
- Power BI
+ Power BID:\Install\New\MicrosoftPowerBIPBIDesktop.msi20
diff --git a/windows/manage/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md
similarity index 96%
rename from windows/manage/appv-auto-batch-updating.md
rename to windows/application-management/app-v/appv-auto-batch-updating.md
index 3c9a7531bc..0430b81a0b 100644
--- a/windows/manage/appv-auto-batch-updating.md
+++ b/windows/application-management/app-v/appv-auto-batch-updating.md
@@ -29,7 +29,7 @@ Updating multiple apps at the same time requires that you create a **ConfigFile*
2. Add the following XML info for each app:
- - **<Name>.** The name of the app you're adding to the package.
+ - **<AppName>.** The name of the app you're adding to the package.
- **<InstallerFolder>.** The file path to the folder with the app installer.
@@ -50,7 +50,7 @@ Updating multiple apps at the same time requires that you create a **ConfigFile*
- Skype for Windows Update
+ Skype for Windows UpdateD:\Install\Update\SkypeforWindowsSkypeSetup.exe/S
@@ -60,7 +60,7 @@ Updating multiple apps at the same time requires that you create a **ConfigFile*
True
- Microsoft Power BI Update
+ Microsoft Power BI UpdateD:\Install\Update\PowerBIPBIDesktop.msi/S
@@ -95,7 +95,7 @@ Updating multipe apps at the same time requires that you create a **ConfigFile**
2. Add the following XML info for each app:
- - **<Name>.** The name of the app you're adding to the package.
+ - **<AppName>.** The name of the app you're adding to the package.
- **<InstallerFolder>.** The file path to the folder with the app installer.
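Review bot: The header context for this hunk reads "Updating multipe apps", while the matching section earlier in the file (the hunk at line 29) has "multiple"; fix the spelling in this second section as part of the same change.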
@@ -115,7 +115,7 @@ Updating multipe apps at the same time requires that you create a **ConfigFile**
- Skype for Windows Update
+ Skype for Windows UpdateD:\Install\Update\SkypeforWindowsSkypeSetup.exe/S
@@ -125,7 +125,7 @@ Updating multipe apps at the same time requires that you create a **ConfigFile**
True
- Microsoft Power BI Update
+ Microsoft Power BI UpdateD:\Install\Update\PowerBIPBIDesktop.msi/S
diff --git a/windows/manage/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
similarity index 100%
rename from windows/manage/appv-auto-clean-unpublished-packages.md
rename to windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
diff --git a/windows/manage/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md
similarity index 100%
rename from windows/manage/appv-auto-provision-a-vm.md
rename to windows/application-management/app-v/appv-auto-provision-a-vm.md
diff --git a/windows/manage/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
similarity index 95%
rename from windows/manage/appv-available-mdm-settings.md
rename to windows/application-management/app-v/appv-available-mdm-settings.md
index dc5eb1a61a..1fc2a529b1 100644
--- a/windows/manage/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -1,5 +1,5 @@
---
-title: Available Mobile Data Management (MDM) settings for App-V (Windows 10)
+title: Available Mobile Device Management (MDM) settings for App-V (Windows 10)
description: A list of the available MDM settings for App-V on Windows 10.
author: eross-msft
ms.pagetype: mdop, appcompat, virtualization
@@ -8,8 +8,8 @@ ms.sitesec: library
ms.prod: w10
---
-# Available Mobile Data Management (MDM) settings for App-V
-With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps by using these Mobile Data Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page.
+# Available Mobile Device Management (MDM) settings for App-V
+With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps by using these Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page.
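Review bot: The EnterpriseAppVManagement CSP link in the changed paragraph hard-codes the /en-us/ locale segment; since the line is being rewritten anyway, drop the locale so the link follows the reader's language settings.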
diff --git a/windows/manage/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md
similarity index 100%
rename from windows/manage/appv-capacity-planning.md
rename to windows/application-management/app-v/appv-capacity-planning.md
diff --git a/windows/manage/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md
similarity index 100%
rename from windows/manage/appv-client-configuration-settings.md
rename to windows/application-management/app-v/appv-client-configuration-settings.md
diff --git a/windows/manage/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
similarity index 100%
rename from windows/manage/appv-configure-access-to-packages-with-the-management-console.md
rename to windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
diff --git a/windows/manage/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
similarity index 100%
rename from windows/manage/appv-configure-connection-groups-to-ignore-the-package-version.md
rename to windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
diff --git a/windows/manage/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
similarity index 100%
rename from windows/manage/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
rename to windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
diff --git a/windows/manage/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md
similarity index 100%
rename from windows/manage/appv-connect-to-the-management-console.md
rename to windows/application-management/app-v/appv-connect-to-the-management-console.md
diff --git a/windows/manage/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md
similarity index 100%
rename from windows/manage/appv-connection-group-file.md
rename to windows/application-management/app-v/appv-connection-group-file.md
diff --git a/windows/manage/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
similarity index 100%
rename from windows/manage/appv-connection-group-virtual-environment.md
rename to windows/application-management/app-v/appv-connection-group-virtual-environment.md
diff --git a/windows/manage/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
similarity index 100%
rename from windows/manage/appv-convert-a-package-created-in-a-previous-version-of-appv.md
rename to windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
diff --git a/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
similarity index 100%
rename from windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
rename to windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
diff --git a/windows/manage/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md
similarity index 100%
rename from windows/manage/appv-create-a-connection-group.md
rename to windows/application-management/app-v/appv-create-a-connection-group.md
diff --git a/windows/manage/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
similarity index 100%
rename from windows/manage/appv-create-a-custom-configuration-file-with-the-management-console.md
rename to windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
diff --git a/windows/manage/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
similarity index 100%
rename from windows/manage/appv-create-a-package-accelerator-with-powershell.md
rename to windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
diff --git a/windows/manage/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md
similarity index 100%
rename from windows/manage/appv-create-a-package-accelerator.md
rename to windows/application-management/app-v/appv-create-a-package-accelerator.md
diff --git a/windows/manage/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
similarity index 100%
rename from windows/manage/appv-create-a-virtual-application-package-package-accelerator.md
rename to windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
diff --git a/windows/manage/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
similarity index 100%
rename from windows/manage/appv-create-and-use-a-project-template.md
rename to windows/application-management/app-v/appv-create-and-use-a-project-template.md
diff --git a/windows/manage/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
similarity index 100%
rename from windows/manage/appv-creating-and-managing-virtualized-applications.md
rename to windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
diff --git a/windows/manage/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
similarity index 100%
rename from windows/manage/appv-customize-virtual-application-extensions-with-the-management-console.md
rename to windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
diff --git a/windows/manage/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md
similarity index 100%
rename from windows/manage/appv-delete-a-connection-group.md
rename to windows/application-management/app-v/appv-delete-a-connection-group.md
diff --git a/windows/manage/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
similarity index 100%
rename from windows/manage/appv-delete-a-package-with-the-management-console.md
rename to windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
diff --git a/windows/manage/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
similarity index 100%
rename from windows/manage/appv-deploy-appv-databases-with-sql-scripts.md
rename to windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
diff --git a/windows/manage/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
similarity index 100%
rename from windows/manage/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
rename to windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
diff --git a/windows/manage/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
similarity index 100%
rename from windows/manage/appv-deploy-the-appv-server-with-a-script.md
rename to windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
diff --git a/windows/manage/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md
similarity index 100%
rename from windows/manage/appv-deploy-the-appv-server.md
rename to windows/application-management/app-v/appv-deploy-the-appv-server.md
diff --git a/windows/manage/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md
similarity index 100%
rename from windows/manage/appv-deploying-appv.md
rename to windows/application-management/app-v/appv-deploying-appv.md
diff --git a/windows/manage/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
similarity index 100%
rename from windows/manage/appv-deploying-microsoft-office-2010-wth-appv.md
rename to windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
diff --git a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
similarity index 100%
rename from windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
rename to windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
diff --git a/windows/manage/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
similarity index 100%
rename from windows/manage/appv-deploying-microsoft-office-2016-with-appv.md
rename to windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
diff --git a/windows/manage/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
similarity index 100%
rename from windows/manage/appv-deploying-packages-with-electronic-software-distribution-solutions.md
rename to windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
diff --git a/windows/manage/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
similarity index 100%
rename from windows/manage/appv-deploying-the-appv-sequencer-and-client.md
rename to windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
diff --git a/windows/manage/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md
similarity index 100%
rename from windows/manage/appv-deploying-the-appv-server.md
rename to windows/application-management/app-v/appv-deploying-the-appv-server.md
diff --git a/windows/manage/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
similarity index 100%
rename from windows/manage/appv-deployment-checklist.md
rename to windows/application-management/app-v/appv-deployment-checklist.md
diff --git a/windows/manage/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md
similarity index 100%
rename from windows/manage/appv-dynamic-configuration.md
rename to windows/application-management/app-v/appv-dynamic-configuration.md
diff --git a/windows/manage/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
similarity index 100%
rename from windows/manage/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
rename to windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
diff --git a/windows/manage/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
similarity index 100%
rename from windows/manage/appv-enable-reporting-on-the-appv-client-with-powershell.md
rename to windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
diff --git a/windows/manage/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
similarity index 100%
rename from windows/manage/appv-enable-the-app-v-desktop-client.md
rename to windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
diff --git a/windows/manage/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md
similarity index 100%
rename from windows/manage/appv-evaluating-appv.md
rename to windows/application-management/app-v/appv-evaluating-appv.md
diff --git a/windows/manage/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md
similarity index 100%
rename from windows/manage/appv-for-windows.md
rename to windows/application-management/app-v/appv-for-windows.md
diff --git a/windows/manage/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
similarity index 100%
rename from windows/manage/appv-getting-started.md
rename to windows/application-management/app-v/appv-getting-started.md
diff --git a/windows/manage/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md
similarity index 100%
rename from windows/manage/appv-high-level-architecture.md
rename to windows/application-management/app-v/appv-high-level-architecture.md
diff --git a/windows/manage/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
similarity index 100%
rename from windows/manage/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
rename to windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
diff --git a/windows/manage/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
similarity index 100%
rename from windows/manage/appv-install-the-management-and-reporting-databases-on-separate-computers.md
rename to windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
diff --git a/windows/manage/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
similarity index 100%
rename from windows/manage/appv-install-the-management-server-on-a-standalone-computer.md
rename to windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
diff --git a/windows/manage/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
similarity index 100%
rename from windows/manage/appv-install-the-publishing-server-on-a-remote-computer.md
rename to windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
diff --git a/windows/manage/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
similarity index 100%
rename from windows/manage/appv-install-the-reporting-server-on-a-standalone-computer.md
rename to windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
diff --git a/windows/manage/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
similarity index 100%
rename from windows/manage/appv-install-the-sequencer.md
rename to windows/application-management/app-v/appv-install-the-sequencer.md
diff --git a/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
similarity index 100%
rename from windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
rename to windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
diff --git a/windows/manage/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
similarity index 100%
rename from windows/manage/appv-maintaining-appv.md
rename to windows/application-management/app-v/appv-maintaining-appv.md
diff --git a/windows/manage/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
similarity index 100%
rename from windows/manage/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
rename to windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
diff --git a/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
similarity index 100%
rename from windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
rename to windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
diff --git a/windows/manage/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
similarity index 100%
rename from windows/manage/appv-managing-connection-groups.md
rename to windows/application-management/app-v/appv-managing-connection-groups.md
diff --git a/windows/manage/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
similarity index 100%
rename from windows/manage/appv-migrating-to-appv-from-a-previous-version.md
rename to windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
diff --git a/windows/manage/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
similarity index 100%
rename from windows/manage/appv-modify-an-existing-virtual-application-package.md
rename to windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
diff --git a/windows/manage/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
similarity index 100%
rename from windows/manage/appv-modify-client-configuration-with-powershell.md
rename to windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
diff --git a/windows/manage/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
similarity index 100%
rename from windows/manage/appv-move-the-appv-server-to-another-computer.md
rename to windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
diff --git a/windows/manage/appv-operations.md b/windows/application-management/app-v/appv-operations.md
similarity index 100%
rename from windows/manage/appv-operations.md
rename to windows/application-management/app-v/appv-operations.md
diff --git a/windows/manage/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
similarity index 99%
rename from windows/manage/appv-performance-guidance.md
rename to windows/application-management/app-v/appv-performance-guidance.md
index e0a277bf9c..86b7d3eb82 100644
--- a/windows/manage/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -263,11 +263,11 @@ We recommend using User Experience Virtualization (UE-V) to capture and centrali
For more information, see:
-- [User Experience Virtualization (UE-V) for Windows 10 overview](uev-for-windows.md)
+- [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows)
-- [Get Started with UE-V](uev-getting-started.md)
+- [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started)
-In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](http://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows 10 overview](uev-for-windows.md).
+In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](http://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).
**Note**
Without performing an additional configuration step, User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default.
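Review bot: the rewritten "In essence all that is required..." line still links the UE-V template gallery over plain `http://gallery.technet.microsoft.com/...`, and the sentence tells admins to download a settings template from it and register it. Since the line is being touched anyway, change the link to `https://` if the host serves it, so the template is not fetched over an unauthenticated channel. Also, the unchanged **Note** below expands UE-V as "User Environment Virtualization" while the rest of the hunk says "User Experience Virtualization"; worth aligning in the same pass.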
diff --git a/windows/manage/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
similarity index 100%
rename from windows/manage/appv-planning-checklist.md
rename to windows/application-management/app-v/appv-planning-checklist.md
diff --git a/windows/manage/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
similarity index 100%
rename from windows/manage/appv-planning-folder-redirection-with-appv.md
rename to windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
diff --git a/windows/manage/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
similarity index 100%
rename from windows/manage/appv-planning-for-appv-server-deployment.md
rename to windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
diff --git a/windows/manage/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md
similarity index 100%
rename from windows/manage/appv-planning-for-appv.md
rename to windows/application-management/app-v/appv-planning-for-appv.md
diff --git a/windows/manage/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
similarity index 100%
rename from windows/manage/appv-planning-for-high-availability-with-appv.md
rename to windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
diff --git a/windows/manage/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
similarity index 100%
rename from windows/manage/appv-planning-for-sequencer-and-client-deployment.md
rename to windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
diff --git a/windows/manage/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
similarity index 100%
rename from windows/manage/appv-planning-for-using-appv-with-office.md
rename to windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
diff --git a/windows/manage/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
similarity index 100%
rename from windows/manage/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
rename to windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
diff --git a/windows/manage/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
similarity index 100%
rename from windows/manage/appv-planning-to-deploy-appv.md
rename to windows/application-management/app-v/appv-planning-to-deploy-appv.md
diff --git a/windows/manage/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md
similarity index 100%
rename from windows/manage/appv-preparing-your-environment.md
rename to windows/application-management/app-v/appv-preparing-your-environment.md
diff --git a/windows/manage/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md
similarity index 100%
rename from windows/manage/appv-prerequisites.md
rename to windows/application-management/app-v/appv-prerequisites.md
diff --git a/windows/manage/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md
similarity index 100%
rename from windows/manage/appv-publish-a-connection-group.md
rename to windows/application-management/app-v/appv-publish-a-connection-group.md
diff --git a/windows/manage/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
similarity index 100%
rename from windows/manage/appv-publish-a-packages-with-the-management-console.md
rename to windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
diff --git a/windows/manage/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
similarity index 100%
rename from windows/manage/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
rename to windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
diff --git a/windows/manage/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
similarity index 100%
rename from windows/manage/appv-release-notes-for-appv-for-windows-1703.md
rename to windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
diff --git a/windows/manage/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
similarity index 100%
rename from windows/manage/appv-release-notes-for-appv-for-windows.md
rename to windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
diff --git a/windows/manage/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
similarity index 100%
rename from windows/manage/appv-reporting.md
rename to windows/application-management/app-v/appv-reporting.md
diff --git a/windows/manage/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
similarity index 100%
rename from windows/manage/appv-running-locally-installed-applications-inside-a-virtual-environment.md
rename to windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
diff --git a/windows/manage/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md
similarity index 100%
rename from windows/manage/appv-security-considerations.md
rename to windows/application-management/app-v/appv-security-considerations.md
diff --git a/windows/manage/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md
similarity index 100%
rename from windows/manage/appv-sequence-a-new-application.md
rename to windows/application-management/app-v/appv-sequence-a-new-application.md
diff --git a/windows/manage/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
similarity index 100%
rename from windows/manage/appv-sequence-a-package-with-powershell.md
rename to windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
diff --git a/windows/manage/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md
similarity index 100%
rename from windows/manage/appv-supported-configurations.md
rename to windows/application-management/app-v/appv-supported-configurations.md
diff --git a/windows/manage/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md
similarity index 100%
rename from windows/manage/appv-technical-reference.md
rename to windows/application-management/app-v/appv-technical-reference.md
diff --git a/windows/manage/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
similarity index 100%
rename from windows/manage/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
rename to windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
diff --git a/windows/manage/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md
similarity index 100%
rename from windows/manage/appv-troubleshooting.md
rename to windows/application-management/app-v/appv-troubleshooting.md
diff --git a/windows/manage/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
similarity index 100%
rename from windows/manage/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
rename to windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
diff --git a/windows/manage/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md
similarity index 100%
rename from windows/manage/appv-using-the-client-management-console.md
rename to windows/application-management/app-v/appv-using-the-client-management-console.md
diff --git a/windows/manage/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
similarity index 100%
rename from windows/manage/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
rename to windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
diff --git a/windows/manage/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
similarity index 100%
rename from windows/manage/appv-viewing-appv-server-publishing-metadata.md
rename to windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
diff --git a/windows/configure/images/app-v-in-adk.png b/windows/application-management/app-v/images/app-v-in-adk.png
similarity index 100%
rename from windows/configure/images/app-v-in-adk.png
rename to windows/application-management/app-v/images/app-v-in-adk.png
diff --git a/windows/configure/images/checklistbox.gif b/windows/application-management/app-v/images/checklistbox.gif
similarity index 100%
rename from windows/configure/images/checklistbox.gif
rename to windows/application-management/app-v/images/checklistbox.gif
diff --git a/windows/configure/images/packageaddfileandregistrydata-global.png b/windows/application-management/app-v/images/packageaddfileandregistrydata-global.png
similarity index 100%
rename from windows/configure/images/packageaddfileandregistrydata-global.png
rename to windows/application-management/app-v/images/packageaddfileandregistrydata-global.png
diff --git a/windows/configure/images/packageaddfileandregistrydata-stream.png b/windows/application-management/app-v/images/packageaddfileandregistrydata-stream.png
similarity index 100%
rename from windows/configure/images/packageaddfileandregistrydata-stream.png
rename to windows/application-management/app-v/images/packageaddfileandregistrydata-stream.png
diff --git a/windows/configure/images/packageaddfileandregistrydata.png b/windows/application-management/app-v/images/packageaddfileandregistrydata.png
similarity index 100%
rename from windows/configure/images/packageaddfileandregistrydata.png
rename to windows/application-management/app-v/images/packageaddfileandregistrydata.png
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
new file mode 100644
index 0000000000..a0c06828be
--- /dev/null
+++ b/windows/application-management/docfx.json
@@ -0,0 +1,41 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg",
+ "**/*.gif"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ },
+ "fileMetadata": {},
+ "template": [],
+ "dest": "win-app-management"
+ }
+}
\ No newline at end of file
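Review bot: `breadcrumb_path` under `globalMetadata` points at `/windows/windows-10/breadcrumb/toc.json`, while this same patch deletes `windows/breadcrumb/toc.yml`. Please confirm that the replacement breadcrumb TOC is actually published at that path before this merges, since every page built from this docset depends on it. The file also ends without a trailing newline; add one.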
diff --git a/windows/application-management/index.md b/windows/application-management/index.md
new file mode 100644
index 0000000000..9fd65e3fa8
--- /dev/null
+++ b/windows/application-management/index.md
@@ -0,0 +1,22 @@
+---
+title: Windows 10 application management
+description: Windows 10 application management
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Windows 10 application management
+
+**Applies to**
+- Windows 10
+
+Learn about managing applications in Window 10 and Windows 10 Mobile clients.
+
+
+| Topic | Description |
+|---|---|
+|[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications|
+|[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients|
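Review bot: typo in the intro sentence of the new index page, "managing applications in Window 10" should read "Windows 10". In the front matter, `description` repeats `title` word for word, so it adds nothing to search results or metadata; give it a one-sentence summary of what the section covers. The two table descriptions also lack closing periods.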
diff --git a/windows/deploy/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md
similarity index 100%
rename from windows/deploy/sideload-apps-in-windows-10.md
rename to windows/application-management/sideload-apps-in-windows-10.md
diff --git a/windows/breadcrumb/toc.yml b/windows/breadcrumb/toc.yml
deleted file mode 100644
index 40ff5fde9b..0000000000
--- a/windows/breadcrumb/toc.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-- name: Windows
- tocHref: /itpro/windows/
- topicHref: /itpro/windows/index
- items:
- - name: What's new
- tocHref: /itpro/windows/whats-new/
- topicHref: /itpro/windows/whats-new/index
- - name: Plan
- tocHref: /itpro/windows/plan/
- topicHref: /itpro/windows/plan/index
- - name: Deploy
- tocHref: /itpro/windows/deploy/
- topicHref: /itpro/windows/deploy/index
- - name: Configure
- tocHref: /itpro/windows/configure/
- topicHref: /itpro/windows/configure/index
- - name: Update
- tocHref: /itpro/windows/update/
- topicHref: /itpro/windows/update/index
- - name: Keep secure
- tocHref: /itpro/windows/keep-secure/
- topicHref: /itpro/windows/keep-secure/index
- - name: Manage
- tocHref: /itpro/windows/manage/
- topicHref: /itpro/windows/manage/index
\ No newline at end of file
diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md
new file mode 100644
index 0000000000..f1ecdab931
--- /dev/null
+++ b/windows/client-management/TOC.md
@@ -0,0 +1,12 @@
+# [Manage clients in Windows 10](index.md)
+## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
+## [Create mandatory user profiles](mandatory-user-profile.md)
+## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
+## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
+## [New policies for Windows 10](new-policies-for-windows-10.md)
+## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
+## [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md)
+## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
+## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
+## [Windows libraries](windows-libraries.md)
+## [Change history for Client management](change-history-for-client-management.md)
diff --git a/windows/manage/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
similarity index 100%
rename from windows/manage/administrative-tools-in-windows-10.md
rename to windows/client-management/administrative-tools-in-windows-10.md
diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md
new file mode 100644
index 0000000000..17d2570fda
--- /dev/null
+++ b/windows/client-management/change-history-for-client-management.md
@@ -0,0 +1,26 @@
+---
+title: Change history for Client management (Windows 10)
+description: This topic lists changes to documentation for configuring Windows 10.
+keywords:
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Change history for Client management
+
+This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
+
+## April 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [New policies for Windows 10](new-policies-for-windows-10.md) | Added a list of new Group Policy settings for Windows 10, version 1703 |
+
+## RELEASE: Windows 10, version 1703
+
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topic has been added:
+
+- [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md)
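Review bot: The front-matter description says "changes to documentation for configuring Windows 10", which reads like a carry-over from the configuration library; this page is the change history for Client management and the description should say that. Separately, "## April 2017" is followed directly by the table with no blank line, unlike every other heading in the file; add one so the table renders consistently.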
diff --git a/windows/manage/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
similarity index 92%
rename from windows/manage/connect-to-remote-aadj-pc.md
rename to windows/client-management/connect-to-remote-aadj-pc.md
index 8424e7c1c3..e67fdf2234 100644
--- a/windows/manage/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -1,7 +1,6 @@
---
title: Connect to remote Azure Active Directory-joined PC (Windows 10)
description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC.
-ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D
keywords: ["MDM", "device management", "RDP", "AADJ"]
ms.prod: w10
ms.mktglfcycl: manage
@@ -25,7 +24,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
-- Ensure [Remote Credential Guard](../keep-secure/remote-credential-guard.md), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
+- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
- On the PC that you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
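Review bot: The Remote Credential Guard bullet under "Set up" tells the reader to turn a credential-protection feature off on the client PC but gives neither the reason nor the scope. Since the line is already being edited for the link, add a clause explaining why the connection requires it to be off and whether it can be re-enabled afterwards, so that administrators do not read it as a recommendation to disable the feature everywhere.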
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
new file mode 100644
index 0000000000..107c56cde2
--- /dev/null
+++ b/windows/client-management/docfx.json
@@ -0,0 +1,41 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg",
+ "**/*.gif"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ },
+ "fileMetadata": {},
+ "template": [],
+ "dest": "win-client-management"
+ }
+}
\ No newline at end of file
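Review bot: The "resource" globs list only lower-case extensions ("**/*.png", "**/*.jpg", "**/*.gif"), while this commit also moves images/copy-to.PNG into the folder. Confirm that the build matches extensions case-insensitively; otherwise add the upper-case pattern or rename the file, or that image will be missing from the published output. The file also ends without a trailing newline, which is worth fixing while it is new.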
diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
similarity index 67%
rename from windows/manage/group-policies-for-enterprise-and-education-editions.md
rename to windows/client-management/group-policies-for-enterprise-and-education-editions.md
index 74dced9953..ecb2e27c4a 100644
--- a/windows/manage/group-policies-for-enterprise-and-education-editions.md
+++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
@@ -18,18 +18,18 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W
| Policy name | Policy path | Comments |
| --- | --- | --- |
-| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
-| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) |
-| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) |
-| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) |
-| **Do not require CTRL+ALT+DEL** combined with**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon andComputer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](set-up-a-device-for-anyone-to-use.md)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. **Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
-| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md |
-| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) |
-| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
+| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
+| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
+| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
+| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
+| **Do not require CTRL+ALT+DEL** combined with**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon andComputer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](/windows/configuration/set-up-a-device-for-anyone-to-use)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. **Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
+| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight |
+| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
+| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application
User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
-| **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app
User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](manage-access-to-private-store.md) |
-| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](../configure/cortana-at-work-overview.md) |
+| **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app
User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
+| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |
-
+
\ No newline at end of file
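Review bot: In the "Do not show Windows Tips" row the link is still missing its closing parenthesis: the new line ends "(/windows/configuration/windows-spotlight |", so the defect from the old line has been copied across and the link will not render. Two more pre-existing slips sit in the CTRL+ALT+DEL row that is also being rewritten: "combined with**Turn off app notifications" and "Logon andComputer Configuration" each need a space. All three are cheap to fix in this pass since the lines are being touched anyway.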
diff --git a/windows/configure/images/aadj1.jpg b/windows/client-management/images/aadj1.jpg
similarity index 100%
rename from windows/configure/images/aadj1.jpg
rename to windows/client-management/images/aadj1.jpg
diff --git a/windows/configure/images/aadj2.jpg b/windows/client-management/images/aadj2.jpg
similarity index 100%
rename from windows/configure/images/aadj2.jpg
rename to windows/client-management/images/aadj2.jpg
diff --git a/windows/configure/images/aadj3.jpg b/windows/client-management/images/aadj3.jpg
similarity index 100%
rename from windows/configure/images/aadj3.jpg
rename to windows/client-management/images/aadj3.jpg
diff --git a/windows/configure/images/aadj4.jpg b/windows/client-management/images/aadj4.jpg
similarity index 100%
rename from windows/configure/images/aadj4.jpg
rename to windows/client-management/images/aadj4.jpg
diff --git a/windows/configure/images/aadjbrowser.jpg b/windows/client-management/images/aadjbrowser.jpg
similarity index 100%
rename from windows/configure/images/aadjbrowser.jpg
rename to windows/client-management/images/aadjbrowser.jpg
diff --git a/windows/configure/images/aadjcal.jpg b/windows/client-management/images/aadjcal.jpg
similarity index 100%
rename from windows/configure/images/aadjcal.jpg
rename to windows/client-management/images/aadjcal.jpg
diff --git a/windows/configure/images/aadjcalmail.jpg b/windows/client-management/images/aadjcalmail.jpg
similarity index 100%
rename from windows/configure/images/aadjcalmail.jpg
rename to windows/client-management/images/aadjcalmail.jpg
diff --git a/windows/configure/images/aadjmail1.jpg b/windows/client-management/images/aadjmail1.jpg
similarity index 100%
rename from windows/configure/images/aadjmail1.jpg
rename to windows/client-management/images/aadjmail1.jpg
diff --git a/windows/configure/images/aadjmail2.jpg b/windows/client-management/images/aadjmail2.jpg
similarity index 100%
rename from windows/configure/images/aadjmail2.jpg
rename to windows/client-management/images/aadjmail2.jpg
diff --git a/windows/configure/images/aadjmail3.jpg b/windows/client-management/images/aadjmail3.jpg
similarity index 100%
rename from windows/configure/images/aadjmail3.jpg
rename to windows/client-management/images/aadjmail3.jpg
diff --git a/windows/configure/images/aadjonedrive.jpg b/windows/client-management/images/aadjonedrive.jpg
similarity index 100%
rename from windows/configure/images/aadjonedrive.jpg
rename to windows/client-management/images/aadjonedrive.jpg
diff --git a/windows/configure/images/aadjonenote.jpg b/windows/client-management/images/aadjonenote.jpg
similarity index 100%
rename from windows/configure/images/aadjonenote.jpg
rename to windows/client-management/images/aadjonenote.jpg
diff --git a/windows/configure/images/aadjonenote2.jpg b/windows/client-management/images/aadjonenote2.jpg
similarity index 100%
rename from windows/configure/images/aadjonenote2.jpg
rename to windows/client-management/images/aadjonenote2.jpg
diff --git a/windows/configure/images/aadjonenote3.jpg b/windows/client-management/images/aadjonenote3.jpg
similarity index 100%
rename from windows/configure/images/aadjonenote3.jpg
rename to windows/client-management/images/aadjonenote3.jpg
diff --git a/windows/configure/images/aadjpin.jpg b/windows/client-management/images/aadjpin.jpg
similarity index 100%
rename from windows/configure/images/aadjpin.jpg
rename to windows/client-management/images/aadjpin.jpg
diff --git a/windows/configure/images/aadjppt.jpg b/windows/client-management/images/aadjppt.jpg
similarity index 100%
rename from windows/configure/images/aadjppt.jpg
rename to windows/client-management/images/aadjppt.jpg
diff --git a/windows/configure/images/aadjverify.jpg b/windows/client-management/images/aadjverify.jpg
similarity index 100%
rename from windows/configure/images/aadjverify.jpg
rename to windows/client-management/images/aadjverify.jpg
diff --git a/windows/configure/images/aadjword.jpg b/windows/client-management/images/aadjword.jpg
similarity index 100%
rename from windows/configure/images/aadjword.jpg
rename to windows/client-management/images/aadjword.jpg
diff --git a/windows/manage/images/aadjwsfb.jpg b/windows/client-management/images/aadjwsfb.jpg
similarity index 100%
rename from windows/manage/images/aadjwsfb.jpg
rename to windows/client-management/images/aadjwsfb.jpg
diff --git a/windows/configure/images/admin-tools-folder.png b/windows/client-management/images/admin-tools-folder.png
similarity index 100%
rename from windows/configure/images/admin-tools-folder.png
rename to windows/client-management/images/admin-tools-folder.png
diff --git a/windows/configure/images/admin-tools.png b/windows/client-management/images/admin-tools.png
similarity index 100%
rename from windows/configure/images/admin-tools.png
rename to windows/client-management/images/admin-tools.png
diff --git a/windows/configure/images/allow-rdp.png b/windows/client-management/images/allow-rdp.png
similarity index 100%
rename from windows/configure/images/allow-rdp.png
rename to windows/client-management/images/allow-rdp.png
diff --git a/windows/configure/images/checkmark.png b/windows/client-management/images/checkmark.png
similarity index 100%
rename from windows/configure/images/checkmark.png
rename to windows/client-management/images/checkmark.png
diff --git a/windows/configure/images/copy-to-change.png b/windows/client-management/images/copy-to-change.png
similarity index 100%
rename from windows/configure/images/copy-to-change.png
rename to windows/client-management/images/copy-to-change.png
diff --git a/windows/configure/images/copy-to-path.png b/windows/client-management/images/copy-to-path.png
similarity index 100%
rename from windows/configure/images/copy-to-path.png
rename to windows/client-management/images/copy-to-path.png
diff --git a/windows/configure/images/copy-to.PNG b/windows/client-management/images/copy-to.PNG
similarity index 100%
rename from windows/configure/images/copy-to.PNG
rename to windows/client-management/images/copy-to.PNG
diff --git a/windows/configure/images/crossmark.png b/windows/client-management/images/crossmark.png
similarity index 100%
rename from windows/configure/images/crossmark.png
rename to windows/client-management/images/crossmark.png
diff --git a/windows/configure/images/rdp.png b/windows/client-management/images/rdp.png
similarity index 100%
rename from windows/configure/images/rdp.png
rename to windows/client-management/images/rdp.png
diff --git a/windows/client-management/images/settings-page-visibility-gp.png b/windows/client-management/images/settings-page-visibility-gp.png
new file mode 100644
index 0000000000..198fc83a7c
Binary files /dev/null and b/windows/client-management/images/settings-page-visibility-gp.png differ
diff --git a/windows/configure/images/sysprep-error.png b/windows/client-management/images/sysprep-error.png
similarity index 100%
rename from windows/configure/images/sysprep-error.png
rename to windows/client-management/images/sysprep-error.png
diff --git a/windows/configure/images/windows-10-management-cyod-byod-flow.png b/windows/client-management/images/windows-10-management-cyod-byod-flow.png
similarity index 100%
rename from windows/configure/images/windows-10-management-cyod-byod-flow.png
rename to windows/client-management/images/windows-10-management-cyod-byod-flow.png
diff --git a/windows/configure/images/windows-10-management-gp-intune-flow.png b/windows/client-management/images/windows-10-management-gp-intune-flow.png
similarity index 100%
rename from windows/configure/images/windows-10-management-gp-intune-flow.png
rename to windows/client-management/images/windows-10-management-gp-intune-flow.png
diff --git a/windows/configure/images/windows-10-management-range-of-options.png b/windows/client-management/images/windows-10-management-range-of-options.png
similarity index 100%
rename from windows/configure/images/windows-10-management-range-of-options.png
rename to windows/client-management/images/windows-10-management-range-of-options.png
diff --git a/windows/client-management/index.md b/windows/client-management/index.md
new file mode 100644
index 0000000000..5ee8fc4e71
--- /dev/null
+++ b/windows/client-management/index.md
@@ -0,0 +1,31 @@
+---
+title: Client management (Windows 10)
+description: Windows 10 client management
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Client management
+
+**Applies to**
+- Windows 10
+
+Learn about the administrative tools, tasks and best practices for managing Windows 10 and Windows 10 Mobile clients across your enterprise.
+
+| Topic | Description |
+|---|---|
+|[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)| Links to documentation for tools for IT pros and advanced users in the Administrative Tools folder.|
+|[Connect to remote AADJ PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)|
+|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions|
+|[Join Windows 10 Mobile to AAD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.|
+|[Manage corporate devices](manage-corporate-devices.md)| Listing of resources to manage all your corporate devices running Windows 10 : desktops, laptops, tablets, and phones |
+|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs|
+|[Mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.|
+|[New policies for Windows 10](new-policies-for-windows-10.md)| Listing of new group policy settings available in Windows 10|
+|[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options|
+|[Deploy Windows 10 Mobile](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile|
+|[Windows libraries](windows-libraries.md)| Considerations and instructions for managing Windows 10 libraries such as My Documents, My Pictures, and My Music.|
+|[Change history for Client management](change-history-for-client-management.md) | This topic lists new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. |
\ No newline at end of file
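Review bot: The topic table leaves out manage-settings-app-with-group-policy.md, which is the one page the change history calls new for version 1703 and which the TOC does list; add a row for it. "Applies to" names only Windows 10, while the introduction and several rows cover Windows 10 Mobile, so either add Windows 10 Mobile there or narrow the text. Wording to tidy in the same pass: "a mandatory profiles, including (but are not limited to)" and the stray space in "Windows 10 : desktops".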
diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
similarity index 96%
rename from windows/manage/join-windows-10-mobile-to-azure-active-directory.md
rename to windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
index 969c7bc490..1b2593fec1 100644
--- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
@@ -62,7 +62,7 @@ However, neither of these methods provides SSO in the Windows Store or SSO to re
Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](https://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM.
-An added work account provides the same SSO experience in browser apps like Office 365 (Office portal, Outlook Web Access, Calendar, People, OneDrive), Azure AD profile and change password app, and Visual Studio. You get SSO to built-in applications like Mail, Calendar, People, OneDrive and files hosted on OneDrive without prompts for a password. In Office apps like Microsoft Word, Microsoft Excel, etc., you simply select the Azure AD account and you are able to open files without entering a password.
+An added work account provides the same SSO experience in browser apps like Office 365 (Office portal, Outlook on the web, Calendar, People, OneDrive), Azure AD profile and change password app, and Visual Studio. You get SSO to built-in applications like Mail, Calendar, People, OneDrive and files hosted on OneDrive without prompts for a password. In Office apps like Microsoft Word, Microsoft Excel, etc., you simply select the Azure AD account and you are able to open files without entering a password.
## Preparing for Windows 10 Mobile
@@ -122,7 +122,7 @@ An added work account provides the same SSO experience in browser apps like Offi

- **Note** To learn more about the PIN requirement, see [Why a PIN is better than a password](../keep-secure/why-a-pin-is-better-than-a-password.md).
+ **Note** To learn more about the PIN requirement, see [Why a PIN is better than a password](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password).
@@ -191,7 +191,7 @@ To see the Notebooks that your Azure AD account has access to, tap **More Notebo
## Use Windows Store for Business
-[Windows Store for Business](windows-store-for-business.md) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Windows Store for Business portal can be installed by users.
+[Windows Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Windows Store for Business portal can be installed by users.

diff --git a/windows/manage/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
similarity index 82%
rename from windows/manage/manage-corporate-devices.md
rename to windows/client-management/manage-corporate-devices.md
index c282a281cf..a966ef1982 100644
--- a/windows/manage/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@@ -27,12 +27,12 @@ You can use the same management tools to manage all device types running Windows
| --- | --- |
| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment |
| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC |
-| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage user experiences to provide a consistent and predictable experience for employees |
+| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees |
| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 |
| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education |
-| [Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) | Changes to the Group Policy settings that you use to manage Start |
+| [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start |
| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | How to plan for and deploy Windows 10 Mobile devices |
-| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations |
+| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations |
## Learn more
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
new file mode 100644
index 0000000000..b246e0bbf1
--- /dev/null
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -0,0 +1,30 @@
+---
+title: Manage the Settings app with Group Policy (Windows 10)
+description: Find out how to manage the Settings app with Group Policy.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: brianlic-msft
+---
+
+# Manage the Settings app with Group Policy
+
+Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
+
+This policy is available at **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
+
+
+
+## Configuring the Group Policy
+
+The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
+
+>[!NOTE]
+> When you specify the URI in the Settings Page Visbility textbox, don't include **ms-settings:** in the string.
+
+Here are some examples:
+
+- To show only the the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**.
+- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.
+
+
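Review bot: The policy name is written four different ways in this new topic: "Settings Page Visibility" in the policy path, "Settings Page Visiblity" in the configuration paragraph, "Settings Page Visbility" in the note, and "Settings App Visibility" in both examples. Administrators will search the Group Policy editor for the exact string, so use "Settings Page Visibility" throughout. Also fix "the the Ethernet" in the first example and hyphenate "semicolon-delimited".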
diff --git a/windows/manage/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
similarity index 100%
rename from windows/manage/manage-windows-10-in-your-organization-modern-management.md
rename to windows/client-management/manage-windows-10-in-your-organization-modern-management.md
diff --git a/windows/manage/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
similarity index 96%
rename from windows/manage/mandatory-user-profile.md
rename to windows/client-management/mandatory-user-profile.md
index 3ced9aa8fd..f3344f6f15 100644
--- a/windows/manage/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -162,10 +162,9 @@ When a user is configured with a mandatory profile, Windows 10 starts as though
## Related topics
-- [Manage Windows 10 Start layout and taskbar options](windows-10-start-layout-options-and-policies.md)
-- [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
-- [Windows Spotlight on the lock screen](../configure/windows-spotlight.md)
-- [Configure devices without MDM](configure-devices-without-mdm.md)
-
+- [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies)
+- [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps)
+- [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight)
+- [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
new file mode 100644
index 0000000000..2d0e3ccf37
--- /dev/null
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -0,0 +1,211 @@
+---
+title: New policies for Windows 10 (Windows 10)
+description: Windows 10 includes the following new policies for management, in addition to policies that were available for Windows 8.1 and Windows Phone 8.1.
+ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D
+keywords: ["MDM", "Group Policy"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# New policies for Windows 10
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Windows 10 includes the following new policies for management, in addition to policies that were available for Windows 8.1 and Windows Phone 8.1. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://go.microsoft.com/fwlink/p/?LinkID=625081).
+
+## New Group Policy settings in Windows 10, version 1703
+
+The following Group Policy settings were added in Windows 10, version 1703:
+
+**Control Panel**
+
+- Control Panel\Add or Remove Programs\Specify default category for Add New Programs
+- Control Panel\Add or Remove Programs\Hide the "Add a program from CD-ROM or floppy disk" option
+- Control Panel\Personalization\Prevent changing lock screen and logon image
+
+**Network**
+
+- Network\Background Intelligent Transfer Service (BITS)\Limit the maximum network bandwidth for BITS background transfers
+- Network\Background Intelligent Transfer Service (BITS)\Allow BITS Peercaching
+- Network\Background Intelligent Transfer Service (BITS)\Limit the age of files in the BITS Peercache
+- Network\Background Intelligent Transfer Service (BITS)\Limit the BITS Peercache size
+- Network\DNS Client\Allow NetBT queries for fully qualified domain names
+- Network\Network Connections\Prohibit access to properties of components of a LAN connection
+- Network\Network Connections\Ability to Enable/Disable a LAN connection
+- Network\Offline Files\Turn on economical application of administratively assigned Offline Files
+- Network\Offline Files\Configure slow-link mode
+- Network\Offline Files\Enable Transparent Caching
+- Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds\Set the Seed Server
+- Network\Microsoft Peer-to-Peer Networking Services\Disable password strength validation for Peer Grouping
+
+**System**
+
+- System\App-V\Streaming\Location Provider
+- System\App-V\Streaming\Certificate Filter For Client SSL
+- System\Credentials Delegation\Allow delegating default credentials with NTLM-only server authentication
+- System\Ctrl+Alt+Del Options\Remove Change Password
+- System\Ctrl+Alt+Del Options\Remove Lock Computer
+- System\Ctrl+Alt+Del Options\Remove Task Manager
+- System\Ctrl+Alt+Del Options\Remove Logoff
+- System\Device Installation\Do not send a Windows error report when a generic driver is installed on a device
+- System\Device Installation\Prevent Windows from sending an error report when a device driver requests additional software during installation
+- System\Locale Services\Disallow user override of locale settings
+- System\Logon\Do not process the legacy run list
+- System\Logon\Always use custom logon background
+- System\Logon\Do not display network selection UI
+- System\Logon\Block user from showing account details on sign-in
+- System\Logon\Turn off app notifications on the lock screen
+- System\User Profiles\Establish timeout value for dialog boxes
+- System\Enable Windows NTP Server\Windows Time Service\Enable Windows NTP Client
+
+**Windows Components**
+
+- Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX Controls
+- Windows Components\ActiveX Installer Service\Establish ActiveX installation policy for sites in Trusted zones
+- Windows Components\Application Compatibility\Turn off Application Compatibility Engine
+- Windows Components\Application Compatibility\Turn off Program Compatibility Assistant
+- Windows Components\Application Compatibility\Turn off Program Compatibility Assistant
+- Windows Components\Application Compatibility\Turn off Steps Recorder
+- Windows Components\Attachment Manager\Notify antivirus programs when opening attachments
+- Windows Components\Biometrics\Allow the use of biometrics
+- Windows Components\NetMeeting\Disable Whiteboard
+- Windows Components\Data Collection and Preview Builds\Configure the Commercial ID
+- Windows Components\File Explorer\Display the menu bar in File Explorer
+- Windows Components\File History\Turn off File History
+- Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Play animations in web pages
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Turn on Cross-Site Scripting Filter
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Turn on Cross-Site Scripting Filter
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\Run ActiveX controls and plugins
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\Script ActiveX controls marked safe for scripting
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone\Run ActiveX controls and plugins
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone\Script ActiveX controls marked safe for scripting
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone\Run ActiveX controls and plugins
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone\Script ActiveX controls marked safe for scripting
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone\Run ActiveX controls and plugins
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone\Script ActiveX controls marked safe for scripting
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone\Run ActiveX controls and plugins
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone\Script ActiveX controls marked safe for scripting
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Run ActiveX controls and plugins
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Script ActiveX controls marked safe for scripting
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Run ActiveX controls and plugins
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Script ActiveX controls marked safe for scripting
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Run ActiveX controls and plugins
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Script ActiveX controls marked safe for scripting
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone\Run ActiveX controls and plugins
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone\Script ActiveX controls marked safe for scripting
+- Windows Components\Internet Explorer\Accelerators\Restrict Accelerators to those deployed through Group Policy
+- Windows Components\Internet Explorer\Compatibility View\Turn on Internet Explorer 7 Standards Mode
+- Windows Components\Location and Sensors\Windows Location Provider\Turn off Windows Location Provider
+- Windows Components\Microsoft Edge\Configure Autofill
+- Windows Components\Microsoft Edge\Allow Developer Tools
+- Windows Components\Microsoft Edge\Allow Developer Tools
+- Windows Components\Microsoft Edge\Configure Do Not Track
+- Windows Components\Microsoft Edge\Allow InPrivate browsing
+- Windows Components\Microsoft Edge\Configure Password Manager
+- Windows Components\Microsoft Edge\Configure Password Manager
+- Windows Components\Microsoft Edge\Configure Pop-up Blocker
+- Windows Components\Microsoft Edge\Configure Pop-up Blocker
+- Windows Components\Microsoft Edge\Allow search engine customization
+- Windows Components\Microsoft Edge\Allow search engine customization
+- Windows Components\Microsoft Edge\Configure search suggestions in Address bar
+- Windows Components\Microsoft Edge\Set default search engine
+- Windows Components\Microsoft Edge\Configure additional search engines
+- Windows Components\Microsoft Edge\Configure additional search engines
+- Windows Components\Microsoft Edge\Configure the Enterprise Mode Site List
+- Windows Components\Microsoft Edge\Configure the Enterprise Mode Site List
+- Windows Components\Microsoft Edge\Prevent using Localhost IP address for WebRTC
+- Windows Components\Microsoft Edge\Prevent using Localhost IP address for WebRTC
+- Windows Components\Microsoft Edge\Configure Start pages
+- Windows Components\Microsoft Edge\Configure Start pages
+- Windows Components\Microsoft Edge\Disable lockdown of Start pages
+- Windows Components\Microsoft Edge\Disable lockdown of Start pages
+- Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
+- Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
+- Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
+- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\.Net Framework Configuration
+- Windows Components\Windows Installer\Prohibit use of Restart Manager
+- Windows Components\Desktop Gadgets\Restrict unpacking and installation of gadgets that are not digitally signed.
+- Windows Components\Desktop Gadgets\Turn Off user-installed desktop gadgets
+- Windows Components\Desktop Gadgets\Turn Off user-installed desktop gadgets
+- Windows Components\OneDrive\Prevent the usage of OneDrive for file storage
+- Windows Components\OneDrive\Prevent the usage of OneDrive for file storage on Windows 8.1
+- Windows Components\OneDrive\Prevent OneDrive files from syncing over metered connections
+- Windows Components\OneDrive\Save documents to OneDrive by default
+- Windows Components\Smart Card\Allow certificates with no extended key usage certificate attribute
+- Windows Components\Smart Card\Turn on certificate propagation from smart card
+- Windows Components\Tablet PC\Pen UX Behaviors\Prevent flicks
+- Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])
+- Windows Components\Windows Defender Antivirus\Real-time Protection\Turn on behavior monitoring
+- Windows Components\Windows Defender Antivirus\Signature Updates\Define file shares for downloading definition updates
+- Windows Components\Windows Defender Antivirus\Signature Updates\Turn on scan after signature update
+- Windows Components\File Explorer\Display confirmation dialog when deleting files
+- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Allow OpenSearch queries in File Explorer
+- Windows Components\Windows Update\Remove access to use all Windows Update features
+- Windows Components\Windows Update\Configure Automatic Updates
+- Windows Components\Windows Update\Specify intranet Microsoft update service location
+- Windows Components\Windows Update\Automatic Updates detection frequency
+- Windows Components\Windows Update\Allow non-administrators to receive update notifications
+- Windows Components\Windows Update\Allow Automatic Updates immediate installation
+- Windows Components\Windows Update\Turn on recommended updates via Automatic Updates
+- Windows Components\Shutdown Options\Turn off legacy remote shutdown interface
+
+
+For a spreadsheet of Group Policy settings included in Windows 10 and Windows Server 2016, see [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=613627).
+
+## New MDM policies
+
+
+Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile includes settings from Windows Phone 8.1, plus new or enhanced settings for Windows 10, such as:
+
+- Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only)
+
+- Enhanced Bluetooth policies
+
+- Passport and Hello
+
+- Device update
+
+- Hardware-based device health attestation
+
+- [Kiosk mode](/windows/configuration/set-up-a-device-for-anyone-to-use), start screen, start menu layout
+
+- Security
+
+- [VPN](https://go.microsoft.com/fwlink/p/?LinkId=623295) and enterprise Wi-Fi management
+
+- Certificate management
+
+- Windows Tips
+
+- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu
+
+Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
+
+If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317).
+
+No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=613264). For more information, see the [ActiveSync configuration service provider](https://go.microsoft.com/fwlink/p/?LinkId=618944) technical reference.
+
+## Related topics
+
+
+[Manage corporate devices](manage-corporate-devices.md)
+
+[Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10)
+
+[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
+
+
+
+
+
+
+
+
+
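Review bot: the version 1703 list in this new file repeats a number of entries verbatim, for example "Application Compatibility\Turn off Program Compatibility Assistant", "Desktop Gadgets\Turn Off user-installed desktop gadgets", and most of the Microsoft Edge block (Allow Developer Tools, Configure Password Manager, Configure Pop-up Blocker, Configure Start pages, Prevent bypassing Windows Defender SmartScreen prompts for sites, and others). If each pair is meant to be the same setting under two different scopes, label the scope on each line so an admin building a baseline can tell them apart; otherwise deduplicate. Smaller points in the same file: "No new Exchange ActiveSync policies." is a sentence fragment, the Related topics links mix relative `.md` targets with site-absolute ones, and the file ends with a run of nine blank lines that can be trimmed.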
diff --git a/windows/manage/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md
similarity index 100%
rename from windows/manage/reset-a-windows-10-mobile-device.md
rename to windows/client-management/reset-a-windows-10-mobile-device.md
diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
similarity index 99%
rename from windows/manage/windows-10-mobile-and-mdm.md
rename to windows/client-management/windows-10-mobile-and-mdm.md
index cc517ce971..0d6a833f58 100644
--- a/windows/manage/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -195,7 +195,7 @@ The Windows Push Notification Services enable software developers to send toast,
However, push notifications can affect battery life so the battery saver in Windows 10 Mobile limits background activity on the devices to extend battery life. Users can configure battery saver to turn on automatically when the battery drops below a set threshold. Windows 10 Mobile disables the receipt of push notifications to save energy when battery saver is on.
However, there is an exception to this behavior. In Windows 10 Mobile, the Always allowed battery saver setting (found in the Settings app) allows apps to receive push notifications even when battery saver is on. Users can manually configure this list, or IT can use the MDM system to configure the battery saver settings URI scheme in Windows 10 Mobile (ms-settings:batterysaver-settings).
-For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md).
+For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](/windows/device-security/windows-10-mobile-security-guide).
**Windows Update for Business**
Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing updates.
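Review bot: the health attestation pointer on the changed line sits directly after the push notification and battery saver paragraphs and just before **Windows Update for Business**, and nothing in the visible context discusses health attestation. Since the same sentence also appears in the DHA section further down (the @@ -950 hunk), check whether this copy belongs here or should be removed rather than just relinked.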
@@ -301,7 +301,7 @@ Certificates help improve security by providing account authentication, Wi Fi au
To install certificates manually, you can post them on Microsoft Edge website or send them directly via email, which is ideal for testing purposes.
Using SCEP and MDM systems, certificate management is completely transparent and requires no user intervention, helping improve user productivity, and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device (as long as the MDM system supports the Simple Certificate Enrollment Protocol (SCEP) or Personal Information Exchange (PFX)). The MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired.
In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. The table below lists the Windows 10 Mobile PFX certificate deployment settings.
-Get more detailed information about MDM certificate management in the [Client Certificate Install CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](../keep-secure/installing-digital-certificates-on-windows-10-mobile.md).
+Get more detailed information about MDM certificate management in the [Client Certificate Install CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile).
Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently.
>**Note:** To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in Windows Store. This Windows 10 Mobile app can help you:
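Review bot: the changed line converts the second link to a site-absolute path but leaves the first one as a locale-pinned MSDN URL (`/en-us/library/...(v=vs.85).aspx`); consider dropping the `en-us` segment so the link is not locked to one locale. The context line just below also has "accidently" (should be "accidentally"), which is worth fixing in the same pass.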
@@ -520,7 +520,7 @@ To install acquired Windows Store or LOB apps offline on a Windows 10 Mobile dev
Windows Store apps or LOB apps that have been uploaded to the Windows Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Windows Store certificates. LOB apps that are uploaded to the Windows Store for Business are private to your organization and are never visible to other companies or consumers. If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 Mobile Enterprise edition.
-Learn more about the [Windows Store for Business](windows-store-for-business.md).
+Learn more about the [Windows Store for Business](/microsoft-store/index).
### Managing apps
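Review bot: the replacement link keeps the text "Windows Store for Business" but now targets `/microsoft-store/index`, a landing page rather than the article the old `windows-store-for-business.md` target named. If a specific overview article exists in the new doc set, link to it; if the index is intended, say so in the commit message so the change does not look like a lost target.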
@@ -590,7 +590,7 @@ The following table lists the settings that can be configured for Windows Inform
>**Note:** * Are mandatory Windows Information Protection policies. To make Windows Information Protection functional, AppLocker and network isolation settings - specifically Enterprise IP Range and Enterprise Network Domain Names – must be configured. This defines the source of all corporate data that needs protection and also ensures data written to these locations won’t be encrypted by the user’s encryption key (so that others in the company can access it.
-For more information on Windows Information Protection, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634(v=vs.85).aspx) and the following in-depth article series [Protect your enterprise data using Windows Information Protection](../keep-secure/protect-enterprise-data-using-wip.md).
+For more information on Windows Information Protection, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634(v=vs.85).aspx) and the following in-depth article series [Protect your enterprise data using Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip).
### Managing user activities
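Review bot: the note immediately above the changed line never closes its parenthesis ("(so that others in the company can access it.") and opens with "* Are mandatory Windows Information Protection policies", which does not read as a sentence. Since this note states which settings must be configured for Windows Information Protection to work, it is worth repairing while the adjacent link is being edited. The EnterpriseDataProtection CSP link on the changed line also keeps the `en-us` locale segment.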
@@ -796,7 +796,7 @@ Upgrading to Windows 10 Mobile Enterprise edition provides additional device and
- **Deploy an unlimited number of self-signed LOB apps to a single device:** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device. To deploy more than 20 self-signed LOB apps, Windows 10 Mobile Enterprise is required.
- **Set the telemetry level:** Microsoft collects telemetry data to help keep Windows devices secure and to help Microsoft improve the quality of Windows and Microsoft services. An upgrade to Windows 10 Mobile Enterprise edition is required to set the telemetry level so that only telemetry information required to keep devices secured is gathered.
-To learn more about telemetry, visit [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md).
+To learn more about telemetry, visit [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
To activate Windows 10 Mobile Enterprise, use your MDM system or a provisioning package to inject the Windows 10 Enterprise license on a Windows 10 Mobile device. Licenses can be obtained from the Volume Licensing portal. For testing purposes, you can obtain a licensing file from the MSDN download center. A valid MSDN subscription is required.
@@ -897,7 +897,7 @@ In addition, in version 1607, you can configure when the update is applied to th
Although Windows 10 Enterprise enables IT administrators to defer installation of new updates from Windows Update, enterprises may also want additional control over update processes. With this in mind, Microsoft created Windows Update for Business. Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing updates. If you are using a MDM system, the use of Windows Update for Business is not a requirement, as you can manage these features from your MDM system.
-Learn more about [Windows Update for Business](../plan/windows-update-for-business.md).
+Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
IT administrators can specify where the device gets updates from with AllowUpdateService. This could be Microsoft Update, Windows Update for Business, or Windows Server Update Services (WSUS.
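Review bot: the context line after the change ends with an unclosed parenthesis, "Windows Server Update Services (WSUS."; close it as "(WSUS)." in the same pass. The new link target `waas-manage-updates-wufb` no longer matches the old file name, so confirm it resolves to the Windows Update for Business article the link text promises.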
@@ -950,7 +950,7 @@ DHA-enabled device management solutions help IT managers create a unified securi
>**Note:** Windows Device Health Attestation Service can be used for conditional access scenarios which may be enabled by Mobile Device Management solutions (e.g.: Microsoft Intune) and other types of management systems (e.g.: SCCM) purchased separately.
-For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md).
+For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](/windows/device-security/windows-10-mobile-security-guide).
Thisis a lists of attributes that are supported by DHA and can trigger the corrective actions mentioned above.
- **Attestation Identity Key (AIK) present** Indicates that an AIK is present (i.e., the device can be trusted more than a device without an AIK).
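Review bot: the sentence right after the changed line reads "Thisis a lists of attributes that are supported by DHA"; it should be "This is a list of attributes". It introduces the attributes that trigger corrective actions, so it is worth cleaning up while this paragraph is being touched.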
@@ -1014,7 +1014,7 @@ Microsoft uses telemetry (diagnostics, performance, and usage data) from Windows
You can control the level of data that telemetry systems collect. To configure devices, specify one of these levels in the Allow Telemetry setting with your MDM system.
-For more information, see [Configure Windows telemetry in Your organization](configure-windows-telemetry-in-your-organization.md).
+For more information, see [Configure Windows telemetry in Your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
>**Note:** Telemetry can only be managed when the device is upgraded to Windows 10 Mobile Enterprise edition.
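Review bot: the link text on the changed line is "Configure Windows telemetry in Your organization" with a capital "Your", while the same link in the @@ -796 hunk uses "in your organization". Make the two consistent, matching the lowercase form.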
@@ -1072,4 +1072,3 @@ A better option than wiping the entire device is to use Windows Information Prot
- November 2015 Updated for Windows 10 Mobile (version 1511)
- August 2016 Updated for Windows 10 Mobile Anniversary Update (version 1607)
-
diff --git a/windows/manage/windows-libraries.md b/windows/client-management/windows-libraries.md
similarity index 99%
rename from windows/manage/windows-libraries.md
rename to windows/client-management/windows-libraries.md
index f8937e7a43..0b4746f88d 100644
--- a/windows/manage/windows-libraries.md
+++ b/windows/client-management/windows-libraries.md
@@ -7,10 +7,9 @@ ms.manager: dongill
ms.technology: storage
ms.topic: article
author: jasongerend
-ms.date: 2/6/2017
description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
---
-# Windows Libraries
+# Windows libraries
> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
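Review bot: this hunk drops `ms.date: 2/6/2017` from the front matter alongside the heading case change, in a commit that is otherwise a directory move. If the removal is deliberate, mention it in the commit message; if not, restore the field so the article keeps its last-reviewed date.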
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
new file mode 100644
index 0000000000..6fbfc73401
--- /dev/null
+++ b/windows/configuration/TOC.md
@@ -0,0 +1,92 @@
+# [Configure Windows 10](index.md)
+## [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
+## [Basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
+## [Windows 10, version 1703 diagnostic data](windows-diagnostic-data.md)
+## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
+## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
+### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
+### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
+### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
+### [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md)
+## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md)
+### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
+### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md)
+#### [NFC-based device provisioning](mobile-devices/provisioning-nfc.md)
+#### [Barcode provisioning and the package splitter tool](mobile-devices/provisioning-package-splitter.md)
+### [Use the Lockdown Designer app to create a Lockdown XML file](mobile-devices/mobile-lockdown-designer.md)
+### [Configure Windows 10 Mobile using Lockdown XML](mobile-devices/lockdown-xml.md)
+### [Settings and quick actions that can be locked down in Windows 10 Mobile](mobile-devices/settings-that-can-be-locked-down.md)
+### [Product IDs in Windows 10 Mobile](mobile-devices/product-ids-in-windows-10-mobile.md)
+### [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md)
+## [Configure cellular settings for tablets and PCs](provisioning-apn.md)
+## [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md)
+### [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
+### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
+### [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+#### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+#### [Customize and export Start layout](customize-and-export-start-layout.md)
+#### [Add image for secondary tiles](start-secondary-tiles.md)
+#### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+#### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+#### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+#### [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+#### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+## [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md)
+### [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
+#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work/cortana-at-work-scenario-1.md)
+#### [Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/cortana-at-work-scenario-2.md)
+#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/cortana-at-work-scenario-3.md)
+#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/cortana-at-work-scenario-4.md)
+#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/cortana-at-work-scenario-5.md)
+#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work/cortana-at-work-scenario-6.md)
+#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work/cortana-at-work-scenario-7.md)
+### [Set up and test Cortana with Office 365 in your organization](cortana-at-work/cortana-at-work-o365.md)
+### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work/cortana-at-work-crm.md)
+### [Set up and test Cortana for Power BI in your organization](cortana-at-work/cortana-at-work-powerbi.md)
+### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md)
+### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md)
+### [Send feedback about Cortana at work back to Microsoft](cortana-at-work/cortana-at-work-feedback.md)
+## [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
+## [Provisioning packages for Windows 10](provisioning-packages/provisioning-packages.md)
+### [How provisioning works in Windows 10](provisioning-packages/provisioning-how-it-works.md)
+### [Introduction to configuration service providers (CSPs)](provisioning-packages/how-it-pros-can-use-configuration-service-providers.md)
+### [Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md)
+### [Create a provisioning package](provisioning-packages/provisioning-create-package.md)
+### [Apply a provisioning package](provisioning-packages/provisioning-apply-package.md)
+### [Settings changed when you uninstall a provisioning package](provisioning-packages/provisioning-uninstall-package.md)
+### [Provision PCs with common settings for initial deployment (desktop wizard)](provisioning-packages/provision-pcs-for-initial-deployment.md)
+### [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)
+### [Use a script to install a desktop app in provisioning packages](provisioning-packages/provisioning-script-to-install-app.md)
+### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-packages/provisioning-powershell.md)
+### [Windows ICD command-line interface (reference)](provisioning-packages/provisioning-command-line.md)
+### [Create a provisioning package with multivariant settings](provisioning-packages/provisioning-multivariant.md)
+## [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)
+## [User Experience Virtualization (UE-V) for Windows](ue-v/uev-for-windows.md)
+### [Get Started with UE-V](ue-v/uev-getting-started.md)
+#### [What's New in UE-V for Windows 10, version 1607](ue-v/uev-whats-new-in-uev-for-windows.md)
+#### [User Experience Virtualization Release Notes](ue-v/uev-release-notes-1607.md)
+#### [Upgrade to UE-V for Windows 10](ue-v/uev-upgrade-uev-from-previous-releases.md)
+### [Prepare a UE-V Deployment](ue-v/uev-prepare-for-deployment.md)
+#### [Deploy Required UE-V Features](ue-v/uev-deploy-required-features.md)
+#### [Deploy UE-V for use with Custom Applications](ue-v/uev-deploy-uev-for-custom-applications.md)
+### [Administering UE-V](ue-v/uev-administering-uev.md)
+#### [Manage Configurations for UE-V](ue-v/uev-manage-configurations.md)
+##### [Configuring UE-V with Group Policy Objects](ue-v/uev-configuring-uev-with-group-policy-objects.md)
+##### [Configuring UE-V with System Center Configuration Manager](ue-v/uev-configuring-uev-with-system-center-configuration-manager.md)
+##### [Administering UE-V with Windows PowerShell and WMI](ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md)
+###### [Managing the UE-V Service and Packages with Windows PowerShell and WMI](ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md)
+###### [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md)
+#### [Working with Custom UE-V Templates and the UE-V Template Generator](ue-v/uev-working-with-custom-templates-and-the-uev-generator.md)
+#### [Manage Administrative Backup and Restore in UE-V](ue-v/uev-manage-administrative-backup-and-restore.md)
+#### [Changing the Frequency of UE-V Scheduled Tasks](ue-v/uev-changing-the-frequency-of-scheduled-tasks.md)
+#### [Migrating UE-V Settings Packages](ue-v/uev-migrating-settings-packages.md)
+#### [Using UE-V with Application Virtualization Applications](ue-v/uev-using-uev-with-application-virtualization-applications.md)
+### [Troubleshooting UE-V](ue-v/uev-troubleshooting.md)
+### [Technical Reference for UE-V](ue-v/uev-technical-reference.md)
+#### [Sync Methods for UE-V](ue-v/uev-sync-methods.md)
+#### [Sync Trigger Events for UE-V](ue-v/uev-sync-trigger-events.md)
+#### [Synchronizing Microsoft Office with UE-V](ue-v/uev-synchronizing-microsoft-office-with-uev.md)
+#### [Application Template Schema Reference for UE-V](ue-v/uev-application-template-schema-reference.md)
+#### [Security Considerations for UE-V](ue-v/uev-security-considerations.md)
+## [Change history for Configure Windows 10](change-history-for-configure-windows-10.md)
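Review bot: The TOC entry for cortana-at-work/cortana-at-work-scenario-2.md repeats its prefix, reading "Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work"; drop the second "Test scenario 2 - " so the title matches the other scenario entries. Separately, the provisioning entries appear to use two names for one tool: "Install Windows Configuration Designer" links to provisioning-install-icd.md, while a later entry reads "Windows ICD command-line interface (reference)". If both refer to the same tool, use one name in both titles so readers searching the TOC for the current name find the command-line reference as well.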
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
new file mode 100644
index 0000000000..0ae4581bb0
--- /dev/null
+++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
@@ -0,0 +1,4115 @@
+---
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10)
+keywords: privacy, telemetry
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.author: brianlic
+---
+
+
+# Windows 10, version 1703 basic level Windows diagnostic events and fields
+
+
+ **Applies to**
+
+- Windows 10, version 1703
+
+
+The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information.
+
+The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
+
+Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data.
+
+You can learn more about Windows functional and diagnostic data through these articles:
+
+
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+- [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
+
+
+
+
+## Common data extensions
+
+### Common Data Extensions.App
+
+
+
+The following fields are available:
+
+- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event.
+- **userId** The userID as known by the application.
+- **env** The environment from which the event was logged.
+- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
+
+
+### Common Data Extensions.CS
+
+
+
+The following fields are available:
+
+- **sig** A common schema signature that identifies new and modified event schemas.
+
+
+### Common Data Extensions.CUET
+
+
+
+The following fields are available:
+
+- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
+- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
+- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
+- **op** Represents the ETW Op Code.
+- **cat** Represents a bitmask of the ETW Keywords associated with the event.
+- **flags** Represents the bitmap that captures various Windows specific flags.
+- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
+- **tickets** A list of strings that represent entries in the HTTP header of the web request that includes this event.
+- **bseq** Upload buffer sequence number in the format \:\
+- **mon** Combined monitor and event sequence numbers in the format \:\
+
+
+### Common Data Extensions.Device
+
+
+
+The following fields are available:
+
+- **ver** Represents the major and minor version of the extension.
+- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+- **deviceClass** Represents the classification of the device, the device “family”. For example, Desktop, Server, or Mobile.
+
+
+### Common Data Extensions.Envelope
+
+
+
+The following fields are available:
+
+- **ver** Represents the major and minor version of the extension.
+- **name** Represents the uniquely qualified name for the event.
+- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
+- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
+- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **seqNum** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **iKey** Represents an ID for applications or other logical groupings of events.
+- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **os** Represents the operating system name.
+- **osVer** Represents the OS version, and its format is OS dependent.
+- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **appVer** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
+
+
+### Common Data Extensions.OS
+
+
+
+The following fields are available:
+
+- **ver** Represents the major and minor version of the extension.
+- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
+- **locale** Represents the locale of the operating system.
+- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
+
+
+### Common Data Extensions.User
+
+
+
+The following fields are available:
+
+- **ver** Represents the major and minor version of the extension.
+- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+
+
+### Common Data Extensions.XBL
+
+
+
+The following fields are available:
+
+- **nbf** Not before time
+- **expId** Expiration time
+- **sbx** XBOX sandbox identifier
+- **dty** XBOX device type
+- **did** XBOX device ID
+- **xid** A list of base10-encoded XBOX User IDs.
+- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
+
+
+### Common Data Extensions.Consent UI Event
+
+This User Account Control (UAC) telemetry point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
+
+The following fields are available:
+
+- **eventType** Represents the type of elevation: If it succeeded, was cancelled, or was auto-approved.
+- **splitToken** Represents the flag used to distinguish between administrators and standard users.
+- **friendlyName** Represents the name of the file requesting elevation from low IL.
+- **elevationReason** Represents the distinction between various elevation requests sources (appcompat, installer, COM, MSI and so on).
+- **exeName** Represents the name of the file requesting elevation from low IL.
+- **signatureState** Represents the state of the signature, if it signed, unsigned, OS signed and so on.
+- **publisherName** Represents the name of the publisher of the file requesting elevation from low IL.
+- **cmdLine** Represents the full command line arguments being used to elevate.
+- **Hash.Length** Represents the length of the hash of the file requesting elevation from low IL.
+- **Hash** Represents the hash of the file requesting elevation from low IL.
+- **HashAlgId** Represents the algorithm ID of the hash of the file requesting elevation from low IL.
+- **telemetryFlags** Represents the details about the elevation prompt for CEIP data.
+- **timeStamp** Represents the time stamp on the file requesting elevation.
+- **fileVersionMS** Represents the major version of the file requesting elevation.
+- **fileVersionLS** Represents the minor version of the file requesting elevation.
+
+
+## Common data fields
+
+### Common Data Fields.MS.Device.DeviceInventory.Change
+
+These fields are added whenever Ms.Device.DeviceInventoryChange is included in the event.
+
+The following fields are available:
+
+- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
+- **objectType** Indicates the object type that the event applies to.
+- **Action** The change that was invoked on a device inventory object.
+- **inventoryId** Device ID used for Compatibility testing
+
+
+### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PreUpgradeSettings
+
+These fields are added whenever PreUpgradeSettings is included in the event.
+
+The following fields are available:
+
+- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service before the feature update completed.
+- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
+- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on before the feature update completed.
+- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
+- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
+- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
+- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device before the feature update completed.
+- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
+- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user before the feature update completed.
+- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
+- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device before the feature update.
+- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
+- **HKLM_TIPC.Enabled** The state of TIPC for the device.
+- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
+- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
+- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
+- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device before the feature update was completed?
+- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
+- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user before the feature update was completed?
+- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
+- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
+- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
+- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
+- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
+- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
+- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
+
+
+### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PostUpgradeSettings
+
+These fields are added whenever PostUpgradeSettings is included in the event.
+
+The following fields are available:
+
+- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service after the feature update has completed.
+- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
+- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on after a feature update has completed.
+- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
+- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
+- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
+- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device after the feature update has completed.
+- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
+- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user after the feature update has completed.
+- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
+- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device after the feature update.
+- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
+- **HKLM_TIPC.Enabled** The state of TIPC for the device.
+- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
+- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
+- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
+- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device after the feature update has completed?
+- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
+- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user after the feature update has completed?
+- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
+- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
+- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
+- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
+- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
+- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
+- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
+
+
+## Appraiser events
+
+### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
+
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client.
+
+The following fields are available:
+
+- **PCFP** An ID for the system that is calculated by hashing hardware identifiers.
+- **InventoryApplicationFile** The total InventoryApplicationFile objects that are present on this device.
+- **InventoryMediaCenter** The total InventoryMediaCenter objects that are present on this device.
+- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device.
+- **InventoryUplevelDriverPackage** The total InventoryUplevelDriverPackage objects that are present on this device.
+- **InventorySystemBios** The total InventorySystemBios objects that are present on this device.
+- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device.
+- **SystemProcessorLahfSahf** The total SystemProcessorLahfSahf objects that are present on this device.
+- **SystemMemory** The total SystemMemory objects that are present on this device.
+- **SystemProcessorPrefetchW** The total SystemProcessorPrefetchW objects that are present on this device.
+- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device.
+- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device.
+- **SystemWlan** The total SystemWlan objects that are present on this device.
+- **SystemWim** The total SystemWim objects that are present on this device
+- **SystemTouch** The total SystemTouch objects that are present on this device.
+- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device.
+
+
+### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureIdHashSha256
+
+This event lists the types of objects and the hashed values of all the identifiers for each one. This allows for a more in-depth way to ensure that the records present on the server match what is present on the client.
+
+The following fields are available:
+
+- **PCFP** An ID for the system that is calculated by hashing hardware identifiers.
+- **InventoryApplicationFile** The SHA256 hash of InventoryApplicationFile objects that are present on this device.
+- **InventoryMediaCenter** The SHA256 hash of InventoryMediaCenter objects that are present on this device.
+- **InventoryLanguagePack** The SHA256 hash of InventoryLanguagePack objects that are present on this device.
+- **InventoryUplevelDriverPackage** The SHA256 hash of InventoryUplevelDriverPackage objects that are present on this device.
+- **InventorySystemBios** The SHA256 hash of InventorySystemBios objects that are present on this device.
+- **SystemProcessorCompareExchange** The SHA256 hash of SystemProcessorCompareExchange objects that are present on this device.
+- **SystemProcessorLahfSahf** The SHA256 hash of SystemProcessorLahfSahf objects that are present on this device.
+- **SystemMemory** The SHA256 hash of SystemMemory objects that are present on this device.
+- **SystemProcessorPrefetchW** The SHA256 hash of SystemProcessorPrefetchW objects that are present on this device.
+- **SystemProcessorSse2** The SHA256 hash of SystemProcessorSse2 objects that are present on this device.
+- **SystemProcessorNx** The SHA256 hash of SystemProcessorNx objects that are present on this device.
+- **SystemWlan** The SHA256 hash of SystemWlan objects that are present on this device.
+- **SystemWim** The SHA256 hash of SystemWim objects that are present on this device.
+- **SystemTouch** The SHA256 hash of SystemTouch objects that are present on this device.
+- **SystemWindowsActivationStatus** The SHA256 hash of SystemWindowsActivationStatus objects that are present on this device.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
+
+This event sends compatibility information about a file to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file that is generating the events.
+- **AvDisplayName** If it is an anti-virus app, this is its display name.
+- **CompatModelIndex** The compatibility prediction for this file.
+- **HasCitData** Is the file present in CIT data?
+- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file?
+- **IsAv** Is the file an anti-virus reporting EXE?
+- **ResolveAttempted** This will always be an empty string when sending telemetry.
+- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
+
+This event indicates that the DatasourceApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
+
+This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
+
+This event sends compatibility data for a PNP device, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **ActiveNetworkConnection** Is the device an active network device?
+- **IsBootCritical** Is the device boot critical?
+- **SdbEntries** An array of fields indicating the SDB entries that apply to this device.
+- **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update?
+- **WuDriverUpdateID** The Windows Update ID of the applicable uplevel driver.
+- **WuPopulatedFromID** The expected uplevel driver matching ID based on driver coverage from Windows Update.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
+
+This event indicates that the DatasourceDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
+
+This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
+
+This event sends compatibility database data about driver packages to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** An array of fields indicating the SDB entries that apply to this driver package.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
+
+This event indicates that the DatasourceDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
+
+This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
+
+This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** An array of fields indicating the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
+
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
+
+This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
+
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** An array of fields indicating the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
+
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
+
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** An array of fields indicating the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
+
+This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
+
+This event sends compatibility database information about the BIOS to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **SdbEntries** An array of fields indicating the SDB entries that apply to this BIOS.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
+
+This event indicates that the DatasourceSystemBios object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
+
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
+
+This event sends compatibility decision data about a file to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS.
+- **BlockingApplication** Are there any application issues that interfere with upgrade due to the file in question?
+- **DisplayGenericMessage** Will be a generic message be shown for this file?
+- **HardBlock** This file is blocked in the SDB.
+- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB?
+- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
+- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
+- **NeedsDismissAction** Will the file cause an action that can be dimissed?
+- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app.
+- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade?
+- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app.
+- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade.
+- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB,
+- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade.
+- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed.
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade.
+- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
+- **SoftBlock** The file is softblocked in the SDB and has a warning.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
+
+This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
+
+This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
+
+This event sends compatibility decision data about a PNP device to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked?
+- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked?
+- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device?
+- **BlockingDevice** Is this PNP device blocking upgrade?
+- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device?
+- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
+- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
+- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
+- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden?
+- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
+- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
+- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
+- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
+
+This event indicates that the DecisionDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
+
+This event indicates that the DecisionDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
+
+This event sends decision data about driver package compatibility to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block?
+- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block?
+- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade?
+- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
+
+This event indicates that the DecisionDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
+
+This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
+
+This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks?
+- **DisplayGenericMessage** Will a generic message be shown for this block?
+- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block?
+- **SdbBlockUpgrade** Is a matching info block blocking upgrade?
+- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag?
+- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
+
+This event indicates that the DecisionMatchingInfoBlock object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
+
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
+
+This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks?
+- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
+
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
+
+This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app?
+- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade?
+- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app?
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade).
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
+
+This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
+
+This event sends decision data about the presence of Windows Media Center, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center?
+- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true?
+- **MediaCenterInUse** Is Windows Media Center actively being used?
+- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use?
+- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition?
+- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
+
+This event indicates that the DecisionMediaCenter object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
+
+This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
+
+This event sends compatibility decision data about the BIOS to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device blocked from upgrade due to a BIOS block?
+- **HasBiosBlock** Does the device have a BIOS block?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
+
+This event indicates that the DecisionSystemBios object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
+
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning
+
+The event that indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario.
+
+The following fields are available:
+
+- **Time** The client time of the event.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+
+
+### Microsoft.Windows.Appraiser.General.GatedRegChange
+
+This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date.
+
+The following fields are available:
+
+- **Time** The client time of the event.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **RegKey** The registry key name for which a result is being sent.
+- **RegValue** The registry value for which a result is being sent.
+- **OldData** The previous data in the registry value before the scan ran.
+- **NewData** The data in the registry value after the scan completed.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
+
+This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
+- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
+- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
+- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **CompanyName** The company name of the vendor who developed this file.
+- **FileId** A hash that uniquely identifies a file.
+- **FileVersion** The File version field from the file metadata under Properties -> Details.
+- **LinkDate** The date and time that this file was linked on.
+- **LowerCaseLongPath** The full file path to the file that was inventoried on the device.
+- **Name** The name of the file that was inventoried.
+- **ProductName** The Product name field from the file metadata under Properties -> Details.
+- **ProductVersion** The Product version field from the file metadata under Properties -> Details.
+- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it.
+- **Size** The size of the file (in hexadecimal bytes).
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
+
+This event indicates that the InventoryApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
+
+This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
+
+This event sends data about the number of language packs installed on the system, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **HasLanguagePack** Does this device have 2 or more language packs?
+- **LanguagePackCount** How many language packs are installed?
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
+
+This event indicates that the InventoryLanguagePack object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
+
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
+
+This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **EverLaunched** Has Windows Media Center ever been launched?
+- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center?
+- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured?
+- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch?
+- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files?
+- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
+- **IsSupported** Does the running OS support Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
+
+This event indicates that the InventoryMediaCenter object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
+
+This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
+
+This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BiosDate** The release date of the BIOS in UTC format.
+- **BiosName** The name field from Win32_BIOS.
+- **Manufacturer** The manufacturer field from Win32_ComputerSystem.
+- **Model** The model field from Win32_ComputerSystem.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
+
+This event indicates that the InventorySystemBios object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
+
+This event indicates that a new set of InventorySystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
+
+This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BootCritical** Is the driver package marked as boot critical?
+- **Build** The build value from the driver package.
+- **CatalogFile** The name of the catalog file within the driver package.
+- **ClassGuid** The device class GUID from the driver package.
+- **Class** The device class from the driver package.
+- **Date** The date from the driver package.
+- **SignatureStatus** Indicates if the driver package is signed. Unknown:0, Unsigned:1, Signed: 2
+- **Inbox** Is the driver package of a driver that is included with Windows?
+- **VersionMajor** The major version of the driver package.
+- **VersionMinor** The minor version of the driver package.
+- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU
+- **Provider** The provider of the driver package.
+- **PublishedName** The name of the INF file, post-rename.
+- **Revision** The revision of the driver package.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
+
+This event indicates that the InventoryUplevelDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
+
+This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.IsOnlineTelemetryOutputter
+
+This event indicates if Appraiser was able to connect successfully to Windows Update to get driver availability information.
+
+The following fields are available:
+
+- **Time** The client time of the event.
+- **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers.
+- **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information?
+
+
+### Microsoft.Windows.Appraiser.General.IsOnlineWuDriverDataSource
+
+This event indicates if Appraiser was able to connect to Windows Update to gather driver coverage information.
+
+The following fields are available:
+
+- **Time** The client time of the event.
+- **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers.
+- **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information?
+- **TargetVersion** The abbreviated name for the OS version against which Windows Update was queried.
+
+
+### Microsoft.Windows.Appraiser.General.RunContext
+
+This event indicates what should be expected in the data payload.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built.
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
+- **Time** The client time of the event.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+
+
+### Microsoft.Windows.Appraiser.General.SetupAdlStatus
+
+This event indicates if Appraiser used data files from the setup image or more up-to-date data files downloaded from a Microsoft server.
+
+The following fields are available:
+
+- **Time** The client time of the event.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **Result** The last result of the operation to determine if there is a data file to download.
+- **OneSettingsInitialized** Was the query to OneSettings, where the information is stored on if there is a data file to download, initialized?
+- **Url** The URL of the data file to download. This will be an empty string if there is no data file to download.
+- **UsingAlternateData** Is the client using alternate data file or using the data file in the setup image?
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
+
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device from upgrade due to memory restrictions?
+- **MemoryRequirementViolated** Was a memory requirement violated?
+- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes).
+- **ram** The amount of memory on the device.
+- **ramKB** The amount of memory (in KB).
+- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes).
+- **virtualKB** The amount of virtual memory (in KB).
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryRemove
+
+This event that the SystemMemory object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
+
+This event indicates that a new set of SystemMemoryAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
+
+This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **CompareExchange128Support** Does the CPU support CompareExchange128?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
+
+This event indicates that the SystemProcessorCompareExchange object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
+
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
+
+This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **LahfSahfSupport** Does the CPU support LAHF/SAHF?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
+
+This event indicates that the SystemProcessorLahfSahf object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
+
+This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
+
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support.
+- **NXProcessorSupport** Does the processor support NX?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
+
+This event indicates that the SystemProcessorNx object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
+
+This event indicates that a new set of SystemProcessorNxAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
+
+This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **PrefetchWSupport** Does the processor support PrefetchW?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
+
+This event indicates that the SystemProcessorPrefetchW object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
+
+This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
+
+This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **SSE2ProcessorSupport** Does the processor support SSE2?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
+
+This event indicates that the SystemProcessorSse2 object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
+
+This event indicates that a new set of SystemProcessorSse2Add events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchAdd
+
+This event sends data indicating whether the system supports touch, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer?
+- **MaximumTouches** The maximum number of touch points supported by the device hardware.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchRemove
+
+This event indicates that the SystemTouch object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchStartSync
+
+This event indicates that a new set of SystemTouchAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimAdd
+
+This event sends data indicating whether the operating system is running from a compressed WIM file, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IsWimBoot** Is the current operating system running from a compressed WIM file?
+- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimRemove
+
+This event indicates that the SystemWim object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimStartSync
+
+This event indicates that a new set of SystemWimAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
+
+This event sends data indicating whether the current operating system is activated, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated.
+- **WindowsNotActivatedDecision** Is the current operating system activated?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
+
+This event indicates that the SystemWindowsActivationStatus object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
+
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked because of an emulated WLAN driver?
+- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block?
+- **WlanEmulatedDriver** Does the device have an emulated WLAN driver?
+- **WlanExists** Does the device support WLAN at all?
+- **WlanModulePresent** Are any WLAN modules present?
+- **WlanNativeDriver** Does the device have a non-emulated WLAN driver?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanRemove
+
+This event indicates that the SystemWlan object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanStartSync
+
+This event indicates that a new set of SystemWlanAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
+
+A summary event indicating the parameters and result of a telemetry run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
+
+The following fields are available:
+
+- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
+- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
+- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
+- **Time** The client time of the event.
+- **RunDate** The date that the telemetry run was stated, expressed as a filetime.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
+- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run.
+- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
+- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
+- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
+- **AuxFinal** Obsolete, always set to false
+- **StoreHandleIsNotNull** Obsolete, always set to false
+- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run.
+- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
+- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **TelementrySent** Indicates if telemetry was successfully sent.
+- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
+- **RunResult** The hresult of the Appraiser telemetry run.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmAdd
+
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
+- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses.
+- **WmdrmPurchased** Indicates if the system has any files with permanent licenses.
+- **WmdrmApiResult** Raw value of the API used to gather DRM state.
+- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed.
+- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased
+- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation.
+- **BlockingApplication** Same as NeedsDismissAction
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmRemove
+
+This event indicates that the Wmdrm object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmStartSync
+
+This event indicates that a new set of WmdrmAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+## Census events
+
+### Census.App
+
+This event sends version data about the Apps running on this device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **IEVersion** Retrieves which version of Internet Explorer is running on this device.
+- **CensusVersion** The version of Census that generated the current data for this device.
+
+
+### Census.Battery
+
+This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalBatteryCapablities** Represents information about what the battery is capable of doing.
+- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity to estimate the battery's wear.
+- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh.
+- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
+- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance.
+
+
+### Census.Camera
+
+This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0.
+- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0.
+
+
+### Census.Enterprise
+
+This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment.
+
+The following fields are available:
+
+- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
+- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **CommercialId** Represents the GUID for the commercial entity which the device is a member of. Will be used to reflect insights back to customers.
+- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
+- **AzureOSIDPresent** Represents the field used to identify an Azure machine.
+- **IsDomainJoined** Indicates whether a machine is joined to a domain.
+- **HashedDomain** The hashed representation of the user domain used for login.
+- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
+- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
+- **CDJType** Represents the type of cloud domain joined for the machine.
+- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption
+- **IsDERequirementMet** Represents if the device can do device encryption.
+- **IsEDPEnabled** Represents if Enterprise data protected on the device.
+- **ContainerType** The type of container, such as process or virtual machine hosted.
+
+
+### Census.Firmware
+
+This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS).
+- **FirmwareReleaseDate** Represents the date the current firmware was released.
+- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI.
+- **FirmwareVersion** Represents the version of the current firmware.
+
+
+### Census.Flighting
+
+This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **FlightIds** A list of the different Windows Insider builds on this device.
+- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device.
+- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program.
+- **FlightingBranchName** The name of the Windows Insider branch currently used by the device.
+- **DeviceSampleRate** The telemetry sample rate assigned to the device.
+- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device.
+- **SSRK** Retrieves the mobile targeting settings.
+
+
+### Census.Hardware
+
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
+- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields.
+- **DeviceColor** Indicates a color of the device.
+- **DeviceName** The device name that is set by the user.
+- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device.
+- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date.
+- **OEMModelNumber** The device model number.
+- **OEMModelName** The device model name.
+- **OEMModelSKU** The device edition that is defined by the manufacturer.
+- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary.
+- **OEMSerialNumber** The serial number of the device that is set by the manufacturer.
+- **PhoneManufacturer** The friendly name of the phone manufacturer.
+- **SoCName** The firmware manufacturer of the device.
+- **DUID** The device unique ID.
+- **InventoryId** The device ID used for compatibility testing.
+- **VoiceSupported** Does the device have a cellular radio capable of making voice calls?
+- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device.
+- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
+- **StudyID** Used to identify retail and non-retail device.
+- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced.
+- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user.
+- **DeviceForm** Indicates the form as per the device classification.
+- **DigitizerSupport** Is a digitizer supported?
+- **OEMModelBaseBoard** The baseboard model used by the OEM.
+- **OEMModelSystemFamily** The system family set on the device by an OEM.
+- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices.
+- **ActiveMicCount** The number of active microphones attached to the device.
+- **OEMModelSystemVersion** The system model version set on the device by the OEM.
+
+
+### Census.Memory
+
+This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date.
+
+The following fields are available:
+
+- **TotalPhysicalRAM** Represents the physical memory (in MB).
+- **TotalVisibleMemory** Represents the memory that is not reserved by the system.
+
+
+### Census.Network
+
+This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date.
+
+The following fields are available:
+
+- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users.
+- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US.
+- **NetworkCost** Represents the network cost associated with a connection.
+- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user.
+- **NetworkAdapterGUID** The GUID of the primary network adapter.
+
+
+### Census.OS
+
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **GenuineState** Retrieves the ID Value specifying the OS Genuine check.
+- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go
+- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI.
+- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
+- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
+- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
+- **OSSKU** Retrieves the Friendly Name of OS Edition.
+- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine.
+- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS.
+- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability.
+- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled.
+- **Signature** Retrieves if it is a signature machine sold by Microsoft store.
+- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode.
+- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine.
+- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
+- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
+- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key.
+- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy.
+- **ServiceProductKeyID** Retrieves the License key of the KMS
+- **LanguagePacks** The list of language packages installed on the device.
+- **InstallLanguage** The first language installed on the user machine.
+- **IsEduData** Returns Boolean if the education data policy is enabled.
+- **SharedPCMode** Returns Boolean for education devices used as shared cart
+- **SLICVersion** Returns OS type/version from SLIC table.
+- **SLICStatus** Whether a SLIC table exists on the device.
+- **OSEdition** Retrieves the version of the current OS.
+- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues.
+- **ProductActivationResult** Returns Boolean if the OS Activation was successful.
+- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines.
+- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
+- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy.
+- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time
+- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
+
+
+### Census.Processor
+
+This event sends data about the processor (architecture, speed, number of cores, manufacturer, and model number), to help keep Windows up to date.
+
+The following fields are available:
+
+- **ProcessorCores** Retrieves the number of cores in the processor.
+- **ProcessorPhysicalCores** Number of physical cores in the processor.
+- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture.
+- **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz.
+- **ProcessorManufacturer** Retrieves the name of the processor's manufacturer.
+- **ProcessorModel** Retrieves the name of the processor model.
+- **SocketCount** Number of physical CPU sockets of the machine.
+- **ProcessorIdentifier** The processor identifier of a manufacturer.
+
+
+### Census.Speech
+
+This event is used to gather basic speech settings on the device.
+
+The following fields are available:
+
+- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
+- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
+- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
+- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked.
+- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities.
+- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
+- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
+- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities.
+- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities.
+
+
+### Census.Storage
+
+This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
+
+The following fields are available:
+
+- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB.
+- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
+- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
+
+
+### Census.Userdefault
+
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultBrowserProgId** The ProgramId of the current user's default browser
+- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html,.htm,.jpg,.jpeg,.png,.mp3,.mp4, .mov,.pdf
+
+
+### Census.UserDisplay
+
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display.
+- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
+- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
+- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
+- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
+- **VRAMDedicated** Retrieves the video RAM in MB.
+- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card.
+- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use.
+
+
+### Census.UserNLS
+
+This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultAppLanguage** The current user Default App Language.
+- **HomeLocation** The current user location, which is populated using GetUserGeoId() function.
+- **DisplayLanguage** The current user preferred Windows Display Language.
+- **SpeechInputLanguages** The Speech Input languages installed on the device.
+- **KeyboardInputLanguages** The Keyboard input languages installed on the device.
+
+
+### Census.VM
+
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
+
+The following fields are available:
+
+- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
+- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
+- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present.
+- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors.
+- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
+
+
+### Census.WU
+
+This event sends data about the Windows update server and other App store policies, to help keep Windows up to date.
+
+The following fields are available:
+
+- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
+- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
+- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
+- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
+- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
+- **AppStoreAutoUpdatePolicy** Retrieves the Windows Store App Auto Update group policy setting
+- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
+- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
+- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
+- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades
+- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates
+- **WUPauseState** Retrieves WU setting to determine if updates are paused
+- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device .
+- **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
+- **OSRollbackCount** The number of times feature updates have rolled back on the device.
+- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
+- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading.
+
+
+### Census.Xbox
+
+This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
+
+The following fields are available:
+
+- **XboxLiveDeviceId** Retrieves the unique device id of the console.
+- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
+- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS.
+- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
+
+
+## Diagnostic data events
+
+### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
+
+This event sends data indicating that a device has undergone a change of telemetry opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
+
+The following fields are available:
+
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
+- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
+- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
+- **CanPerformScripting** True if UTC is allowed to perform scripting.
+- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
+- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry opt-in level was last changed.
+
+
+### TelClientSynthetic.AuthorizationInfo_Startup
+
+This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date.
+
+The following fields are available:
+
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
+- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
+- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
+- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
+- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
+- **CanPerformScripting** True if UTC is allowed to perform scripting.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started.
+
+
+### TelClientSynthetic.ConnectivityHeartBeat_0
+
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+
+The following fields are available:
+
+- **CensusExitCode** Returns last execution codes from census client run.
+- **CensusStartTime** Returns timestamp corresponding to last successful census run.
+- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine.
+- **LastConnectivityLossTime** Retrieves the last time the device lost free network.
+- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network.
+- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds.
+- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds.
+- **LastConntectivityLossTime** Retrieves the last time the device lost free network.
+
+
+### TelClientSynthetic.HeartBeat_5
+
+This event sends data about the health and quality of the telemetry data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+
+The following fields are available:
+
+- **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events.
+- **EtwDroppedCount** The number of events dropped by the ETW layer of the telemetry client.
+- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the telemetry client.
+- **DecodingDroppedCount** The number of events dropped because of decoding failures.
+- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers.
+- **DbDroppedCount** The number of events that were dropped because the database was full.
+- **EventSubStoreResetCounter** The number of times the event database was reset.
+- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance.
+- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database.
+- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated.
+- **UploaderDroppedCount** The number of events dropped by the uploader layer of the telemetry client.
+- **InvalidHttpCodeCount** The number of invalid HTTP codes received from Vortex.
+- **LastInvalidHttpCode** The last invalid HTTP code received from Vortex.
+- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experience and Telemetry component.
+- **LastEventSizeOffender** The name of the last event that exceeded the maximum event size.
+- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service.
+- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
+- **VortexHttpAttempts** The number of attempts to contact the Vortex service.
+- **EventsUploaded** The number of events that have been uploaded.
+- **DbCriticalDroppedCount** The total number of dropped critical events in the event database.
+- **VortexHttpFailures4xx** The number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex.
+- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
+- **HeartBeatSequenceNumber** A monotonically increasing heartbeat counter.
+- **EtwDroppedBufferCount** The number of buffers dropped in the CUET ETW session.
+- **FullTriggerBufferDroppedCount** The number of events that were dropped because the trigger buffer was full.
+- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
+- **CriticalDataDbDroppedCount** The number of critical data sampled events that were dropped at the database layer.
+- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
+- **AgentConnectionErrorsCount** The number of non-timeout errors associated with the host/agent channel.
+- **LastAgentConnectionError** The last non-timeout error that happened in the host/agent channel.
+- **Flags** Flags that indicate device state, such as network, battery, and opt-in state.
+- **CensusTaskEnabled** Indicates whether Census is enabled.
+- **CensusExitCode** The last exit code of the Census task.
+- **CensusStartTime** The time of the last Census run.
+
+
+### TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate
+
+This event sends basic data on privacy settings before and after a feature update. This is used to ensure that customer privacy settings are correctly migrated across feature updates.
+
+The following fields are available:
+
+- **PostUpgradeSettings** The privacy settings after a feature update.
+- **PreUpgradeSettings** The privacy settings before a feature update.
+
+
+## DxgKernelTelemetry events
+
+### DxgKrnlTelemetry.GPUAdapterInventoryV2
+
+This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
+
+The following fields are available:
+
+- **version** The event version.
+- **bootId** The system boot ID.
+- **aiSeqId** The event sequence ID.
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **InterfaceId** The GPU interface ID.
+- **GPUVendorID** The GPU vendor ID.
+- **GPUDeviceID** The GPU device ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **SubSystemID** The subsystem ID.
+- **GPURevisionID** The GPU revision ID.
+- **DriverVersion** The display driver version.
+- **DriverDate** The date of the display driver.
+- **DriverRank** The rank of the display driver.
+- **IsMiracastSupported** Does the GPU support Miracast?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
+- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsLDA** Is the GPU comprised of Linked Display Adapters?
+- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsPostAdapter** Is this GPU the POST GPU in the device?
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **IsRenderDevice** Does the GPU have rendering capabilities?
+- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **WDDMVersion** The Windows Display Driver Model version.
+- **DisplayAdapterLuid** The display adapter LUID.
+- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
+- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **NumVidPnSources** The number of supported display output sources.
+- **NumVidPnTargets** The number of supported display output targets.
+
+
+## Fault Reporting events
+
+### Microsoft.Windows.FaultReporting.AppCrashEvent
+
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes" by a user DO NOT emit this event.
+
+The following fields are available:
+
+- **ProcessId** The ID of the process that has crashed.
+- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **ExceptionCode** The exception code returned by the process that has crashed.
+- **ExceptionOffset** The address where the exception had occurred.
+- **AppName** The name of the app that has crashed.
+- **AppVersion** The version of the app that has crashed.
+- **AppTimeStamp** The date/time stamp of the app.
+- **ModName** Exception module name (e.g. bar.dll).
+- **ModVersion** The version of the module that has crashed.
+- **ModTimeStamp** The date/time stamp of the module.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported
+- **TargetAsId** The sequence number for the hanging process.
+
+
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+
+The following fields are available:
+
+- **AppName** The name of the app that has hung.
+- **TypeCode** Bitmap describing the hang type.
+- **ProcessId** The ID of the process that has hung.
+- **UTCReplace_TargetAppId** The kernel reported AppId of the application being reported.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **UTCReplace_TargetAppVer** The specific version of the application being reported.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **PackageFullName** Store application identity.
+- **AppVersion** The version of the app that has hung.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported.
+- **TargetAsId** The sequence number for the hanging process.
+
+
+## Inventory events
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
+
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
+
+The following fields are available:
+
+- **Device** A count of device objects in cache
+- **DeviceCensus** A count of devicecensus objects in cache
+- **DriverPackageExtended** A count of driverpackageextended objects in cache
+- **File** A count of file objects in cache
+- **Generic** A count of generic objects in cache
+- **HwItem** A count of hwitem objects in cache
+- **InventoryApplication** A count of application objects in cache
+- **InventoryApplicationFile** A count of application file objects in cache
+- **InventoryDeviceContainer** A count of device container objects in cache
+- **InventoryDeviceMediaClass** A count of device media objects in cache
+- **InventoryDevicePnp** A count of devicepnp objects in cache
+- **InventoryDriverBinary** A count of driver binary objects in cache
+- **InventoryDriverPackage** A count of device objects in cache
+- **Metadata** A count of metadata objects in cache
+- **Orphan** A count of orphan file objects in cache
+- **Programs** A count of program objects in cache
+- **FileSigningInfo** A count of file signing info objects in cache.
+- **InventoryDeviceInterface** A count of inventory device interface objects in cache.
+
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
+
+This event sends inventory component versions for the Device Inventory data.
+
+The following fields are available:
+
+- **aeinv** The version of the App inventory component.
+- **devinv** The file version of the Device inventory component.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
+
+This event sends basic metadata about an application on the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **ProgramInstanceId** A hash of the file IDs in an app.
+- **Name** The name of the application. Location pulled from depends on 'Source' field.
+- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen.
+- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field.
+- **Version** The version number of the program.
+- **Language** The language code of the program.
+- **Source** How the program was installed (ARP, MSI, Appx, etc...)
+- **MsiProductCode** A GUID that describe the MSI Product.
+- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
+- **HiddenArp** Indicates whether a program hides itself from showing up in ARP.
+- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install.
+- **RootDirPath** The path to the root directory where the program was installed.
+- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics)
+- **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array.
+- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array.
+- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **objectInstanceId** ProgramId (a hash of Name, Version, Publisher, and Language of an application used to identify it).
+- **PackageFullName** The package full name for a Store application.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **StoreAppType** A sub-classification for the type of Windows Store app, such as UWP or Win8StoreApp.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
+
+This event indicates that a new set of InventoryApplicationAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
+
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a PNP device) to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ModelName** The model name.
+- **ModelId** A model GUID.
+- **PrimaryCategory** The primary category for the device container.
+- **Categories** A comma separated list of functional categories in which the container belongs.
+- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
+- **IsActive** Is the device connected, or has it been seen in the last 14 days?
+- **IsPaired** Does the device container require pairing?
+- **IsNetworked** Is this a networked device?
+- **IsMachineContainer** Is the container the root device itself?
+- **FriendlyName** The name of the device container.
+- **DiscoveryMethod** The discovery method for the device container.
+- **ModelNumber** The model number for the device container.
+- **Manufacturer** The manufacturer name for the device container.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **objectInstanceId** ContainerId
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
+
+This event indicates that the InventoryDeviceContainer object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
+
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
+
+This event retrieves information about what sensor interfaces are available on the device.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Accelerometer3D** Indicates if an Accelerator3D sensor is found.
+- **ActivityDetection** Indicates if an Activity Detection sensor is found.
+- **AmbientLight** Indicates if an Ambient Light sensor is found.
+- **Barometer** Indicates if a Barometer sensor is found.
+- **Custom** Indicates if a Custom sensor is found.
+- **FloorElevation** Indicates if a Floor Elevation sensor is found.
+- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found.
+- **GravityVector** Indicates if a Gravity Detector sensor is found.
+- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found.
+- **Humidity** Indicates if a Humidity sensor is found.
+- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found.
+- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found.
+- **Orientation** Indicates if an Orientation sensor is found.
+- **Pedometer** Indicates if a Pedometer sensor is found.
+- **Proximity** Indicates if a Proximity sensor is found.
+- **RelativeOrientation** Indicates if a Relative Orientation sensor is found.
+- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found.
+- **Temperature** Indicates if a Temperature sensor is found.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
+
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
+
+This event sends additional metadata about a PNP device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Audio_CaptureDriver** The Audio device capture driver endpoint.
+- **Audio_RenderDriver** The Audio device render driver endpoint.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
+
+This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
+
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
+
+This event sends basic metadata about a PNP device and its associated driver to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **HWID** A JSON array that provides the value and order of the HWID tree for the device.
+- **COMPID** A JSON array the provides the value and order of the compatible ID tree for the device.
+- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **Enumerator** The bus that enumerated the device.
+- **ContainerId** A system-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the device.
+- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present.
+- **ParentId** Device instance id of the parent of the device.
+- **STACKID** A JSON array that provides the value and order of the STACKID tree for the device.
+- **Description** The device description.
+- **MatchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance.
+- **Class** The device setup class of the driver loaded for the device.
+- **ClassGuid** The device setup class guid of the driver loaded for the device.
+- **Manufacturer** The device manufacturer.
+- **Model** The device model.
+- **Inf** The INF file name.
+- **DriverVerVersion** The version of the driver loaded for the device.
+- **DriverVerDate** The date of the driver loaded for the device.
+- **Provider** The device provider.
+- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
+- **Service** The device service name.
+- **LowerClassFilters** Lower filter class drivers IDs installed for the device.
+- **LowerFilters** Lower filter drivers IDs installed for the device.
+- **UpperClassFilters** Upper filter class drivers IDs installed for the device.
+- **UpperFilters** Upper filter drivers IDs installed for the device.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **DriverId** A unique identifier for the installed device.
+- **DriverName** The name of the driver image file.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **ProblemCode** The current error code for the device.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
+
+This event indicates that the InventoryDevicePnpRemove object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
+
+This event sends basic metadata about driver files running on the system to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **DriverName** The file name of the driver.
+- **Inf** The name of the INF file.
+- **DriverPackageStrongName** The strong name of the driver package.
+- **DriverCompany** The company name that developed the driver.
+- **DriverCheckSum** The checksum of the driver file.
+- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file.
+- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
+- **DriverInBox** Is the driver included with the operating system?
+- **DriverSigned** Is the driver signed?
+- **DriverIsKernelMode** Is it a kernel mode driver?
+- **DriverVersion** The version of the driver file.
+- **ImageSize** The size of the driver file.
+- **Product** The product name that is included in the driver file.
+- **ProductVersion** The product version that is included in the driver file.
+- **WdfVersion** The Windows Driver Framework version.
+- **Service** The name of the service that is installed for the device.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
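Review bot: The **DriverType** bullet in InventoryDriverBinaryAdd runs sixteen flag definitions together as one numbered sentence ("1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define ..."), which is hard to read, and it lists 0x0040 (DRIVER_MAP_DRIVER_IS_WINQUAL) before 0x0020 (DRIVER_MAP_DRIVER_IS_SELF_SIGNED). Suggest a nested list or table of flag name and value, sorted by value, without the "define" prefix and the numbering. DriverInBox, DriverSigned and DriverIsKernelMode appear to repeat bits of this field (IS_INBOX, IS_SIGNED, TYPE_KERNEL); a short statement on whether they are derived from DriverType would help anyone decoding the event.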
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
+
+This event indicates that the InventoryDriverBinary object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
+
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
+
+This event sends basic metadata about drive packages installed on the system to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **Inf** The INF name of the driver package.
+- **ClassGuid** The class GUID for the device driver.
+- **Class** The class name for the device driver.
+- **Directory** The path to the driver package.
+- **Date** The driver package date.
+- **Version** The version of the driver package.
+- **Provider** The provider for the driver package.
+- **SubmissionId** The HLK submission ID for the driver package.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
+
+This event indicates that the InventoryDriverPackageRemove object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
+
+This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
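Review bot: The InventoryDriverPackageAdd description says "drive packages"; it should read "driver packages". The InventoryDriverPackageRemove description also names the object as "InventoryDriverPackageRemove", which is the event name, whereas InventoryDriverBinaryRemove refers to the "InventoryDriverBinary object". Suggest "the InventoryDriverPackage object is no longer present" (InventoryDevicePnpRemove has the same wording issue).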
+### Microsoft.Windows.Inventory.Indicators.Checksum
+
+This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
+
+The following fields are available:
+
+- **ChecksumDictionary** A count of each operating system indicator.
+- **PCFP** Equivalent to the InventoryId field that is found in other core events.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
+
+These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **IndicatorValue** The indicator value
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
+
+This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd, indicating that the item has been removed. There are no additional unique fields in this event.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
+
+This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+
+
+## OneDrive events
+
+### Microsoft.OneDrive.Sync.Setup.APIOperation
+
+This event includes basic data about install and uninstall OneDrive API operations.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **ScenarioName** The name of the scenario.
+- **Duration** How long the operation took.
+- **isSuccess** Was the operation successful?
+- **ResultCode** The result code.
+
+
+### Microsoft.OneDrive.Sync.Setup.EndExperience
+
+This event includes a success or failure summary of the installation.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **ScenarioName** The name of the scenario.
+- **Hresult** The HResult of the operation.
+- **isSuccess** Was the operation successful?
+
+
+### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
+
+This event is related to the OS version when the OS is upgraded with OneDrive installed.
+
+The following fields are available:
+
+- **HResult** The HResult of the operation.
+- **SourceOSVersion** The source version of the operating system.
+- **SourceOSBuildNumber** The source build number of the operating system.
+- **SourceOSBuildBranch** The source branch of the operating system.
+- **CurrentOSVersion** The current version of the operating system.
+- **CurrentOSBuildNumber** The current build number of the operating system.
+- **CurrentOSBuildBranch** The current branch of the operating system.
+- **CurrentOneDriveVersion** The current version of OneDrive.
+
+
+### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
+
+This event is related to registering or unregistering the OneDrive update task.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **ScenarioName** The name of the scenario.
+- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation.
+- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation.
+- **isSuccess** Was the operation successful?
+
+
+### Microsoft.OneDrive.Sync.Setup.SetupCommonData
+
+This event contains basic OneDrive configuration data that helps to diagnose failures.
+
+The following fields are available:
+
+- **AppVersion** The version of the app.
+- **OfficeVersion** The version of Office that is installed.
+- **BuildArch** Is the architecture x86 or x64?
+- **Market** Which market is this in?
+- **OneDriveDeviceId** The OneDrive device ID.
+- **MachineGuid** The CEIP machine ID.
+- **IsMSFTInternal** Is this an internal Microsoft device?
+- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
+- **OSUserName** Only if the device is internal to Microsoft, the user name.
+- **Environment** Is the device on the production or int service?
+- **OfficeVersionString** The version of Office that is installed.
+- **BuildArchitecture** Is the architecture x86 or x64?
+- **UserGuid** The CEIP user ID.
+- **MSFTInternal** Is this an internal Microsoft device?
+
+
+### Microsoft.OneDrive.Sync.Updater.CommonData
+
+This event contains basic OneDrive configuration data that helps to diagnose failures.
+
+The following fields are available:
+
+- **AppVersion** The version of the app.
+- **OfficeVersion** The version of Office that is installed.
+- **BuildArch** Is the architecture x86 or x64?
+- **Market** Which market is this in?
+- **OneDriveDeviceId** The OneDrive device ID.
+- **MachineGuid** The CEIP machine ID.
+- **IsMSFTInternal** Is this an internal Microsoft device?
+- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
+- **OSUserName** Only if the device is internal to Microsoft, the user name.
+- **Environment** Is the device on the production or int service?
+- **UserGuid** A unique global user identifier.
+
+
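Review bot: In Microsoft.OneDrive.Sync.Setup.SetupCommonData three pairs of fields carry identical descriptions (OfficeVersion / OfficeVersionString, BuildArch / BuildArchitecture, IsMSFTInternal / MSFTInternal), so a reader cannot tell which one is populated or how they differ. Either drop the redundant entries or state the difference. UserGuid is also described two ways: "The CEIP user ID" in SetupCommonData and "A unique global user identifier" in Updater.CommonData. Since UserGuid, MachineGuid and OneDriveDeviceId are identifiers, their descriptions should be consistent and say precisely what each one identifies.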
+### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
+
+This event determines the installation state of dependent OneDrive components.
+
+The following fields are available:
+
+- **ComponentName** The name of the dependent component.
+- **isInstalled** Is the dependent component installed?
+
+
+### Microsoft.OneDrive.Sync.Updater.OfficeRegistration
+
+This event determines the status of the OneDrive integration with Microsoft Office.
+
+The following fields are available:
+
+- **isValid** Is the Microsoft Office registration valid?
+
+
+### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
+
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+
+The following fields are available:
+
+- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system.
+- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system.
+
+
+### Microsoft.OneDrive.Sync.Updater.RepairResult
+
+The event determines the result of the installation repair.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.SetupBinaryDownloadHResult
+
+This event indicates the status when downloading the OneDrive setup file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
+
+This event determines the outcome of the operation.
+
+The following fields are available:
+
+- **UpdaterVersion** The version of the updater.
+- **IsLoggingEnabled** Is logging enabled?
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateTierReg
+
+This event determines status of the update tier registry values.
+
+The following fields are available:
+
+- **regReadEnterpriseHr** The HResult of the enterprise reg read value.
+- **regReadTeamHr** The HResult of the team reg read value.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
+
+This event determines the status when downloading the OneDrive update configuration file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
+
+This event determines the error code that was returned when verifying Internet connectivity.
+
+The following fields are available:
+
+- **winInetError** The HResult of the operation.
+
+
+## Setup events
+
+### SetupPlatformTel.SetupPlatformTelActivityEvent
+
+This event sends a unique ID that can be used to bind Setup Platform events together, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **Value** Retrieves the value associated with the corresponding event name. For example: For time-related events, this will include the system time.
+- **ActivityId** Provides a unique Id to correlate events that occur between a activity start event, and a stop event
+- **ActivityName** Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.)
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStarted
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+The following fields are available:
+
+- **Name** The name of the dynamic update type. Example: GDR driver
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStopped
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+
+
+### SetupPlatformTel.SetupPlatformTelEvent
+
+This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+
+
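Review bot: SetupPlatformTel.SetupPlatformTelActivityStopped has a description but no "The following fields are available:" list, unlike the other events in this section; add the list or state that the event has no fields. SetupPlatformTelEvent is described as "This service retrieves events", which reads as a service rather than an event, and the ActivityId bullet has "a activity start event" (should be "an activity") and no closing period.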
+## Shared PC events
+
+### Microsoft.Windows.SharedPC.AccountManager.DeleteUserAccount
+
+Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account Manager to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates.
+
+The following fields are available:
+
+- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager.
+- **userSid** The security identifier of the account.
+- **accountType** The type of account that was deleted. Example: AD, AAD, or Local
+
+
+### Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation
+
+Activity for run of the Transient Account Manager that determines if any user accounts should be deleted for devices set up for Shared PC mode to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates
+
+The following fields are available:
+
+- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager.
+- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies.
+- **evaluationTrigger** When was the Transient Account Manager policies ran? Example: At log off or during maintenance hours
+
+
+## Software update events
+
+### SoftwareUpdateClientTelemetry.CheckForUpdates
+
+This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **DeviceModel** What is the device model.
+- **BiosName** The name of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **ClientVersion** The version number of the software distribution client.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.).
+- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion.
+- **SyncType** Describes the type of scan the event was
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
+- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
+- **ScanDurationInSeconds** The number of seconds a scan took
+- **ScanEnqueueTime** The number of seconds it took to initialize a scan
+- **NumberOfLoop** The number of round trips the scan required
+- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
+- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
+- **ServiceUrl** The environment URL a device is configured to scan with
+- **Online** Indicates if this was an online scan.
+- **AllowCachedResults** Indicates if the scan allowed using cached results.
+- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down.
+- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
+- **MSIError** The last error that was encountered during a scan for updates.
+- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered.
+- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan.
+- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
+- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated.
+- **ExtendedMetadataCabUrl** Hostname that is used to download an update.
+- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
+- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
+- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
+- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation.
+- **DeferredUpdates** Update IDs which are currently being deferred until a later time
+- **BranchReadinessLevel** The servicing branch configured on the device.
+- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
+- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days).
+- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days).
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days).
+- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **SearchFilter** Contains information indicating filters applied while checking for content applicable to the device. For example, to filter out all content which may require a reboot.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **PausedUpdates** A list of UpdateIds which that currently being paused.
+- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
+- **DriverSyncPassPerformed** Were drivers scanned this time?
+
+
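Review bot: In SoftwareUpdateClientTelemetry.CheckForUpdates the **CDNId** description is word for word the **WUDeviceID** description ("The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue."), which looks like a copy-paste error; it should describe the CDN identifier. Smaller fixes in the same list: "1-Ignoe" in MetadataIntegrityMode should be "1-Ignore", PausedUpdates reads "which that currently being paused", and IPVersion talks about "the download" in an event that reports a scan.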
+### SoftwareUpdateClientTelemetry.Commit
+
+This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventScenario** State of call
+- **EventInstanceID** A globally unique identifier for event instance.
+- **DeviceModel** What is the device model.
+- **BiosName** The name of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **ClientVersion** The version number of the software distribution client.
+- **WUDeviceID** UniqueDeviceID
+- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Windows Store.
+- **EventType** Possible values are "Child", "Bundle", or "Driver".
+- **UpdateId** Unique Update ID
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **RevisionNumber** Unique revision number of Update
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
+- **BundleRevisionNumber** Identifies the revision number of the content bundle
+- **FlightId** The specific id of the flight the device is getting
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+
+
+### SoftwareUpdateClientTelemetry.Download
+
+This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **DeviceModel** What is the device model.
+- **BiosName** The name of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **ClientVersion** The version number of the software distribution client.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
+- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
+- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
+- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
+- **HostName** The hostname URL the content is downloading from.
+- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
+- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
+- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
+- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
+- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle).
+- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
+- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **UpdateId** An identifier associated with the specific piece of content.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
+- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
+- **FlightId** The specific id of the flight (pre-release build) the device is getting.
+- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
+- **UsedDO** Whether the download used the delivery optimization service.
+- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
+- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
+- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
+- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle.
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download.
+- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
+- **PackageFullName** The package name of the content.
+- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads.
+- **WUSetting** Indicates the users' current updating settings.
+- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
+- **PlatformRole** The PowerPlatformRole as defined on MSDN
+- **IsAOACDevice** Is it Always On, Always Connected?
+- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
+- **Edition** Indicates the edition of Windows being used.
+- **DeviceOEM** What OEM does this device belong to.
+- **ClientManagedByWSUSServer** Indicates whether the client is managed by Windows Server Update Services (WSUS).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
+
+
+### SoftwareUpdateClientTelemetry.Install
+
+This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **DeviceModel** What is the device model.
+- **BiosName** The name of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **ClientVersion** The version number of the software distribution client.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FlightRing** The ring that a device is on if participating in the Windows Insider Program.
+- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **IsWUfBEnabled** Is Windows Update for Business enabled on the device?
+- **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **CurrentMobileOperator** Mobile operator that device is currently connected to.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **IsFirmware** Is this update a firmware update?
+- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
+- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **ExtendedErrorCode** The extended error code.
+- **CSIErrorType** The stage of CBS installation where it failed.
+- **MsiAction** The stage of MSI installation where it failed.
+- **MsiProductCode** The unique identifier of the MSI installer.
+- **TransactionCode** The ID which represents a given MSI installation
+- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
+- **UpdateId** Unique update ID
+- **RevisionNumber** The revision number of this specific piece of content.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **HandlerType** Indicates what kind of content is being installed. Example: app, driver, Windows update
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
+- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
+- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
+- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
+- **PackageFullName** The package name of the content being installed.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle?
+- **CbsDownloadMethod** Was the download a full download or a partial download?
+- **ClientManagedByWSUSServer** Is the client managed by Windows Server Update Services (WSUS)?
+- **DeviceOEM** What OEM does this device belong to.
+- **DownloadPriority** The priority of the download activity.
+- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
+- **Edition** Indicates the edition of Windows being used.
+- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
+- **IsAOACDevice** Is it Always On, Always Connected? (Mobile device usage model)
+- **PlatformRole** The PowerPlatformRole as defined on MSDN.
+- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
+- **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
+- **WUSetting** Indicates the user's current updating settings.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **QualityUpdatePause** Are quality OS updates paused on the device?
+- **FeatureUpdatePause** Are feature OS updates paused on the device?
+- **MergedUpdate** Was the OS update and a BSP update merged for installation?
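Review bot: in the SoftwareUpdateClientTelemetry.Install field list, ExtendedStatusCode ("Secondary error code for certain scenarios where StatusCode wasn't specific enough") and ExtendedErrorCode ("The extended error code.") cannot be told apart from their descriptions. Please say which component sets ExtendedErrorCode and how it differs from ExtendedStatusCode. Also in this list, RepeatSuccessInstallFlag reads "had previously installed successful" and should be "successfully". The descriptions switch between statements ("Indicates whether ...") and questions ("Is this update a firmware update?"); pick one form for the whole list.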
+
+
+### SoftwareUpdateClientTelemetry.SLSDiscovery
+
+This event sends data about the ability of Windows to discover the location of a backend server with which it must connect to perform updates or content acquisition, in order to determine disruptions in availability of update services and provide context for Windows Update errors.
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **SusClientId** The unique device ID controlled by the software distribution client
+- **WUAVersion** The version number of the software distribution client
+- **ServiceID** An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
+- **UrlPath** Path to the SLS cab that was downloaded
+- **HResult** Indicates the result code of the event (success, cancellation, failure code HResult)
+- **IsBackground** Indicates whether the SLS discovery event took place in the foreground or background
+- **NextExpirationTime** Indicates when the SLS cab expires
+
+
+### SoftwareUpdateClientTelemetry.UpdateDetected
+
+This event sends data about an AppX app that has been updated from the Windows Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
+
+The following fields are available:
+
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
+- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **WUDeviceID** The unique device ID controlled by the software distribution client
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **EventInstanceID** A globally unique identifier for event instance
+- **DeviceModel** The device's model as defined in system bios
+- **BiosName** The name of the device's system bios
+- **BIOSVendor** The vendor of the device's system bios
+- **BiosVersion** The version of the device's system bios
+- **BiosReleaseDate** The release date of the device's system bios
+- **SystemBIOSMajorRelease** The major release version of the device's system system
+- **SystemBIOSMinorRelease** The minor release version of the device's system system
+- **BiosFamily** The device's family as defined in system bios
+- **BiosSKUNumber** The device's SKU as defined in system bios
+- **ClientVersion** The version number of the software distribution client
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided
+- **ServiceGuid** An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
+- **StatusCode** Indicates the result code of the event (success, cancellation, failure code HResult)
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion
+- **SyncType** Describes the type of scan the event was
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
+- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
+- **ScanDurationInSeconds** The number of seconds a scan took
+- **ScanEnqueueTime** The number of seconds it took to initialize a scan
+- **NumberOfLoop** The number of round trips the scan required
+- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
+- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
+- **ServiceUrl** The environment URL a device is configured to scan with
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
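Review bot: SystemBIOSMajorRelease and SystemBIOSMinorRelease in the UpdateDetected list both end in "the device's system system", which looks like a slip for "system bios" as used by the BIOS fields around them. IPVersion is described as "whether the download took place over IPv4 or IPv6", but every other field here (SyncType, ScanDurationInSeconds, NumberOfLoop) describes a scan, so please confirm what it records for this event. The event summary speaks of an app "that has been updated" while the fields describe updates detected as applicable; the two should agree.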
+
+
+### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
+
+This event identifies whether updates have been tampered with and protects against man-in-the-middle attacks.
+
+The following fields are available:
+
+- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
+- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store
+- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
+- **StatusCode** The status code of the event.
+- **ExtendedStatusCode** The secondary status code of the event.
+- **RevisionId** The revision ID for a specific piece of content.
+- **UpdateId** The update ID for a specific piece of content.
+- **RevisionNumber** The revision number for a specific piece of content.
+- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
+- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed.
+- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
+- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
+- **SignatureAlgorithm** The hash algorithm for the metadata signature.
+- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
+- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
+- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
+- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable.
+- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
+- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
+- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
+- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
+- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
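Review bot: SHA256OfLeafCertPublicKey is described as a hash of "the Base64CertData in the FragmentSigning data of the leaf certificate", which is almost word for word the description of SHA256OfLeafCerData a few lines below (there spelled "Base64CerData"). One of the two looks copied; if the first field hashes the leaf certificate's public key, as its name suggests, the description should say so, and the Base64CertData/Base64CerData spelling should be made consistent. Three more descriptions in this list do not match their field names: TimestampTokenId is given as "The time this was created", TimestampTokenCertThumbprint as the thumbprint "of the encoded timestamp token" rather than of a certificate, and SignatureAlgorithm as "The hash algorithm". Since the event is documented as identifying tampered update metadata, anyone reading these fields after a failed integrity check needs to know exactly what each value is computed over.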
+
+
+## Update events
+
+### Update360Telemetry.UpdateAgent_DownloadRequest
+
+This event sends data during the download request phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current download request phase.
+- **PackageCountTotal** Total number of packages needed.
+- **PackageCountRequired** Number of required packages requested.
+- **PackageCountOptional** Number of optional packages requested.
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Result of the download request phase of update.
+- **PackageSizeCanonical** Size of canonical packages in bytes
+- **PackageSizeDiff** Size of diff packages in bytes
+- **PackageSizeExpress** Size of express packages in bytes
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **RangeRequestState** Represents the state of the download range request.
+- **DeletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
+
+
+### Update360Telemetry.UpdateAgent_Initialize
+
+This event sends data during the initialize phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current initialize phase.
+- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **UpdateId** Unique ID for each update.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt .
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+
+
+### Update360Telemetry.UpdateAgent_Install
+
+This event sends data during the install phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** Correlation vector value generated from the latest scan.
+- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_ModeStart
+
+This event sends data for the start of each mode during the process of updating Windows.
+
+The following fields are available:
+
+- **Mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** The correlation vector value generated from the latest scan.
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_SetupBoxLaunch
+
+This event sends data during the launching of the setup box when updating Windows.
+
+The following fields are available:
+
+- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** Correlation vector value generated from the latest scan.
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize
+- **SandboxSize** The size of the sandbox folder on the device.
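Review bot: Result in Update360Telemetry.UpdateAgent_DownloadRequest has no value list, while the same field in UpdateAgent_Initialize and UpdateAgent_Install enumerates 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled; add the enumeration there if it applies. RelatedCV is "generated from the latest USO scan" in DownloadRequest and Initialize but "from the latest scan" in Install, ModeStart and SetupBoxLaunch; use one wording if they mean the same scan. Smaller fixes: a comma is missing in "0 = Succeeded 1 = Failed" (Install) and "0 = false 1 = true" (SetupBoxLaunch Quiet), there is a stray space before the period in the Initialize SessionId line, and ModeStart's "Indicates that the Update Agent mode that has started" should read "Indicates the Update Agent mode that has started".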
+
+
+## Upgrade events
+
+### Setup360Telemetry.Downlevel
+
+This event sends data indicating that the device has invoked the downlevel phase of the upgrade. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
+- **TestId** A string that uniquely identifies a group of events.
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
+- **HostOSBuildNumber** The build number of the downlevel OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. It's an HRESULT error code that can be used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+
+
+### Setup360Telemetry.Finalize
+
+This event sends data indicating that the device has invoked the finalize phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.OsUninstall
+
+The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.OSUninstall indicates the outcome of an OS uninstall.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **WuId** Windows Update client ID.
+- **TestId** A string to uniquely identify a group of events.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.PostRebootInstall
+
+This event sends data indicating that the device has invoked the postrebootinstall phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.PreDownloadQuiet
+
+This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.PreDownloadUX
+
+The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PredownloadUX indicates the outcome of the PredownloadUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **WuId** Windows Update client ID.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
+- **HostOSBuildNumber** The build number of the previous operating system.
+- **Setup360Scenario** The Setup360 flow type. Examplle: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+
+
+### Setup360Telemetry.PreInstallQuiet
+
+This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT)
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback etc.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.PreInstallUX
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PreinstallUX indicates the outcome of the PreinstallUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **WuId** Windows Update client ID.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.Setup360
+
+This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **InstanceId** Retrieves a unique identifier for each instance of a setup session.
+- **ReportId** Retrieves the report ID.
+- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
+- **ScenarioId** Retrieves the deployment scenario.
+- **FieldName** Retrieves the data point.
+- **Value** Retrieves the value associated with the corresponding FieldName.
+- **ClientId** Retrieves the upgrade ID: Upgrades via Windows Update - specifies the WU clientID. All other deployment - static string.
+
+
+### Setup360Telemetry.UnexpectedEvent
+
+This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+
+The following fields are available:
+
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
+- **BugCheckParameter1** Uint64 parameter providing additional information.
+- **BootId** Uint32 identifying the boot number for this device.
+- **BugCheckParameter2** Uint64 parameter providing additional information.
+- **BugCheckParameter4** Uint64 parameter providing additional information.
+- **BugCheckParameter3** Uint64 parameter providing additional information.
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **DumpFileSize** Size of the dump file
+- **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+
+
+## Windows Store events
+
+### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
+
+This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure.
+
+The following fields are available:
+
+- **PFN** The product family name of the product being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsUpdate** Flag indicating if this is an update.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **CategoryId** The Item Category ID.
+- **ProductId** The identity of the package or packages being installed.
+- **IsInteractive** Was this requested by a user?
+- **IsRemediation** Was this a remediation install?
+- **BundleId** The Item Bundle ID.
+- **IsMandatory** Was this a mandatory update?
+- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled.
+- **UserAttemptNumber** The total number of user attempts at installation before it was canceled.
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds
+
+This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure.
+
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare
+
+This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure.
+
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation
+
+This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **IsInteractive** Was this requested by a user?
+- **AttemptNumber** Total number of installation attempts.
+- **BundleId** The identity of the Windows Insider build that is associated with this product.
+- **PreviousHResult** The previous HResult code.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **CategoryId** The identity of the package or packages being installed.
+- **PFN** The name of all packages to be downloaded and installed.
+- **ProductId** The name of the package or packages requested for installation.
+- **IsUpdate** Is this a product update?
+- **IsRemediation** Is this repairing a previous installation?
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **PreviousInstallState** Previous installation state before it was canceled.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled.
+- **UserAttemptNumber** Total number of user attempts to install before it was canceled.
+- **IsRestore** Is this an automatic restore of a previously acquired product?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
+
+This event is sent after the app installations or updates. It's used to help keep Windows up-to-date and secure
+
+The following fields are available:
+
+- **IsBundle** Is this a bundle?
+- **ProductId** The Store Product ID of the product being installed.
+- **SkuId** Specific edition of the item being installed.
+- **CatalogId** The Store Product ID of the app being installed.
+- **PackageFamilyName** The name of the package being installed.
+- **HResult** HResult code of the action being performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
+
+This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **PFN** Product Family Name of the product being installed.
+- **HResult** HResult code to show the result of the operation (success/failure).
+- **ProductId** The Store Product ID for the product being installed.
+- **IsInteractive** Did the user initiate the installation?
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsRemediation** Is this repairing a previous installation?
+- **UpdateId** The update ID (if this is an update)
+- **AttemptNumber** The total number of attempts to acquire this product.
+- **IsUpdate** Is this an update?
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
+- **UserAttemptNumber** The number of attempts by the user to acquire this product
+- **IsRestore** Is this happening after a device restore?
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **ParentBundledId** The product's parent bundle ID.
+- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndDownload
+
+This event happens during the app update or installation when content is being downloaded at the end of the process to report success or failure. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **PFN** The Product Family Name of the app being download.
+- **IsRemediation** Is this repairing a previous installation?
+- **DownloadSize** The total size of the download.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **CategoryId** The identity of the package or packages being installed.
+- **IsUpdate** Is this an update?
+- **HResult** The result code of the last action performed.
+- **IsInteractive** Is this initiated by the user?
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The identity of the Windows Insider build associated with this product.
+- **ProductId** The Store Product ID for the product being installed.
+- **IsMandatory** Is this a mandatory installation?
+- **SystemAttemptNumber** The number of attempts by the system to download.
+- **UserAttemptNumber** The number of attempts by the user to download.
+- **IsRestore** Is this a restore of a previously acquired product?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID.
+- **ExtendedHResult** Any extended HResult error codes.
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
+
+This event happens when an app update requires an updated Framework package and the process starts to download it. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds
+
+This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
+
+This event is sent after a product has been installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **BundleId** The identity of the build associated with this product.
+- **PFN** Product Family Name of the product being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **CategoryId** The identity of the package or packages being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **HResult** The result code of the last action performed.
+- **IsRemediation** Is this repairing a previous installation?
+- **IsInteractive** Is this an interactive installation?
+- **IsUpdate** Is this an update?
+- **IsMandatory** Is this a mandatory installation?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **ExtendedHResult** The extended HResult error code.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
+
+This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed.
+- **IsApplicability** Is this request to only check if there are any applicable packages to install?
+- **IsInteractive** Is this user requested?
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsOnline** Is the request doing an online check?
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
+
+This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **IsRemediation** Is this repairing a previous installation?
+- **IsUpdate** Is this an update?
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **ProductId** The Store Product ID for the product being installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **IsInteractive** Is this user requested?
+- **PFN** The name of the package or packages requested for install.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **IsRestore** Is this restoring previously acquired content?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
+
+This event is sent between download and installation to see if there is app data that needs to be restored from the cloud. It's used to keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **IsInteractive** Is this user requested?
+- **PFN** The name of the package or packages requested for install.
+- **IsUpdate** Is this an update?
+- **CategoryId** The identity of the package or packages being installed.
+- **HResult** The result code of the last action performed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **ProductId** The Store Product ID for the product being installed.
+- **BundleId** The identity of the build associated with this product.
+- **IsRemediation** Is this repairing a previous installation?
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of system attempts.
+- **IsRestore** Is this restoring previously acquired content?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
+
+This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+
+This event is sent at the end of an app install or update and is used to track the very end of the install or update process.
+
+The following fields are available:
+
+- **ProductId** The product ID of the app that is being updated or installed.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **FailedRetry** Was the installation or update retry successful?
+- **HResult** The HResult code of the operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+
+This event is sent at the beginning of an app install or update and is used to track the very beginning of the install or update process.
+
+The following fields are available:
+
+- **ProductId** The product ID of the app that is being updated or installed.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
+
+This event happens at the beginning of the install process when an app update or new app is installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
+- **BundleId** The identity of the build associated with this product.
+- **SkuId** Specific edition ID being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **VolumePath** The disk path of the installation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
+
+This event is sent when a product install or update is paused either by a user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **IsRemediation** Is this repairing a previous installation?
+- **PreviousHResult** The result code of the last action performed before this operation.
+- **ProductId** The Store Product ID for the product being installed.
+- **IsUpdate** Is this an update?
+- **PreviousInstallState** Previous state before the installation or update was paused.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **IsInteractive** Is this user requested?
+- **BundleId** The identity of the build associated with this product.
+- **PFN** The Product Full Name.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **IsRestore** Is this restoring previously acquired content?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
+
+This event happens when a product install or update is resumed either by a user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **RelatedCV** Correlation Vector for the original install before it was resumed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **PreviousHResult** The previous HResult error code.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **CategoryId** The identity of the package or packages being installed.
+- **PFN** The name of the package or packages requested for install.
+- **IsUpdate** Is this an update?
+- **PreviousInstallState** Previous state before the installation was paused.
+- **IsRemediation** Is this repairing a previous installation?
+- **IsInteractive** Is this user requested?
+- **ProductId** The Store Product ID for the product being installed.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **IsRestore** Is this restoring previously acquired content?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **IsUserRetry** Did the user initiate the retry?
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
+
+This event happens when a product install or update is resumed by a user and on installation retries. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ProductId** The Store Product ID for the product being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
+
+This event is sent when searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specfic edition of the app being updated.
+- **CatalogId** The Store Product ID for the product being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
+
+This event happens an app for a user needs to be updated. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **PFamN** The name of the product that is requested for update.
+
+
+## Windows Update Delivery Optimization events
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
+
+This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
+- **fileID** The ID of the file being downloaded.
+- **sessionID** The ID of the file download session.
+- **scenarioID** The ID of the scenario.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **updateID** The ID of the update being downloaded.
+- **background** Is the download being done in the background?
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **clientTelId** A random number used for device sampling.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
+- **errorCode** The error code that was returned.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **experimentId** When running a test, this is used to correlate events that are part of the same test.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **usedMemoryStream** Did the download use memory streaming?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
+
+This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **sessionID** The ID of the download session.
+- **scenarioID** The ID of the scenario.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **updateID** The ID of the update being downloaded.
+- **fileSize** The size of the file being downloaded.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **fileID** The ID of the file being downloaded.
+- **background** Is the download a background download?
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **totalTime** How long did the download take (in seconds)?
+- **restrictedUpload** Is the upload restricted?
+- **clientTelId** A random number used for device sampling.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
+- **downloadMode** The download mode used for this file download session.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **numPeers** The total number of peers used for this download.
+- **cdnConnectionCount** The total number of connections made to the CDN.
+- **lanConnectionCount** The total number of connections made to peers in the same LAN.
+- **groupConnectionCount** The total number of connections made to peers in the same group.
+- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
+- **cdnIp** The IP address of the source CDN.
+- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
+- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
+- **downlinkUsageBps** The download speed (in bytes per second).
+- **uplinkUsageBps** The upload speed (in bytes per second).
+- **totalTimeMs** Duration of the download (in seconds).
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **bytesRequested** The total number of bytes requested for download.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **usedMemoryStream** Did the download use memory streaming?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
+
+This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **updateID** The ID of the update being paused.
+- **errorCode** The error code that was returned.
+- **scenarioID** The ID of the scenario.
+- **background** Is the download a background download?
+- **sessionID** The ID of the download session.
+- **clientTelId** A random number used for device sampling.
+- **reasonCode** The reason for pausing the download.
+- **fileID** The ID of the file being paused.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **isVpn** Is the device connected to a Virtual Private Network?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
+
+This event describes the start of a new download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **errorCode** The error code that was returned.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **peerID** The ID for this Delivery Optimization client.
+- **doClientVersion** The version of the Delivery Optimization client.
+- **jobID** The ID of the Windows Update job.
+- **sessionID** The ID of the download session.
+- **updateID** The ID of the update being downloaded.
+- **scenarioID** The ID of the scenario.
+- **fileID** The ID of the file being downloaded.
+- **cdnUrl** The URL of the CDN.
+- **filePath** The path where the file will be written.
+- **groupID** ID for the group.
+- **background** Is the download a background download?
+- **downloadMode** The download mode used for this file download session.
+- **minFileSizePolicy** The minimum content file size policy to allow the download using Peering.
+- **diceRoll** The dice roll value used in sampling events.
+- **deviceProfile** Identifies the usage or form factor. Example: Desktop or Xbox
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **usedMemoryStream** Did the download use memory streaming?
+- **minDiskSizePolicyEnforced** Is the minimum disk size enforced via policy?
+- **minDiskSizeGB** The minimum disk size (in GB) required for Peering.
+- **clientTelId** A random number used for device sampling.
+- **costFlags** A set of flags representing network cost.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **errorCode** The error code that was returned.
+- **httpStatusCode** The HTTP status code returned by the CDN.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
+- **sessionID** The ID of the download session.
+- **cdnUrl** The URL of the CDN.
+- **cdnIp** The IP address of the CDN.
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **clientTelId** A random number used for device sampling.
+- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
+- **requestSize** The size of the range requested from the CDN.
+- **responseSize** The size of the range response received from the CDN.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.JobError
+
+This event represents a Windows Update job error. It allows for investigation of top errors.
+
+The following fields are available:
+
+- **jobID** The Windows Update job ID.
+- **fileID** The ID of the file being downloaded.
+- **errorCode** The error code returned.
+- **clientTelId** A random number used for device sampling.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+
+
+## Windows Update events
+
+### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationCompleted
+
+This event sends data collected at the end of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
+
+The following fields are available:
+
+- **MigrationEndtime** A system timestamp of when the DMF migration completed.
+- **UpdateIds** A collection of GUIDs for updates that are associated with the DMF session.
+- **WuClientid** The GUID of the Windows Update client responsible for triggering the DMF migration.
+- **MigrationDurationinmilliseconds** How long the DMF migration took (in milliseconds).
+- **RevisionNumbers** A collection of revision numbers for the updates associated with the DMF session.
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted
+
+This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
+
+The following fields are available:
+
+- **UpdateIds** A collection of GUIDs identifying the upgrades that are running.
+- **MigrationStarttime** The timestamp representing the beginning of the DMF migration.
+- **MigrationOEMphases** The number of OEM-authored migrators scheduled to be ran by DMF for this upgrade.
+- **WuClientid** The GUID of the Windows Update client invoking DMF.
+- **MigrationMicrosoftphases** The number of Microsoft-authored migrators scheduled to be ran by DMF for this upgrade.
+- **RevisionNumbers** A collection of the revision numbers associated with the UpdateIds.
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.MigratorResult
+
+This event sends DMF migrator data to help keep Windows up to date.
+
+The following fields are available:
+
+- **MigratorGuid** A GUID identifying the migrator that just completed.
+- **RunDurationInSeconds** The time it took for the migrator to complete.
+- **CurrentStep** This is the last step the migrator reported before returning a result. This tells us how far through the individual migrator the device was before failure.
+- **MigratorName** The name of the migrator that just completed.
+- **MigratorId** A GUID identifying the migrator that just completed.
+- **ErrorCode** The result (as an HRESULT) of the migrator that just completed.
+- **TotalSteps** Migrators report progress in number of completed steps against the total steps. This is the total number of steps.
+
+
+### Microsoft.Windows.Update.Orchestrator.CommitFailed
+
+This events tracks when a device needs to restart after an update but did not.
+
+The following fields are available:
+
+- **wuDeviceid** The Windows Update device GUID.
+- **errorCode** The error code that was returned.
+
+
+### Microsoft.Windows.Update.Orchestrator.Detection
+
+This event sends launch data for a Windows Update scan to help keep Windows up to date.
+
+The following fields are available:
+
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **revisionNumber** Update revision number.
+- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **deferReason** Reason why the device could not check for updates.
+- **detectionBlockreason** Reason for detection not completing.
+- **interactive** Identifies if session is User Initiated.
+- **updateId** Update ID.
+- **detectionDeferreason** A log of deferral reasons for every update state.
+- **flightID** A unique update ID.
+- **updateScenarioType** The update session type.
+- **errorCode** The returned error code.
+
+
+### Microsoft.Windows.Update.Orchestrator.Download
+
+This event sends launch data for a Windows Update download to help keep Windows up to date.
+
+The following fields are available:
+
+- **detectionDeferreason** Reason for download not completing
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **interactive** Identifies if session is user initiated.
+- **revisionNumber** Update revision number.
+- **deferReason** Reason for download not completing
+- **updateId** Update ID.
+- **eventScenario** End to end update session ID.
+- **errorCode** An error code represented as a hexadecimal value
+- **flightID** Unique update ID.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
+
+This event sends data on whether the update was applicable to the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **updateId** Unique Update ID
+- **revisionNumber** Revision Number of the Update
+- **UpdateStatus** Integer that describes Update state
+- **EventPublishedTime** time that the event was generated
+- **wuDeviceid** Unique Device ID
+- **flightID** Unique Update ID
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
+
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
+
+The following fields are available:
+
+- **revisionNumber** Revision number of the update.
+- **EventPublishedTime** Time of the event.
+- **updateId** Update ID.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **flightID** Unique update ID
+- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.Install
+
+This event sends launch data for a Windows Update install to help keep Windows up to date.
+
+The following fields are available:
+
+- **eventScenario** End to end update session ID.
+- **deferReason** Reason for install not completing.
+- **interactive** Identifies if session is user initiated.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
+- **errorCode** The error code reppresented by a hexadecimal value.
+- **updateId** Update ID.
+- **revisionNumber** Update revision number.
+- **flightID** Unique update ID
+- **installRebootinitiatetime** The time it took for a reboot to be attempted.
+- **flightUpdate** Flight update
+- **minutesToCommit** The time it took to install updates.
+- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.PostInstall
+
+This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows up to date.
+
+The following fields are available:
+
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **eventScenario** End to end update session ID.
+- **sessionType** Interactive vs. Background.
+- **bundleRevisionnumber** Bundle revision number.
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **bundleId** Update grouping ID.
+- **errorCode** Hex code for the error message, to allow lookup of the specific error.
+- **flightID** Unique update ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.RebootFailed
+
+This event sends information about whether an update required a reboot and reasons for failure to help keep Windows up to date.
+
+The following fields are available:
+
+- **updateId** Update ID.
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
+- **installRebootDeferreason** Reason for reboot not occurring.
+- **revisionNumber** Update revision number.
+- **EventPublishedTime** The time that the reboot failure occurred.
+- **deferReason** Reason for install not completing.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **flightID** Unique update ID.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
+
+This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
+
+The following fields are available:
+
+- **RebootTaskRestoredTime** Time at which this reboot task was restored.
+- **wuDeviceid** Device id on which the reboot is restored
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.SystemNeeded
+
+This event sends data about why a device is unable to reboot, to help keep Windows up to date.
+
+The following fields are available:
+
+- **eventScenario** End to end update session ID.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **systemNeededReason** Reason ID
+- **updateId** Update ID.
+- **revisionNumber** Update revision number.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
+
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **policyCacherefreshtime** Refresh time
+- **policiesNamevaluesource** Policy Name
+- **updateInstalluxsetting** This shows whether a user has set policies via UX option
+- **configuredPoliciescount** Policy Count
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired
+
+This event sends data about whether an update required a reboot to help keep Windows up to date.
+
+The following fields are available:
+
+- **updateId** Update ID.
+- **revisionNumber** Update revision number.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **flightID** Unique update ID.
+- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates
+
+This event sends data about the UpdateStackServicing check for updates, to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventScenario** The scenario of the event. Example: Started, Failed, or Succeeded
+- **StatusCode** The HRESULT code of the operation.
+- **CallerApplicationName** The name of the USS scheduled task. Example UssScheduled or UssBoot
+- **ClientVersion** The version of the client.
+- **EventInstanceID** The USS session ID.
+- **WUDeviceID** The Windows Update device ID.
+- **ServiceGuid** The GUID of the service.
+- **BspVersion** The version of the BSP.
+- **OemName** The name of the manufacturer.
+- **DeviceName** The name of the device.
+- **CommercializationOperator** The name of the operator.
+- **DetectionVersion** The string returned from the GetDetectionVersion export of the downloaded detection DLL.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
+
+This event is sent when a security update has successfully completed.
+
+The following fields are available:
+
+- **UtcTime** The Coordinated Universal Time that the restart was no longer needed.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
+
+This event sends data about a required reboot that is scheduled with no user interaction, to help keep Windows up to date.
+
+The following fields are available:
+
+- **updateId** Update ID of the update that is getting installed with this reboot.
+- **ScheduledRebootTime** Time of the scheduled reboot.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **revisionNumber** Revision number of the update that is getting installed with this reboot.
+- **forcedreboot** True, if a reboot is forced on the device. False, otherwise.
+- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
+- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
+- **activeHoursApplicable** True, If Active Hours applicable on this device. False, otherwise.
+- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise.
+- **rebootState** The state of the reboot.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot
+
+This event is sent when a toast notification is shown to the user about scheduling a device restart.
+
+The following fields are available:
+
+- **UtcTime** The Coordinated Universal Time when the toast notification was shown.
+
+
+### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
+
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ScheduledRebootTime** The time that the device was restarted.
+- **updateId** The Windows Update device GUID.
+- **revisionNumber** The revision number of the OS being updated.
+- **wuDeviceid** The Windows Update device GUID.
+- **forcedreboot** Is the restart that's being scheduled a forced restart?
+- **rebootArgument** The arguments that are passed to the OS for the restarted.
+- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device.
+- **activeHoursApplicable** Is the restart respecting Active Hours?
+- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours?
+- **rebootState** The state of the restart.
+
+
+## Winlogon events
+
+### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
+
+This event signals the completion of the setup process. It happens only once during the first logon.
+
+
+
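Review bot: In Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled, **updateId** is described as "The Windows Update device GUID.", the same text as **wuDeviceid** two lines below it, so one of the two looks like a copy-paste error. The MusNotification.RebootScheduled entry describes updateId as the ID of the update being installed with the reboot, and the same probably applies here. In the same entry, **ScheduledRebootTime** reads "The time that the device was restarted." although the event is about scheduling a restart, and **rebootArgument** ends with "for the restarted". Other duplicated descriptions in this hunk: **MigratorGuid** and **MigratorId** in MigratorResult share one description, and **detectionDeferreason** and **deferReason** in Orchestrator.Download both read "Reason for download not completing". Typos to fix before merge: "This events tracks" (CommitFailed), "reppresented" (Install, errorCode), and "scheduled to be ran" (DmfMigrationStarted, twice).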
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
new file mode 100644
index 0000000000..726fbd96c4
--- /dev/null
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -0,0 +1,32 @@
+---
+title: Change history for Configure Windows 10 (Windows 10)
+description: This topic lists changes to documentation for configuring Windows 10.
+keywords:
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Change history for Configure Windows 10
+
+This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+
+## April 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Added instructions for using WMI bridge to configure shared PC |
+
+
+## RELEASE: Windows 10, version 1703
+
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added:
+
+- [Use the Lockdown Designer app to create a Lockdown XML file](mobile-devices/mobile-lockdown-designer.md)
+- [Add image for secondary tiles](start-secondary-tiles.md)
+- [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)
+- [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
+- [Windows 10, version 1703 Diagnostic Data](windows-diagnostic-data.md)
\ No newline at end of file
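Review bot: The new file ends without a trailing newline (see the "\ No newline at end of file" marker after the last list item), and its front matter carries an empty "keywords:" key. Add the newline, and either fill in the key or drop it.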
diff --git a/windows/configure/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md
similarity index 100%
rename from windows/configure/changes-to-start-policies-in-windows-10.md
rename to windows/configuration/changes-to-start-policies-in-windows-10.md
diff --git a/windows/configure/configure-devices-without-mdm.md b/windows/configuration/configure-devices-without-mdm.md
similarity index 99%
rename from windows/configure/configure-devices-without-mdm.md
rename to windows/configuration/configure-devices-without-mdm.md
index 04ba35f499..1c9093477b 100644
--- a/windows/configure/configure-devices-without-mdm.md
+++ b/windows/configuration/configure-devices-without-mdm.md
@@ -1,7 +1,6 @@
---
title: Configure devices without MDM (Windows 10)
description: Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10.
-ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
keywords: runtime provisioning, provisioning package
ms.prod: w10
ms.mktglfcycl: manage
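Review bot: The only content change in this renamed file is the removal of the front-matter line "ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E", which the move from windows/configure to windows/configuration does not itself require. Say in the commit message why the ID is dropped, or keep it if any publishing or redirect tooling still depends on it.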
diff --git a/windows/configure/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
similarity index 100%
rename from windows/configure/configure-windows-10-taskbar.md
rename to windows/configuration/configure-windows-10-taskbar.md
diff --git a/windows/configure/configure-windows-telemetry-in-your-organization.md b/windows/configuration/configure-windows-telemetry-in-your-organization.md
similarity index 99%
rename from windows/configure/configure-windows-telemetry-in-your-organization.md
rename to windows/configuration/configure-windows-telemetry-in-your-organization.md
index d8710b1bb2..7edc786a66 100644
--- a/windows/configure/configure-windows-telemetry-in-your-organization.md
+++ b/windows/configuration/configure-windows-telemetry-in-your-organization.md
@@ -98,7 +98,7 @@ Windows telemetry also helps Microsoft better understand how customers use (or d
### Insights into your own organization
-Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md).
+Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
#### Upgrade Readiness
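Review bot: The rewritten line still ends in a sentence fragment: "The first of these, called [Upgrade Readiness](...)." has no verb, so complete the sentence while the line is being touched. The new target "/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness" is root-relative without a "/windows" prefix, while the WIP link changed in cortana-at-work-overview.md in this same patch uses "/windows/threat-protection/..."; confirm which base is correct and use one form in both places.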
diff --git a/windows/configure/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
similarity index 96%
rename from windows/configure/cortana-at-work-crm.md
rename to windows/configuration/cortana-at-work/cortana-at-work-crm.md
index 4bfca8e08c..a1011e2397 100644
--- a/windows/configure/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -19,7 +19,7 @@ Cortana integration is a Preview feature that's available for your test or dev e
>[!NOTE]
>For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](http://go.microsoft.com/fwlink/p/?LinkId=746819).
-
+
## Turn on Cortana with Dynamics CRM in your organization
You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](http://go.microsoft.com/fwlink/p/?LinkId=746817)?
@@ -43,7 +43,7 @@ You must tell your employees to turn on Cortana, before they’ll be able to use
2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**.
- 
+ 
The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen.
diff --git a/windows/configure/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
similarity index 72%
rename from windows/configure/cortana-at-work-feedback.md
rename to windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index 38e531cdca..fc46c6b7ee 100644
--- a/windows/configure/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -16,7 +16,7 @@ localizationpriority: high
We ask that you report bugs and issues. To provide feedback, you can click the **Feedback** icon in the Cortana window. When you send this form to Microsoft it also includes troubleshooting info, in case you run into problems.
-
+
-If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Preview feedback app. For info about the Insider Preview feedback app, see [How to use Windows Insider Preview – Updates and feedback](http://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc).
+If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Program feedback app. For info about the feedback app, see [How to use Windows Insider Preview – Updates and feedback](http://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc).
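Review bot: The changed sentence now names the "Windows Insider Program feedback app", but the link text on the same line still reads "How to use Windows Insider Preview – Updates and feedback". Confirm the link text matches the current title of the target page so the two names do not conflict. The link is also plain "http://"; switch it to "https://" if the target supports it.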
diff --git a/windows/configure/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
similarity index 97%
rename from windows/configure/cortana-at-work-o365.md
rename to windows/configuration/cortana-at-work/cortana-at-work-o365.md
index be3a27e0f3..b9b9f1f63c 100644
--- a/windows/configure/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -18,7 +18,7 @@ Cortana in Windows 10 is already great at letting your employees quickly see wha
But Cortana works even harder when she connects to Office 365, helping employees to be notified about unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isn’t late.
-
+
We’re continuing to add more and more capabilities to Cortana so she can become even more helpful with your productivity-related tasks, such as emailing, scheduling, and other tasks that are important to help you be successful.
@@ -45,7 +45,7 @@ You must tell your employees to turn on Cortana before they’ll be able to use
2. Click on **Connected Services**, click **Office 365**, and then click **Connect**.
- 
+ 
The employee can also disconnect by clicking **Disconnect** from the **Office 365** screen.
diff --git a/windows/configure/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
similarity index 92%
rename from windows/configure/cortana-at-work-overview.md
rename to windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 9202776ada..c6a9a191ca 100644
--- a/windows/configure/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -20,7 +20,7 @@ Cortana has powerful configuration options, specifically optimized for your busi
Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
-
+
## Where is Cortana available for use in my organization?
You can use Cortana at work in all countries/regions where Cortana is supported for consumers. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, she will also become available to enterprise customers.
@@ -42,7 +42,7 @@ Cortana requires the following hardware and software to successfully run the inc
|Client operating system |
**Desktop:** Windows 10, version 1703
**Mobile:** Windows 10 Mobile, version 1703 (with limited functionality)
|
|Azure Active Directory (Azure AD) |While all employees signing into Cortana need an Azure AD account; an Azure AD premium tenant isn’t required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana, but won't turn Cortana off.
For example:
If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work.
If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. |
-|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md)
If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft System Center Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.|
+|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip)
If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft System Center Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.|
## Signing in using Azure AD
Your organization must have an Azure AD tenant and your employees’ devices must all be Azure AD-joined for Cortana to work properly. For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [What is an Azure AD directory?](https://msdn.microsoft.com/library/azure/jj573650.aspx)
diff --git a/windows/configure/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
similarity index 93%
rename from windows/configure/cortana-at-work-policy-settings.md
rename to windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index fabe225293..06a4b3cf08 100644
--- a/windows/configure/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -11,23 +11,23 @@ localizationpriority: high
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
**Applies to:**
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+- Windows 10
+- Windows 10 Mobile
>[!NOTE]
>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381).
|Group policy |MDM policy |Description |
|-------------|-----------|------------|
-|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
**NOTE** This setting only applies to Windows 10 for desktop devices. |
+|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
**Note** This setting only applies to Windows 10 for desktop devices. |
|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.
**In Windows 10, version 1511** Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later** Cortana still works if this setting is turned off (disabled).|
|None|System/AllowLocation|Specifies whether to allow app access to the Location service.
**In Windows 10, version 1511** Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later** Cortana still works if this setting is turned off (disabled).|
|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
Use this setting if you only want to support Azure AD in your organization.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.
**NOTE** This setting only applies to Windows 10 Mobile.|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.
**Note** This setting only applies to Windows 10 Mobile.|
|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.
**In Windows 10 Pro edition** This setting can’t be managed.
**In Windows 10 Enterprise edition** Cortana won't work if this setting is turned off (disabled).|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.
**IMPORTANT** Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.
**Important** Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|
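Review bot: the re-added Allow Cortana row keeps the typographic apostrophe in "won’t", while the unchanged Enterprise-edition line two rows above it uses a straight one ("won't"). These rows are already being rewritten for the **NOTE**/**IMPORTANT** label casing, so normalize the apostrophes in the same pass to keep the table consistent.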
diff --git a/windows/configure/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
similarity index 86%
rename from windows/configure/cortana-at-work-powerbi.md
rename to windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index a4245062b7..26579a4c9c 100644
--- a/windows/configure/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -44,35 +44,35 @@ Before you can start this testing scenario, you must first set up your test envi
2. Expand the left rail by clicking the **Show the navigation pane** icon.
- 
+ 
3. Click **Get Data** from the left-hand navigation in Power BI.
- 
+ 
4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen.
- 
+ 
5. Click **Retail Analysis Sample**, and then click **Connect**.
- 
+ 
The sample data is imported and you’re returned to the **Power BI** screen.
6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**.
- 
+ 
7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**.
- 
+ 
8. Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list.
9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**.
- 
+ 
>[!NOTE]
>It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.
If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana.
@@ -82,13 +82,13 @@ You must create special reports, known as _Answer Pages_, to display the most co
After you’ve finished creating your Answer Page, you can continue to the included testing scenarios.
- >[!NOTE]
- >It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.
+>[!NOTE]
+>It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.
**To create a custom sales data Answer Page for Cortana**
1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**.
- 
+ 
2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**.
@@ -96,11 +96,11 @@ After you’ve finished creating your Answer Page, you can continue to the inclu
3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list.
- 
+ 
4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**.
- 
+ 
The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders.
@@ -108,7 +108,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu
The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns.
- 
+ 
6. Click **File**, click **Save as**, and save the report as _Sales data 2016_.
@@ -124,13 +124,13 @@ Now that you’ve set up your device, you can use Cortana to show your info from
Cortana shows you the available results.
- 
+ 
3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**.
Cortana returns your custom report.
- 
+ 
>[!NOTE]
>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
diff --git a/windows/configure/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
similarity index 92%
rename from windows/configure/cortana-at-work-scenario-1.md
rename to windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 869f6285f7..54b801cabc 100644
--- a/windows/configure/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -49,8 +49,8 @@ This process helps you to manage the content Cortana shows in your Notebook.
3. Add *Redmond, Washington*, double-click the search result, click **Add**, and then click **Save**.
- 
+ 
4. Click on the **Home** icon and scroll to the weather forecast for Redmond, Washington.
- 
\ No newline at end of file
+ 
\ No newline at end of file
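Review bot: the final line of the file is rewritten in this hunk, yet both the removed and the added side still carry "\ No newline at end of file". Add the trailing newline while the line is being touched anyway. The same marker appears at the end of the scenario-2, scenario-3 and scenario-5 files later in this patch.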
diff --git a/windows/configure/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
similarity index 94%
rename from windows/configure/cortana-at-work-scenario-2.md
rename to windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index 0ae41c64a4..af1b1610ae 100644
--- a/windows/configure/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -27,7 +27,7 @@ This process helps you use Cortana at work to perform a quick search.
You should see the weather in New York, New York at the top of the search results.
- 
+ 
## Search with Cortana, by using voice commands
This process helps you to use Cortana at work and voice commands to perform a quick search.
@@ -36,4 +36,4 @@ This process helps you to use Cortana at work and voice commands to perform a qu
2. Say *What's the weather in Chicago?* Cortana tells you and shows you the current weather in Chicago.
- 
\ No newline at end of file
+ 
\ No newline at end of file
diff --git a/windows/configure/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
similarity index 85%
rename from windows/configure/cortana-at-work-scenario-3.md
rename to windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index 2200f6b5f9..540ea0bb4b 100644
--- a/windows/configure/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -28,11 +28,11 @@ This process helps you to create a reminder based on a specific location.
2. Click the **+** sign, add a subject for your reminder, such as _Remember to file expense report receipts_, and then click **Place**.
- 
+ 
3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
- 
+ 
4. Click **Done**.
@@ -47,13 +47,13 @@ This process helps you to create a reminder based on a specific location.
The photo is stored with the reminder.
- 
+ 
8. Review the reminder info, and then click **Remind**.
The reminder is saved and ready to be triggered.
- 
+ 
## Create a reminder for a specific location by using voice commands
This process helps you to use Cortana at work and voice commands to create a reminder for a specific location.
@@ -64,21 +64,21 @@ This process helps you to use Cortana at work and voice commands to create a rem
Cortana opens a new reminder task and asks if it sounds good.
- 
+ 
3. Say _Yes_ so Cortana can save the reminder.
- 
+ 
## Edit or archive an existing reminder
This process helps you to edit or archive and existing or completed reminder.
1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
- 
+ 
2. Click the pending reminder you want to edit.
- 
+ 
3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click **Save** to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.
\ No newline at end of file
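Review bot: the context line under "## Edit or archive an existing reminder" still reads "edit or archive and existing or completed reminder", where "and" should be "an". The hunk already edits the lines directly around it, so fix the typo in the same change.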
diff --git a/windows/configure/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
similarity index 90%
rename from windows/configure/cortana-at-work-scenario-4.md
rename to windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index 736de5db9f..cf313aa77c 100644
--- a/windows/configure/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -32,7 +32,7 @@ This process helps you find your upcoming meetings.
You’ll see all your meetings scheduled for the next day.
- 
+ 
## Find out about upcoming meetings by using voice commands
This process helps you to use Cortana at work and voice commands to find your upcoming meetings.
@@ -44,6 +44,6 @@ This process helps you to use Cortana at work and voice commands to find your up
>[!IMPORTANT]
>Make sure that you have a meeting scheduled for the time you specify here.
- 
+ 
diff --git a/windows/configure/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
similarity index 89%
rename from windows/configure/cortana-at-work-scenario-5.md
rename to windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index a662de7d04..5df8bb1b2e 100644
--- a/windows/configure/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -31,7 +31,7 @@ This process helps you to send a quick message to a co-worker from the work addr
4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**.
- 
+ 
## Send an email to a co-worker by using voice commands
This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book.
@@ -46,10 +46,10 @@ This process helps you to use Cortana at work and voice commands to send a quick
The message is added and you’re asked if you want to **Send it**, **Add more**, or **Make changes**.
- 
+ 
4. Say _Send it_.
The email is sent.
- 
\ No newline at end of file
+ 
\ No newline at end of file
diff --git a/windows/configure/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
similarity index 91%
rename from windows/configure/cortana-at-work-scenario-6.md
rename to windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index 8c7e307ed1..f369b838fb 100644
--- a/windows/configure/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -29,11 +29,11 @@ Cortana automatically finds patterns in your email, suggesting reminders based t
3. Make sure the **Contacts, email, calendar, and communication history** option is turned on.
- 
+ 
4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**.
- 
+ 
5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, _I’ll finish this project by end of day today_.
@@ -41,5 +41,5 @@ Cortana automatically finds patterns in your email, suggesting reminders based t
If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed.
- 
+ 
diff --git a/windows/configure/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
similarity index 93%
rename from windows/configure/cortana-at-work-scenario-7.md
rename to windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index 4c2451c969..7fff5ef044 100644
--- a/windows/configure/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -20,7 +20,7 @@ This optional scenario helps you to protect your organization’s data on a devi
## Use Cortana and WIP to protect your organization’s data
-1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md).
+1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip).
2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_.
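Review bot: step 1 is rewritten to update the link, but the grammar slip "an WIP policy" is carried over unchanged on the added line and should read "a WIP policy". The new link also switches to a site-absolute path without the `.md` extension (`/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip`), whereas the other links updated in this patch stay relative and keep `.md` (for example `mobile-devices/mobile-lockdown-designer.md`). If the absolute form is intentional for cross-docset links, say so in the commit message so it is not "corrected" later.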
diff --git a/windows/configure/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
similarity index 100%
rename from windows/configure/cortana-at-work-testing-scenarios.md
rename to windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
diff --git a/windows/configure/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
similarity index 86%
rename from windows/configure/cortana-at-work-voice-commands.md
rename to windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index e15752085d..8d7ff55a35 100644
--- a/windows/configure/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -28,13 +28,13 @@ To enable voice commands in Cortana
Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background.
- - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana).
+ - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana).
- - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana).
+ - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana).
2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
-## Test Scenario: Use voice commands in a Windows Store app
+## Test scenario: Use voice commands in a Windows Store app
While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization.
**To get a Windows Store app**
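Review bot: in the two bullets under step 1, the new link text drops "Create and install a VCD file", yet step 2 still begins "Install the VCD file on employees' devices". After this change nothing in step 1 tells the reader that a VCD file has to be created or where that is described. Keep the phrase in the bullet lead-in, or add a short clause before each link, so that step 2 has an antecedent.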
@@ -49,7 +49,7 @@ While these aren't line-of-business apps, we've worked to make sure to implement
2. Click on **Connected Services**, click **Uber**, and then click **Connect**.
- 
+ 
**To use the voice-enabled commands with Cortana**
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
diff --git a/windows/configure/images/cortana-about-me.png b/windows/configuration/cortana-at-work/images/cortana-about-me.png
similarity index 100%
rename from windows/configure/images/cortana-about-me.png
rename to windows/configuration/cortana-at-work/images/cortana-about-me.png
diff --git a/windows/configure/images/cortana-add-reminder.png b/windows/configuration/cortana-at-work/images/cortana-add-reminder.png
similarity index 100%
rename from windows/configure/images/cortana-add-reminder.png
rename to windows/configuration/cortana-at-work/images/cortana-add-reminder.png
diff --git a/windows/configure/images/cortana-chicago-weather.png b/windows/configuration/cortana-at-work/images/cortana-chicago-weather.png
similarity index 100%
rename from windows/configure/images/cortana-chicago-weather.png
rename to windows/configuration/cortana-at-work/images/cortana-chicago-weather.png
diff --git a/windows/configure/images/cortana-communication-history-permissions.png b/windows/configuration/cortana-at-work/images/cortana-communication-history-permissions.png
similarity index 100%
rename from windows/configure/images/cortana-communication-history-permissions.png
rename to windows/configuration/cortana-at-work/images/cortana-communication-history-permissions.png
diff --git a/windows/configure/images/cortana-complete-send-email-coworker-mic.png b/windows/configuration/cortana-at-work/images/cortana-complete-send-email-coworker-mic.png
similarity index 100%
rename from windows/configure/images/cortana-complete-send-email-coworker-mic.png
rename to windows/configuration/cortana-at-work/images/cortana-complete-send-email-coworker-mic.png
diff --git a/windows/configure/images/cortana-connect-crm.png b/windows/configuration/cortana-at-work/images/cortana-connect-crm.png
similarity index 100%
rename from windows/configure/images/cortana-connect-crm.png
rename to windows/configuration/cortana-at-work/images/cortana-connect-crm.png
diff --git a/windows/configure/images/cortana-connect-o365.png b/windows/configuration/cortana-at-work/images/cortana-connect-o365.png
similarity index 100%
rename from windows/configure/images/cortana-connect-o365.png
rename to windows/configuration/cortana-at-work/images/cortana-connect-o365.png
diff --git a/windows/configure/images/cortana-connect-uber.png b/windows/configuration/cortana-at-work/images/cortana-connect-uber.png
similarity index 100%
rename from windows/configure/images/cortana-connect-uber.png
rename to windows/configuration/cortana-at-work/images/cortana-connect-uber.png
diff --git a/windows/configure/images/cortana-crm-screen.png b/windows/configuration/cortana-at-work/images/cortana-crm-screen.png
similarity index 100%
rename from windows/configure/images/cortana-crm-screen.png
rename to windows/configuration/cortana-at-work/images/cortana-crm-screen.png
diff --git a/windows/configure/images/cortana-feedback.png b/windows/configuration/cortana-at-work/images/cortana-feedback.png
similarity index 100%
rename from windows/configure/images/cortana-feedback.png
rename to windows/configuration/cortana-at-work/images/cortana-feedback.png
diff --git a/windows/configure/images/cortana-final-reminder.png b/windows/configuration/cortana-at-work/images/cortana-final-reminder.png
similarity index 100%
rename from windows/configure/images/cortana-final-reminder.png
rename to windows/configuration/cortana-at-work/images/cortana-final-reminder.png
diff --git a/windows/configure/images/cortana-meeting-specific-time.png b/windows/configuration/cortana-at-work/images/cortana-meeting-specific-time.png
similarity index 100%
rename from windows/configure/images/cortana-meeting-specific-time.png
rename to windows/configuration/cortana-at-work/images/cortana-meeting-specific-time.png
diff --git a/windows/configure/images/cortana-meeting-tomorrow.png b/windows/configuration/cortana-at-work/images/cortana-meeting-tomorrow.png
similarity index 100%
rename from windows/configure/images/cortana-meeting-tomorrow.png
rename to windows/configuration/cortana-at-work/images/cortana-meeting-tomorrow.png
diff --git a/windows/configure/images/cortana-newyork-weather.png b/windows/configuration/cortana-at-work/images/cortana-newyork-weather.png
similarity index 100%
rename from windows/configure/images/cortana-newyork-weather.png
rename to windows/configuration/cortana-at-work/images/cortana-newyork-weather.png
diff --git a/windows/configure/images/cortana-o365-screen.png b/windows/configuration/cortana-at-work/images/cortana-o365-screen.png
similarity index 100%
rename from windows/configure/images/cortana-o365-screen.png
rename to windows/configuration/cortana-at-work/images/cortana-o365-screen.png
diff --git a/windows/configure/images/cortana-place-reminder.png b/windows/configuration/cortana-at-work/images/cortana-place-reminder.png
similarity index 100%
rename from windows/configure/images/cortana-place-reminder.png
rename to windows/configuration/cortana-at-work/images/cortana-place-reminder.png
diff --git a/windows/configure/images/cortana-powerbi-create-report.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-create-report.png
similarity index 100%
rename from windows/configure/images/cortana-powerbi-create-report.png
rename to windows/configuration/cortana-at-work/images/cortana-powerbi-create-report.png
diff --git a/windows/configure/images/cortana-powerbi-expand-nav.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-expand-nav.png
similarity index 100%
rename from windows/configure/images/cortana-powerbi-expand-nav.png
rename to windows/configuration/cortana-at-work/images/cortana-powerbi-expand-nav.png
diff --git a/windows/configure/images/cortana-powerbi-field-selection.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-field-selection.png
similarity index 100%
rename from windows/configure/images/cortana-powerbi-field-selection.png
rename to windows/configuration/cortana-at-work/images/cortana-powerbi-field-selection.png
diff --git a/windows/configure/images/cortana-powerbi-getdata-samples.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-getdata-samples.png
similarity index 100%
rename from windows/configure/images/cortana-powerbi-getdata-samples.png
rename to windows/configuration/cortana-at-work/images/cortana-powerbi-getdata-samples.png
diff --git a/windows/configure/images/cortana-powerbi-getdata.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-getdata.png
similarity index 100%
rename from windows/configure/images/cortana-powerbi-getdata.png
rename to windows/configuration/cortana-at-work/images/cortana-powerbi-getdata.png
diff --git a/windows/configure/images/cortana-powerbi-myreport.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-myreport.png
similarity index 100%
rename from windows/configure/images/cortana-powerbi-myreport.png
rename to windows/configuration/cortana-at-work/images/cortana-powerbi-myreport.png
diff --git a/windows/configure/images/cortana-powerbi-pagesize.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-pagesize.png
similarity index 100%
rename from windows/configure/images/cortana-powerbi-pagesize.png
rename to windows/configuration/cortana-at-work/images/cortana-powerbi-pagesize.png
diff --git a/windows/configure/images/cortana-powerbi-report-qna.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-report-qna.png
similarity index 100%
rename from windows/configure/images/cortana-powerbi-report-qna.png
rename to windows/configuration/cortana-at-work/images/cortana-powerbi-report-qna.png
diff --git a/windows/configure/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-dashboard.png
similarity index 100%
rename from windows/configure/images/cortana-powerbi-retail-analysis-dashboard.png
rename to windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-dashboard.png
diff --git a/windows/configure/images/cortana-powerbi-retail-analysis-dataset.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-dataset.png
similarity index 100%
rename from windows/configure/images/cortana-powerbi-retail-analysis-dataset.png
rename to windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-dataset.png
diff --git a/windows/configure/images/cortana-powerbi-retail-analysis-sample.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-sample.png
similarity index 100%
rename from windows/configure/images/cortana-powerbi-retail-analysis-sample.png
rename to windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-sample.png
diff --git a/windows/configure/images/cortana-powerbi-search.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-search.png
similarity index 100%
rename from windows/configure/images/cortana-powerbi-search.png
rename to windows/configuration/cortana-at-work/images/cortana-powerbi-search.png
diff --git a/windows/configure/images/cortana-powerbi-settings.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-settings.png
similarity index 100%
rename from windows/configure/images/cortana-powerbi-settings.png
rename to windows/configuration/cortana-at-work/images/cortana-powerbi-settings.png
diff --git a/windows/configure/images/cortana-redmond-weather.png b/windows/configuration/cortana-at-work/images/cortana-redmond-weather.png
similarity index 100%
rename from windows/configure/images/cortana-redmond-weather.png
rename to windows/configuration/cortana-at-work/images/cortana-redmond-weather.png
diff --git a/windows/configure/images/cortana-reminder-edit.png b/windows/configuration/cortana-at-work/images/cortana-reminder-edit.png
similarity index 100%
rename from windows/configure/images/cortana-reminder-edit.png
rename to windows/configuration/cortana-at-work/images/cortana-reminder-edit.png
diff --git a/windows/configure/images/cortana-reminder-list.png b/windows/configuration/cortana-at-work/images/cortana-reminder-list.png
similarity index 100%
rename from windows/configure/images/cortana-reminder-list.png
rename to windows/configuration/cortana-at-work/images/cortana-reminder-list.png
diff --git a/windows/configure/images/cortana-reminder-mic.png b/windows/configuration/cortana-at-work/images/cortana-reminder-mic.png
similarity index 100%
rename from windows/configure/images/cortana-reminder-mic.png
rename to windows/configuration/cortana-at-work/images/cortana-reminder-mic.png
diff --git a/windows/configure/images/cortana-reminder-pending-mic.png b/windows/configuration/cortana-at-work/images/cortana-reminder-pending-mic.png
similarity index 100%
rename from windows/configure/images/cortana-reminder-pending-mic.png
rename to windows/configuration/cortana-at-work/images/cortana-reminder-pending-mic.png
diff --git a/windows/configure/images/cortana-reminder-pending.png b/windows/configuration/cortana-at-work/images/cortana-reminder-pending.png
similarity index 100%
rename from windows/configure/images/cortana-reminder-pending.png
rename to windows/configuration/cortana-at-work/images/cortana-reminder-pending.png
diff --git a/windows/configure/images/cortana-send-email-coworker-mic.png b/windows/configuration/cortana-at-work/images/cortana-send-email-coworker-mic.png
similarity index 100%
rename from windows/configure/images/cortana-send-email-coworker-mic.png
rename to windows/configuration/cortana-at-work/images/cortana-send-email-coworker-mic.png
diff --git a/windows/configure/images/cortana-send-email-coworker.png b/windows/configuration/cortana-at-work/images/cortana-send-email-coworker.png
similarity index 100%
rename from windows/configure/images/cortana-send-email-coworker.png
rename to windows/configuration/cortana-at-work/images/cortana-send-email-coworker.png
diff --git a/windows/configure/images/cortana-suggested-reminder-settings.png b/windows/configuration/cortana-at-work/images/cortana-suggested-reminder-settings.png
similarity index 100%
rename from windows/configure/images/cortana-suggested-reminder-settings.png
rename to windows/configuration/cortana-at-work/images/cortana-suggested-reminder-settings.png
diff --git a/windows/configure/images/cortana-suggested-reminder.png b/windows/configuration/cortana-at-work/images/cortana-suggested-reminder.png
similarity index 100%
rename from windows/configure/images/cortana-suggested-reminder.png
rename to windows/configuration/cortana-at-work/images/cortana-suggested-reminder.png
diff --git a/windows/configure/images/cortana-weather-multipanel.png b/windows/configuration/cortana-at-work/images/cortana-weather-multipanel.png
similarity index 100%
rename from windows/configure/images/cortana-weather-multipanel.png
rename to windows/configuration/cortana-at-work/images/cortana-weather-multipanel.png
diff --git a/windows/configure/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
similarity index 100%
rename from windows/configure/customize-and-export-start-layout.md
rename to windows/configuration/customize-and-export-start-layout.md
diff --git a/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
similarity index 100%
rename from windows/configure/customize-windows-10-start-screens-by-using-group-policy.md
rename to windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
diff --git a/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
similarity index 99%
rename from windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md
rename to windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index 5bbbcc8808..5255a639ff 100644
--- a/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -25,7 +25,7 @@ In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Ed
>[!NOTE]
>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
-**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-lockdown-designer.md) for mobile.
+**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-devices/mobile-lockdown-designer.md) for mobile.
>[!WARNING]
>When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
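Review bot: the "Before you begin" line now points at `mobile-devices/mobile-lockdown-designer.md`, but the move of that file into a `mobile-devices/` folder is not in the part of the patch shown here. The sibling link `customize-and-export-start-layout.md` resolves because that file is renamed into `windows/configuration/` with similarity 100%. Confirm the lockdown-designer page lands at `windows/configuration/mobile-devices/` in this same commit, otherwise this link and the identical one in the provisioning-packages page will break.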
diff --git a/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
similarity index 98%
rename from windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
rename to windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index 07d5c016a8..842bde95de 100644
--- a/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -25,7 +25,7 @@ In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Ed
>[!IMPORTANT]
>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
-**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-lockdown-designer.md) for mobile.
+**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-devices/mobile-lockdown-designer.md) for mobile.
## How Start layout control works
@@ -54,7 +54,7 @@ The **Export-StartLayout** cmdlet produces an XML file. Because Windows Configur
## Create a provisioning package that contains a customized Start layout
-Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md)
+Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
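Review bot: Style nit on the changed line: the sentence period sits inside the link text (`[Learn how to install Windows Configuration Designer.]`). Since the line is already being edited for the `provisioning-packages/` path, move the period outside the brackets. Also confirm that `provisioning-packages/provisioning-install-icd.md` is created by this same commit, since the move is not visible in this hunk.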
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
new file mode 100644
index 0000000000..07ca5a5dc2
--- /dev/null
+++ b/windows/configuration/docfx.json
@@ -0,0 +1,41 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg",
+ "**/*.gif"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ },
+ "fileMetadata": {},
+ "template": [],
+ "dest": "win-configuration"
+ }
+}
\ No newline at end of file
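Review bot: The `resource` globs list only lowercase extensions (`**/*.png`, `**/*.jpg`, `**/*.gif`), while this same commit moves files such as `images/ICDstart-option.PNG`, `images/ISE.PNG` and `images/account-management.PNG` into this docset. If glob matching is case-sensitive on the build host, those images will be left out of the build output and the pages that reference them will show broken images. Either add the uppercase patterns or normalize the file extensions. Separately, the file has no trailing newline; add one so later edits do not produce a spurious diff on the last line.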
diff --git a/windows/configure/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
similarity index 99%
rename from windows/configure/guidelines-for-assigned-access-app.md
rename to windows/configuration/guidelines-for-assigned-access-app.md
index 30dd845161..0c36993eea 100644
--- a/windows/configure/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -1,7 +1,6 @@
---
title: Guidelines for choosing an app for assigned access (Windows 10)
description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app.
-ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8
keywords: ["kiosk", "lockdown", "assigned access"]
ms.prod: w10
ms.mktglfcycl: manage
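Review bot: Dropping `ms.assetid` from the front matter is a metadata change unrelated to the folder rename, and nothing visible here explains it. If the asset ID is used to track the page's identity, removing it in the same commit that changes the path loses the one stable identifier for the page. Keep the line, or split the removal into its own commit with a stated reason.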
diff --git a/windows/configure/images/ActionCenterXML.jpg b/windows/configuration/images/ActionCenterXML.jpg
similarity index 100%
rename from windows/configure/images/ActionCenterXML.jpg
rename to windows/configuration/images/ActionCenterXML.jpg
diff --git a/windows/configure/images/AppsXML.jpg b/windows/configuration/images/AppsXML.jpg
similarity index 100%
rename from windows/configure/images/AppsXML.jpg
rename to windows/configuration/images/AppsXML.jpg
diff --git a/windows/configure/images/AppsXML.png b/windows/configuration/images/AppsXML.png
similarity index 100%
rename from windows/configure/images/AppsXML.png
rename to windows/configuration/images/AppsXML.png
diff --git a/windows/configure/images/ButtonsXML.jpg b/windows/configuration/images/ButtonsXML.jpg
similarity index 100%
rename from windows/configure/images/ButtonsXML.jpg
rename to windows/configuration/images/ButtonsXML.jpg
diff --git a/windows/configure/images/CSPRunnerXML.jpg b/windows/configuration/images/CSPRunnerXML.jpg
similarity index 100%
rename from windows/configure/images/CSPRunnerXML.jpg
rename to windows/configuration/images/CSPRunnerXML.jpg
diff --git a/windows/configure/images/ICD.png b/windows/configuration/images/ICD.png
similarity index 100%
rename from windows/configure/images/ICD.png
rename to windows/configuration/images/ICD.png
diff --git a/windows/configure/images/ICDstart-option.PNG b/windows/configuration/images/ICDstart-option.PNG
similarity index 100%
rename from windows/configure/images/ICDstart-option.PNG
rename to windows/configuration/images/ICDstart-option.PNG
diff --git a/windows/configure/images/ISE.PNG b/windows/configuration/images/ISE.PNG
similarity index 100%
rename from windows/configure/images/ISE.PNG
rename to windows/configuration/images/ISE.PNG
diff --git a/windows/configure/images/MenuItemsXML.png b/windows/configuration/images/MenuItemsXML.png
similarity index 100%
rename from windows/configure/images/MenuItemsXML.png
rename to windows/configuration/images/MenuItemsXML.png
diff --git a/windows/configure/images/PoC-big.png b/windows/configuration/images/PoC-big.png
similarity index 100%
rename from windows/configure/images/PoC-big.png
rename to windows/configuration/images/PoC-big.png
diff --git a/windows/configure/images/PoC.png b/windows/configuration/images/PoC.png
similarity index 100%
rename from windows/configure/images/PoC.png
rename to windows/configuration/images/PoC.png
diff --git a/windows/configure/images/SettingsXML.png b/windows/configuration/images/SettingsXML.png
similarity index 100%
rename from windows/configure/images/SettingsXML.png
rename to windows/configuration/images/SettingsXML.png
diff --git a/windows/configure/images/StartGrid.jpg b/windows/configuration/images/StartGrid.jpg
similarity index 100%
rename from windows/configure/images/StartGrid.jpg
rename to windows/configuration/images/StartGrid.jpg
diff --git a/windows/configure/images/StartGridPinnedApps.jpg b/windows/configuration/images/StartGridPinnedApps.jpg
similarity index 100%
rename from windows/configure/images/StartGridPinnedApps.jpg
rename to windows/configuration/images/StartGridPinnedApps.jpg
diff --git a/windows/configure/images/TilesXML.png b/windows/configuration/images/TilesXML.png
similarity index 100%
rename from windows/configure/images/TilesXML.png
rename to windows/configuration/images/TilesXML.png
diff --git a/windows/configure/images/account-management-details.PNG b/windows/configuration/images/account-management-details.PNG
similarity index 100%
rename from windows/configure/images/account-management-details.PNG
rename to windows/configuration/images/account-management-details.PNG
diff --git a/devices/surface-hub/images/account-management.PNG b/windows/configuration/images/account-management.PNG
similarity index 100%
rename from devices/surface-hub/images/account-management.PNG
rename to windows/configuration/images/account-management.PNG
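Review bot: This is a move, not a copy, out of `devices/surface-hub/images/`, so any Surface Hub page that still references `images/account-management.PNG` loses its image unless it is updated in this commit. The same applies to the other files taken from `devices/surface-hub/images/`, `windows/manage/images/` and `windows/deploy/images/` in this list. If the source docsets still use them, copy the files instead of renaming, or update the references there.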
diff --git a/devices/surface-hub/images/add-applications-details.PNG b/windows/configuration/images/add-applications-details.PNG
similarity index 100%
rename from devices/surface-hub/images/add-applications-details.PNG
rename to windows/configuration/images/add-applications-details.PNG
diff --git a/devices/surface-hub/images/add-applications.PNG b/windows/configuration/images/add-applications.PNG
similarity index 100%
rename from devices/surface-hub/images/add-applications.PNG
rename to windows/configuration/images/add-applications.PNG
diff --git a/devices/surface-hub/images/add-certificates-details.PNG b/windows/configuration/images/add-certificates-details.PNG
similarity index 100%
rename from devices/surface-hub/images/add-certificates-details.PNG
rename to windows/configuration/images/add-certificates-details.PNG
diff --git a/devices/surface-hub/images/add-certificates.PNG b/windows/configuration/images/add-certificates.PNG
similarity index 100%
rename from devices/surface-hub/images/add-certificates.PNG
rename to windows/configuration/images/add-certificates.PNG
diff --git a/windows/configure/images/adk-install.png b/windows/configuration/images/adk-install.png
similarity index 100%
rename from windows/configure/images/adk-install.png
rename to windows/configuration/images/adk-install.png
diff --git a/windows/manage/images/admin-tools-folder.png b/windows/configuration/images/admin-tools-folder.png
similarity index 100%
rename from windows/manage/images/admin-tools-folder.png
rename to windows/configuration/images/admin-tools-folder.png
diff --git a/windows/manage/images/admin-tools.png b/windows/configuration/images/admin-tools.png
similarity index 100%
rename from windows/manage/images/admin-tools.png
rename to windows/configuration/images/admin-tools.png
diff --git a/windows/manage/images/allow-rdp.png b/windows/configuration/images/allow-rdp.png
similarity index 100%
rename from windows/manage/images/allow-rdp.png
rename to windows/configuration/images/allow-rdp.png
diff --git a/windows/manage/images/app-v-in-adk.png b/windows/configuration/images/app-v-in-adk.png
similarity index 100%
rename from windows/manage/images/app-v-in-adk.png
rename to windows/configuration/images/app-v-in-adk.png
diff --git a/windows/configure/images/apprule.png b/windows/configuration/images/apprule.png
similarity index 100%
rename from windows/configure/images/apprule.png
rename to windows/configuration/images/apprule.png
diff --git a/devices/surface-hub/images/apps.png b/windows/configuration/images/apps.png
similarity index 100%
rename from devices/surface-hub/images/apps.png
rename to windows/configuration/images/apps.png
diff --git a/windows/configure/images/appwarning.png b/windows/configuration/images/appwarning.png
similarity index 100%
rename from windows/configure/images/appwarning.png
rename to windows/configuration/images/appwarning.png
diff --git a/windows/configure/images/azureadjoined.png b/windows/configuration/images/azureadjoined.png
similarity index 100%
rename from windows/configure/images/azureadjoined.png
rename to windows/configuration/images/azureadjoined.png
diff --git a/windows/configure/images/backicon.png b/windows/configuration/images/backicon.png
similarity index 100%
rename from windows/configure/images/backicon.png
rename to windows/configuration/images/backicon.png
diff --git a/windows/configure/images/bulk-enroll-mobile-details.PNG b/windows/configuration/images/bulk-enroll-mobile-details.PNG
similarity index 100%
rename from windows/configure/images/bulk-enroll-mobile-details.PNG
rename to windows/configuration/images/bulk-enroll-mobile-details.PNG
diff --git a/windows/configure/images/bulk-enroll-mobile.PNG b/windows/configuration/images/bulk-enroll-mobile.PNG
similarity index 100%
rename from windows/configure/images/bulk-enroll-mobile.PNG
rename to windows/configuration/images/bulk-enroll-mobile.PNG
diff --git a/windows/configure/images/check_blu.png b/windows/configuration/images/check_blu.png
similarity index 100%
rename from windows/configure/images/check_blu.png
rename to windows/configuration/images/check_blu.png
diff --git a/windows/configure/images/check_grn.png b/windows/configuration/images/check_grn.png
similarity index 100%
rename from windows/configure/images/check_grn.png
rename to windows/configuration/images/check_grn.png
diff --git a/windows/manage/images/checklistbox.gif b/windows/configuration/images/checklistbox.gif
similarity index 100%
rename from windows/manage/images/checklistbox.gif
rename to windows/configuration/images/checklistbox.gif
diff --git a/windows/configure/images/checklistdone.png b/windows/configuration/images/checklistdone.png
similarity index 100%
rename from windows/configure/images/checklistdone.png
rename to windows/configuration/images/checklistdone.png
diff --git a/windows/deploy/images/checkmark.png b/windows/configuration/images/checkmark.png
similarity index 100%
rename from windows/deploy/images/checkmark.png
rename to windows/configuration/images/checkmark.png
diff --git a/windows/configure/images/choose-package.png b/windows/configuration/images/choose-package.png
similarity index 100%
rename from windows/configure/images/choose-package.png
rename to windows/configuration/images/choose-package.png
diff --git a/windows/configure/images/config-policy.png b/windows/configuration/images/config-policy.png
similarity index 100%
rename from windows/configure/images/config-policy.png
rename to windows/configuration/images/config-policy.png
diff --git a/windows/configure/images/config-source.png b/windows/configuration/images/config-source.png
similarity index 100%
rename from windows/configure/images/config-source.png
rename to windows/configuration/images/config-source.png
diff --git a/windows/configure/images/configconflict.png b/windows/configuration/images/configconflict.png
similarity index 100%
rename from windows/configure/images/configconflict.png
rename to windows/configuration/images/configconflict.png
diff --git a/windows/configure/images/connect-aad.png b/windows/configuration/images/connect-aad.png
similarity index 100%
rename from windows/configure/images/connect-aad.png
rename to windows/configuration/images/connect-aad.png
diff --git a/windows/configure/images/convert.png b/windows/configuration/images/convert.png
similarity index 100%
rename from windows/configure/images/convert.png
rename to windows/configuration/images/convert.png
diff --git a/windows/manage/images/copy-to-change.png b/windows/configuration/images/copy-to-change.png
similarity index 100%
rename from windows/manage/images/copy-to-change.png
rename to windows/configuration/images/copy-to-change.png
diff --git a/windows/manage/images/copy-to-path.png b/windows/configuration/images/copy-to-path.png
similarity index 100%
rename from windows/manage/images/copy-to-path.png
rename to windows/configuration/images/copy-to-path.png
diff --git a/windows/manage/images/copy-to.PNG b/windows/configuration/images/copy-to.PNG
similarity index 100%
rename from windows/manage/images/copy-to.PNG
rename to windows/configuration/images/copy-to.PNG
diff --git a/windows/manage/images/cortana-about-me.png b/windows/configuration/images/cortana-about-me.png
similarity index 100%
rename from windows/manage/images/cortana-about-me.png
rename to windows/configuration/images/cortana-about-me.png
diff --git a/windows/manage/images/cortana-add-reminder.png b/windows/configuration/images/cortana-add-reminder.png
similarity index 100%
rename from windows/manage/images/cortana-add-reminder.png
rename to windows/configuration/images/cortana-add-reminder.png
diff --git a/windows/manage/images/cortana-chicago-weather.png b/windows/configuration/images/cortana-chicago-weather.png
similarity index 100%
rename from windows/manage/images/cortana-chicago-weather.png
rename to windows/configuration/images/cortana-chicago-weather.png
diff --git a/windows/manage/images/cortana-communication-history-permissions.png b/windows/configuration/images/cortana-communication-history-permissions.png
similarity index 100%
rename from windows/manage/images/cortana-communication-history-permissions.png
rename to windows/configuration/images/cortana-communication-history-permissions.png
diff --git a/windows/manage/images/cortana-complete-send-email-coworker-mic.png b/windows/configuration/images/cortana-complete-send-email-coworker-mic.png
similarity index 100%
rename from windows/manage/images/cortana-complete-send-email-coworker-mic.png
rename to windows/configuration/images/cortana-complete-send-email-coworker-mic.png
diff --git a/windows/manage/images/cortana-connect-crm.png b/windows/configuration/images/cortana-connect-crm.png
similarity index 100%
rename from windows/manage/images/cortana-connect-crm.png
rename to windows/configuration/images/cortana-connect-crm.png
diff --git a/windows/manage/images/cortana-connect-o365.png b/windows/configuration/images/cortana-connect-o365.png
similarity index 100%
rename from windows/manage/images/cortana-connect-o365.png
rename to windows/configuration/images/cortana-connect-o365.png
diff --git a/windows/manage/images/cortana-connect-uber.png b/windows/configuration/images/cortana-connect-uber.png
similarity index 100%
rename from windows/manage/images/cortana-connect-uber.png
rename to windows/configuration/images/cortana-connect-uber.png
diff --git a/windows/manage/images/cortana-crm-screen.png b/windows/configuration/images/cortana-crm-screen.png
similarity index 100%
rename from windows/manage/images/cortana-crm-screen.png
rename to windows/configuration/images/cortana-crm-screen.png
diff --git a/windows/manage/images/cortana-feedback.png b/windows/configuration/images/cortana-feedback.png
similarity index 100%
rename from windows/manage/images/cortana-feedback.png
rename to windows/configuration/images/cortana-feedback.png
diff --git a/windows/manage/images/cortana-final-reminder.png b/windows/configuration/images/cortana-final-reminder.png
similarity index 100%
rename from windows/manage/images/cortana-final-reminder.png
rename to windows/configuration/images/cortana-final-reminder.png
diff --git a/windows/manage/images/cortana-meeting-specific-time.png b/windows/configuration/images/cortana-meeting-specific-time.png
similarity index 100%
rename from windows/manage/images/cortana-meeting-specific-time.png
rename to windows/configuration/images/cortana-meeting-specific-time.png
diff --git a/windows/manage/images/cortana-meeting-tomorrow.png b/windows/configuration/images/cortana-meeting-tomorrow.png
similarity index 100%
rename from windows/manage/images/cortana-meeting-tomorrow.png
rename to windows/configuration/images/cortana-meeting-tomorrow.png
diff --git a/windows/manage/images/cortana-newyork-weather.png b/windows/configuration/images/cortana-newyork-weather.png
similarity index 100%
rename from windows/manage/images/cortana-newyork-weather.png
rename to windows/configuration/images/cortana-newyork-weather.png
diff --git a/windows/manage/images/cortana-o365-screen.png b/windows/configuration/images/cortana-o365-screen.png
similarity index 100%
rename from windows/manage/images/cortana-o365-screen.png
rename to windows/configuration/images/cortana-o365-screen.png
diff --git a/windows/manage/images/cortana-place-reminder.png b/windows/configuration/images/cortana-place-reminder.png
similarity index 100%
rename from windows/manage/images/cortana-place-reminder.png
rename to windows/configuration/images/cortana-place-reminder.png
diff --git a/windows/manage/images/cortana-powerbi-create-report.png b/windows/configuration/images/cortana-powerbi-create-report.png
similarity index 100%
rename from windows/manage/images/cortana-powerbi-create-report.png
rename to windows/configuration/images/cortana-powerbi-create-report.png
diff --git a/windows/manage/images/cortana-powerbi-expand-nav.png b/windows/configuration/images/cortana-powerbi-expand-nav.png
similarity index 100%
rename from windows/manage/images/cortana-powerbi-expand-nav.png
rename to windows/configuration/images/cortana-powerbi-expand-nav.png
diff --git a/windows/manage/images/cortana-powerbi-field-selection.png b/windows/configuration/images/cortana-powerbi-field-selection.png
similarity index 100%
rename from windows/manage/images/cortana-powerbi-field-selection.png
rename to windows/configuration/images/cortana-powerbi-field-selection.png
diff --git a/windows/manage/images/cortana-powerbi-getdata-samples.png b/windows/configuration/images/cortana-powerbi-getdata-samples.png
similarity index 100%
rename from windows/manage/images/cortana-powerbi-getdata-samples.png
rename to windows/configuration/images/cortana-powerbi-getdata-samples.png
diff --git a/windows/manage/images/cortana-powerbi-getdata.png b/windows/configuration/images/cortana-powerbi-getdata.png
similarity index 100%
rename from windows/manage/images/cortana-powerbi-getdata.png
rename to windows/configuration/images/cortana-powerbi-getdata.png
diff --git a/windows/manage/images/cortana-powerbi-myreport.png b/windows/configuration/images/cortana-powerbi-myreport.png
similarity index 100%
rename from windows/manage/images/cortana-powerbi-myreport.png
rename to windows/configuration/images/cortana-powerbi-myreport.png
diff --git a/windows/manage/images/cortana-powerbi-pagesize.png b/windows/configuration/images/cortana-powerbi-pagesize.png
similarity index 100%
rename from windows/manage/images/cortana-powerbi-pagesize.png
rename to windows/configuration/images/cortana-powerbi-pagesize.png
diff --git a/windows/manage/images/cortana-powerbi-report-qna.png b/windows/configuration/images/cortana-powerbi-report-qna.png
similarity index 100%
rename from windows/manage/images/cortana-powerbi-report-qna.png
rename to windows/configuration/images/cortana-powerbi-report-qna.png
diff --git a/windows/manage/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/configuration/images/cortana-powerbi-retail-analysis-dashboard.png
similarity index 100%
rename from windows/manage/images/cortana-powerbi-retail-analysis-dashboard.png
rename to windows/configuration/images/cortana-powerbi-retail-analysis-dashboard.png
diff --git a/windows/manage/images/cortana-powerbi-retail-analysis-dataset.png b/windows/configuration/images/cortana-powerbi-retail-analysis-dataset.png
similarity index 100%
rename from windows/manage/images/cortana-powerbi-retail-analysis-dataset.png
rename to windows/configuration/images/cortana-powerbi-retail-analysis-dataset.png
diff --git a/windows/manage/images/cortana-powerbi-retail-analysis-sample.png b/windows/configuration/images/cortana-powerbi-retail-analysis-sample.png
similarity index 100%
rename from windows/manage/images/cortana-powerbi-retail-analysis-sample.png
rename to windows/configuration/images/cortana-powerbi-retail-analysis-sample.png
diff --git a/windows/manage/images/cortana-powerbi-search.png b/windows/configuration/images/cortana-powerbi-search.png
similarity index 100%
rename from windows/manage/images/cortana-powerbi-search.png
rename to windows/configuration/images/cortana-powerbi-search.png
diff --git a/windows/manage/images/cortana-powerbi-settings.png b/windows/configuration/images/cortana-powerbi-settings.png
similarity index 100%
rename from windows/manage/images/cortana-powerbi-settings.png
rename to windows/configuration/images/cortana-powerbi-settings.png
diff --git a/windows/manage/images/cortana-redmond-weather.png b/windows/configuration/images/cortana-redmond-weather.png
similarity index 100%
rename from windows/manage/images/cortana-redmond-weather.png
rename to windows/configuration/images/cortana-redmond-weather.png
diff --git a/windows/manage/images/cortana-reminder-edit.png b/windows/configuration/images/cortana-reminder-edit.png
similarity index 100%
rename from windows/manage/images/cortana-reminder-edit.png
rename to windows/configuration/images/cortana-reminder-edit.png
diff --git a/windows/manage/images/cortana-reminder-list.png b/windows/configuration/images/cortana-reminder-list.png
similarity index 100%
rename from windows/manage/images/cortana-reminder-list.png
rename to windows/configuration/images/cortana-reminder-list.png
diff --git a/windows/manage/images/cortana-reminder-mic.png b/windows/configuration/images/cortana-reminder-mic.png
similarity index 100%
rename from windows/manage/images/cortana-reminder-mic.png
rename to windows/configuration/images/cortana-reminder-mic.png
diff --git a/windows/manage/images/cortana-reminder-pending-mic.png b/windows/configuration/images/cortana-reminder-pending-mic.png
similarity index 100%
rename from windows/manage/images/cortana-reminder-pending-mic.png
rename to windows/configuration/images/cortana-reminder-pending-mic.png
diff --git a/windows/manage/images/cortana-reminder-pending.png b/windows/configuration/images/cortana-reminder-pending.png
similarity index 100%
rename from windows/manage/images/cortana-reminder-pending.png
rename to windows/configuration/images/cortana-reminder-pending.png
diff --git a/windows/manage/images/cortana-send-email-coworker-mic.png b/windows/configuration/images/cortana-send-email-coworker-mic.png
similarity index 100%
rename from windows/manage/images/cortana-send-email-coworker-mic.png
rename to windows/configuration/images/cortana-send-email-coworker-mic.png
diff --git a/windows/manage/images/cortana-send-email-coworker.png b/windows/configuration/images/cortana-send-email-coworker.png
similarity index 100%
rename from windows/manage/images/cortana-send-email-coworker.png
rename to windows/configuration/images/cortana-send-email-coworker.png
diff --git a/windows/manage/images/cortana-suggested-reminder-settings.png b/windows/configuration/images/cortana-suggested-reminder-settings.png
similarity index 100%
rename from windows/manage/images/cortana-suggested-reminder-settings.png
rename to windows/configuration/images/cortana-suggested-reminder-settings.png
diff --git a/windows/manage/images/cortana-suggested-reminder.png b/windows/configuration/images/cortana-suggested-reminder.png
similarity index 100%
rename from windows/manage/images/cortana-suggested-reminder.png
rename to windows/configuration/images/cortana-suggested-reminder.png
diff --git a/windows/manage/images/cortana-weather-multipanel.png b/windows/configuration/images/cortana-weather-multipanel.png
similarity index 100%
rename from windows/manage/images/cortana-weather-multipanel.png
rename to windows/configuration/images/cortana-weather-multipanel.png
diff --git a/windows/deploy/images/crossmark.png b/windows/configuration/images/crossmark.png
similarity index 100%
rename from windows/deploy/images/crossmark.png
rename to windows/configuration/images/crossmark.png
diff --git a/windows/configure/images/csp-placeholder.png b/windows/configuration/images/csp-placeholder.png
similarity index 100%
rename from windows/configure/images/csp-placeholder.png
rename to windows/configuration/images/csp-placeholder.png
diff --git a/windows/configure/images/cspinicd.png b/windows/configuration/images/cspinicd.png
similarity index 100%
rename from windows/configure/images/cspinicd.png
rename to windows/configuration/images/cspinicd.png
diff --git a/windows/configure/images/csptable.png b/windows/configuration/images/csptable.png
similarity index 100%
rename from windows/configure/images/csptable.png
rename to windows/configuration/images/csptable.png
diff --git a/windows/configure/images/customization-start-edge.PNG b/windows/configuration/images/customization-start-edge.PNG
similarity index 100%
rename from windows/configure/images/customization-start-edge.PNG
rename to windows/configuration/images/customization-start-edge.PNG
diff --git a/windows/configure/images/customization-start.PNG b/windows/configuration/images/customization-start.PNG
similarity index 100%
rename from windows/configure/images/customization-start.PNG
rename to windows/configuration/images/customization-start.PNG
diff --git a/windows/configure/images/dep-win8-l-usmt-migrationcomparemigstores.gif b/windows/configuration/images/dep-win8-l-usmt-migrationcomparemigstores.gif
similarity index 100%
rename from windows/configure/images/dep-win8-l-usmt-migrationcomparemigstores.gif
rename to windows/configuration/images/dep-win8-l-usmt-migrationcomparemigstores.gif
diff --git a/windows/configure/images/dep-win8-l-usmt-pcrefresh.jpg b/windows/configuration/images/dep-win8-l-usmt-pcrefresh.jpg
similarity index 100%
rename from windows/configure/images/dep-win8-l-usmt-pcrefresh.jpg
rename to windows/configuration/images/dep-win8-l-usmt-pcrefresh.jpg
diff --git a/windows/configure/images/dep-win8-l-usmt-pcreplace.jpg b/windows/configuration/images/dep-win8-l-usmt-pcreplace.jpg
similarity index 100%
rename from windows/configure/images/dep-win8-l-usmt-pcreplace.jpg
rename to windows/configuration/images/dep-win8-l-usmt-pcreplace.jpg
diff --git a/windows/configure/images/dep-win8-l-vamt-findingcomputerdialog.gif b/windows/configuration/images/dep-win8-l-vamt-findingcomputerdialog.gif
similarity index 100%
rename from windows/configure/images/dep-win8-l-vamt-findingcomputerdialog.gif
rename to windows/configuration/images/dep-win8-l-vamt-findingcomputerdialog.gif
diff --git a/windows/configure/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif b/windows/configuration/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif
similarity index 100%
rename from windows/configure/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif
rename to windows/configuration/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif
diff --git a/windows/configure/images/dep-win8-l-vamt-image001-enterprise.jpg b/windows/configuration/images/dep-win8-l-vamt-image001-enterprise.jpg
similarity index 100%
rename from windows/configure/images/dep-win8-l-vamt-image001-enterprise.jpg
rename to windows/configuration/images/dep-win8-l-vamt-image001-enterprise.jpg
diff --git a/windows/configure/images/dep-win8-l-vamt-makindependentactivationscenario.jpg b/windows/configuration/images/dep-win8-l-vamt-makindependentactivationscenario.jpg
similarity index 100%
rename from windows/configure/images/dep-win8-l-vamt-makindependentactivationscenario.jpg
rename to windows/configuration/images/dep-win8-l-vamt-makindependentactivationscenario.jpg
diff --git a/windows/configure/images/dep-win8-l-vamt-makproxyactivationscenario.jpg b/windows/configuration/images/dep-win8-l-vamt-makproxyactivationscenario.jpg
similarity index 100%
rename from windows/configure/images/dep-win8-l-vamt-makproxyactivationscenario.jpg
rename to windows/configuration/images/dep-win8-l-vamt-makproxyactivationscenario.jpg
diff --git a/windows/configure/images/deploy-finish.PNG b/windows/configuration/images/deploy-finish.PNG
similarity index 100%
rename from windows/configure/images/deploy-finish.PNG
rename to windows/configuration/images/deploy-finish.PNG
diff --git a/windows/configure/images/deploymentworkflow.png b/windows/configuration/images/deploymentworkflow.png
similarity index 100%
rename from windows/configure/images/deploymentworkflow.png
rename to windows/configuration/images/deploymentworkflow.png
diff --git a/devices/surface-hub/images/developer-setup.PNG b/windows/configuration/images/developer-setup.PNG
similarity index 100%
rename from devices/surface-hub/images/developer-setup.PNG
rename to windows/configuration/images/developer-setup.PNG
diff --git a/windows/configure/images/disk2vhd-convert.PNG b/windows/configuration/images/disk2vhd-convert.PNG
similarity index 100%
rename from windows/configure/images/disk2vhd-convert.PNG
rename to windows/configuration/images/disk2vhd-convert.PNG
diff --git a/windows/configure/images/disk2vhd-gen2.PNG b/windows/configuration/images/disk2vhd-gen2.PNG
similarity index 100%
rename from windows/configure/images/disk2vhd-gen2.PNG
rename to windows/configuration/images/disk2vhd-gen2.PNG
diff --git a/windows/configure/images/disk2vhd.PNG b/windows/configuration/images/disk2vhd.PNG
similarity index 100%
rename from windows/configure/images/disk2vhd.PNG
rename to windows/configuration/images/disk2vhd.PNG
diff --git a/windows/configure/images/disk2vhd4.PNG b/windows/configuration/images/disk2vhd4.PNG
similarity index 100%
rename from windows/configure/images/disk2vhd4.PNG
rename to windows/configuration/images/disk2vhd4.PNG
diff --git a/windows/configure/images/doneicon.png b/windows/configuration/images/doneicon.png
similarity index 100%
rename from windows/configure/images/doneicon.png
rename to windows/configuration/images/doneicon.png
diff --git a/windows/configure/images/download_vhd.png b/windows/configuration/images/download_vhd.png
similarity index 100%
rename from windows/configure/images/download_vhd.png
rename to windows/configuration/images/download_vhd.png
diff --git a/windows/configure/images/e3-activated.png b/windows/configuration/images/e3-activated.png
similarity index 100%
rename from windows/configure/images/e3-activated.png
rename to windows/configuration/images/e3-activated.png
diff --git a/windows/configure/images/edge-with-logo.png b/windows/configuration/images/edge-with-logo.png
similarity index 100%
rename from windows/configure/images/edge-with-logo.png
rename to windows/configuration/images/edge-with-logo.png
diff --git a/windows/configure/images/edge-without-logo.png b/windows/configuration/images/edge-without-logo.png
similarity index 100%
rename from windows/configure/images/edge-without-logo.png
rename to windows/configuration/images/edge-without-logo.png
diff --git a/windows/configure/images/enterprise-e3-ad-connect.png b/windows/configuration/images/enterprise-e3-ad-connect.png
similarity index 100%
rename from windows/configure/images/enterprise-e3-ad-connect.png
rename to windows/configuration/images/enterprise-e3-ad-connect.png
diff --git a/windows/configure/images/enterprise-e3-choose-how.png b/windows/configuration/images/enterprise-e3-choose-how.png
similarity index 100%
rename from windows/configure/images/enterprise-e3-choose-how.png
rename to windows/configuration/images/enterprise-e3-choose-how.png
diff --git a/windows/configure/images/enterprise-e3-connect-to-work-or-school.png b/windows/configuration/images/enterprise-e3-connect-to-work-or-school.png
similarity index 100%
rename from windows/configure/images/enterprise-e3-connect-to-work-or-school.png
rename to windows/configuration/images/enterprise-e3-connect-to-work-or-school.png
diff --git a/windows/configure/images/enterprise-e3-lets-get-2.png b/windows/configuration/images/enterprise-e3-lets-get-2.png
similarity index 100%
rename from windows/configure/images/enterprise-e3-lets-get-2.png
rename to windows/configuration/images/enterprise-e3-lets-get-2.png
diff --git a/windows/configure/images/enterprise-e3-lets-get.png b/windows/configuration/images/enterprise-e3-lets-get.png
similarity index 100%
rename from windows/configure/images/enterprise-e3-lets-get.png
rename to windows/configuration/images/enterprise-e3-lets-get.png
diff --git a/windows/configure/images/enterprise-e3-set-up-work-or-school.png b/windows/configuration/images/enterprise-e3-set-up-work-or-school.png
similarity index 100%
rename from windows/configure/images/enterprise-e3-set-up-work-or-school.png
rename to windows/configuration/images/enterprise-e3-set-up-work-or-school.png
diff --git a/windows/configure/images/enterprise-e3-sign-in.png b/windows/configuration/images/enterprise-e3-sign-in.png
similarity index 100%
rename from windows/configure/images/enterprise-e3-sign-in.png
rename to windows/configuration/images/enterprise-e3-sign-in.png
diff --git a/windows/configure/images/enterprise-e3-who-owns.png b/windows/configuration/images/enterprise-e3-who-owns.png
similarity index 100%
rename from windows/configure/images/enterprise-e3-who-owns.png
rename to windows/configuration/images/enterprise-e3-who-owns.png
diff --git a/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png b/windows/configuration/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png
similarity index 100%
rename from windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png
rename to windows/configuration/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png
diff --git a/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png b/windows/configuration/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png
similarity index 100%
rename from windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png
rename to windows/configuration/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png
diff --git a/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png b/windows/configuration/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png
similarity index 100%
rename from windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png
rename to windows/configuration/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png
diff --git a/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png b/windows/configuration/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png
similarity index 100%
rename from windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png
rename to windows/configuration/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png
diff --git a/windows/configure/images/export-mgt-desktop.png b/windows/configuration/images/export-mgt-desktop.png
similarity index 100%
rename from windows/configure/images/export-mgt-desktop.png
rename to windows/configuration/images/export-mgt-desktop.png
diff --git a/windows/configure/images/export-mgt-mobile.png b/windows/configuration/images/export-mgt-mobile.png
similarity index 100%
rename from windows/configure/images/export-mgt-mobile.png
rename to windows/configuration/images/export-mgt-mobile.png
diff --git a/windows/configure/images/express-settings.png b/windows/configuration/images/express-settings.png
similarity index 100%
rename from windows/configure/images/express-settings.png
rename to windows/configuration/images/express-settings.png
diff --git a/windows/configure/images/fig1-deferupgrades.png b/windows/configuration/images/fig1-deferupgrades.png
similarity index 100%
rename from windows/configure/images/fig1-deferupgrades.png
rename to windows/configuration/images/fig1-deferupgrades.png
diff --git a/windows/configure/images/fig10-contosoinstall.png b/windows/configuration/images/fig10-contosoinstall.png
similarity index 100%
rename from windows/configure/images/fig10-contosoinstall.png
rename to windows/configuration/images/fig10-contosoinstall.png
diff --git a/windows/configure/images/fig10-unattend.png b/windows/configuration/images/fig10-unattend.png
similarity index 100%
rename from windows/configure/images/fig10-unattend.png
rename to windows/configuration/images/fig10-unattend.png
diff --git a/windows/configure/images/fig13-captureimage.png b/windows/configuration/images/fig13-captureimage.png
similarity index 100%
rename from windows/configure/images/fig13-captureimage.png
rename to windows/configuration/images/fig13-captureimage.png
diff --git a/windows/configure/images/fig16-contentstatus.png b/windows/configuration/images/fig16-contentstatus.png
similarity index 100%
rename from windows/configure/images/fig16-contentstatus.png
rename to windows/configuration/images/fig16-contentstatus.png
diff --git a/windows/configure/images/fig17-win10image.png b/windows/configuration/images/fig17-win10image.png
similarity index 100%
rename from windows/configure/images/fig17-win10image.png
rename to windows/configuration/images/fig17-win10image.png
diff --git a/windows/configure/images/fig18-distwindows.png b/windows/configuration/images/fig18-distwindows.png
similarity index 100%
rename from windows/configure/images/fig18-distwindows.png
rename to windows/configuration/images/fig18-distwindows.png
diff --git a/windows/configure/images/fig2-deploymenttimeline.png b/windows/configuration/images/fig2-deploymenttimeline.png
similarity index 100%
rename from windows/configure/images/fig2-deploymenttimeline.png
rename to windows/configuration/images/fig2-deploymenttimeline.png
diff --git a/windows/configure/images/fig2-gather.png b/windows/configuration/images/fig2-gather.png
similarity index 100%
rename from windows/configure/images/fig2-gather.png
rename to windows/configuration/images/fig2-gather.png
diff --git a/windows/configure/images/fig2-importedos.png b/windows/configuration/images/fig2-importedos.png
similarity index 100%
rename from windows/configure/images/fig2-importedos.png
rename to windows/configuration/images/fig2-importedos.png
diff --git a/windows/configure/images/fig2-taskseq.png b/windows/configuration/images/fig2-taskseq.png
similarity index 100%
rename from windows/configure/images/fig2-taskseq.png
rename to windows/configuration/images/fig2-taskseq.png
diff --git a/windows/configure/images/fig21-add-drivers.png b/windows/configuration/images/fig21-add-drivers.png
similarity index 100%
rename from windows/configure/images/fig21-add-drivers.png
rename to windows/configuration/images/fig21-add-drivers.png
diff --git a/windows/configure/images/fig22-createcategories.png b/windows/configuration/images/fig22-createcategories.png
similarity index 100%
rename from windows/configure/images/fig22-createcategories.png
rename to windows/configuration/images/fig22-createcategories.png
diff --git a/windows/configure/images/fig27-driverpackage.png b/windows/configuration/images/fig27-driverpackage.png
similarity index 100%
rename from windows/configure/images/fig27-driverpackage.png
rename to windows/configuration/images/fig27-driverpackage.png
diff --git a/windows/configure/images/fig28-addapp.png b/windows/configuration/images/fig28-addapp.png
similarity index 100%
rename from windows/configure/images/fig28-addapp.png
rename to windows/configuration/images/fig28-addapp.png
diff --git a/windows/configure/images/fig3-overlaprelease.png b/windows/configuration/images/fig3-overlaprelease.png
similarity index 100%
rename from windows/configure/images/fig3-overlaprelease.png
rename to windows/configuration/images/fig3-overlaprelease.png
diff --git a/windows/configure/images/fig30-settingspack.png b/windows/configuration/images/fig30-settingspack.png
similarity index 100%
rename from windows/configure/images/fig30-settingspack.png
rename to windows/configuration/images/fig30-settingspack.png
diff --git a/windows/configure/images/fig32-deploywiz.png b/windows/configuration/images/fig32-deploywiz.png
similarity index 100%
rename from windows/configure/images/fig32-deploywiz.png
rename to windows/configuration/images/fig32-deploywiz.png
diff --git a/windows/configure/images/fig4-oob-drivers.png b/windows/configuration/images/fig4-oob-drivers.png
similarity index 100%
rename from windows/configure/images/fig4-oob-drivers.png
rename to windows/configuration/images/fig4-oob-drivers.png
diff --git a/windows/configure/images/fig5-selectprofile.png b/windows/configuration/images/fig5-selectprofile.png
similarity index 100%
rename from windows/configure/images/fig5-selectprofile.png
rename to windows/configuration/images/fig5-selectprofile.png
diff --git a/windows/configure/images/fig6-taskseq.png b/windows/configuration/images/fig6-taskseq.png
similarity index 100%
rename from windows/configure/images/fig6-taskseq.png
rename to windows/configuration/images/fig6-taskseq.png
diff --git a/windows/configure/images/fig8-cust-tasks.png b/windows/configuration/images/fig8-cust-tasks.png
similarity index 100%
rename from windows/configure/images/fig8-cust-tasks.png
rename to windows/configuration/images/fig8-cust-tasks.png
diff --git a/windows/configure/images/fig8-suspend.png b/windows/configuration/images/fig8-suspend.png
similarity index 100%
rename from windows/configure/images/fig8-suspend.png
rename to windows/configuration/images/fig8-suspend.png
diff --git a/windows/configure/images/fig9-resumetaskseq.png b/windows/configuration/images/fig9-resumetaskseq.png
similarity index 100%
rename from windows/configure/images/fig9-resumetaskseq.png
rename to windows/configuration/images/fig9-resumetaskseq.png
diff --git a/windows/configure/images/figure4-deployment-workbench.png b/windows/configuration/images/figure4-deployment-workbench.png
similarity index 100%
rename from windows/configure/images/figure4-deployment-workbench.png
rename to windows/configuration/images/figure4-deployment-workbench.png
diff --git a/windows/configure/images/finish-details-mobile.PNG b/windows/configuration/images/finish-details-mobile.PNG
similarity index 100%
rename from windows/configure/images/finish-details-mobile.PNG
rename to windows/configuration/images/finish-details-mobile.PNG
diff --git a/devices/surface-hub/images/finish-details.png b/windows/configuration/images/finish-details.png
similarity index 100%
rename from devices/surface-hub/images/finish-details.png
rename to windows/configuration/images/finish-details.png
diff --git a/windows/configure/images/finish-mobile.PNG b/windows/configuration/images/finish-mobile.PNG
similarity index 100%
rename from windows/configure/images/finish-mobile.PNG
rename to windows/configuration/images/finish-mobile.PNG
diff --git a/devices/surface-hub/images/finish.PNG b/windows/configuration/images/finish.PNG
similarity index 100%
rename from devices/surface-hub/images/finish.PNG
rename to windows/configuration/images/finish.PNG
diff --git a/devices/surface-hub/images/five.png b/windows/configuration/images/five.png
similarity index 100%
rename from devices/surface-hub/images/five.png
rename to windows/configuration/images/five.png
diff --git a/devices/surface-hub/images/four.png b/windows/configuration/images/four.png
similarity index 100%
rename from devices/surface-hub/images/four.png
rename to windows/configuration/images/four.png
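Review bot: four.png, like five.png, finish.PNG and finish-details.png in the entries just above, is renamed from devices/surface-hub/images/ while its neighbors come from windows/configure/images/. Check that no Surface Hub article still references these files at the old location. The moved set also mixes extension case (finish.PNG beside finish-details.png), so on a case-sensitive host each link has to match the file name exactly; normalizing the extensions during this move would avoid that.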
diff --git a/windows/configure/images/funfacts.png b/windows/configuration/images/funfacts.png
similarity index 100%
rename from windows/configure/images/funfacts.png
rename to windows/configuration/images/funfacts.png
diff --git a/windows/configure/images/genrule.png b/windows/configuration/images/genrule.png
similarity index 100%
rename from windows/configure/images/genrule.png
rename to windows/configuration/images/genrule.png
diff --git a/windows/configure/images/gp-branch.png b/windows/configuration/images/gp-branch.png
similarity index 100%
rename from windows/configure/images/gp-branch.png
rename to windows/configuration/images/gp-branch.png
diff --git a/windows/configure/images/gp-exclude-drivers.png b/windows/configuration/images/gp-exclude-drivers.png
similarity index 100%
rename from windows/configure/images/gp-exclude-drivers.png
rename to windows/configuration/images/gp-exclude-drivers.png
diff --git a/windows/configure/images/gp-feature.png b/windows/configuration/images/gp-feature.png
similarity index 100%
rename from windows/configure/images/gp-feature.png
rename to windows/configuration/images/gp-feature.png
diff --git a/windows/configure/images/gp-quality.png b/windows/configuration/images/gp-quality.png
similarity index 100%
rename from windows/configure/images/gp-quality.png
rename to windows/configuration/images/gp-quality.png
diff --git a/windows/configure/images/hyper-v-feature.png b/windows/configuration/images/hyper-v-feature.png
similarity index 100%
rename from windows/configure/images/hyper-v-feature.png
rename to windows/configuration/images/hyper-v-feature.png
diff --git a/windows/configure/images/icd-adv-shared-pc.PNG b/windows/configuration/images/icd-adv-shared-pc.PNG
similarity index 100%
rename from windows/configure/images/icd-adv-shared-pc.PNG
rename to windows/configuration/images/icd-adv-shared-pc.PNG
diff --git a/windows/configure/images/icd-create-options-1703.PNG b/windows/configuration/images/icd-create-options-1703.PNG
similarity index 100%
rename from windows/configure/images/icd-create-options-1703.PNG
rename to windows/configuration/images/icd-create-options-1703.PNG
diff --git a/windows/configure/images/icd-create-options.PNG b/windows/configuration/images/icd-create-options.PNG
similarity index 100%
rename from windows/configure/images/icd-create-options.PNG
rename to windows/configuration/images/icd-create-options.PNG
diff --git a/windows/configure/images/icd-desktop-1703.PNG b/windows/configuration/images/icd-desktop-1703.PNG
similarity index 100%
rename from windows/configure/images/icd-desktop-1703.PNG
rename to windows/configuration/images/icd-desktop-1703.PNG
diff --git a/windows/configure/images/icd-export-menu.png b/windows/configuration/images/icd-export-menu.png
similarity index 100%
rename from windows/configure/images/icd-export-menu.png
rename to windows/configuration/images/icd-export-menu.png
diff --git a/windows/configure/images/icd-install.PNG b/windows/configuration/images/icd-install.PNG
similarity index 100%
rename from windows/configure/images/icd-install.PNG
rename to windows/configuration/images/icd-install.PNG
diff --git a/windows/configure/images/icd-multi-target-true.png b/windows/configuration/images/icd-multi-target-true.png
similarity index 100%
rename from windows/configure/images/icd-multi-target-true.png
rename to windows/configuration/images/icd-multi-target-true.png
diff --git a/windows/configure/images/icd-multi-targetstate-true.png b/windows/configuration/images/icd-multi-targetstate-true.png
similarity index 100%
rename from windows/configure/images/icd-multi-targetstate-true.png
rename to windows/configuration/images/icd-multi-targetstate-true.png
diff --git a/windows/configure/images/icd-runtime.PNG b/windows/configuration/images/icd-runtime.PNG
similarity index 100%
rename from windows/configure/images/icd-runtime.PNG
rename to windows/configuration/images/icd-runtime.PNG
diff --git a/windows/configure/images/icd-school.PNG b/windows/configuration/images/icd-school.PNG
similarity index 100%
rename from windows/configure/images/icd-school.PNG
rename to windows/configuration/images/icd-school.PNG
diff --git a/windows/configure/images/icd-script1.png b/windows/configuration/images/icd-script1.png
similarity index 100%
rename from windows/configure/images/icd-script1.png
rename to windows/configuration/images/icd-script1.png
diff --git a/windows/configure/images/icd-script2.png b/windows/configuration/images/icd-script2.png
similarity index 100%
rename from windows/configure/images/icd-script2.png
rename to windows/configuration/images/icd-script2.png
diff --git a/windows/configure/images/icd-setting-help.PNG b/windows/configuration/images/icd-setting-help.PNG
similarity index 100%
rename from windows/configure/images/icd-setting-help.PNG
rename to windows/configuration/images/icd-setting-help.PNG
diff --git a/windows/configure/images/icd-settings.PNG b/windows/configuration/images/icd-settings.PNG
similarity index 100%
rename from windows/configure/images/icd-settings.PNG
rename to windows/configuration/images/icd-settings.PNG
diff --git a/windows/configure/images/icd-simple-edit.png b/windows/configuration/images/icd-simple-edit.png
similarity index 100%
rename from windows/configure/images/icd-simple-edit.png
rename to windows/configuration/images/icd-simple-edit.png
diff --git a/windows/configure/images/icd-simple.PNG b/windows/configuration/images/icd-simple.PNG
similarity index 100%
rename from windows/configure/images/icd-simple.PNG
rename to windows/configuration/images/icd-simple.PNG
diff --git a/windows/configure/images/icd-step1.PNG b/windows/configuration/images/icd-step1.PNG
similarity index 100%
rename from windows/configure/images/icd-step1.PNG
rename to windows/configuration/images/icd-step1.PNG
diff --git a/windows/configure/images/icd-step2.PNG b/windows/configuration/images/icd-step2.PNG
similarity index 100%
rename from windows/configure/images/icd-step2.PNG
rename to windows/configuration/images/icd-step2.PNG
diff --git a/windows/configure/images/icd-step3.PNG b/windows/configuration/images/icd-step3.PNG
similarity index 100%
rename from windows/configure/images/icd-step3.PNG
rename to windows/configuration/images/icd-step3.PNG
diff --git a/windows/configure/images/icd-step4.PNG b/windows/configuration/images/icd-step4.PNG
similarity index 100%
rename from windows/configure/images/icd-step4.PNG
rename to windows/configuration/images/icd-step4.PNG
diff --git a/windows/configure/images/icd-step5.PNG b/windows/configuration/images/icd-step5.PNG
similarity index 100%
rename from windows/configure/images/icd-step5.PNG
rename to windows/configuration/images/icd-step5.PNG
diff --git a/windows/configure/images/icd-switch.PNG b/windows/configuration/images/icd-switch.PNG
similarity index 100%
rename from windows/configure/images/icd-switch.PNG
rename to windows/configuration/images/icd-switch.PNG
diff --git a/windows/configure/images/icdbrowse.png b/windows/configuration/images/icdbrowse.png
similarity index 100%
rename from windows/configure/images/icdbrowse.png
rename to windows/configuration/images/icdbrowse.png
diff --git a/windows/configure/images/identitychoices.png b/windows/configuration/images/identitychoices.png
similarity index 100%
rename from windows/configure/images/identitychoices.png
rename to windows/configuration/images/identitychoices.png
diff --git a/windows/configure/images/image.PNG b/windows/configuration/images/image.PNG
similarity index 100%
rename from windows/configure/images/image.PNG
rename to windows/configuration/images/image.PNG
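Review bot: image.PNG is a non-descriptive file name carried unchanged into windows/configuration/images/, a directory that receives a large number of files in this change. Since the file is being moved anyway, consider renaming it to describe what it shows, which makes a later name collision or a stale link easier to spot.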
diff --git a/windows/configure/images/installing-drivers.png b/windows/configuration/images/installing-drivers.png
similarity index 100%
rename from windows/configure/images/installing-drivers.png
rename to windows/configuration/images/installing-drivers.png
diff --git a/windows/configure/images/kiosk-account-details.PNG b/windows/configuration/images/kiosk-account-details.PNG
similarity index 100%
rename from windows/configure/images/kiosk-account-details.PNG
rename to windows/configuration/images/kiosk-account-details.PNG
diff --git a/windows/configure/images/kiosk-account.PNG b/windows/configuration/images/kiosk-account.PNG
similarity index 100%
rename from windows/configure/images/kiosk-account.PNG
rename to windows/configuration/images/kiosk-account.PNG
diff --git a/windows/configure/images/kiosk-common-details.PNG b/windows/configuration/images/kiosk-common-details.PNG
similarity index 100%
rename from windows/configure/images/kiosk-common-details.PNG
rename to windows/configuration/images/kiosk-common-details.PNG
diff --git a/windows/configure/images/kiosk-common.PNG b/windows/configuration/images/kiosk-common.PNG
similarity index 100%
rename from windows/configure/images/kiosk-common.PNG
rename to windows/configuration/images/kiosk-common.PNG
diff --git a/windows/configure/images/launchicon.png b/windows/configuration/images/launchicon.png
similarity index 100%
rename from windows/configure/images/launchicon.png
rename to windows/configuration/images/launchicon.png
diff --git a/windows/configure/images/ld-apps.PNG b/windows/configuration/images/ld-apps.PNG
similarity index 100%
rename from windows/configure/images/ld-apps.PNG
rename to windows/configuration/images/ld-apps.PNG
diff --git a/windows/configure/images/ld-buttons.PNG b/windows/configuration/images/ld-buttons.PNG
similarity index 100%
rename from windows/configure/images/ld-buttons.PNG
rename to windows/configuration/images/ld-buttons.PNG
diff --git a/windows/configure/images/ld-connect.PNG b/windows/configuration/images/ld-connect.PNG
similarity index 100%
rename from windows/configure/images/ld-connect.PNG
rename to windows/configuration/images/ld-connect.PNG
diff --git a/windows/configure/images/ld-csp.PNG b/windows/configuration/images/ld-csp.PNG
similarity index 100%
rename from windows/configure/images/ld-csp.PNG
rename to windows/configuration/images/ld-csp.PNG
diff --git a/windows/configure/images/ld-export.PNG b/windows/configuration/images/ld-export.PNG
similarity index 100%
rename from windows/configure/images/ld-export.PNG
rename to windows/configuration/images/ld-export.PNG
diff --git a/windows/configure/images/ld-other.PNG b/windows/configuration/images/ld-other.PNG
similarity index 100%
rename from windows/configure/images/ld-other.PNG
rename to windows/configuration/images/ld-other.PNG
diff --git a/windows/configure/images/ld-pair.PNG b/windows/configuration/images/ld-pair.PNG
similarity index 100%
rename from windows/configure/images/ld-pair.PNG
rename to windows/configuration/images/ld-pair.PNG
diff --git a/windows/configure/images/ld-quick.PNG b/windows/configuration/images/ld-quick.PNG
similarity index 100%
rename from windows/configure/images/ld-quick.PNG
rename to windows/configuration/images/ld-quick.PNG
diff --git a/windows/configure/images/ld-role.PNG b/windows/configuration/images/ld-role.PNG
similarity index 100%
rename from windows/configure/images/ld-role.PNG
rename to windows/configuration/images/ld-role.PNG
diff --git a/windows/configure/images/ld-settings.PNG b/windows/configuration/images/ld-settings.PNG
similarity index 100%
rename from windows/configure/images/ld-settings.PNG
rename to windows/configuration/images/ld-settings.PNG
diff --git a/windows/configure/images/ld-start.PNG b/windows/configuration/images/ld-start.PNG
similarity index 100%
rename from windows/configure/images/ld-start.PNG
rename to windows/configuration/images/ld-start.PNG
diff --git a/windows/configure/images/ld-sync.PNG b/windows/configuration/images/ld-sync.PNG
similarity index 100%
rename from windows/configure/images/ld-sync.PNG
rename to windows/configuration/images/ld-sync.PNG
diff --git a/windows/configure/images/ldstore.PNG b/windows/configuration/images/ldstore.PNG
similarity index 100%
rename from windows/configure/images/ldstore.PNG
rename to windows/configuration/images/ldstore.PNG
diff --git a/windows/configure/images/license-terms.png b/windows/configuration/images/license-terms.png
similarity index 100%
rename from windows/configure/images/license-terms.png
rename to windows/configuration/images/license-terms.png
diff --git a/windows/configure/images/lily.jpg b/windows/configuration/images/lily.jpg
similarity index 100%
rename from windows/configure/images/lily.jpg
rename to windows/configuration/images/lily.jpg
diff --git a/windows/configure/images/lockdownapps.png b/windows/configuration/images/lockdownapps.png
similarity index 100%
rename from windows/configure/images/lockdownapps.png
rename to windows/configuration/images/lockdownapps.png
diff --git a/windows/configure/images/lockscreen.png b/windows/configuration/images/lockscreen.png
similarity index 100%
rename from windows/configure/images/lockscreen.png
rename to windows/configuration/images/lockscreen.png
diff --git a/windows/configure/images/lockscreenpolicy.png b/windows/configuration/images/lockscreenpolicy.png
similarity index 100%
rename from windows/configure/images/lockscreenpolicy.png
rename to windows/configuration/images/lockscreenpolicy.png
diff --git a/windows/configure/images/mdm-diag-report-powershell.PNG b/windows/configuration/images/mdm-diag-report-powershell.PNG
similarity index 100%
rename from windows/configure/images/mdm-diag-report-powershell.PNG
rename to windows/configuration/images/mdm-diag-report-powershell.PNG
diff --git a/windows/configure/images/mdm.png b/windows/configuration/images/mdm.png
similarity index 100%
rename from windows/configure/images/mdm.png
rename to windows/configuration/images/mdm.png
diff --git a/windows/configure/images/mdt-01-fig01.png b/windows/configuration/images/mdt-01-fig01.png
similarity index 100%
rename from windows/configure/images/mdt-01-fig01.png
rename to windows/configuration/images/mdt-01-fig01.png
diff --git a/windows/configure/images/mdt-01-fig02.jpg b/windows/configuration/images/mdt-01-fig02.jpg
similarity index 100%
rename from windows/configure/images/mdt-01-fig02.jpg
rename to windows/configuration/images/mdt-01-fig02.jpg
diff --git a/windows/configure/images/mdt-03-fig01.png b/windows/configuration/images/mdt-03-fig01.png
similarity index 100%
rename from windows/configure/images/mdt-03-fig01.png
rename to windows/configuration/images/mdt-03-fig01.png
diff --git a/windows/configure/images/mdt-03-fig02.png b/windows/configuration/images/mdt-03-fig02.png
similarity index 100%
rename from windows/configure/images/mdt-03-fig02.png
rename to windows/configuration/images/mdt-03-fig02.png
diff --git a/windows/configure/images/mdt-03-fig03.png b/windows/configuration/images/mdt-03-fig03.png
similarity index 100%
rename from windows/configure/images/mdt-03-fig03.png
rename to windows/configuration/images/mdt-03-fig03.png
diff --git a/windows/configure/images/mdt-03-fig04.png b/windows/configuration/images/mdt-03-fig04.png
similarity index 100%
rename from windows/configure/images/mdt-03-fig04.png
rename to windows/configuration/images/mdt-03-fig04.png
diff --git a/windows/configure/images/mdt-03-fig05.png b/windows/configuration/images/mdt-03-fig05.png
similarity index 100%
rename from windows/configure/images/mdt-03-fig05.png
rename to windows/configuration/images/mdt-03-fig05.png
diff --git a/windows/configure/images/mdt-04-fig01.png b/windows/configuration/images/mdt-04-fig01.png
similarity index 100%
rename from windows/configure/images/mdt-04-fig01.png
rename to windows/configuration/images/mdt-04-fig01.png
diff --git a/windows/configure/images/mdt-05-fig01.png b/windows/configuration/images/mdt-05-fig01.png
similarity index 100%
rename from windows/configure/images/mdt-05-fig01.png
rename to windows/configuration/images/mdt-05-fig01.png
diff --git a/windows/configure/images/mdt-05-fig02.png b/windows/configuration/images/mdt-05-fig02.png
similarity index 100%
rename from windows/configure/images/mdt-05-fig02.png
rename to windows/configuration/images/mdt-05-fig02.png
diff --git a/windows/configure/images/mdt-05-fig03.png b/windows/configuration/images/mdt-05-fig03.png
similarity index 100%
rename from windows/configure/images/mdt-05-fig03.png
rename to windows/configuration/images/mdt-05-fig03.png
diff --git a/windows/configure/images/mdt-05-fig04.png b/windows/configuration/images/mdt-05-fig04.png
similarity index 100%
rename from windows/configure/images/mdt-05-fig04.png
rename to windows/configuration/images/mdt-05-fig04.png
diff --git a/windows/configure/images/mdt-05-fig05.png b/windows/configuration/images/mdt-05-fig05.png
similarity index 100%
rename from windows/configure/images/mdt-05-fig05.png
rename to windows/configuration/images/mdt-05-fig05.png
diff --git a/windows/configure/images/mdt-05-fig07.png b/windows/configuration/images/mdt-05-fig07.png
similarity index 100%
rename from windows/configure/images/mdt-05-fig07.png
rename to windows/configuration/images/mdt-05-fig07.png
diff --git a/windows/configure/images/mdt-05-fig08.png b/windows/configuration/images/mdt-05-fig08.png
similarity index 100%
rename from windows/configure/images/mdt-05-fig08.png
rename to windows/configuration/images/mdt-05-fig08.png
diff --git a/windows/configure/images/mdt-05-fig09.png b/windows/configuration/images/mdt-05-fig09.png
similarity index 100%
rename from windows/configure/images/mdt-05-fig09.png
rename to windows/configuration/images/mdt-05-fig09.png
diff --git a/windows/configure/images/mdt-05-fig10.png b/windows/configuration/images/mdt-05-fig10.png
similarity index 100%
rename from windows/configure/images/mdt-05-fig10.png
rename to windows/configuration/images/mdt-05-fig10.png
diff --git a/windows/configure/images/mdt-06-fig01.png b/windows/configuration/images/mdt-06-fig01.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig01.png
rename to windows/configuration/images/mdt-06-fig01.png
diff --git a/windows/configure/images/mdt-06-fig03.png b/windows/configuration/images/mdt-06-fig03.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig03.png
rename to windows/configuration/images/mdt-06-fig03.png
diff --git a/windows/configure/images/mdt-06-fig04.png b/windows/configuration/images/mdt-06-fig04.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig04.png
rename to windows/configuration/images/mdt-06-fig04.png
diff --git a/windows/configure/images/mdt-06-fig05.png b/windows/configuration/images/mdt-06-fig05.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig05.png
rename to windows/configuration/images/mdt-06-fig05.png
diff --git a/windows/configure/images/mdt-06-fig06.png b/windows/configuration/images/mdt-06-fig06.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig06.png
rename to windows/configuration/images/mdt-06-fig06.png
diff --git a/windows/configure/images/mdt-06-fig07.png b/windows/configuration/images/mdt-06-fig07.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig07.png
rename to windows/configuration/images/mdt-06-fig07.png
diff --git a/windows/configure/images/mdt-06-fig08.png b/windows/configuration/images/mdt-06-fig08.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig08.png
rename to windows/configuration/images/mdt-06-fig08.png
diff --git a/windows/configure/images/mdt-06-fig10.png b/windows/configuration/images/mdt-06-fig10.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig10.png
rename to windows/configuration/images/mdt-06-fig10.png
diff --git a/windows/configure/images/mdt-06-fig12.png b/windows/configuration/images/mdt-06-fig12.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig12.png
rename to windows/configuration/images/mdt-06-fig12.png
diff --git a/windows/configure/images/mdt-06-fig13.png b/windows/configuration/images/mdt-06-fig13.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig13.png
rename to windows/configuration/images/mdt-06-fig13.png
diff --git a/windows/configure/images/mdt-06-fig14.png b/windows/configuration/images/mdt-06-fig14.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig14.png
rename to windows/configuration/images/mdt-06-fig14.png
diff --git a/windows/configure/images/mdt-06-fig15.png b/windows/configuration/images/mdt-06-fig15.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig15.png
rename to windows/configuration/images/mdt-06-fig15.png
diff --git a/windows/configure/images/mdt-06-fig16.png b/windows/configuration/images/mdt-06-fig16.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig16.png
rename to windows/configuration/images/mdt-06-fig16.png
diff --git a/windows/configure/images/mdt-06-fig20.png b/windows/configuration/images/mdt-06-fig20.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig20.png
rename to windows/configuration/images/mdt-06-fig20.png
diff --git a/windows/configure/images/mdt-06-fig21.png b/windows/configuration/images/mdt-06-fig21.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig21.png
rename to windows/configuration/images/mdt-06-fig21.png
diff --git a/windows/configure/images/mdt-06-fig26.png b/windows/configuration/images/mdt-06-fig26.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig26.png
rename to windows/configuration/images/mdt-06-fig26.png
diff --git a/windows/configure/images/mdt-06-fig31.png b/windows/configuration/images/mdt-06-fig31.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig31.png
rename to windows/configuration/images/mdt-06-fig31.png
diff --git a/windows/configure/images/mdt-06-fig33.png b/windows/configuration/images/mdt-06-fig33.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig33.png
rename to windows/configuration/images/mdt-06-fig33.png
diff --git a/windows/configure/images/mdt-06-fig35.png b/windows/configuration/images/mdt-06-fig35.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig35.png
rename to windows/configuration/images/mdt-06-fig35.png
diff --git a/windows/configure/images/mdt-06-fig36.png b/windows/configuration/images/mdt-06-fig36.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig36.png
rename to windows/configuration/images/mdt-06-fig36.png
diff --git a/windows/configure/images/mdt-06-fig37.png b/windows/configuration/images/mdt-06-fig37.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig37.png
rename to windows/configuration/images/mdt-06-fig37.png
diff --git a/windows/configure/images/mdt-06-fig39.png b/windows/configuration/images/mdt-06-fig39.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig39.png
rename to windows/configuration/images/mdt-06-fig39.png
diff --git a/windows/configure/images/mdt-06-fig42.png b/windows/configuration/images/mdt-06-fig42.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig42.png
rename to windows/configuration/images/mdt-06-fig42.png
diff --git a/windows/configure/images/mdt-06-fig43.png b/windows/configuration/images/mdt-06-fig43.png
similarity index 100%
rename from windows/configure/images/mdt-06-fig43.png
rename to windows/configuration/images/mdt-06-fig43.png
diff --git a/windows/configure/images/mdt-07-fig01.png b/windows/configuration/images/mdt-07-fig01.png
similarity index 100%
rename from windows/configure/images/mdt-07-fig01.png
rename to windows/configuration/images/mdt-07-fig01.png
diff --git a/windows/configure/images/mdt-07-fig03.png b/windows/configuration/images/mdt-07-fig03.png
similarity index 100%
rename from windows/configure/images/mdt-07-fig03.png
rename to windows/configuration/images/mdt-07-fig03.png
diff --git a/windows/configure/images/mdt-07-fig08.png b/windows/configuration/images/mdt-07-fig08.png
similarity index 100%
rename from windows/configure/images/mdt-07-fig08.png
rename to windows/configuration/images/mdt-07-fig08.png
diff --git a/windows/configure/images/mdt-07-fig09.png b/windows/configuration/images/mdt-07-fig09.png
similarity index 100%
rename from windows/configure/images/mdt-07-fig09.png
rename to windows/configuration/images/mdt-07-fig09.png
diff --git a/windows/configure/images/mdt-07-fig10.png b/windows/configuration/images/mdt-07-fig10.png
similarity index 100%
rename from windows/configure/images/mdt-07-fig10.png
rename to windows/configuration/images/mdt-07-fig10.png
diff --git a/windows/configure/images/mdt-07-fig11.png b/windows/configuration/images/mdt-07-fig11.png
similarity index 100%
rename from windows/configure/images/mdt-07-fig11.png
rename to windows/configuration/images/mdt-07-fig11.png
diff --git a/windows/configure/images/mdt-07-fig13.png b/windows/configuration/images/mdt-07-fig13.png
similarity index 100%
rename from windows/configure/images/mdt-07-fig13.png
rename to windows/configuration/images/mdt-07-fig13.png
diff --git a/windows/configure/images/mdt-07-fig14.png b/windows/configuration/images/mdt-07-fig14.png
similarity index 100%
rename from windows/configure/images/mdt-07-fig14.png
rename to windows/configuration/images/mdt-07-fig14.png
diff --git a/windows/configure/images/mdt-07-fig15.png b/windows/configuration/images/mdt-07-fig15.png
similarity index 100%
rename from windows/configure/images/mdt-07-fig15.png
rename to windows/configuration/images/mdt-07-fig15.png
diff --git a/windows/configure/images/mdt-07-fig16.png b/windows/configuration/images/mdt-07-fig16.png
similarity index 100%
rename from windows/configure/images/mdt-07-fig16.png
rename to windows/configuration/images/mdt-07-fig16.png
diff --git a/windows/configure/images/mdt-08-fig01.png b/windows/configuration/images/mdt-08-fig01.png
similarity index 100%
rename from windows/configure/images/mdt-08-fig01.png
rename to windows/configuration/images/mdt-08-fig01.png
diff --git a/windows/configure/images/mdt-08-fig02.png b/windows/configuration/images/mdt-08-fig02.png
similarity index 100%
rename from windows/configure/images/mdt-08-fig02.png
rename to windows/configuration/images/mdt-08-fig02.png
diff --git a/windows/configure/images/mdt-08-fig03.png b/windows/configuration/images/mdt-08-fig03.png
similarity index 100%
rename from windows/configure/images/mdt-08-fig03.png
rename to windows/configuration/images/mdt-08-fig03.png
diff --git a/windows/configure/images/mdt-08-fig05.png b/windows/configuration/images/mdt-08-fig05.png
similarity index 100%
rename from windows/configure/images/mdt-08-fig05.png
rename to windows/configuration/images/mdt-08-fig05.png
diff --git a/windows/configure/images/mdt-08-fig06.png b/windows/configuration/images/mdt-08-fig06.png
similarity index 100%
rename from windows/configure/images/mdt-08-fig06.png
rename to windows/configuration/images/mdt-08-fig06.png
diff --git a/windows/configure/images/mdt-08-fig14.png b/windows/configuration/images/mdt-08-fig14.png
similarity index 100%
rename from windows/configure/images/mdt-08-fig14.png
rename to windows/configuration/images/mdt-08-fig14.png
diff --git a/windows/configure/images/mdt-08-fig15.png b/windows/configuration/images/mdt-08-fig15.png
similarity index 100%
rename from windows/configure/images/mdt-08-fig15.png
rename to windows/configuration/images/mdt-08-fig15.png
diff --git a/windows/configure/images/mdt-09-fig01.png b/windows/configuration/images/mdt-09-fig01.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig01.png
rename to windows/configuration/images/mdt-09-fig01.png
diff --git a/windows/configure/images/mdt-09-fig02.png b/windows/configuration/images/mdt-09-fig02.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig02.png
rename to windows/configuration/images/mdt-09-fig02.png
diff --git a/windows/configure/images/mdt-09-fig03.png b/windows/configuration/images/mdt-09-fig03.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig03.png
rename to windows/configuration/images/mdt-09-fig03.png
diff --git a/windows/configure/images/mdt-09-fig04.png b/windows/configuration/images/mdt-09-fig04.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig04.png
rename to windows/configuration/images/mdt-09-fig04.png
diff --git a/windows/configure/images/mdt-09-fig06.png b/windows/configuration/images/mdt-09-fig06.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig06.png
rename to windows/configuration/images/mdt-09-fig06.png
diff --git a/windows/configure/images/mdt-09-fig07.png b/windows/configuration/images/mdt-09-fig07.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig07.png
rename to windows/configuration/images/mdt-09-fig07.png
diff --git a/windows/configure/images/mdt-09-fig08.png b/windows/configuration/images/mdt-09-fig08.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig08.png
rename to windows/configuration/images/mdt-09-fig08.png
diff --git a/windows/configure/images/mdt-09-fig09.png b/windows/configuration/images/mdt-09-fig09.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig09.png
rename to windows/configuration/images/mdt-09-fig09.png
diff --git a/windows/configure/images/mdt-09-fig10.png b/windows/configuration/images/mdt-09-fig10.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig10.png
rename to windows/configuration/images/mdt-09-fig10.png
diff --git a/windows/configure/images/mdt-09-fig11.png b/windows/configuration/images/mdt-09-fig11.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig11.png
rename to windows/configuration/images/mdt-09-fig11.png
diff --git a/windows/configure/images/mdt-09-fig12.png b/windows/configuration/images/mdt-09-fig12.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig12.png
rename to windows/configuration/images/mdt-09-fig12.png
diff --git a/windows/configure/images/mdt-09-fig13.png b/windows/configuration/images/mdt-09-fig13.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig13.png
rename to windows/configuration/images/mdt-09-fig13.png
diff --git a/windows/configure/images/mdt-09-fig14.png b/windows/configuration/images/mdt-09-fig14.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig14.png
rename to windows/configuration/images/mdt-09-fig14.png
diff --git a/windows/configure/images/mdt-09-fig15.png b/windows/configuration/images/mdt-09-fig15.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig15.png
rename to windows/configuration/images/mdt-09-fig15.png
diff --git a/windows/configure/images/mdt-09-fig16.png b/windows/configuration/images/mdt-09-fig16.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig16.png
rename to windows/configuration/images/mdt-09-fig16.png
diff --git a/windows/configure/images/mdt-09-fig17.png b/windows/configuration/images/mdt-09-fig17.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig17.png
rename to windows/configuration/images/mdt-09-fig17.png
diff --git a/windows/configure/images/mdt-09-fig18.png b/windows/configuration/images/mdt-09-fig18.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig18.png
rename to windows/configuration/images/mdt-09-fig18.png
diff --git a/windows/configure/images/mdt-09-fig19.png b/windows/configuration/images/mdt-09-fig19.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig19.png
rename to windows/configuration/images/mdt-09-fig19.png
diff --git a/windows/configure/images/mdt-09-fig20.png b/windows/configuration/images/mdt-09-fig20.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig20.png
rename to windows/configuration/images/mdt-09-fig20.png
diff --git a/windows/configure/images/mdt-09-fig21.png b/windows/configuration/images/mdt-09-fig21.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig21.png
rename to windows/configuration/images/mdt-09-fig21.png
diff --git a/windows/configure/images/mdt-09-fig22.png b/windows/configuration/images/mdt-09-fig22.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig22.png
rename to windows/configuration/images/mdt-09-fig22.png
diff --git a/windows/configure/images/mdt-09-fig23.png b/windows/configuration/images/mdt-09-fig23.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig23.png
rename to windows/configuration/images/mdt-09-fig23.png
diff --git a/windows/configure/images/mdt-09-fig24.png b/windows/configuration/images/mdt-09-fig24.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig24.png
rename to windows/configuration/images/mdt-09-fig24.png
diff --git a/windows/configure/images/mdt-09-fig25.png b/windows/configuration/images/mdt-09-fig25.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig25.png
rename to windows/configuration/images/mdt-09-fig25.png
diff --git a/windows/configure/images/mdt-09-fig26.png b/windows/configuration/images/mdt-09-fig26.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig26.png
rename to windows/configuration/images/mdt-09-fig26.png
diff --git a/windows/configure/images/mdt-09-fig27.png b/windows/configuration/images/mdt-09-fig27.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig27.png
rename to windows/configuration/images/mdt-09-fig27.png
diff --git a/windows/configure/images/mdt-09-fig28.png b/windows/configuration/images/mdt-09-fig28.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig28.png
rename to windows/configuration/images/mdt-09-fig28.png
diff --git a/windows/configure/images/mdt-09-fig29.png b/windows/configuration/images/mdt-09-fig29.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig29.png
rename to windows/configuration/images/mdt-09-fig29.png
diff --git a/windows/configure/images/mdt-09-fig30.png b/windows/configuration/images/mdt-09-fig30.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig30.png
rename to windows/configuration/images/mdt-09-fig30.png
diff --git a/windows/configure/images/mdt-09-fig31.png b/windows/configuration/images/mdt-09-fig31.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig31.png
rename to windows/configuration/images/mdt-09-fig31.png
diff --git a/windows/configure/images/mdt-09-fig32.png b/windows/configuration/images/mdt-09-fig32.png
similarity index 100%
rename from windows/configure/images/mdt-09-fig32.png
rename to windows/configuration/images/mdt-09-fig32.png
diff --git a/windows/configure/images/mdt-10-fig01.png b/windows/configuration/images/mdt-10-fig01.png
similarity index 100%
rename from windows/configure/images/mdt-10-fig01.png
rename to windows/configuration/images/mdt-10-fig01.png
diff --git a/windows/configure/images/mdt-10-fig02.png b/windows/configuration/images/mdt-10-fig02.png
similarity index 100%
rename from windows/configure/images/mdt-10-fig02.png
rename to windows/configuration/images/mdt-10-fig02.png
diff --git a/windows/configure/images/mdt-10-fig03.png b/windows/configuration/images/mdt-10-fig03.png
similarity index 100%
rename from windows/configure/images/mdt-10-fig03.png
rename to windows/configuration/images/mdt-10-fig03.png
diff --git a/windows/configure/images/mdt-10-fig04.png b/windows/configuration/images/mdt-10-fig04.png
similarity index 100%
rename from windows/configure/images/mdt-10-fig04.png
rename to windows/configuration/images/mdt-10-fig04.png
diff --git a/windows/configure/images/mdt-10-fig05.png b/windows/configuration/images/mdt-10-fig05.png
similarity index 100%
rename from windows/configure/images/mdt-10-fig05.png
rename to windows/configuration/images/mdt-10-fig05.png
diff --git a/windows/configure/images/mdt-10-fig06.png b/windows/configuration/images/mdt-10-fig06.png
similarity index 100%
rename from windows/configure/images/mdt-10-fig06.png
rename to windows/configuration/images/mdt-10-fig06.png
diff --git a/windows/configure/images/mdt-10-fig07.png b/windows/configuration/images/mdt-10-fig07.png
similarity index 100%
rename from windows/configure/images/mdt-10-fig07.png
rename to windows/configuration/images/mdt-10-fig07.png
diff --git a/windows/configure/images/mdt-10-fig08.png b/windows/configuration/images/mdt-10-fig08.png
similarity index 100%
rename from windows/configure/images/mdt-10-fig08.png
rename to windows/configuration/images/mdt-10-fig08.png
diff --git a/windows/configure/images/mdt-10-fig09.png b/windows/configuration/images/mdt-10-fig09.png
similarity index 100%
rename from windows/configure/images/mdt-10-fig09.png
rename to windows/configuration/images/mdt-10-fig09.png
diff --git a/windows/configure/images/mdt-11-fig05.png b/windows/configuration/images/mdt-11-fig05.png
similarity index 100%
rename from windows/configure/images/mdt-11-fig05.png
rename to windows/configuration/images/mdt-11-fig05.png
diff --git a/windows/configure/images/mdt-11-fig06.png b/windows/configuration/images/mdt-11-fig06.png
similarity index 100%
rename from windows/configure/images/mdt-11-fig06.png
rename to windows/configuration/images/mdt-11-fig06.png
diff --git a/windows/configure/images/mdt-11-fig07.png b/windows/configuration/images/mdt-11-fig07.png
similarity index 100%
rename from windows/configure/images/mdt-11-fig07.png
rename to windows/configuration/images/mdt-11-fig07.png
diff --git a/windows/configure/images/mdt-11-fig08.png b/windows/configuration/images/mdt-11-fig08.png
similarity index 100%
rename from windows/configure/images/mdt-11-fig08.png
rename to windows/configuration/images/mdt-11-fig08.png
diff --git a/windows/configure/images/mdt-11-fig09.png b/windows/configuration/images/mdt-11-fig09.png
similarity index 100%
rename from windows/configure/images/mdt-11-fig09.png
rename to windows/configuration/images/mdt-11-fig09.png
diff --git a/windows/configure/images/mdt-11-fig10.png b/windows/configuration/images/mdt-11-fig10.png
similarity index 100%
rename from windows/configure/images/mdt-11-fig10.png
rename to windows/configuration/images/mdt-11-fig10.png
diff --git a/windows/configure/images/mdt-11-fig11.png b/windows/configuration/images/mdt-11-fig11.png
similarity index 100%
rename from windows/configure/images/mdt-11-fig11.png
rename to windows/configuration/images/mdt-11-fig11.png
diff --git a/windows/configure/images/mdt-11-fig12.png b/windows/configuration/images/mdt-11-fig12.png
similarity index 100%
rename from windows/configure/images/mdt-11-fig12.png
rename to windows/configuration/images/mdt-11-fig12.png
diff --git a/windows/configure/images/mdt-11-fig13.png b/windows/configuration/images/mdt-11-fig13.png
similarity index 100%
rename from windows/configure/images/mdt-11-fig13.png
rename to windows/configuration/images/mdt-11-fig13.png
diff --git a/windows/configure/images/mdt-11-fig14.png b/windows/configuration/images/mdt-11-fig14.png
similarity index 100%
rename from windows/configure/images/mdt-11-fig14.png
rename to windows/configuration/images/mdt-11-fig14.png
diff --git a/windows/configure/images/mdt-11-fig15.png b/windows/configuration/images/mdt-11-fig15.png
similarity index 100%
rename from windows/configure/images/mdt-11-fig15.png
rename to windows/configuration/images/mdt-11-fig15.png
diff --git a/windows/configure/images/mdt-11-fig16.png b/windows/configuration/images/mdt-11-fig16.png
similarity index 100%
rename from windows/configure/images/mdt-11-fig16.png
rename to windows/configuration/images/mdt-11-fig16.png
diff --git a/windows/configure/images/mobile-start-layout.png b/windows/configuration/images/mobile-start-layout.png
similarity index 100%
rename from windows/configure/images/mobile-start-layout.png
rename to windows/configuration/images/mobile-start-layout.png
diff --git a/windows/configure/images/multi-target.png b/windows/configuration/images/multi-target.png
similarity index 100%
rename from windows/configure/images/multi-target.png
rename to windows/configuration/images/multi-target.png
diff --git a/windows/configure/images/nfc.png b/windows/configuration/images/nfc.png
similarity index 100%
rename from windows/configure/images/nfc.png
rename to windows/configuration/images/nfc.png
diff --git a/windows/configure/images/oma-uri-shared-pc.png b/windows/configuration/images/oma-uri-shared-pc.png
similarity index 100%
rename from windows/configure/images/oma-uri-shared-pc.png
rename to windows/configuration/images/oma-uri-shared-pc.png
diff --git a/windows/configure/images/one.png b/windows/configuration/images/one.png
similarity index 100%
rename from windows/configure/images/one.png
rename to windows/configuration/images/one.png
diff --git a/windows/configuration/images/oobe.jpg b/windows/configuration/images/oobe.jpg
new file mode 100644
index 0000000000..2e700971c1
Binary files /dev/null and b/windows/configuration/images/oobe.jpg differ
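Review bot: oobe.jpg is added as a new binary (index 0000000000..2e700971c1) with no rename source, so the diff shows neither its content nor the page that uses it; setupmsg.jpg further down is added the same way. Please confirm in the PR description which topic references each image, and check both screenshots for account names, tenant names or other environment details before they are published.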
diff --git a/windows/configure/images/package-trust.png b/windows/configuration/images/package-trust.png
similarity index 100%
rename from windows/configure/images/package-trust.png
rename to windows/configuration/images/package-trust.png
diff --git a/windows/configure/images/package.png b/windows/configuration/images/package.png
similarity index 100%
rename from windows/configure/images/package.png
rename to windows/configuration/images/package.png
diff --git a/windows/manage/images/packageaddfileandregistrydata-global.png b/windows/configuration/images/packageaddfileandregistrydata-global.png
similarity index 100%
rename from windows/manage/images/packageaddfileandregistrydata-global.png
rename to windows/configuration/images/packageaddfileandregistrydata-global.png
diff --git a/windows/manage/images/packageaddfileandregistrydata-stream.png b/windows/configuration/images/packageaddfileandregistrydata-stream.png
similarity index 100%
rename from windows/manage/images/packageaddfileandregistrydata-stream.png
rename to windows/configuration/images/packageaddfileandregistrydata-stream.png
diff --git a/windows/manage/images/packageaddfileandregistrydata.png b/windows/configuration/images/packageaddfileandregistrydata.png
similarity index 100%
rename from windows/manage/images/packageaddfileandregistrydata.png
rename to windows/configuration/images/packageaddfileandregistrydata.png
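Review bot: the three packageaddfileandregistrydata*.png entries are renamed from windows/manage/images, not from windows/configure/images like the surrounding files (rdp.png further down has the same source), so the pages under windows/manage that embed them will lose their images unless those pages move or have their links updated in this same change. Please confirm the referencing topics are part of this move, or keep a copy in windows/manage/images.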
diff --git a/windows/configure/images/packages-mobile.png b/windows/configuration/images/packages-mobile.png
similarity index 100%
rename from windows/configure/images/packages-mobile.png
rename to windows/configuration/images/packages-mobile.png
diff --git a/windows/configure/images/phoneprovision.png b/windows/configuration/images/phoneprovision.png
similarity index 100%
rename from windows/configure/images/phoneprovision.png
rename to windows/configuration/images/phoneprovision.png
diff --git a/windows/configure/images/policytocsp.png b/windows/configuration/images/policytocsp.png
similarity index 100%
rename from windows/configure/images/policytocsp.png
rename to windows/configuration/images/policytocsp.png
diff --git a/windows/configure/images/powericon.png b/windows/configuration/images/powericon.png
similarity index 100%
rename from windows/configure/images/powericon.png
rename to windows/configuration/images/powericon.png
diff --git a/windows/configure/images/priv-telemetry-levels.png b/windows/configuration/images/priv-telemetry-levels.png
similarity index 100%
rename from windows/configure/images/priv-telemetry-levels.png
rename to windows/configuration/images/priv-telemetry-levels.png
diff --git a/windows/configure/images/prov.jpg b/windows/configuration/images/prov.jpg
similarity index 100%
rename from windows/configure/images/prov.jpg
rename to windows/configuration/images/prov.jpg
diff --git a/windows/configure/images/provisioning-csp-assignedaccess.png b/windows/configuration/images/provisioning-csp-assignedaccess.png
similarity index 100%
rename from windows/configure/images/provisioning-csp-assignedaccess.png
rename to windows/configuration/images/provisioning-csp-assignedaccess.png
diff --git a/windows/manage/images/rdp.png b/windows/configuration/images/rdp.png
similarity index 100%
rename from windows/manage/images/rdp.png
rename to windows/configuration/images/rdp.png
diff --git a/windows/configure/images/resetdevice.png b/windows/configuration/images/resetdevice.png
similarity index 100%
rename from windows/configure/images/resetdevice.png
rename to windows/configuration/images/resetdevice.png
diff --git a/windows/configure/images/scanos.PNG b/windows/configuration/images/scanos.PNG
similarity index 100%
rename from windows/configure/images/scanos.PNG
rename to windows/configuration/images/scanos.PNG
diff --git a/windows/configure/images/sccm-asset.PNG b/windows/configuration/images/sccm-asset.PNG
similarity index 100%
rename from windows/configure/images/sccm-asset.PNG
rename to windows/configuration/images/sccm-asset.PNG
diff --git a/windows/configure/images/sccm-assets.PNG b/windows/configuration/images/sccm-assets.PNG
similarity index 100%
rename from windows/configure/images/sccm-assets.PNG
rename to windows/configuration/images/sccm-assets.PNG
diff --git a/windows/configure/images/sccm-client.PNG b/windows/configuration/images/sccm-client.PNG
similarity index 100%
rename from windows/configure/images/sccm-client.PNG
rename to windows/configuration/images/sccm-client.PNG
diff --git a/windows/configure/images/sccm-collection.PNG b/windows/configuration/images/sccm-collection.PNG
similarity index 100%
rename from windows/configure/images/sccm-collection.PNG
rename to windows/configuration/images/sccm-collection.PNG
diff --git a/windows/configure/images/sccm-install-os.PNG b/windows/configuration/images/sccm-install-os.PNG
similarity index 100%
rename from windows/configure/images/sccm-install-os.PNG
rename to windows/configuration/images/sccm-install-os.PNG
diff --git a/windows/configure/images/sccm-post-refresh.PNG b/windows/configuration/images/sccm-post-refresh.PNG
similarity index 100%
rename from windows/configure/images/sccm-post-refresh.PNG
rename to windows/configuration/images/sccm-post-refresh.PNG
diff --git a/windows/configure/images/sccm-pxe.PNG b/windows/configuration/images/sccm-pxe.PNG
similarity index 100%
rename from windows/configure/images/sccm-pxe.PNG
rename to windows/configuration/images/sccm-pxe.PNG
diff --git a/windows/configure/images/sccm-site.PNG b/windows/configuration/images/sccm-site.PNG
similarity index 100%
rename from windows/configure/images/sccm-site.PNG
rename to windows/configuration/images/sccm-site.PNG
diff --git a/windows/configure/images/sccm-software-cntr.PNG b/windows/configuration/images/sccm-software-cntr.PNG
similarity index 100%
rename from windows/configure/images/sccm-software-cntr.PNG
rename to windows/configuration/images/sccm-software-cntr.PNG
diff --git a/windows/configure/images/sec-bios.png b/windows/configuration/images/sec-bios.png
similarity index 100%
rename from windows/configure/images/sec-bios.png
rename to windows/configuration/images/sec-bios.png
diff --git a/windows/configure/images/set-up-device-details-desktop.PNG b/windows/configuration/images/set-up-device-details-desktop.PNG
similarity index 100%
rename from windows/configure/images/set-up-device-details-desktop.PNG
rename to windows/configuration/images/set-up-device-details-desktop.PNG
diff --git a/windows/configure/images/set-up-device-details-mobile.PNG b/windows/configuration/images/set-up-device-details-mobile.PNG
similarity index 100%
rename from windows/configure/images/set-up-device-details-mobile.PNG
rename to windows/configuration/images/set-up-device-details-mobile.PNG
diff --git a/windows/configure/images/set-up-device-details.PNG b/windows/configuration/images/set-up-device-details.PNG
similarity index 100%
rename from windows/configure/images/set-up-device-details.PNG
rename to windows/configuration/images/set-up-device-details.PNG
diff --git a/windows/configure/images/set-up-device-mobile.PNG b/windows/configuration/images/set-up-device-mobile.PNG
similarity index 100%
rename from windows/configure/images/set-up-device-mobile.PNG
rename to windows/configuration/images/set-up-device-mobile.PNG
diff --git a/devices/surface-hub/images/set-up-device.PNG b/windows/configuration/images/set-up-device.PNG
similarity index 100%
rename from devices/surface-hub/images/set-up-device.PNG
rename to windows/configuration/images/set-up-device.PNG
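Review bot: the "rename from" here is devices/surface-hub/images/set-up-device.PNG, a different doc set from the windows/configure source of the other set-up-device-* images, and set-up-network.PNG below is taken from the same place. A rename deletes the Surface Hub copy, so any Surface Hub page that still links images/set-up-device.PNG will break. If the Surface Hub docs still need it, this should be a copy into windows/configuration/images, not a move; otherwise please confirm that removing it from devices/surface-hub is intended.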
diff --git a/windows/configure/images/set-up-network-details-desktop.PNG b/windows/configuration/images/set-up-network-details-desktop.PNG
similarity index 100%
rename from windows/configure/images/set-up-network-details-desktop.PNG
rename to windows/configuration/images/set-up-network-details-desktop.PNG
diff --git a/windows/configure/images/set-up-network-details-mobile.PNG b/windows/configuration/images/set-up-network-details-mobile.PNG
similarity index 100%
rename from windows/configure/images/set-up-network-details-mobile.PNG
rename to windows/configuration/images/set-up-network-details-mobile.PNG
diff --git a/windows/configure/images/set-up-network-details.PNG b/windows/configuration/images/set-up-network-details.PNG
similarity index 100%
rename from windows/configure/images/set-up-network-details.PNG
rename to windows/configuration/images/set-up-network-details.PNG
diff --git a/windows/configure/images/set-up-network-mobile.PNG b/windows/configuration/images/set-up-network-mobile.PNG
similarity index 100%
rename from windows/configure/images/set-up-network-mobile.PNG
rename to windows/configuration/images/set-up-network-mobile.PNG
diff --git a/devices/surface-hub/images/set-up-network.PNG b/windows/configuration/images/set-up-network.PNG
similarity index 100%
rename from devices/surface-hub/images/set-up-network.PNG
rename to windows/configuration/images/set-up-network.PNG
diff --git a/windows/configure/images/settings-table.png b/windows/configuration/images/settings-table.png
similarity index 100%
rename from windows/configure/images/settings-table.png
rename to windows/configuration/images/settings-table.png
diff --git a/windows/configure/images/settingsicon.png b/windows/configuration/images/settingsicon.png
similarity index 100%
rename from windows/configure/images/settingsicon.png
rename to windows/configuration/images/settingsicon.png
diff --git a/windows/configuration/images/setupmsg.jpg b/windows/configuration/images/setupmsg.jpg
new file mode 100644
index 0000000000..06348dd2b8
Binary files /dev/null and b/windows/configuration/images/setupmsg.jpg differ
diff --git a/windows/configure/images/seven.png b/windows/configuration/images/seven.png
similarity index 100%
rename from windows/configure/images/seven.png
rename to windows/configuration/images/seven.png
diff --git a/windows/configure/images/show-more-tiles.png b/windows/configuration/images/show-more-tiles.png
similarity index 100%
rename from windows/configure/images/show-more-tiles.png
rename to windows/configuration/images/show-more-tiles.png
diff --git a/windows/configure/images/sign-in-prov.png b/windows/configuration/images/sign-in-prov.png
similarity index 100%
rename from windows/configure/images/sign-in-prov.png
rename to windows/configuration/images/sign-in-prov.png
diff --git a/windows/configure/images/six.png b/windows/configuration/images/six.png
similarity index 100%
rename from windows/configure/images/six.png
rename to windows/configuration/images/six.png
diff --git a/windows/configure/images/spotlight.png b/windows/configuration/images/spotlight.png
similarity index 100%
rename from windows/configure/images/spotlight.png
rename to windows/configuration/images/spotlight.png
diff --git a/windows/configure/images/spotlight2.png b/windows/configuration/images/spotlight2.png
similarity index 100%
rename from windows/configure/images/spotlight2.png
rename to windows/configuration/images/spotlight2.png
diff --git a/windows/configure/images/start-pinned-app.png b/windows/configuration/images/start-pinned-app.png
similarity index 100%
rename from windows/configure/images/start-pinned-app.png
rename to windows/configuration/images/start-pinned-app.png
diff --git a/windows/configure/images/start-screen-size.png b/windows/configuration/images/start-screen-size.png
similarity index 100%
rename from windows/configure/images/start-screen-size.png
rename to windows/configuration/images/start-screen-size.png
diff --git a/windows/configure/images/startannotated.png b/windows/configuration/images/startannotated.png
similarity index 100%
rename from windows/configure/images/startannotated.png
rename to windows/configuration/images/startannotated.png
diff --git a/windows/configure/images/starticon.png b/windows/configuration/images/starticon.png
similarity index 100%
rename from windows/configure/images/starticon.png
rename to windows/configuration/images/starticon.png
diff --git a/windows/configure/images/startlayoutpolicy.jpg b/windows/configuration/images/startlayoutpolicy.jpg
similarity index 100%
rename from windows/configure/images/startlayoutpolicy.jpg
rename to windows/configuration/images/startlayoutpolicy.jpg
diff --git a/windows/configure/images/starttemplate.jpg b/windows/configuration/images/starttemplate.jpg
similarity index 100%
rename from windows/configure/images/starttemplate.jpg
rename to windows/configuration/images/starttemplate.jpg
diff --git a/windows/configure/images/svr_mgr2.png b/windows/configuration/images/svr_mgr2.png
similarity index 100%
rename from windows/configure/images/svr_mgr2.png
rename to windows/configuration/images/svr_mgr2.png
diff --git a/windows/manage/images/sysprep-error.png b/windows/configuration/images/sysprep-error.png
similarity index 100%
rename from windows/manage/images/sysprep-error.png
rename to windows/configuration/images/sysprep-error.png
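Review bot: Confirm that the pages under windows/manage that embed images/sysprep-error.png are moved or have their links updated in the same change. The rename source here is windows/manage/images/, the one entry in this part of the diff that comes from that directory, and after the rename the file no longer exists there.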
diff --git a/windows/configure/images/taskbar-blank.png b/windows/configuration/images/taskbar-blank.png
similarity index 100%
rename from windows/configure/images/taskbar-blank.png
rename to windows/configuration/images/taskbar-blank.png
diff --git a/windows/configure/images/taskbar-default-plus.png b/windows/configuration/images/taskbar-default-plus.png
similarity index 100%
rename from windows/configure/images/taskbar-default-plus.png
rename to windows/configuration/images/taskbar-default-plus.png
diff --git a/windows/configure/images/taskbar-default-removed.png b/windows/configuration/images/taskbar-default-removed.png
similarity index 100%
rename from windows/configure/images/taskbar-default-removed.png
rename to windows/configuration/images/taskbar-default-removed.png
diff --git a/windows/configure/images/taskbar-default.png b/windows/configuration/images/taskbar-default.png
similarity index 100%
rename from windows/configure/images/taskbar-default.png
rename to windows/configuration/images/taskbar-default.png
diff --git a/windows/configure/images/taskbar-generic.png b/windows/configuration/images/taskbar-generic.png
similarity index 100%
rename from windows/configure/images/taskbar-generic.png
rename to windows/configuration/images/taskbar-generic.png
diff --git a/windows/configure/images/taskbar-region-defr.png b/windows/configuration/images/taskbar-region-defr.png
similarity index 100%
rename from windows/configure/images/taskbar-region-defr.png
rename to windows/configuration/images/taskbar-region-defr.png
diff --git a/windows/configure/images/taskbar-region-other.png b/windows/configuration/images/taskbar-region-other.png
similarity index 100%
rename from windows/configure/images/taskbar-region-other.png
rename to windows/configuration/images/taskbar-region-other.png
diff --git a/windows/configure/images/taskbar-region-usuk.png b/windows/configuration/images/taskbar-region-usuk.png
similarity index 100%
rename from windows/configure/images/taskbar-region-usuk.png
rename to windows/configuration/images/taskbar-region-usuk.png
diff --git a/windows/configure/images/taskbarSTARTERBLANK.png b/windows/configuration/images/taskbarSTARTERBLANK.png
similarity index 100%
rename from windows/configure/images/taskbarSTARTERBLANK.png
rename to windows/configuration/images/taskbarSTARTERBLANK.png
diff --git a/devices/surface-hub/images/three.png b/windows/configuration/images/three.png
similarity index 100%
rename from devices/surface-hub/images/three.png
rename to windows/configuration/images/three.png
diff --git a/windows/configure/images/trust-package.png b/windows/configuration/images/trust-package.png
similarity index 100%
rename from windows/configure/images/trust-package.png
rename to windows/configuration/images/trust-package.png
diff --git a/windows/configure/images/twain.png b/windows/configuration/images/twain.png
similarity index 100%
rename from windows/configure/images/twain.png
rename to windows/configuration/images/twain.png
diff --git a/devices/surface-hub/images/two.png b/windows/configuration/images/two.png
similarity index 100%
rename from devices/surface-hub/images/two.png
rename to windows/configuration/images/two.png
diff --git a/windows/configure/images/ua-cg-01.png b/windows/configuration/images/ua-cg-01.png
similarity index 100%
rename from windows/configure/images/ua-cg-01.png
rename to windows/configuration/images/ua-cg-01.png
diff --git a/windows/configure/images/ua-cg-02.png b/windows/configuration/images/ua-cg-02.png
similarity index 100%
rename from windows/configure/images/ua-cg-02.png
rename to windows/configuration/images/ua-cg-02.png
diff --git a/windows/configure/images/ua-cg-03.png b/windows/configuration/images/ua-cg-03.png
similarity index 100%
rename from windows/configure/images/ua-cg-03.png
rename to windows/configuration/images/ua-cg-03.png
diff --git a/windows/configure/images/ua-cg-04.png b/windows/configuration/images/ua-cg-04.png
similarity index 100%
rename from windows/configure/images/ua-cg-04.png
rename to windows/configuration/images/ua-cg-04.png
diff --git a/windows/configure/images/ua-cg-05.png b/windows/configuration/images/ua-cg-05.png
similarity index 100%
rename from windows/configure/images/ua-cg-05.png
rename to windows/configuration/images/ua-cg-05.png
diff --git a/windows/configure/images/ua-cg-06.png b/windows/configuration/images/ua-cg-06.png
similarity index 100%
rename from windows/configure/images/ua-cg-06.png
rename to windows/configuration/images/ua-cg-06.png
diff --git a/windows/configure/images/ua-cg-07.png b/windows/configuration/images/ua-cg-07.png
similarity index 100%
rename from windows/configure/images/ua-cg-07.png
rename to windows/configuration/images/ua-cg-07.png
diff --git a/windows/configure/images/ua-cg-08.png b/windows/configuration/images/ua-cg-08.png
similarity index 100%
rename from windows/configure/images/ua-cg-08.png
rename to windows/configuration/images/ua-cg-08.png
diff --git a/windows/configure/images/ua-cg-09.png b/windows/configuration/images/ua-cg-09.png
similarity index 100%
rename from windows/configure/images/ua-cg-09.png
rename to windows/configuration/images/ua-cg-09.png
diff --git a/windows/configure/images/ua-cg-10.png b/windows/configuration/images/ua-cg-10.png
similarity index 100%
rename from windows/configure/images/ua-cg-10.png
rename to windows/configuration/images/ua-cg-10.png
diff --git a/windows/configure/images/ua-cg-11.png b/windows/configuration/images/ua-cg-11.png
similarity index 100%
rename from windows/configure/images/ua-cg-11.png
rename to windows/configuration/images/ua-cg-11.png
diff --git a/windows/configure/images/ua-cg-12.png b/windows/configuration/images/ua-cg-12.png
similarity index 100%
rename from windows/configure/images/ua-cg-12.png
rename to windows/configuration/images/ua-cg-12.png
diff --git a/windows/configure/images/ua-cg-13.png b/windows/configuration/images/ua-cg-13.png
similarity index 100%
rename from windows/configure/images/ua-cg-13.png
rename to windows/configuration/images/ua-cg-13.png
diff --git a/windows/configure/images/ua-cg-14.png b/windows/configuration/images/ua-cg-14.png
similarity index 100%
rename from windows/configure/images/ua-cg-14.png
rename to windows/configuration/images/ua-cg-14.png
diff --git a/windows/configure/images/ua-cg-15.png b/windows/configuration/images/ua-cg-15.png
similarity index 100%
rename from windows/configure/images/ua-cg-15.png
rename to windows/configuration/images/ua-cg-15.png
diff --git a/windows/configure/images/ua-cg-16.png b/windows/configuration/images/ua-cg-16.png
similarity index 100%
rename from windows/configure/images/ua-cg-16.png
rename to windows/configuration/images/ua-cg-16.png
diff --git a/windows/configure/images/ua-cg-17.png b/windows/configuration/images/ua-cg-17.png
similarity index 100%
rename from windows/configure/images/ua-cg-17.png
rename to windows/configuration/images/ua-cg-17.png
diff --git a/windows/configure/images/uc-01.png b/windows/configuration/images/uc-01.png
similarity index 100%
rename from windows/configure/images/uc-01.png
rename to windows/configuration/images/uc-01.png
diff --git a/windows/configure/images/uc-02.png b/windows/configuration/images/uc-02.png
similarity index 100%
rename from windows/configure/images/uc-02.png
rename to windows/configuration/images/uc-02.png
diff --git a/windows/configure/images/uc-02a.png b/windows/configuration/images/uc-02a.png
similarity index 100%
rename from windows/configure/images/uc-02a.png
rename to windows/configuration/images/uc-02a.png
diff --git a/windows/configure/images/uc-03.png b/windows/configuration/images/uc-03.png
similarity index 100%
rename from windows/configure/images/uc-03.png
rename to windows/configuration/images/uc-03.png
diff --git a/windows/configure/images/uc-03a.png b/windows/configuration/images/uc-03a.png
similarity index 100%
rename from windows/configure/images/uc-03a.png
rename to windows/configuration/images/uc-03a.png
diff --git a/windows/configure/images/uc-04.png b/windows/configuration/images/uc-04.png
similarity index 100%
rename from windows/configure/images/uc-04.png
rename to windows/configuration/images/uc-04.png
diff --git a/windows/configure/images/uc-04a.png b/windows/configuration/images/uc-04a.png
similarity index 100%
rename from windows/configure/images/uc-04a.png
rename to windows/configuration/images/uc-04a.png
diff --git a/windows/configure/images/uc-05.png b/windows/configuration/images/uc-05.png
similarity index 100%
rename from windows/configure/images/uc-05.png
rename to windows/configuration/images/uc-05.png
diff --git a/windows/configure/images/uc-05a.png b/windows/configuration/images/uc-05a.png
similarity index 100%
rename from windows/configure/images/uc-05a.png
rename to windows/configuration/images/uc-05a.png
diff --git a/windows/configure/images/uc-06.png b/windows/configuration/images/uc-06.png
similarity index 100%
rename from windows/configure/images/uc-06.png
rename to windows/configuration/images/uc-06.png
diff --git a/windows/configure/images/uc-06a.png b/windows/configuration/images/uc-06a.png
similarity index 100%
rename from windows/configure/images/uc-06a.png
rename to windows/configuration/images/uc-06a.png
diff --git a/windows/configure/images/uc-07.png b/windows/configuration/images/uc-07.png
similarity index 100%
rename from windows/configure/images/uc-07.png
rename to windows/configuration/images/uc-07.png
diff --git a/windows/configure/images/uc-07a.png b/windows/configuration/images/uc-07a.png
similarity index 100%
rename from windows/configure/images/uc-07a.png
rename to windows/configuration/images/uc-07a.png
diff --git a/windows/configure/images/uc-08.png b/windows/configuration/images/uc-08.png
similarity index 100%
rename from windows/configure/images/uc-08.png
rename to windows/configuration/images/uc-08.png
diff --git a/windows/configure/images/uc-08a.png b/windows/configuration/images/uc-08a.png
similarity index 100%
rename from windows/configure/images/uc-08a.png
rename to windows/configuration/images/uc-08a.png
diff --git a/windows/configure/images/uc-09.png b/windows/configuration/images/uc-09.png
similarity index 100%
rename from windows/configure/images/uc-09.png
rename to windows/configuration/images/uc-09.png
diff --git a/windows/configure/images/uc-09a.png b/windows/configuration/images/uc-09a.png
similarity index 100%
rename from windows/configure/images/uc-09a.png
rename to windows/configuration/images/uc-09a.png
diff --git a/windows/configure/images/uc-10.png b/windows/configuration/images/uc-10.png
similarity index 100%
rename from windows/configure/images/uc-10.png
rename to windows/configuration/images/uc-10.png
diff --git a/windows/configure/images/uc-10a.png b/windows/configuration/images/uc-10a.png
similarity index 100%
rename from windows/configure/images/uc-10a.png
rename to windows/configuration/images/uc-10a.png
diff --git a/windows/configure/images/uc-11.png b/windows/configuration/images/uc-11.png
similarity index 100%
rename from windows/configure/images/uc-11.png
rename to windows/configuration/images/uc-11.png
diff --git a/windows/configure/images/uc-12.png b/windows/configuration/images/uc-12.png
similarity index 100%
rename from windows/configure/images/uc-12.png
rename to windows/configuration/images/uc-12.png
diff --git a/windows/configure/images/uc-13.png b/windows/configuration/images/uc-13.png
similarity index 100%
rename from windows/configure/images/uc-13.png
rename to windows/configuration/images/uc-13.png
diff --git a/windows/configure/images/uc-14.png b/windows/configuration/images/uc-14.png
similarity index 100%
rename from windows/configure/images/uc-14.png
rename to windows/configuration/images/uc-14.png
diff --git a/windows/configure/images/uc-15.png b/windows/configuration/images/uc-15.png
similarity index 100%
rename from windows/configure/images/uc-15.png
rename to windows/configuration/images/uc-15.png
diff --git a/windows/configure/images/uc-16.png b/windows/configuration/images/uc-16.png
similarity index 100%
rename from windows/configure/images/uc-16.png
rename to windows/configuration/images/uc-16.png
diff --git a/windows/configure/images/uc-17.png b/windows/configuration/images/uc-17.png
similarity index 100%
rename from windows/configure/images/uc-17.png
rename to windows/configuration/images/uc-17.png
diff --git a/windows/configure/images/uc-18.png b/windows/configuration/images/uc-18.png
similarity index 100%
rename from windows/configure/images/uc-18.png
rename to windows/configuration/images/uc-18.png
diff --git a/windows/configure/images/uc-19.png b/windows/configuration/images/uc-19.png
similarity index 100%
rename from windows/configure/images/uc-19.png
rename to windows/configuration/images/uc-19.png
diff --git a/windows/configure/images/uc-20.png b/windows/configuration/images/uc-20.png
similarity index 100%
rename from windows/configure/images/uc-20.png
rename to windows/configuration/images/uc-20.png
diff --git a/windows/configure/images/uc-21.png b/windows/configuration/images/uc-21.png
similarity index 100%
rename from windows/configure/images/uc-21.png
rename to windows/configuration/images/uc-21.png
diff --git a/windows/configure/images/uc-22.png b/windows/configuration/images/uc-22.png
similarity index 100%
rename from windows/configure/images/uc-22.png
rename to windows/configuration/images/uc-22.png
diff --git a/windows/configure/images/uc-23.png b/windows/configuration/images/uc-23.png
similarity index 100%
rename from windows/configure/images/uc-23.png
rename to windows/configuration/images/uc-23.png
diff --git a/windows/configure/images/uc-24.png b/windows/configuration/images/uc-24.png
similarity index 100%
rename from windows/configure/images/uc-24.png
rename to windows/configuration/images/uc-24.png
diff --git a/windows/configure/images/uc-25.png b/windows/configuration/images/uc-25.png
similarity index 100%
rename from windows/configure/images/uc-25.png
rename to windows/configuration/images/uc-25.png
diff --git a/windows/configure/images/upgrade-analytics-apps-known-issues.png b/windows/configuration/images/upgrade-analytics-apps-known-issues.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-apps-known-issues.png
rename to windows/configuration/images/upgrade-analytics-apps-known-issues.png
diff --git a/windows/configure/images/upgrade-analytics-apps-no-known-issues.png b/windows/configuration/images/upgrade-analytics-apps-no-known-issues.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-apps-no-known-issues.png
rename to windows/configuration/images/upgrade-analytics-apps-no-known-issues.png
diff --git a/windows/configure/images/upgrade-analytics-architecture.png b/windows/configuration/images/upgrade-analytics-architecture.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-architecture.png
rename to windows/configuration/images/upgrade-analytics-architecture.png
diff --git a/windows/configure/images/upgrade-analytics-create-iedataoptin.png b/windows/configuration/images/upgrade-analytics-create-iedataoptin.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-create-iedataoptin.png
rename to windows/configuration/images/upgrade-analytics-create-iedataoptin.png
diff --git a/windows/configure/images/upgrade-analytics-deploy-eligible.png b/windows/configuration/images/upgrade-analytics-deploy-eligible.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-deploy-eligible.png
rename to windows/configuration/images/upgrade-analytics-deploy-eligible.png
diff --git a/windows/configure/images/upgrade-analytics-drivers-known.png b/windows/configuration/images/upgrade-analytics-drivers-known.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-drivers-known.png
rename to windows/configuration/images/upgrade-analytics-drivers-known.png
diff --git a/windows/configure/images/upgrade-analytics-most-active-sites.png b/windows/configuration/images/upgrade-analytics-most-active-sites.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-most-active-sites.png
rename to windows/configuration/images/upgrade-analytics-most-active-sites.png
diff --git a/windows/configure/images/upgrade-analytics-namepub-rollup.PNG b/windows/configuration/images/upgrade-analytics-namepub-rollup.PNG
similarity index 100%
rename from windows/configure/images/upgrade-analytics-namepub-rollup.PNG
rename to windows/configuration/images/upgrade-analytics-namepub-rollup.PNG
diff --git a/windows/configure/images/upgrade-analytics-overview.png b/windows/configuration/images/upgrade-analytics-overview.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-overview.png
rename to windows/configuration/images/upgrade-analytics-overview.png
diff --git a/windows/configure/images/upgrade-analytics-pilot.png b/windows/configuration/images/upgrade-analytics-pilot.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-pilot.png
rename to windows/configuration/images/upgrade-analytics-pilot.png
diff --git a/windows/configure/images/upgrade-analytics-prioritize.png b/windows/configuration/images/upgrade-analytics-prioritize.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-prioritize.png
rename to windows/configuration/images/upgrade-analytics-prioritize.png
diff --git a/windows/configure/images/upgrade-analytics-query-activex-name.png b/windows/configuration/images/upgrade-analytics-query-activex-name.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-query-activex-name.png
rename to windows/configuration/images/upgrade-analytics-query-activex-name.png
diff --git a/windows/configure/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG b/windows/configuration/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG
similarity index 100%
rename from windows/configure/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG
rename to windows/configuration/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG
diff --git a/windows/configure/images/upgrade-analytics-ready-for-windows-status.PNG b/windows/configuration/images/upgrade-analytics-ready-for-windows-status.PNG
similarity index 100%
rename from windows/configure/images/upgrade-analytics-ready-for-windows-status.PNG
rename to windows/configuration/images/upgrade-analytics-ready-for-windows-status.PNG
diff --git a/windows/configure/images/upgrade-analytics-site-activity-by-doc-mode.png b/windows/configuration/images/upgrade-analytics-site-activity-by-doc-mode.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-site-activity-by-doc-mode.png
rename to windows/configuration/images/upgrade-analytics-site-activity-by-doc-mode.png
diff --git a/windows/configure/images/upgrade-analytics-site-domain-detail.png b/windows/configuration/images/upgrade-analytics-site-domain-detail.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-site-domain-detail.png
rename to windows/configuration/images/upgrade-analytics-site-domain-detail.png
diff --git a/windows/configure/images/upgrade-analytics-telemetry.png b/windows/configuration/images/upgrade-analytics-telemetry.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-telemetry.png
rename to windows/configuration/images/upgrade-analytics-telemetry.png
diff --git a/windows/configure/images/upgrade-analytics-unsubscribe.png b/windows/configuration/images/upgrade-analytics-unsubscribe.png
similarity index 100%
rename from windows/configure/images/upgrade-analytics-unsubscribe.png
rename to windows/configuration/images/upgrade-analytics-unsubscribe.png
diff --git a/windows/configure/images/upgrade-process.png b/windows/configuration/images/upgrade-process.png
similarity index 100%
rename from windows/configure/images/upgrade-process.png
rename to windows/configuration/images/upgrade-process.png
diff --git a/windows/configure/images/upgradecfg-fig2-upgrading.png b/windows/configuration/images/upgradecfg-fig2-upgrading.png
similarity index 100%
rename from windows/configure/images/upgradecfg-fig2-upgrading.png
rename to windows/configuration/images/upgradecfg-fig2-upgrading.png
diff --git a/windows/configure/images/upgradecfg-fig3-upgrade.png b/windows/configuration/images/upgradecfg-fig3-upgrade.png
similarity index 100%
rename from windows/configure/images/upgradecfg-fig3-upgrade.png
rename to windows/configuration/images/upgradecfg-fig3-upgrade.png
diff --git a/windows/configure/images/upgrademdt-fig1-machines.png b/windows/configuration/images/upgrademdt-fig1-machines.png
similarity index 100%
rename from windows/configure/images/upgrademdt-fig1-machines.png
rename to windows/configuration/images/upgrademdt-fig1-machines.png
diff --git a/windows/configure/images/upgrademdt-fig2-importedos.png b/windows/configuration/images/upgrademdt-fig2-importedos.png
similarity index 100%
rename from windows/configure/images/upgrademdt-fig2-importedos.png
rename to windows/configuration/images/upgrademdt-fig2-importedos.png
diff --git a/windows/configure/images/upgrademdt-fig3-tasksequence.png b/windows/configuration/images/upgrademdt-fig3-tasksequence.png
similarity index 100%
rename from windows/configure/images/upgrademdt-fig3-tasksequence.png
rename to windows/configuration/images/upgrademdt-fig3-tasksequence.png
diff --git a/windows/configure/images/upgrademdt-fig4-selecttask.png b/windows/configuration/images/upgrademdt-fig4-selecttask.png
similarity index 100%
rename from windows/configure/images/upgrademdt-fig4-selecttask.png
rename to windows/configuration/images/upgrademdt-fig4-selecttask.png
diff --git a/windows/configure/images/upgrademdt-fig5-winupgrade.png b/windows/configuration/images/upgrademdt-fig5-winupgrade.png
similarity index 100%
rename from windows/configure/images/upgrademdt-fig5-winupgrade.png
rename to windows/configuration/images/upgrademdt-fig5-winupgrade.png
diff --git a/windows/configure/images/uwp-dependencies.PNG b/windows/configuration/images/uwp-dependencies.PNG
similarity index 100%
rename from windows/configure/images/uwp-dependencies.PNG
rename to windows/configuration/images/uwp-dependencies.PNG
diff --git a/windows/configure/images/uwp-family.PNG b/windows/configuration/images/uwp-family.PNG
similarity index 100%
rename from windows/configure/images/uwp-family.PNG
rename to windows/configuration/images/uwp-family.PNG
diff --git a/windows/configure/images/uwp-license.PNG b/windows/configuration/images/uwp-license.PNG
similarity index 100%
rename from windows/configure/images/uwp-license.PNG
rename to windows/configuration/images/uwp-license.PNG
diff --git a/windows/configure/images/vamtuserinterfaceupdated.jpg b/windows/configuration/images/vamtuserinterfaceupdated.jpg
similarity index 100%
rename from windows/configure/images/vamtuserinterfaceupdated.jpg
rename to windows/configuration/images/vamtuserinterfaceupdated.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-01.jpg b/windows/configuration/images/volumeactivationforwindows81-01.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-01.jpg
rename to windows/configuration/images/volumeactivationforwindows81-01.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-02.jpg b/windows/configuration/images/volumeactivationforwindows81-02.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-02.jpg
rename to windows/configuration/images/volumeactivationforwindows81-02.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-03.jpg b/windows/configuration/images/volumeactivationforwindows81-03.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-03.jpg
rename to windows/configuration/images/volumeactivationforwindows81-03.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-04.jpg b/windows/configuration/images/volumeactivationforwindows81-04.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-04.jpg
rename to windows/configuration/images/volumeactivationforwindows81-04.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-05.jpg b/windows/configuration/images/volumeactivationforwindows81-05.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-05.jpg
rename to windows/configuration/images/volumeactivationforwindows81-05.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-06.jpg b/windows/configuration/images/volumeactivationforwindows81-06.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-06.jpg
rename to windows/configuration/images/volumeactivationforwindows81-06.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-07.jpg b/windows/configuration/images/volumeactivationforwindows81-07.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-07.jpg
rename to windows/configuration/images/volumeactivationforwindows81-07.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-08.jpg b/windows/configuration/images/volumeactivationforwindows81-08.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-08.jpg
rename to windows/configuration/images/volumeactivationforwindows81-08.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-09.jpg b/windows/configuration/images/volumeactivationforwindows81-09.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-09.jpg
rename to windows/configuration/images/volumeactivationforwindows81-09.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-10.jpg b/windows/configuration/images/volumeactivationforwindows81-10.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-10.jpg
rename to windows/configuration/images/volumeactivationforwindows81-10.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-11.jpg b/windows/configuration/images/volumeactivationforwindows81-11.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-11.jpg
rename to windows/configuration/images/volumeactivationforwindows81-11.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-12.jpg b/windows/configuration/images/volumeactivationforwindows81-12.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-12.jpg
rename to windows/configuration/images/volumeactivationforwindows81-12.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-13.jpg b/windows/configuration/images/volumeactivationforwindows81-13.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-13.jpg
rename to windows/configuration/images/volumeactivationforwindows81-13.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-14.jpg b/windows/configuration/images/volumeactivationforwindows81-14.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-14.jpg
rename to windows/configuration/images/volumeactivationforwindows81-14.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-15.jpg b/windows/configuration/images/volumeactivationforwindows81-15.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-15.jpg
rename to windows/configuration/images/volumeactivationforwindows81-15.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-16.jpg b/windows/configuration/images/volumeactivationforwindows81-16.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-16.jpg
rename to windows/configuration/images/volumeactivationforwindows81-16.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-17.jpg b/windows/configuration/images/volumeactivationforwindows81-17.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-17.jpg
rename to windows/configuration/images/volumeactivationforwindows81-17.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-18.jpg b/windows/configuration/images/volumeactivationforwindows81-18.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-18.jpg
rename to windows/configuration/images/volumeactivationforwindows81-18.jpg
diff --git a/windows/configure/images/volumeactivationforwindows81-19.jpg b/windows/configuration/images/volumeactivationforwindows81-19.jpg
similarity index 100%
rename from windows/configure/images/volumeactivationforwindows81-19.jpg
rename to windows/configuration/images/volumeactivationforwindows81-19.jpg
diff --git a/windows/configure/images/w10servicing-f1-branches.png b/windows/configuration/images/w10servicing-f1-branches.png
similarity index 100%
rename from windows/configure/images/w10servicing-f1-branches.png
rename to windows/configuration/images/w10servicing-f1-branches.png
diff --git a/windows/configure/images/waas-active-hours-policy.PNG b/windows/configuration/images/waas-active-hours-policy.PNG
similarity index 100%
rename from windows/configure/images/waas-active-hours-policy.PNG
rename to windows/configuration/images/waas-active-hours-policy.PNG
diff --git a/windows/configure/images/waas-active-hours.PNG b/windows/configuration/images/waas-active-hours.PNG
similarity index 100%
rename from windows/configure/images/waas-active-hours.PNG
rename to windows/configuration/images/waas-active-hours.PNG
diff --git a/windows/configure/images/waas-auto-update-policy.PNG b/windows/configuration/images/waas-auto-update-policy.PNG
similarity index 100%
rename from windows/configure/images/waas-auto-update-policy.PNG
rename to windows/configuration/images/waas-auto-update-policy.PNG
diff --git a/windows/configure/images/waas-do-fig1.png b/windows/configuration/images/waas-do-fig1.png
similarity index 100%
rename from windows/configure/images/waas-do-fig1.png
rename to windows/configuration/images/waas-do-fig1.png
diff --git a/windows/configure/images/waas-do-fig2.png b/windows/configuration/images/waas-do-fig2.png
similarity index 100%
rename from windows/configure/images/waas-do-fig2.png
rename to windows/configuration/images/waas-do-fig2.png
diff --git a/windows/configure/images/waas-do-fig3.png b/windows/configuration/images/waas-do-fig3.png
similarity index 100%
rename from windows/configure/images/waas-do-fig3.png
rename to windows/configuration/images/waas-do-fig3.png
diff --git a/windows/configure/images/waas-do-fig4.png b/windows/configuration/images/waas-do-fig4.png
similarity index 100%
rename from windows/configure/images/waas-do-fig4.png
rename to windows/configuration/images/waas-do-fig4.png
diff --git a/windows/configure/images/waas-overview-patch.png b/windows/configuration/images/waas-overview-patch.png
similarity index 100%
rename from windows/configure/images/waas-overview-patch.png
rename to windows/configuration/images/waas-overview-patch.png
diff --git a/windows/configure/images/waas-restart-policy.PNG b/windows/configuration/images/waas-restart-policy.PNG
similarity index 100%
rename from windows/configure/images/waas-restart-policy.PNG
rename to windows/configuration/images/waas-restart-policy.PNG
diff --git a/windows/configure/images/waas-rings.png b/windows/configuration/images/waas-rings.png
similarity index 100%
rename from windows/configure/images/waas-rings.png
rename to windows/configuration/images/waas-rings.png
diff --git a/windows/configure/images/waas-sccm-fig1.png b/windows/configuration/images/waas-sccm-fig1.png
similarity index 100%
rename from windows/configure/images/waas-sccm-fig1.png
rename to windows/configuration/images/waas-sccm-fig1.png
diff --git a/windows/configure/images/waas-sccm-fig10.png b/windows/configuration/images/waas-sccm-fig10.png
similarity index 100%
rename from windows/configure/images/waas-sccm-fig10.png
rename to windows/configuration/images/waas-sccm-fig10.png
diff --git a/windows/configure/images/waas-sccm-fig11.png b/windows/configuration/images/waas-sccm-fig11.png
similarity index 100%
rename from windows/configure/images/waas-sccm-fig11.png
rename to windows/configuration/images/waas-sccm-fig11.png
diff --git a/windows/configure/images/waas-sccm-fig12.png b/windows/configuration/images/waas-sccm-fig12.png
similarity index 100%
rename from windows/configure/images/waas-sccm-fig12.png
rename to windows/configuration/images/waas-sccm-fig12.png
diff --git a/windows/configure/images/waas-sccm-fig2.png b/windows/configuration/images/waas-sccm-fig2.png
similarity index 100%
rename from windows/configure/images/waas-sccm-fig2.png
rename to windows/configuration/images/waas-sccm-fig2.png
diff --git a/windows/configure/images/waas-sccm-fig3.png b/windows/configuration/images/waas-sccm-fig3.png
similarity index 100%
rename from windows/configure/images/waas-sccm-fig3.png
rename to windows/configuration/images/waas-sccm-fig3.png
diff --git a/windows/configure/images/waas-sccm-fig4.png b/windows/configuration/images/waas-sccm-fig4.png
similarity index 100%
rename from windows/configure/images/waas-sccm-fig4.png
rename to windows/configuration/images/waas-sccm-fig4.png
diff --git a/windows/configure/images/waas-sccm-fig5.png b/windows/configuration/images/waas-sccm-fig5.png
similarity index 100%
rename from windows/configure/images/waas-sccm-fig5.png
rename to windows/configuration/images/waas-sccm-fig5.png
diff --git a/windows/configure/images/waas-sccm-fig6.png b/windows/configuration/images/waas-sccm-fig6.png
similarity index 100%
rename from windows/configure/images/waas-sccm-fig6.png
rename to windows/configuration/images/waas-sccm-fig6.png
diff --git a/windows/configure/images/waas-sccm-fig7.png b/windows/configuration/images/waas-sccm-fig7.png
similarity index 100%
rename from windows/configure/images/waas-sccm-fig7.png
rename to windows/configuration/images/waas-sccm-fig7.png
diff --git a/windows/configure/images/waas-sccm-fig8.png b/windows/configuration/images/waas-sccm-fig8.png
similarity index 100%
rename from windows/configure/images/waas-sccm-fig8.png
rename to windows/configuration/images/waas-sccm-fig8.png
diff --git a/windows/configure/images/waas-sccm-fig9.png b/windows/configuration/images/waas-sccm-fig9.png
similarity index 100%
rename from windows/configure/images/waas-sccm-fig9.png
rename to windows/configuration/images/waas-sccm-fig9.png
diff --git a/windows/configure/images/waas-strategy-fig1a.png b/windows/configuration/images/waas-strategy-fig1a.png
similarity index 100%
rename from windows/configure/images/waas-strategy-fig1a.png
rename to windows/configuration/images/waas-strategy-fig1a.png
diff --git a/windows/configure/images/waas-wsus-fig1.png b/windows/configuration/images/waas-wsus-fig1.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig1.png
rename to windows/configuration/images/waas-wsus-fig1.png
diff --git a/windows/configure/images/waas-wsus-fig10.png b/windows/configuration/images/waas-wsus-fig10.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig10.png
rename to windows/configuration/images/waas-wsus-fig10.png
diff --git a/windows/configure/images/waas-wsus-fig11.png b/windows/configuration/images/waas-wsus-fig11.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig11.png
rename to windows/configuration/images/waas-wsus-fig11.png
diff --git a/windows/configure/images/waas-wsus-fig12.png b/windows/configuration/images/waas-wsus-fig12.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig12.png
rename to windows/configuration/images/waas-wsus-fig12.png
diff --git a/windows/configure/images/waas-wsus-fig13.png b/windows/configuration/images/waas-wsus-fig13.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig13.png
rename to windows/configuration/images/waas-wsus-fig13.png
diff --git a/windows/configure/images/waas-wsus-fig14.png b/windows/configuration/images/waas-wsus-fig14.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig14.png
rename to windows/configuration/images/waas-wsus-fig14.png
diff --git a/windows/configure/images/waas-wsus-fig15.png b/windows/configuration/images/waas-wsus-fig15.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig15.png
rename to windows/configuration/images/waas-wsus-fig15.png
diff --git a/windows/configure/images/waas-wsus-fig16.png b/windows/configuration/images/waas-wsus-fig16.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig16.png
rename to windows/configuration/images/waas-wsus-fig16.png
diff --git a/windows/configure/images/waas-wsus-fig17.png b/windows/configuration/images/waas-wsus-fig17.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig17.png
rename to windows/configuration/images/waas-wsus-fig17.png
diff --git a/windows/configure/images/waas-wsus-fig18.png b/windows/configuration/images/waas-wsus-fig18.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig18.png
rename to windows/configuration/images/waas-wsus-fig18.png
diff --git a/windows/configure/images/waas-wsus-fig19.png b/windows/configuration/images/waas-wsus-fig19.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig19.png
rename to windows/configuration/images/waas-wsus-fig19.png
diff --git a/windows/configure/images/waas-wsus-fig2.png b/windows/configuration/images/waas-wsus-fig2.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig2.png
rename to windows/configuration/images/waas-wsus-fig2.png
diff --git a/windows/configure/images/waas-wsus-fig20.png b/windows/configuration/images/waas-wsus-fig20.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig20.png
rename to windows/configuration/images/waas-wsus-fig20.png
diff --git a/windows/configure/images/waas-wsus-fig3.png b/windows/configuration/images/waas-wsus-fig3.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig3.png
rename to windows/configuration/images/waas-wsus-fig3.png
diff --git a/windows/configure/images/waas-wsus-fig4.png b/windows/configuration/images/waas-wsus-fig4.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig4.png
rename to windows/configuration/images/waas-wsus-fig4.png
diff --git a/windows/configure/images/waas-wsus-fig5.png b/windows/configuration/images/waas-wsus-fig5.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig5.png
rename to windows/configuration/images/waas-wsus-fig5.png
diff --git a/windows/configure/images/waas-wsus-fig6.png b/windows/configuration/images/waas-wsus-fig6.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig6.png
rename to windows/configuration/images/waas-wsus-fig6.png
diff --git a/windows/configure/images/waas-wsus-fig7.png b/windows/configuration/images/waas-wsus-fig7.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig7.png
rename to windows/configuration/images/waas-wsus-fig7.png
diff --git a/windows/configure/images/waas-wsus-fig8.png b/windows/configuration/images/waas-wsus-fig8.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig8.png
rename to windows/configuration/images/waas-wsus-fig8.png
diff --git a/windows/configure/images/waas-wsus-fig9.png b/windows/configuration/images/waas-wsus-fig9.png
similarity index 100%
rename from windows/configure/images/waas-wsus-fig9.png
rename to windows/configuration/images/waas-wsus-fig9.png
diff --git a/windows/configure/images/waas-wufb-gp-broad.png b/windows/configuration/images/waas-wufb-gp-broad.png
similarity index 100%
rename from windows/configure/images/waas-wufb-gp-broad.png
rename to windows/configuration/images/waas-wufb-gp-broad.png
diff --git a/windows/configure/images/waas-wufb-gp-cb2-settings.png b/windows/configuration/images/waas-wufb-gp-cb2-settings.png
similarity index 100%
rename from windows/configure/images/waas-wufb-gp-cb2-settings.png
rename to windows/configuration/images/waas-wufb-gp-cb2-settings.png
diff --git a/windows/configure/images/waas-wufb-gp-cb2.png b/windows/configuration/images/waas-wufb-gp-cb2.png
similarity index 100%
rename from windows/configure/images/waas-wufb-gp-cb2.png
rename to windows/configuration/images/waas-wufb-gp-cb2.png
diff --git a/windows/configure/images/waas-wufb-gp-cbb1-settings.png b/windows/configuration/images/waas-wufb-gp-cbb1-settings.png
similarity index 100%
rename from windows/configure/images/waas-wufb-gp-cbb1-settings.png
rename to windows/configuration/images/waas-wufb-gp-cbb1-settings.png
diff --git a/windows/configure/images/waas-wufb-gp-cbb2-settings.png b/windows/configuration/images/waas-wufb-gp-cbb2-settings.png
similarity index 100%
rename from windows/configure/images/waas-wufb-gp-cbb2-settings.png
rename to windows/configuration/images/waas-wufb-gp-cbb2-settings.png
diff --git a/windows/configure/images/waas-wufb-gp-cbb2q-settings.png b/windows/configuration/images/waas-wufb-gp-cbb2q-settings.png
similarity index 100%
rename from windows/configure/images/waas-wufb-gp-cbb2q-settings.png
rename to windows/configuration/images/waas-wufb-gp-cbb2q-settings.png
diff --git a/windows/configure/images/waas-wufb-gp-create.png b/windows/configuration/images/waas-wufb-gp-create.png
similarity index 100%
rename from windows/configure/images/waas-wufb-gp-create.png
rename to windows/configuration/images/waas-wufb-gp-create.png
diff --git a/windows/configure/images/waas-wufb-gp-edit-defer.png b/windows/configuration/images/waas-wufb-gp-edit-defer.png
similarity index 100%
rename from windows/configure/images/waas-wufb-gp-edit-defer.png
rename to windows/configuration/images/waas-wufb-gp-edit-defer.png
diff --git a/windows/configure/images/waas-wufb-gp-edit.png b/windows/configuration/images/waas-wufb-gp-edit.png
similarity index 100%
rename from windows/configure/images/waas-wufb-gp-edit.png
rename to windows/configuration/images/waas-wufb-gp-edit.png
diff --git a/windows/configure/images/waas-wufb-gp-scope-cb2.png b/windows/configuration/images/waas-wufb-gp-scope-cb2.png
similarity index 100%
rename from windows/configure/images/waas-wufb-gp-scope-cb2.png
rename to windows/configuration/images/waas-wufb-gp-scope-cb2.png
diff --git a/windows/configure/images/waas-wufb-gp-scope.png b/windows/configuration/images/waas-wufb-gp-scope.png
similarity index 100%
rename from windows/configure/images/waas-wufb-gp-scope.png
rename to windows/configuration/images/waas-wufb-gp-scope.png
diff --git a/windows/configure/images/waas-wufb-intune-cb2a.png b/windows/configuration/images/waas-wufb-intune-cb2a.png
similarity index 100%
rename from windows/configure/images/waas-wufb-intune-cb2a.png
rename to windows/configuration/images/waas-wufb-intune-cb2a.png
diff --git a/windows/configure/images/waas-wufb-intune-cbb1a.png b/windows/configuration/images/waas-wufb-intune-cbb1a.png
similarity index 100%
rename from windows/configure/images/waas-wufb-intune-cbb1a.png
rename to windows/configuration/images/waas-wufb-intune-cbb1a.png
diff --git a/windows/configure/images/waas-wufb-intune-cbb2a.png b/windows/configuration/images/waas-wufb-intune-cbb2a.png
similarity index 100%
rename from windows/configure/images/waas-wufb-intune-cbb2a.png
rename to windows/configuration/images/waas-wufb-intune-cbb2a.png
diff --git a/windows/configure/images/waas-wufb-intune-step11a.png b/windows/configuration/images/waas-wufb-intune-step11a.png
similarity index 100%
rename from windows/configure/images/waas-wufb-intune-step11a.png
rename to windows/configuration/images/waas-wufb-intune-step11a.png
diff --git a/windows/configure/images/waas-wufb-intune-step19a.png b/windows/configuration/images/waas-wufb-intune-step19a.png
similarity index 100%
rename from windows/configure/images/waas-wufb-intune-step19a.png
rename to windows/configuration/images/waas-wufb-intune-step19a.png
diff --git a/windows/configure/images/waas-wufb-intune-step2a.png b/windows/configuration/images/waas-wufb-intune-step2a.png
similarity index 100%
rename from windows/configure/images/waas-wufb-intune-step2a.png
rename to windows/configuration/images/waas-wufb-intune-step2a.png
diff --git a/windows/configure/images/waas-wufb-intune-step7a.png b/windows/configuration/images/waas-wufb-intune-step7a.png
similarity index 100%
rename from windows/configure/images/waas-wufb-intune-step7a.png
rename to windows/configuration/images/waas-wufb-intune-step7a.png
diff --git a/windows/configure/images/wcd-app-commands.PNG b/windows/configuration/images/wcd-app-commands.PNG
similarity index 100%
rename from windows/configure/images/wcd-app-commands.PNG
rename to windows/configuration/images/wcd-app-commands.PNG
diff --git a/windows/configure/images/wcd-app-name.PNG b/windows/configuration/images/wcd-app-name.PNG
similarity index 100%
rename from windows/configure/images/wcd-app-name.PNG
rename to windows/configuration/images/wcd-app-name.PNG
diff --git a/windows/configure/images/who-owns-pc.png b/windows/configuration/images/who-owns-pc.png
similarity index 100%
rename from windows/configure/images/who-owns-pc.png
rename to windows/configuration/images/who-owns-pc.png
diff --git a/windows/configure/images/wifisense-grouppolicy.png b/windows/configuration/images/wifisense-grouppolicy.png
similarity index 100%
rename from windows/configure/images/wifisense-grouppolicy.png
rename to windows/configuration/images/wifisense-grouppolicy.png
diff --git a/windows/configure/images/wifisense-registry.png b/windows/configuration/images/wifisense-registry.png
similarity index 100%
rename from windows/configure/images/wifisense-registry.png
rename to windows/configuration/images/wifisense-registry.png
diff --git a/windows/configure/images/wifisense-settingscreens.png b/windows/configuration/images/wifisense-settingscreens.png
similarity index 100%
rename from windows/configure/images/wifisense-settingscreens.png
rename to windows/configuration/images/wifisense-settingscreens.png
diff --git a/windows/configure/images/win-10-adk-select.png b/windows/configuration/images/win-10-adk-select.png
similarity index 100%
rename from windows/configure/images/win-10-adk-select.png
rename to windows/configuration/images/win-10-adk-select.png
diff --git a/windows/configure/images/win10-mobile-mdm-fig1.png b/windows/configuration/images/win10-mobile-mdm-fig1.png
similarity index 100%
rename from windows/configure/images/win10-mobile-mdm-fig1.png
rename to windows/configuration/images/win10-mobile-mdm-fig1.png
diff --git a/windows/configure/images/win10-set-up-work-or-school.png b/windows/configuration/images/win10-set-up-work-or-school.png
similarity index 100%
rename from windows/configure/images/win10-set-up-work-or-school.png
rename to windows/configuration/images/win10-set-up-work-or-school.png
diff --git a/windows/configure/images/win10servicing-fig2-featureupgrade.png b/windows/configuration/images/win10servicing-fig2-featureupgrade.png
similarity index 100%
rename from windows/configure/images/win10servicing-fig2-featureupgrade.png
rename to windows/configuration/images/win10servicing-fig2-featureupgrade.png
diff --git a/windows/configure/images/win10servicing-fig3.png b/windows/configuration/images/win10servicing-fig3.png
similarity index 100%
rename from windows/configure/images/win10servicing-fig3.png
rename to windows/configuration/images/win10servicing-fig3.png
diff --git a/windows/configure/images/win10servicing-fig4-upgradereleases.png b/windows/configuration/images/win10servicing-fig4-upgradereleases.png
similarity index 100%
rename from windows/configure/images/win10servicing-fig4-upgradereleases.png
rename to windows/configuration/images/win10servicing-fig4-upgradereleases.png
diff --git a/windows/configure/images/win10servicing-fig5.png b/windows/configuration/images/win10servicing-fig5.png
similarity index 100%
rename from windows/configure/images/win10servicing-fig5.png
rename to windows/configuration/images/win10servicing-fig5.png
diff --git a/windows/configure/images/win10servicing-fig6.png b/windows/configuration/images/win10servicing-fig6.png
similarity index 100%
rename from windows/configure/images/win10servicing-fig6.png
rename to windows/configuration/images/win10servicing-fig6.png
diff --git a/windows/configure/images/win10servicing-fig7.png b/windows/configuration/images/win10servicing-fig7.png
similarity index 100%
rename from windows/configure/images/win10servicing-fig7.png
rename to windows/configuration/images/win10servicing-fig7.png
diff --git a/windows/manage/images/windows-10-management-cyod-byod-flow.png b/windows/configuration/images/windows-10-management-cyod-byod-flow.png
similarity index 100%
rename from windows/manage/images/windows-10-management-cyod-byod-flow.png
rename to windows/configuration/images/windows-10-management-cyod-byod-flow.png
diff --git a/windows/manage/images/windows-10-management-gp-intune-flow.png b/windows/configuration/images/windows-10-management-gp-intune-flow.png
similarity index 100%
rename from windows/manage/images/windows-10-management-gp-intune-flow.png
rename to windows/configuration/images/windows-10-management-gp-intune-flow.png
diff --git a/windows/manage/images/windows-10-management-range-of-options.png b/windows/configuration/images/windows-10-management-range-of-options.png
similarity index 100%
rename from windows/manage/images/windows-10-management-range-of-options.png
rename to windows/configuration/images/windows-10-management-range-of-options.png
diff --git a/windows/configure/images/windows-icd.png b/windows/configuration/images/windows-icd.png
similarity index 100%
rename from windows/configure/images/windows-icd.png
rename to windows/configuration/images/windows-icd.png
diff --git a/windows/manage/images/wsfb-distribute.png b/windows/configuration/images/wsfb-distribute.png
similarity index 100%
rename from windows/manage/images/wsfb-distribute.png
rename to windows/configuration/images/wsfb-distribute.png
diff --git a/windows/manage/images/wsfb-firstrun.png b/windows/configuration/images/wsfb-firstrun.png
similarity index 100%
rename from windows/manage/images/wsfb-firstrun.png
rename to windows/configuration/images/wsfb-firstrun.png
diff --git a/windows/manage/images/wsfb-inventory-viewlicense.png b/windows/configuration/images/wsfb-inventory-viewlicense.png
similarity index 100%
rename from windows/manage/images/wsfb-inventory-viewlicense.png
rename to windows/configuration/images/wsfb-inventory-viewlicense.png
diff --git a/windows/manage/images/wsfb-inventory.png b/windows/configuration/images/wsfb-inventory.png
similarity index 100%
rename from windows/manage/images/wsfb-inventory.png
rename to windows/configuration/images/wsfb-inventory.png
diff --git a/windows/manage/images/wsfb-inventoryaddprivatestore.png b/windows/configuration/images/wsfb-inventoryaddprivatestore.png
similarity index 100%
rename from windows/manage/images/wsfb-inventoryaddprivatestore.png
rename to windows/configuration/images/wsfb-inventoryaddprivatestore.png
diff --git a/windows/manage/images/wsfb-landing.png b/windows/configuration/images/wsfb-landing.png
similarity index 100%
rename from windows/manage/images/wsfb-landing.png
rename to windows/configuration/images/wsfb-landing.png
diff --git a/windows/manage/images/wsfb-licenseassign.png b/windows/configuration/images/wsfb-licenseassign.png
similarity index 100%
rename from windows/manage/images/wsfb-licenseassign.png
rename to windows/configuration/images/wsfb-licenseassign.png
diff --git a/windows/manage/images/wsfb-licensedetails.png b/windows/configuration/images/wsfb-licensedetails.png
similarity index 100%
rename from windows/manage/images/wsfb-licensedetails.png
rename to windows/configuration/images/wsfb-licensedetails.png
diff --git a/windows/manage/images/wsfb-licensereclaim.png b/windows/configuration/images/wsfb-licensereclaim.png
similarity index 100%
rename from windows/manage/images/wsfb-licensereclaim.png
rename to windows/configuration/images/wsfb-licensereclaim.png
diff --git a/windows/manage/images/wsfb-manageinventory.png b/windows/configuration/images/wsfb-manageinventory.png
similarity index 100%
rename from windows/manage/images/wsfb-manageinventory.png
rename to windows/configuration/images/wsfb-manageinventory.png
diff --git a/windows/manage/images/wsfb-offline-distribute-mdm.png b/windows/configuration/images/wsfb-offline-distribute-mdm.png
similarity index 100%
rename from windows/manage/images/wsfb-offline-distribute-mdm.png
rename to windows/configuration/images/wsfb-offline-distribute-mdm.png
diff --git a/windows/manage/images/wsfb-onboard-1.png b/windows/configuration/images/wsfb-onboard-1.png
similarity index 100%
rename from windows/manage/images/wsfb-onboard-1.png
rename to windows/configuration/images/wsfb-onboard-1.png
diff --git a/windows/manage/images/wsfb-onboard-2.png b/windows/configuration/images/wsfb-onboard-2.png
similarity index 100%
rename from windows/manage/images/wsfb-onboard-2.png
rename to windows/configuration/images/wsfb-onboard-2.png
diff --git a/windows/manage/images/wsfb-onboard-3.png b/windows/configuration/images/wsfb-onboard-3.png
similarity index 100%
rename from windows/manage/images/wsfb-onboard-3.png
rename to windows/configuration/images/wsfb-onboard-3.png
diff --git a/windows/manage/images/wsfb-onboard-4.png b/windows/configuration/images/wsfb-onboard-4.png
similarity index 100%
rename from windows/manage/images/wsfb-onboard-4.png
rename to windows/configuration/images/wsfb-onboard-4.png
diff --git a/windows/manage/images/wsfb-onboard-5.png b/windows/configuration/images/wsfb-onboard-5.png
similarity index 100%
rename from windows/manage/images/wsfb-onboard-5.png
rename to windows/configuration/images/wsfb-onboard-5.png
diff --git a/windows/manage/images/wsfb-onboard-7.png b/windows/configuration/images/wsfb-onboard-7.png
similarity index 100%
rename from windows/manage/images/wsfb-onboard-7.png
rename to windows/configuration/images/wsfb-onboard-7.png
diff --git a/windows/manage/images/wsfb-online-distribute-mdm.png b/windows/configuration/images/wsfb-online-distribute-mdm.png
similarity index 100%
rename from windows/manage/images/wsfb-online-distribute-mdm.png
rename to windows/configuration/images/wsfb-online-distribute-mdm.png
diff --git a/windows/manage/images/wsfb-paid-app-temp.png b/windows/configuration/images/wsfb-paid-app-temp.png
similarity index 100%
rename from windows/manage/images/wsfb-paid-app-temp.png
rename to windows/configuration/images/wsfb-paid-app-temp.png
diff --git a/windows/manage/images/wsfb-permissions-assignrole.png b/windows/configuration/images/wsfb-permissions-assignrole.png
similarity index 100%
rename from windows/manage/images/wsfb-permissions-assignrole.png
rename to windows/configuration/images/wsfb-permissions-assignrole.png
diff --git a/windows/manage/images/wsfb-private-store-gpo.PNG b/windows/configuration/images/wsfb-private-store-gpo.PNG
similarity index 100%
rename from windows/manage/images/wsfb-private-store-gpo.PNG
rename to windows/configuration/images/wsfb-private-store-gpo.PNG
diff --git a/windows/manage/images/wsfb-privatestore.png b/windows/configuration/images/wsfb-privatestore.png
similarity index 100%
rename from windows/manage/images/wsfb-privatestore.png
rename to windows/configuration/images/wsfb-privatestore.png
diff --git a/windows/manage/images/wsfb-privatestoreapps.png b/windows/configuration/images/wsfb-privatestoreapps.png
similarity index 100%
rename from windows/manage/images/wsfb-privatestoreapps.png
rename to windows/configuration/images/wsfb-privatestoreapps.png
diff --git a/windows/manage/images/wsfb-renameprivatestore.png b/windows/configuration/images/wsfb-renameprivatestore.png
similarity index 100%
rename from windows/manage/images/wsfb-renameprivatestore.png
rename to windows/configuration/images/wsfb-renameprivatestore.png
diff --git a/windows/manage/images/wsfb-settings-mgmt.png b/windows/configuration/images/wsfb-settings-mgmt.png
similarity index 100%
rename from windows/manage/images/wsfb-settings-mgmt.png
rename to windows/configuration/images/wsfb-settings-mgmt.png
diff --git a/windows/manage/images/wsfb-settings-permissions.png b/windows/configuration/images/wsfb-settings-permissions.png
similarity index 100%
rename from windows/manage/images/wsfb-settings-permissions.png
rename to windows/configuration/images/wsfb-settings-permissions.png
diff --git a/windows/manage/images/wsfb-wsappaddacct.png b/windows/configuration/images/wsfb-wsappaddacct.png
similarity index 100%
rename from windows/manage/images/wsfb-wsappaddacct.png
rename to windows/configuration/images/wsfb-wsappaddacct.png
diff --git a/windows/manage/images/wsfb-wsappprivatestore.png b/windows/configuration/images/wsfb-wsappprivatestore.png
similarity index 100%
rename from windows/manage/images/wsfb-wsappprivatestore.png
rename to windows/configuration/images/wsfb-wsappprivatestore.png
diff --git a/windows/manage/images/wsfb-wsappsignin.png b/windows/configuration/images/wsfb-wsappsignin.png
similarity index 100%
rename from windows/manage/images/wsfb-wsappsignin.png
rename to windows/configuration/images/wsfb-wsappsignin.png
diff --git a/windows/manage/images/wsfb-wsappworkacct.png b/windows/configuration/images/wsfb-wsappworkacct.png
similarity index 100%
rename from windows/manage/images/wsfb-wsappworkacct.png
rename to windows/configuration/images/wsfb-wsappworkacct.png
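Review bot: The windows-10-management-* and wsfb-* images in this run are renamed from windows/manage/images, not from windows/configure/images like the rest of the images, so two source trees are being merged into windows/configuration/images. Any page that references these files by a relative path has to move in the same commit or its image links will break; please confirm that each referencing .md file is part of this change, and that no file of the same name already existed on the windows/configure side.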
diff --git a/windows/configure/images/wufb-config1a.png b/windows/configuration/images/wufb-config1a.png
similarity index 100%
rename from windows/configure/images/wufb-config1a.png
rename to windows/configuration/images/wufb-config1a.png
diff --git a/windows/configure/images/wufb-config2.png b/windows/configuration/images/wufb-config2.png
similarity index 100%
rename from windows/configure/images/wufb-config2.png
rename to windows/configuration/images/wufb-config2.png
diff --git a/windows/configure/images/wufb-config3a.png b/windows/configuration/images/wufb-config3a.png
similarity index 100%
rename from windows/configure/images/wufb-config3a.png
rename to windows/configuration/images/wufb-config3a.png
diff --git a/windows/configure/images/wufb-do.png b/windows/configuration/images/wufb-do.png
similarity index 100%
rename from windows/configure/images/wufb-do.png
rename to windows/configuration/images/wufb-do.png
diff --git a/windows/configure/images/wufb-groups.png b/windows/configuration/images/wufb-groups.png
similarity index 100%
rename from windows/configure/images/wufb-groups.png
rename to windows/configuration/images/wufb-groups.png
diff --git a/windows/configure/images/wufb-pause-feature.png b/windows/configuration/images/wufb-pause-feature.png
similarity index 100%
rename from windows/configure/images/wufb-pause-feature.png
rename to windows/configuration/images/wufb-pause-feature.png
diff --git a/windows/configure/images/wufb-qual.png b/windows/configuration/images/wufb-qual.png
similarity index 100%
rename from windows/configure/images/wufb-qual.png
rename to windows/configuration/images/wufb-qual.png
diff --git a/windows/configure/images/wufb-sccm.png b/windows/configuration/images/wufb-sccm.png
similarity index 100%
rename from windows/configure/images/wufb-sccm.png
rename to windows/configuration/images/wufb-sccm.png
diff --git a/windows/configure/images/x_blk.png b/windows/configuration/images/x_blk.png
similarity index 100%
rename from windows/configure/images/x_blk.png
rename to windows/configuration/images/x_blk.png
diff --git a/windows/configure/index.md b/windows/configuration/index.md
similarity index 74%
rename from windows/configure/index.md
rename to windows/configuration/index.md
index 649861698b..d89e7a237b 100644
--- a/windows/configure/index.md
+++ b/windows/configuration/index.md
@@ -19,15 +19,17 @@ Enterprises often need to apply custom configurations to devices for their users
| Topic | Description |
| --- | --- |
| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows telemetry in your organization. |
+| [Basic level Windows diagnostic data](basic-level-windows-diagnostic-events-and-fields.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. |
+| [Windows 10, version 1703 diagnostic data](windows-diagnostic-data.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703. |
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. |
-| [Configure Windows 10 Mobile devices](configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. |
+| [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. |
| [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. |
| [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. |
-| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. |
+| [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. |
| [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. |
-| [Provisioning packages for Windows 10](provisioning-packages.md) | Learn how to use the Windows Configuration Designer and provisioning packages to easily configure multiple devices. |
+| [Provisioning packages for Windows 10](provisioning-packages/provisioning-packages.md) | Learn how to use the Windows Configuration Designer and provisioning packages to easily configure multiple devices. |
| [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. |
| [Change history for Configure Windows 10](change-history-for-configure-windows-10.md) | This topic lists new and updated topics in the Configure Windows 10 documentation for Windows 10 and Windows 10 Mobile. |
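Review bot: The second added row reads "the types of data that is collected"; the verb should agree with "types" ("that are collected"). The row's link text, "Windows 10, version 1703 diagnostic data", also does not say that it covers the full level, while the row above it is explicitly labelled "Basic level", so consider naming the level in the link text or leading the description with it.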
diff --git a/windows/configure/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md
similarity index 84%
rename from windows/configure/kiosk-shared-pc.md
rename to windows/configuration/kiosk-shared-pc.md
index 2afc67e022..d5d72c26b4 100644
--- a/windows/configure/kiosk-shared-pc.md
+++ b/windows/configuration/kiosk-shared-pc.md
@@ -17,7 +17,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a common
| Topic | Description |
| --- | --- |
-| [Set up a shared or guest PC with Windows 10](set-up-a-device-for-anyone-to-use.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
+| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. |
| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. |
| [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
\ No newline at end of file
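Review bot: The file still ends without a trailing newline, and the untouched "Guidelines for choosing an app" row still contains the typo "approprate"; both are cheap to fix while this table is being edited. Please also confirm that set-up-shared-or-guest-pc.md exists at the new location, since other hunks in this patch keep pointing at set-up-a-device-for-anyone-to-use.md.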
diff --git a/windows/configure/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
similarity index 96%
rename from windows/configure/lock-down-windows-10-to-specific-apps.md
rename to windows/configuration/lock-down-windows-10-to-specific-apps.md
index 8ae79ef7f2..4430902cec 100644
--- a/windows/configure/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -22,9 +22,9 @@ localizationpriority: high
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
-You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](../keep-secure/applocker-overview.md). AppLocker rules specify which apps are allowed to run on the device.
+You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device.
-AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](../keep-secure/how-applocker-works-techref.md).
+AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref).
This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
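Review bot: The kiosk link in the first paragraph of this hunk still targets set-up-a-device-for-anyone-to-use.md, while kiosk-shared-pc.md in this same patch now links the shared PC topic as set-up-shared-or-guest-pc.md; please verify the old file name still resolves under windows/configuration. The two AppLocker links also move from relative .md paths to site-absolute paths without an extension, which is a different link style from the rest of the file and is worth a build check for broken links.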
diff --git a/windows/configure/lock-down-windows-10.md b/windows/configuration/lock-down-windows-10.md
similarity index 100%
rename from windows/configure/lock-down-windows-10.md
rename to windows/configuration/lock-down-windows-10.md
diff --git a/windows/configure/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md
similarity index 99%
rename from windows/configure/lockdown-features-windows-10.md
rename to windows/configuration/lockdown-features-windows-10.md
index c6eaa7e68d..7c72bb6e2b 100644
--- a/windows/configure/lockdown-features-windows-10.md
+++ b/windows/configuration/lockdown-features-windows-10.md
@@ -61,7 +61,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be
[Dialog Filter](https://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run
Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.
Control over which processes are able to run will now be provided by AppLocker.
diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
similarity index 96%
rename from windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
rename to windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 86503c42e8..e81b1db45a 100644
--- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -25,7 +25,7 @@ If you want to minimize connections from Windows to Microsoft services, or confi
You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
-To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
+To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
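Review bot: The rewritten paragraph carries over the garbled sentence "Make sure should you've chosen the right settings configuration for your environment before applying." Since the line is being touched anyway, fix it to "Make sure you've chosen the right settings configuration for your environment before applying." The same paragraph says some baseline settings "reduce the functionality and security configuration of your device"; naming which ones would help admins decide before they apply it.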
@@ -290,7 +290,7 @@ You can prevent Windows from setting the time automatically.
-or -
-- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero).
+- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero).
-or-
@@ -300,7 +300,7 @@ You can prevent Windows from setting the time automatically.
To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
-You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one).
+You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one).
### 5. Find My Device
@@ -312,7 +312,7 @@ To turn off Find My Device:
- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
-You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one).
+You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one).
### 6. Font streaming
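Review bot: The registry sentence under "5. Find My Device" still names Device Metadata!PreventDeviceMetadataFromNetwork, which is the setting from the device metadata section above; the change only inserts SOFTWARE into what looks like a copy-paste error. Replace it with the registry value that actually backs the "Turn On/Off Find My Device" policy, or drop the sentence until that value is confirmed, otherwise an admin following this step leaves Find My Device enabled.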
@@ -322,6 +322,8 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later:
- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**.
+- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\System\\EnableFontProviders** to 0 (zero).
+
- In Windows 10, version 1703, you can apply the System/AllowFontProviders MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
- **false**. Font streaming is disabled.
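Review bot: The added registry bullet has a single backslash in "Windows\System" where every other segment uses the escaped "\\", and it writes the value as "\\EnableFontProviders" instead of the "Key!Value" form used throughout this article, so it renders differently and reads as if EnableFontProviders were a subkey. Suggest "...\\Windows\\System!EnableFontProviders". The bullet is also missing the "-or-" separator that the other alternatives in this article use between the Group Policy and the registry option.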
@@ -358,7 +360,7 @@ To turn off Insider Preview builds for Windows 10:
-or -
-- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\PreviewBuilds!AllowBuildPreview** to 0 (zero)
+- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds!AllowBuildPreview** to 0 (zero)
-or-
@@ -418,8 +420,9 @@ You can also use registry entries to set these Group Policies.
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
| Choose whether employees can configure Compatibility View. | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation!MSCompatibilityMode REG_DWORD: 0|
| Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead!Enabled REG_DWORD: 0|
-| Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus DWORD:0 |
+| Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus REG_DWORD:0 |
+To turn off the home page, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**
### 8.1 ActiveX control blocking
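Review bot: The added sentence says "To turn off the home page" but the policy it names is "Disable changing home page settings", which reads as locking the setting rather than turning anything off; state what home page value should be set along with it. It also sits under User Configuration while the table above lists HKEY_LOCAL_MACHINE values, gives no registry equivalent, and lacks a closing period. In the table, "REG_DWORD:0" is missing the space used in the two rows above ("REG_DWORD: 0").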
@@ -443,7 +446,9 @@ To turn off Live Tiles:
-or-
-- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one).
+- Create a REG\_DWORD registry setting called **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one).
+
+You must also unpin all tiles that are pinned to Start.
### 10. Mail synchronization
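Review bot: This is the only registry fix in the patch that changes the hive, from HKEY_LOCAL_MACHINE to HKEY_CURRENT_USER, rather than just inserting SOFTWARE. If that is intentional, say in the text that the value is per user and has to be set for every account on the device, because a machine-wide lockdown script that writes it once will not cover other users. The added sentence "You must also unpin all tiles that are pinned to Start" gives no method; link to or describe how to do that at scale.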
@@ -465,7 +470,7 @@ To turn off the Windows Mail app:
-or-
-- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows Mail!ManualLaunchAllowed**, with a value of 0 (zero).
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail!ManualLaunchAllowed**, with a value of 0 (zero).
### 11. Microsoft Account
@@ -473,6 +478,8 @@ To prevent communication to the Microsoft Account cloud authentication service.
- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**.
+ -or-
+- Create a REG\_DWORD registry setting called **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System!NoConnectedUser**, with a value of 3.
To disable the Microsoft Account Sign-In Assistant:
- Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
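Review bot: The added registry bullet writes "HKEY_LOCAL_MACHINE" with unescaped underscores, while the rest of the article uses "HKEY\_LOCAL\_MACHINE"; escape them so the Markdown renders consistently. The value 3 is given without explanation; tie it to the policy option named in the bullet above ("Users can't add Microsoft accounts") so readers know which choice it corresponds to. Also check the indentation of the added "-or-" line and add a blank line before "To disable the Microsoft Account Sign-In Assistant:" so the list terminates cleanly.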
@@ -495,7 +502,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions. Default: Enabled |
| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off. Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears. Default: Enabled |
-| Configure Home pages | Choose the corporate Home page for domain-joined devices. Set this to **about:blank** |
+| Configure Start pages | Choose the Start page for domain-joined devices. Set this to **about:blank** |
The Windows 10, version 1511 Microsoft Edge Group Policy names are:
@@ -555,7 +562,7 @@ You can turn off NCSI by doing one of the following:
-or-
-- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator!NoActiveProbe**, with a value of 0 (zero).
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator!NoActiveProbe**, with a value of 1 (one).
### 14. Offline maps
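Review bot: Besides the SOFTWARE path fix, this line changes the documented value of NoActiveProbe from 0 to 1, which reverses what the setting does. That matches the value's name and the section's goal of turning NCSI off, but it is a behavioural correction and should be called out in the commit message and change history, since anyone who deployed the earlier guidance with 0 needs to re-apply it.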
@@ -565,7 +572,7 @@ You can turn off the ability to download and update offline maps.
-or-
-- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AutoDownloadAndUpdateMapData**, with a value of 0 (zero).
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps!AutoDownloadAndUpdateMapData**, with a value of 0 (zero).
-and-
@@ -573,7 +580,7 @@ You can turn off the ability to download and update offline maps.
-or-
-- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AllowUntriggeredNetworkTrafficOnSettingsPage**, with a value of 0 (zero).
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps!AllowUntriggeredNetworkTrafficOnSettingsPage**, with a value of 0 (zero).
### 15. OneDrive
@@ -583,7 +590,7 @@ To turn off OneDrive in your organization:
-or-
-- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\OneDrive!DisableFileSyncNGSC**, with a value of 1 (one).
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive!DisableFileSyncNGSC**, with a value of 1 (one).
### 16. Preinstalled apps
@@ -770,7 +777,7 @@ To turn off **Let apps use advertising ID to make ads more interesting to you ba
-or-
-- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one).
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one).
To turn off **Let websites provide locally relevant content by accessing my language list**:
@@ -807,7 +814,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin
-or-
-- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one).
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one).
To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**:
@@ -839,7 +846,7 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window
-or-
-- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\System!EnableSmartScreen**, with a value of 0 (zero).
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System!EnableSmartScreen**, with a value of 0 (zero).
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
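Review bot: The new path spells the key "Sofware" ("HKEY\_LOCAL\_MACHINE\\Sofware\\Policies\\..."), so anyone copying it creates a key that Windows does not read and SmartScreen stays in its default state. Correct it to "SOFTWARE", matching the casing used in the other hunks of this file.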
@@ -876,7 +883,7 @@ To turn off **Let apps on my other devices open apps and continue experiences on
-or-
-- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\System!EnableCdp**, with a value of 0 (zero).
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System!EnableCdp**, with a value of 0 (zero).
To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**:
@@ -1281,7 +1288,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
-or-
-- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection!AllowTelemetry**, with a value of 0 (zero).
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry**, with a value of 0 (zero).
-or-
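Review bot: The new line replaces the "!" value separator with "\\" ("...\\DataCollection\\AllowTelemetry"), which makes AllowTelemetry look like a subkey instead of a REG_DWORD value under DataCollection. Keep the "Key!Value" form used everywhere else in this article ("...\\DataCollection!AllowTelemetry"), and use "SOFTWARE" rather than "Software" for consistency with the other corrected paths.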
@@ -1596,7 +1603,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o
- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one).
-For more info, see [Windows Spotlight on the lock screen](../configure/windows-spotlight.md).
+For more info, see [Windows Spotlight on the lock screen](windows-spotlight.md).
### 25. Windows Store
diff --git a/windows/configure/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md
similarity index 97%
rename from windows/configure/manage-tips-and-suggestions.md
rename to windows/configuration/manage-tips-and-suggestions.md
index c3394002a8..333e59cee7 100644
--- a/windows/configure/manage-tips-and-suggestions.md
+++ b/windows/configuration/manage-tips-and-suggestions.md
@@ -49,8 +49,8 @@ Windows 10, version 1607 (also known as the Anniversary Update), provides organi
## Related topics
- [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md)
-- [Cortana integration in your business or enterprise](cortana-at-work-overview.md)
-- [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md)
+- [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md)
+- [Windows spotlight on the lock screen](windows-spotlight.md)
- [Windows 10 editions for education customers](https://technet.microsoft.com/en-us/edu/windows/windows-editions-for-education-customers)
diff --git a/windows/configure/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md
similarity index 100%
rename from windows/configure/manage-wifi-sense-in-enterprise.md
rename to windows/configuration/manage-wifi-sense-in-enterprise.md
diff --git a/windows/configure/configure-mobile.md b/windows/configuration/mobile-devices/configure-mobile.md
similarity index 100%
rename from windows/configure/configure-mobile.md
rename to windows/configuration/mobile-devices/configure-mobile.md
diff --git a/windows/manage/images/doneicon.png b/windows/configuration/mobile-devices/images/doneicon.png
similarity index 100%
rename from windows/manage/images/doneicon.png
rename to windows/configuration/mobile-devices/images/doneicon.png
diff --git a/windows/configure/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md
similarity index 96%
rename from windows/configure/lockdown-xml.md
rename to windows/configuration/mobile-devices/lockdown-xml.md
index 36fa6806f7..a6904b3499 100644
--- a/windows/configure/lockdown-xml.md
+++ b/windows/configuration/mobile-devices/lockdown-xml.md
@@ -24,9 +24,9 @@ This is accomplished using Lockdown XML, an XML file that contains settings for
In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-csp). This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. You can also use the [Lockdown Designer app](mobile-lockdown-designer.md) to configure and export your lockdown XML file.
> [!NOTE]
-> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601).
+> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](../set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601).
-If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) first.
+If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](../provisioning-packages/how-it-pros-can-use-configuration-service-providers.md) first.
## Overview of the lockdown XML file
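Review bot: The kiosk mode link in the note is rewritten to "../set-up-a-device-for-anyone-to-use.md", but kiosk-shared-pc.md in this patch now references the shared PC topic as set-up-shared-or-guest-pc.md; confirm which file name exists under windows/configuration after the move so this link does not break. The link to mobile-lockdown-designer.md in the paragraph above is left relative, which is correct only because that file moves into mobile-devices in this same patch; worth a link-check pass over the whole folder.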
@@ -57,7 +57,7 @@ The settings for the Default role and other roles must be listed in your XML fil
## Action Center
-
+
The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.
@@ -87,7 +87,7 @@ The following example is a complete lockdown XML file that disables Action Cente
## Apps
-
+
The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running.
@@ -105,7 +105,7 @@ The following example makes Outlook Calendar available on the device.
When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size).
-
+
Tile sizes are:
* Small: 1x1
@@ -147,7 +147,7 @@ In the following example, Outlook Calendar and Outlook Mail are pinned to the St
That layout would appear on a device like this:
-
+
You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start.
@@ -198,7 +198,7 @@ When an app is contained in a folder, its **PinToStart** configuration (tile siz
## Buttons
-
+
In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify.
@@ -208,11 +208,11 @@ When a user taps a button that is in the lockdown list, nothing will happen. The
Button | Press | PressAndHold | All
---|:---:|:---:|:--:|-
-Start |  |  | 
-Back |  |  | 
-Search |  |  | 
-Camera |  |  | 
-Custom 1, 2, and 3 |  |  | 
+Start |  |  | 
+Back |  |  | 
+Search |  |  | 
+Camera |  |  | 
+Custom 1, 2, and 3 |  |  | 
> [!NOTE]
> Custom buttons are hardware buttons that can be added to devices by OEMs.
@@ -265,7 +265,7 @@ In the following example, when a user presses the Search button, the phone diale
## CSPRunner
-
+
You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](https://go.microsoft.com/fwlink/p/?LinkID=717460) or [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx).
@@ -312,7 +312,7 @@ SyncML entry | Description
## Menu items
-
+
Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create.
@@ -324,7 +324,7 @@ Use DisableMenuItems to prevent use of the context menu, which is displayed when
## Settings
-
+
The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings.
@@ -358,7 +358,7 @@ For a list of the settings and quick actions that you can allow or block, see [S
## Tiles
- 
+ 
By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
@@ -441,7 +441,7 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (
3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created.
- 
+ 
4. On the **File** menu, select **Save.**
diff --git a/windows/configure/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
similarity index 66%
rename from windows/configure/mobile-lockdown-designer.md
rename to windows/configuration/mobile-devices/mobile-lockdown-designer.md
index bc580504e6..4ae14d1eaa 100644
--- a/windows/configure/mobile-lockdown-designer.md
+++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
@@ -11,7 +11,7 @@ author: jdeckerMS
# Use the Lockdown Designer app to create a Lockdown XML file
-
+
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile.
@@ -50,7 +50,7 @@ Perform these steps on the device running Windows 10 Mobile that you will use to
>[!IMPORTANT]
>Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**.
>
->
+>
## Prepare the PC
@@ -84,7 +84,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
3. Click **Pair**.
- 
+ 
**Connect to remote device** appears.
@@ -94,7 +94,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
- 
+ 
7. Click the **Save** icon and enter a name for your project.
@@ -108,7 +108,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
3. On the **Project setting** > **General settings** page, click **Pair**.
- 
+ 
**Connect to remote device** appears.
@@ -118,7 +118,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
- 
+ 
7. Click the **Save** icon and enter a name for your project.
@@ -129,13 +129,13 @@ The apps and settings available in the pages of Lockdown Designer should now be
| Page | Description |
| --- | --- |
-|  | Each app from the test mobile device is listed. Select the apps that you want visible to users.You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. |
-|  | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) |
-|  | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. |
-|  | On this page, you select the settings that you want visible to users. |
-|  | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
-|  | This page contains several settings that you can configure:- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. |
-|  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
+|  | Each app from the test mobile device is listed. Select the apps that you want visible to users.You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. |
+|  | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) |
+|  | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. |
+|  | On this page, you select the settings that you want visible to users. |
+|  | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
+|  | This page contains several settings that you can configure:- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. |
+|  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
## Validate and export
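Review bot: the fourth row of the page table carries the description "On this page, you select the settings that you want visible to users.", which repeats the first sentence of the third row and says nothing about what that page actually controls. As the row is being rewritten, give it its own description. The Action Center text two rows further down also mentions "optional attributes" without naming them; a link to the relevant section of lockdown-xml.md would let an admin see exactly which notifications stay enabled.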
@@ -164,7 +164,7 @@ You can create additional roles for the device and have unique configurations fo
4. Configure the settings for the role as above, but make sure on each page that you select the correct role.
- 
+ 
diff --git a/windows/configure/product-ids-in-windows-10-mobile.md b/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md
similarity index 100%
rename from windows/configure/product-ids-in-windows-10-mobile.md
rename to windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md
diff --git a/windows/configure/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
similarity index 58%
rename from windows/configure/provisioning-configure-mobile.md
rename to windows/configuration/mobile-devices/provisioning-configure-mobile.md
index 5c1a5048cf..06784fdafb 100644
--- a/windows/configure/provisioning-configure-mobile.md
+++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
@@ -16,7 +16,7 @@ Windows provisioning makes it easy for IT administrators to configure end-user d
A provisioning package (.ppkg) is a container for a collection of configuration settings. Using Windows Configuration Designer, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
-Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). Windows Configuration Designer is also available as an app in the Windows Store. [Learn more about installing Windows Configuration Designer.](provisioning-install-icd.md)
+Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). Windows Configuration Designer is also available as an app in the Windows Store. [Learn more about installing Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md)
## Create a provisioning package using the wizard
@@ -39,10 +39,10 @@ The **Provision Windows mobile devices** wizard lets you configure common settin
### Configure settings in the wizard
-
Enter a device name. Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise.
 Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.

-
 Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

-
 You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.

+
Enter a device name. Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise.
 Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.

+
 Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

+
 You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.

After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
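Review bot: the last cell of the wizard table presents package protection as optional ("You can set a password to protect your provisioning package"), yet the cells above it have the reader enter a WPA2-Personal Wi-Fi password and obtain a bulk Azure AD token that can stay valid for up to 30 days, all as settings of the package being built. Suggest stating in that cell that a package carrying these values should be password protected, and advising a token expiration no longer than the rollout needs rather than only quoting the 30-day maximum.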
@@ -61,13 +61,13 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us
1. Insert an SD card containing the provisioning package into the device.
2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
- 
+ 
3. Click **Add**.
4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
- 
+ 
### Copying the provisioning package to the device
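Review bot: step 4 tells the reader to tap **Yes, add it** at the "Is this package from a source you trust?" prompt without saying what should be checked first, and the same wording recurs in the next section. Suggest one sentence telling the user to confirm that the package is the one their organization built before accepting, so the prompt is not documented as a click-through.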
@@ -77,7 +77,7 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us
3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
- 
+ 
## Related topics
diff --git a/windows/configure/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md
similarity index 99%
rename from windows/configure/provisioning-nfc.md
rename to windows/configuration/mobile-devices/provisioning-nfc.md
index fad3428d0c..96659b0229 100644
--- a/windows/configure/provisioning-nfc.md
+++ b/windows/configuration/mobile-devices/provisioning-nfc.md
@@ -25,7 +25,7 @@ All Windows 10 Mobile Enterprise and Windows 10 Mobile images have the NFC provi
On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key, which shows the **Provision this device** screen. In the **Provision this device** screen, select **NFC** for NFC-based provisioning.
-
+
If there is an error during NFC provisioning, the device will show a message if any of the following errors occur:
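Review bot: the context sentence after the image line states its condition twice ("If there is an error during NFC provisioning, the device will show a message if any of the following errors occur:"). While this paragraph is being touched, tighten it to something like "The device shows a message if any of the following errors occur during NFC provisioning:".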
diff --git a/windows/configure/provisioning-package-splitter.md b/windows/configuration/mobile-devices/provisioning-package-splitter.md
similarity index 92%
rename from windows/configure/provisioning-package-splitter.md
rename to windows/configuration/mobile-devices/provisioning-package-splitter.md
index 00a62a1ae4..a6842ac37c 100644
--- a/windows/configure/provisioning-package-splitter.md
+++ b/windows/configuration/mobile-devices/provisioning-package-splitter.md
@@ -23,14 +23,14 @@ Enterprise IT professionals who want to use a barcode to provision mobile device
The smallest provisioning package is typically 5-6 KB, which cannot fit into one single barcode. The package splitter tool allows partners to split the original provisioning package into multiple smaller sized chunks that are encoded with Base64 so that enterprises can leverage their existing tools to convert these files into barcodes.
-When you [install Windows Configuration Designer](provisioning-install-icd.md) from the Windows Assessment and Deployment Kit (ADK), **ppkgtobase64.exe** is installed to the same folder.
+When you [install Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md) from the Windows Assessment and Deployment Kit (ADK), **ppkgtobase64.exe** is installed to the same folder.
## Prerequisites
Before you can use the tool, you must have a built provisioning package. The package file is the input to the package splitter tool.
- To build a provisioning package using the Windows Configuration Designer UI, see [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md).
-- To build a provisioning package using the Windows Configuration Designer CLI, see [Windows Configuration Designer command-line interface](provisioning-command-line.md).
+- To build a provisioning package using the Windows Configuration Designer CLI, see [Windows Configuration Designer command-line interface](../provisioning-packages/provisioning-command-line.md).
## To use the package splitter tool (ppkgtobase64.exe)
diff --git a/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
similarity index 91%
rename from windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
rename to windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
index 3ef7f7e374..6eb9545022 100644
--- a/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
+++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
@@ -53,7 +53,7 @@ In AssignedAccessXml, for Application, you enter the product ID for the app to r
#### Create the provisioning package
-1. [Install Windows Configuration Designer.](provisioning-install-icd.md)
+1. [Install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md)
2. Open Windows Configuration Designer (if you installed it from the Windows ADK, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`).
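Review bot: the ICD.exe path in step 2 starts at `%windir%`, which expands to the Windows directory, so `%windir%\Program Files (x86)\Windows Kits\...` does not resolve to the ADK install location. Use `%ProgramFiles(x86)%\Windows Kits\10\...` (or `%systemdrive%\Program Files (x86)\...`) instead. The backslashes are also doubled inside a code span, where they are shown literally, so a reader who copies the path gets `\\` separators.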
@@ -163,33 +163,33 @@ Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or
**To set up Apps Corner**
-1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner**.
+1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner**.
-2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done 
+2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done .
-3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back**  to the Apps Corner settings.
+3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back**  to the Apps Corner settings.
4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode.
5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them.
-6. Press **Back**  when you're done.
+6. Press **Back**  when you're done.
**To use Apps Corner**
-1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner** > launch .
+1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner** > launch .
>[!TIP]
>Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen.
2. Give the device to someone else, so they can use the device and only the one app you chose.
-3. When they're done and you get the device back, press and hold Power , and then swipe right to exit Apps Corner.
+3. When they're done and you get the device back, press and hold Power , and then swipe right to exit Apps Corner.
## Related topics
-[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
+[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
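Review bot: setup step 3 words the lock screen PIN as optional ("you can set one now") although the same sentence says it is what keeps people from reaching the Start screen, and step 3 of "To use Apps Corner" shows that leaving the kiosk only takes holding Power and swiping right. Suggest stating that a PIN should be set before the device is handed over. In the same step, "Press **Back** to the Apps Corner settings" is missing a verb ("to return to"), and the step mixes "tap" and "click" for the same kind of action.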
diff --git a/windows/configure/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
similarity index 100%
rename from windows/configure/settings-that-can-be-locked-down.md
rename to windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
diff --git a/windows/configure/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
similarity index 96%
rename from windows/configure/start-layout-xml-mobile.md
rename to windows/configuration/mobile-devices/start-layout-xml-mobile.md
index f25c2d2413..8096be33e4 100644
--- a/windows/configure/start-layout-xml-mobile.md
+++ b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
@@ -31,7 +31,7 @@ On Windows 10 Mobile, the customized Start works by:
The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support.
-
+
The diagrams show:
@@ -370,13 +370,13 @@ This should set the value of **StartLayout**. The setting appears in the **Selec
## Related topics
-- [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
-- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-- [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-- [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
-- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+- [Manage Windows 10 Start layout options](../windows-10-start-layout-options-and-policies.md)
+- [Configure Windows 10 taskbar](../configure-windows-10-taskbar.md)
+- [Customize Windows 10 Start and taskbar with Group Policy](../customize-windows-10-start-screens-by-using-group-policy.md)
+- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Customize Windows 10 Start with mobile device management (MDM)](../customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Changes to Group Policy settings for Windows 10 Start](../changes-to-start-policies-in-windows-10.md)
+- [Start layout XML for desktop editions of Windows 10 (reference)](../start-layout-xml-desktop.md)
diff --git a/windows/configure/provisioning-apn.md b/windows/configuration/provisioning-apn.md
similarity index 100%
rename from windows/configure/provisioning-apn.md
rename to windows/configuration/provisioning-apn.md
diff --git a/windows/configure/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
similarity index 93%
rename from windows/configure/how-it-pros-can-use-configuration-service-providers.md
rename to windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 4a4fc4883a..87a452fa0f 100644
--- a/windows/configure/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -37,7 +37,7 @@ Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](http
CSPs are behind many of the management tasks and policies for Windows 10 in Microsoft Intune and non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244).
-
+
CSPs receive configuration policies in the XML-based SyncML format pushed to it from an MDM-compliant management server such as Microsoft Intune. Traditional enterprise management systems, such as System Center Configuration Manager, can also target CSPs by using a client-side WMI-to-CSP bridge.
@@ -58,7 +58,7 @@ Generally, enterprises rely on Group Policy or MDM to configure and manage devic
In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried.
-In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](cortana-at-work-overview.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
+In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](/windows/windows-10) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](../cortana-at-work/cortana-at-work-overview.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
### CSPs in Windows Configuration Designer
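Review bot: on the `+` line the library link now targets the site-absolute path `/windows/windows-10`, while the other links updated in this file stay relative to the new folder (`../cortana-at-work/cortana-at-work-overview.md`, `../mobile-devices/lockdown-xml.md`). Please confirm the absolute form is intended and resolves in the published output. The surrounding text also still says the library is "on Technet", which is worth checking against where the link now points.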
@@ -66,7 +66,7 @@ You can use Windows Configuration Designer to create [provisioning packages](htt
Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
-
+
[Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package.
@@ -78,7 +78,7 @@ When a CSP is available but is not explicitly included in your MDM solution, you
### CSPs in Lockdown XML
-Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). In Windows 10, version 1703, you can also use the new [Lockdown Designer app](mobile-lockdown-designer.md) to configure your Lockdown XML.
+Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](../mobile-devices/lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). In Windows 10, version 1703, you can also use the new [Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) to configure your Lockdown XML.
## How do you use the CSP documentation?
@@ -87,7 +87,7 @@ All CSPs in Windows 10 are documented in the [Configuration service provider re
The [main CSP topic](https://go.microsoft.com/fwlink/p/?LinkId=717390) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP.
-
+
The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format.
@@ -95,7 +95,7 @@ The full path to a specific configuration setting is represented by its Open Mob
The following example shows the diagram for the [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes and rectangular elements are settings or policies for which a value must be supplied.
-
+
The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see it uses the [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608).
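Review bot: the context line after the image reads "in the following OMS-URI path", but the hunk header shows the surrounding section introducing the path as "represented by its Open Mob…" URI, so the abbreviation should be OMA-URI. Worth fixing in this pass, since readers search the CSP reference by that term.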
@@ -105,7 +105,7 @@ The element in the tree diagram after the root node tells you the name of the CS
When an element in the diagram uses italic font, it indicates a placeholder for specific information, such as the tenant ID in the following example.
-
+
After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed.
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
new file mode 100644
index 0000000000..eba24fd12d
--- /dev/null
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -0,0 +1,117 @@
+---
+title: Provision PCs with common settings (Windows 10)
+description: Create a provisioning package to apply common settings to a PC running Windows 10.
+ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
+keywords: ["runtime provisioning", "provisioning package"]
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Provision PCs with common settings for initial deployment (desktop wizard)
+
+
+**Applies to**
+
+- Windows 10
+
+This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home.
+
+You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
+
+## Advantages
+- You can configure new devices without reimaging.
+
+- Works on both mobile and desktop devices.
+
+- No network connectivity required.
+
+- Simple to apply.
+
+[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md)
+
+## What does the desktop wizard do?
+
+The desktop wizard helps you configure the following settings in a provisioning package:
+
+- Set device name
+- Upgrade product edition
+- Configure the device for shared use
+- Remove pre-installed software
+- Configure Wi-Fi network
+- Enroll device in Active Directory or Azure Active Directory
+- Create local administrator account
+- Add applications and certificates
+
+>[!WARNING]
+>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
+
+Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
+
+> [!TIP]
+> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
+>
+>
+
+## Create the provisioning package
+
+Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md)
+
+1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+
+2. Click **Provision desktop devices**.
+
+ 
+
+3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps.
+
+ 
+
+> [!IMPORTANT]
+> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+## Configure settings
+
+
+
+
Enter a name for the device.(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](../set-up-shared-or-guest-pc.md)You can also select to remove pre-installed software from the device.

+
 Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.

+
 Enable account management if you want to configure settings on this page. You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the deviceTo enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions. To create a local administrator account, select that option and enter a user name and password. **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.

+
 You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md).

+
 To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.

+
You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.

+
+
+After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
+
+ **Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
+
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md)
+- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md)
+- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+
+
+
+
+
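Review bot: In step 1 of "Create the provisioning package", the default path `%windir%\Program Files (x86)\Windows Kits\10\...\ICD.exe` cannot be right, because `%windir%` expands to the Windows directory and `Program Files (x86)` does not sit under it; use `%ProgramFiles(x86)%\Windows Kits\10\...` instead. Separately, the Wi-Fi and account-management steps collect a WPA2-Personal password, domain-join credentials and a local administrator password, yet the last settings step only says "You can set a password to protect your provisioning package"; tie that step back to the [!IMPORTANT] note so readers understand these are the secrets the package password protects. The file also ends with five empty added lines that can be dropped, and `>[!WARNING]` and `> [!TIP]` use different spacing.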
diff --git a/windows/configure/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
similarity index 92%
rename from windows/configure/provision-pcs-with-apps-and-certificates.md
rename to windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
index b5e03dbb14..137062fe5d 100644
--- a/windows/configure/provision-pcs-with-apps-and-certificates.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
@@ -1,7 +1,6 @@
---
title: Provision PCs with apps and certificates (Windows 10)
description: Create a provisioning package to apply settings to a PC running Windows 10.
-ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
keywords: ["runtime provisioning", "provisioning package"]
ms.prod: W10
ms.mktglfcycl: deploy
@@ -42,7 +41,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
2. Click **Advanced provisioning**.
- 
+ 
3. Name your project and click **Next**.
@@ -63,25 +62,25 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
### Add a universal app to your package
-Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](../manage/acquire-apps-windows-store-for-business.md), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
+Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](/microsoft-store/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page.
- 
+ 
3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
- 
+ 
5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
- In Windows Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**.
- 
+ 
- Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
@@ -89,7 +88,7 @@ Universal apps that you can distribute in the provisioning package can be line-o
7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed **.**ms-windows-store-license**, and select the license file.
-[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md)
+[Learn more about distributing offline apps from the Windows Store for Business.](/microsoft-store/distribute-offline-apps)
> [!NOTE]
> Removing a provisioning package will not remove any apps installed by device context in that provisioning package.
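Review bot: The unchanged step 7 in this hunk has malformed emphasis, `renamed **.**ms-windows-store-license**`, which leaves stray asterisks in the rendered page; since the adjacent link is being edited, change it to `**.ms-windows-store-license**` to match the way step 5 writes the extension.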
@@ -190,8 +189,8 @@ If your build is successful, the name of the provisioning package, output direct
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Use the package splitter tool](provisioning-package-splitter.md)
+- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md)
+- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
diff --git a/windows/configure/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
similarity index 92%
rename from windows/configure/provision-pcs-with-apps.md
rename to windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index 26703f40c9..ea6c976ffe 100644
--- a/windows/configure/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -1,7 +1,6 @@
---
title: Provision PCs with apps (Windows 10)
description: Add apps to a Windows 10 provisioning package.
-ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
keywords: ["runtime provisioning", "provisioning package"]
ms.prod: W10
ms.mktglfcycl: deploy
@@ -63,33 +62,33 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
2. Enter a name for the first app, and then click **Add**.
- 
+ 
3. [Configure the settings for the appropriate installer type.](#settings-for-classic-windows-apps)
- 
+ 
### Add a universal app to your package
-Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](../manage/acquire-apps-windows-store-for-business.md), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
+Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](/microsoft-store/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page.
- 
+ 
3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
- 
+ 
5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
- In Windows Store for Business, generate the unencoded license for the app on the app's download page.
- 
+ 
- Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
@@ -97,7 +96,7 @@ Universal apps that you can distribute in the provisioning package can be line-o
7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed **.**ms-windows-store-license**, and select the license file.
-[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md)
+[Learn more about distributing offline apps from the Windows Store for Business.](/microsoft-store/distribute-offline-apps)
> [!NOTE]
> Removing a provisioning package will not remove any apps installed by device context in that provisioning package.
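Review bot: Step 7 tells the reader to select "the license file that you renamed", but step 5 of this file, in the previous hunk, only says to generate the unencoded license and, unlike the same step in provision-pcs-with-apps-and-certificates.md, never mentions changing the extension from .xml to .ms-windows-store-license. Restore the rename instruction in step 5 or reword step 7, unless a step outside the visible hunks already covers it. The `**.**ms-windows-store-license**` emphasis in step 7 is malformed here as well.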
@@ -199,8 +198,8 @@ If your build is successful, the name of the provisioning package, output direct
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Use the package splitter tool](provisioning-package-splitter.md)
+- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md)
+- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
diff --git a/windows/configure/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md
similarity index 85%
rename from windows/configure/provisioning-apply-package.md
rename to windows/configuration/provisioning-packages/provisioning-apply-package.md
index 2725bb140c..bc88e92479 100644
--- a/windows/configure/provisioning-apply-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md
@@ -24,23 +24,23 @@ Provisioning packages can be applied to a device during the first-run experience
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
- 
+ 
2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
- 
+ 
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
- 
+ 
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
- 
+ 
5. Select **Yes, add it**.
- 
+ 
@@ -48,7 +48,7 @@ Provisioning packages can be applied to a device during the first-run experience
Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network forlder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.
-
+
## Mobile editions
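Review bot: The context paragraph above the changed line reads "stored on a network forlder", a typo for "folder", and "Insert the USB drive to a desktop computer" should read "into"; both are worth fixing in this pass since the paragraph is already part of the hunk.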
@@ -57,13 +57,13 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account
1. Insert an SD card containing the provisioning package into the device.
2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
- 
+ 
3. Click **Add**.
4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
- 
+ 
### Copying the provisioning package to the device
@@ -73,7 +73,7 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account
3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
- 
+ 
diff --git a/windows/configure/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md
similarity index 100%
rename from windows/configure/provisioning-command-line.md
rename to windows/configuration/provisioning-packages/provisioning-command-line.md
diff --git a/windows/configure/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
similarity index 88%
rename from windows/configure/provisioning-create-package.md
rename to windows/configuration/provisioning-packages/provisioning-create-package.md
index a73b54f4f8..3beb70be19 100644
--- a/windows/configure/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -34,13 +34,13 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg)
2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image:
- 
+ 
- The wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices. Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizardS](provisioning-packages.md#configuration-designer-wizards).
- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
- - [Instructions for the mobile wizard](provisioning-configure-mobile.md)
- - [Instructions for the kiosk wizard](set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard)
+ - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
+ - [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard)
- [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning)
- [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub)
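Review bot: The link text in the first bullet reads "What you can configure using Configuration Designer wizardS", with a stray capital S; correct it to "wizards" while the wizard links directly below it are being updated.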
@@ -49,7 +49,7 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg)
>[!TIP]
> You can start a project in the simple wizard editor and then switch the project to the advanced editor.
>
- > 
+ > 
3. Enter a name for your project, and then click **Next**.
@@ -78,30 +78,30 @@ After you click **Finish**, Windows Configuration Designer will open the **Avail
For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings.
-
+
The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
The process for configuring settings is similar for all settings. The following table shows an example.
Enter a value for the setting. Click **Add** if the button is displayed.

-
Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and additional settings are displayed.

-
When the setting is configured, it is displayed in the **Selected customizations** pane.
Enter a value for the setting. Click **Add** if the button is displayed.

+
Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and additional settings are displayed.

+
When the setting is configured, it is displayed in the **Selected customizations** pane.
For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image.
-
+
## Build package
1. After you're done configuring your customizations, click **Export** and select **Provisioning Package**.
- 
+ 
2. In the **Describe the provisioning package** window, enter the following information, and then click **Next**:
- **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field.
diff --git a/windows/configure/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
similarity index 100%
rename from windows/configure/provisioning-how-it-works.md
rename to windows/configuration/provisioning-packages/provisioning-how-it-works.md
diff --git a/windows/configure/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
similarity index 98%
rename from windows/configure/provisioning-install-icd.md
rename to windows/configuration/provisioning-packages/provisioning-install-icd.md
index 16ae7f94d5..29a9eb537c 100644
--- a/windows/configure/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -61,7 +61,7 @@ On devices running Windows 10, you can install [the Windows Configuration Design
6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**.
- 
+ 
## Current Windows Configuration Designer limitations
diff --git a/windows/configure/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md
similarity index 98%
rename from windows/configure/provisioning-multivariant.md
rename to windows/configuration/provisioning-packages/provisioning-multivariant.md
index d28ac354ee..e3479458a2 100644
--- a/windows/configure/provisioning-multivariant.md
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md
@@ -30,12 +30,12 @@ In the XML file, you provide an **Id**, or friendly name, for each **Target**. E
A **Target** can have more than one **TargetState**, and a **TargetState** can have more than one **Condition**.
-
+
The following table describes the logic for the target definition.
-
When all **Condition** elements are TRUE, **TargetState** is TRUE.

-
If any of the **TargetState** elements is TRUE, **Target** is TRUE, and the **Id** can be used for setting customizations.

+
When all **Condition** elements are TRUE, **TargetState** is TRUE.

+
If any of the **TargetState** elements is TRUE, **Target** is TRUE, and the **Id** can be used for setting customizations.

### Conditions
diff --git a/windows/configure/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
similarity index 86%
rename from windows/configure/provisioning-packages.md
rename to windows/configuration/provisioning-packages/provisioning-packages.md
index 8732d8c5a3..d04fbce120 100644
--- a/windows/configure/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -70,18 +70,18 @@ Provisioning packages can be:
The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages.
(Only device name and upgrade key)

-
Set up network
Connect to a Wi-Fit network



-
Account management
Enroll device in Active Directory,enroll device in Azure Active Directory,or create a local administrator account



-
Bulk Enrollment in Azure AD
Enroll device in Azure Active DirectoryBefore you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).



-
Add applications
Install applications using the provisioning package.



-
Add certificates
Include a certificate file in the provisioning package.



-
Configure kiosk account and app
Create local account to run the kiosk mode app,specify the app to run in kiosk mode



-
Configure kiosk common settings
Set tablet mode,configure welcome and shutdown screens,turn off timeout settings
(Only device name and upgrade key)

+
Set up network
Connect to a Wi-Fit network



+
Account management
Enroll device in Active Directory,enroll device in Azure Active Directory,or create a local administrator account



+
Bulk Enrollment in Azure AD
Enroll device in Azure Active DirectoryBefore you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).



+
Add applications
Install applications using the provisioning package.



+
Add certificates
Include a certificate file in the provisioning package.



+
Configure kiosk account and app
Create local account to run the kiosk mode app,specify the app to run in kiosk mode



+
Configure kiosk common settings
Set tablet mode,configure welcome and shutdown screens,turn off timeout settings



- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
-- [Instructions for the mobile wizard](provisioning-configure-mobile.md)
-- [Instructions for the kiosk wizard](set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard)
+- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
+- [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard)
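Review bot: The "Set up network" row is re-added with "Connect to a Wi-Fit network", carried over unchanged from the removed row; correct it to "Wi-Fi" in the added table. The re-added cells "Enroll device in Active Directory,enroll device in Azure Active Directory,or create a local administrator account" and "Azure Active DirectoryBefore you use" also run their items together, so check that the separators between them survive in the new markup.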
@@ -115,7 +115,7 @@ For details about the settings you can customize in provisioning packages, see [
Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios.
-
+
Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators:
@@ -153,7 +153,7 @@ Windows ICD in Windows 10, version 1607, supported the following scenarios for I
- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md)
+- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](../mobile-devices/provisioning-configure-mobile.md)
diff --git a/windows/configure/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md
similarity index 100%
rename from windows/configure/provisioning-powershell.md
rename to windows/configuration/provisioning-packages/provisioning-powershell.md
diff --git a/windows/configure/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
similarity index 98%
rename from windows/configure/provisioning-script-to-install-app.md
rename to windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
index 639ca1ea2f..d4b208b83a 100644
--- a/windows/configure/provisioning-script-to-install-app.md
+++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
@@ -16,7 +16,7 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-This walkthrough describes how to leverage the ability to include scripts in a Windows 10 provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed, however, some care is needed in order to avoid unintended behavior during script execution (see Remarks below).
+This walkthrough describes how to leverage the ability to include scripts in a Windows 10 provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed, however, some care is needed in order to avoid unintended behavior during script execution (see [Remarks](#remarks) below).
>**Prerequisite**: [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), version 1511 or higher
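Review bot: The new `[Remarks](#remarks)` link only resolves if this topic has a heading that renders with the anchor `remarks`; that heading is outside the visible hunks, so confirm it before merging. The sentence carrying the link is also a comma splice ("can also be performed, however, some care is needed"); a semicolon before "however" would fix it.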
@@ -184,13 +184,13 @@ cmd /c InstallMyApp.bat
In Windows Configuration Designer, this looks like:
-
+
You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files.
In Windows Configuration Designer, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting.
-
+
When you are done, [build the package](provisioning-create-package.md#build-package).
diff --git a/windows/configure/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
similarity index 100%
rename from windows/configure/provisioning-uninstall-package.md
rename to windows/configuration/provisioning-packages/provisioning-uninstall-package.md
diff --git a/windows/configure/set-up-a-device-for-anyone-to-use.md b/windows/configuration/set-up-a-device-for-anyone-to-use.md
similarity index 95%
rename from windows/configure/set-up-a-device-for-anyone-to-use.md
rename to windows/configuration/set-up-a-device-for-anyone-to-use.md
index 7a58deaa8f..cecb14db32 100644
--- a/windows/configure/set-up-a-device-for-anyone-to-use.md
+++ b/windows/configuration/set-up-a-device-for-anyone-to-use.md
@@ -8,7 +8,6 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
-redirect_url: https://technet.microsoft.com/itpro/windows/configure/kiosk-shared-pc
---
# Set up a device for anyone to use (kiosk mode)
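Review bot: Removing `redirect_url` from the front matter changes behaviour beyond the file move: the topic stops redirecting to the kiosk-shared-pc page and renders its own body again. Confirm that this is intended and call it out in the change description, since the other edit to this file is only a link update.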
@@ -70,7 +69,7 @@ The following table identifies the type of application that can be used on each
A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the assigned access feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use Shell Launcher to set a custom user interface as the shell.
-
[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
+
[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience.
diff --git a/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
similarity index 95%
rename from windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
rename to windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index e9f19dfa8f..fd1177208a 100644
--- a/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -49,7 +49,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
-[Install Windows Configuration Designer](provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table.
+[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table.
@@ -57,7 +57,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
Enable device setup if you want to configure settings on this page.**If enabled:**Enter a name for the device.(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.You can also select to remove pre-installed software from the device.

 Enable network setup if you want to configure settings on this page.**If enabled:**Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.

 Enable account management if you want to configure settings on this page. **If enabled:**You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the deviceTo enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.To create a local administrator account, select that option and enter a user name and password. **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.

-
 You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md)**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.

+
 You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.

 To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.

 **Important:** You must use the Windows Configuration Designer app from Windows Store to select a Classic Windows application as the kiosk app in a provisioning package.You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.

 On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.

@@ -72,7 +72,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
-[Learn how to apply a provisioning package.](provisioning-apply-package.md)
+[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md)
@@ -427,7 +427,7 @@ For a more secure kiosk experience, we recommend that you make the following con
## Related topics
-- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
+- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
diff --git a/windows/configure/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
similarity index 71%
rename from windows/configure/set-up-shared-or-guest-pc.md
rename to windows/configuration/set-up-shared-or-guest-pc.md
index d0998d18c6..d89c6c3063 100644
--- a/windows/configure/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -16,24 +16,26 @@ localizationpriority: high
- Windows 10
-Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise.
+Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise.
> [!NOTE]
> If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education.
##Shared PC mode concepts
-A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. Users who sign-in are signed in as standard users, not admin users.
+A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen.
###Account models
-It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC as a standard user. The user who originally joined the PC to the domain will have administrative rights when they sign in. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Start without an account** option on the sign-in screen, which doesn't require any user credentials or authentication and creates a new local account.
+It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows 10, version 1703, introduces a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode.
###Account management
-When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Start without an account** option. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low.
+When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows 10, version 1703, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days.
###Maintenance and sleep
Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not is use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods.
-While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates. Use one of the following methods to configure Windows Update:
+While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates.
+
+Use one of the following methods to configure Windows Update:
- Group Policy: Set **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** to `4` and check **Install during automatic maintenance**.
- MDM: Set **Update/AllowAutoUpdate** to `4`.
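Review bot: The rewritten concepts and Account models paragraphs no longer state the privilege level of signed-in users. The removed lines said "Users who sign-in are signed in as standard users, not admin users" and that the account that joined the PC to the domain gets administrative rights; the replacement only says directory users can "sign-in to the PC". If the behavior changed in version 1703, say so explicitly; if it did not, keep one sentence on rights here, because administrators read this section to decide who ends up with admin access on a shared device. The new Guest and Kiosk sentences also repeat the same clause ("which doesn't require any user credentials or authentication, and creates a new local account each time it is used") and could be merged.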
@@ -43,21 +45,31 @@ While shared PC mode does not configure Windows Update itself, it is strongly re
###App behavior
-Apps can take advantage of shared PC mode by changing their app behavior to align with temporary use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences. For information on how an app can query for shared PC mode, see [SharedModeSettings class](https://msdn.microsoft.com/en-us/library/windows/apps/windows.system.profile.sharedmodesettings.aspx).
+Apps can take advantage of shared PC mode with the following three APIs:
+
+- [IsEnabled](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences.
+- [ShouldAvoidLocalStorage](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app.
+- [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) - This informs apps when the PC is used in an education environment. Apps may want to handle telemetry differently or hide advertising functionality.
+
###Customization
Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table.
| Setting | Value |
|:---|:---|
-| EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. |
-| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the **Start without an account** option to the sign-in screen and enable anonymous guest access to the PC. - **Only guest** allows anyone to use the PC as a local standard (non-admin) account. - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account. - **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
-| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out. - **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.
Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. |
+| EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. |
+| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the **Guest** option to the sign-in screen and enable anonymous guest access to the PC. - **Only guest** allows anyone to use the PC as a local standard (non-admin) account. - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account. - **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
+| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out. - **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.
Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. - **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** |
| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
+| AccountManagement: InactiveThreshold | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. |
| AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. |
+| AccountManagement: KioskModeAUMID | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign-in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. Note that the app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](https://msdn.microsoft.com/library/dn449300.aspx) |
+| AccountManagement: KioskModeUserTileDisplayText | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. |
| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
-| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. When **SetEduPolicies** is **True**, the following additional settings are applied: - Local storage locations are restricted. Users can only save files to the cloud. - Custom Start and taskbar layouts are set.\* - A custom sign-in screen background image is set.\* - Additional educational policies are applied (see full list below).
\*Only applies to Windows 10 Pro Education, Enterprise, and Education |
+| Customization: MaxPageFileSizeMB | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. |
+| Customization: RestrictLocalStorage | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) |
+| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](https://docs.microsoft.com/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) |
| Customization: SetPowerPolicies | When set as **True**: - Prevents users from changing power settings - Turns off hibernate - Overrides all power state transitions to sleep (e.g. lid close) |
| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
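Review bot: The DiskLevelCaching and DiskLevelDeletion rows are left unchanged and still read "If you set **DeletionPolicy** to **Delete at disk space threshold**", but the new policy added in the DeletionPolicy row, **Delete at disk space threshold and inactive threshold**, is described as applying the same disk space checks. Update both rows to name the new policy as well, otherwise a reader who picks it will not know the two thresholds still apply. In the EnableSharedPCMode row the sentence "This setting controls this API: [IsEnabled](...)" runs into "Some of the remaining settings" with no period, and the new DeletionPolicy bullet ends without one after **InactiveThreshold**. The IsEnabled and ShouldAvoidLocalStorage links in the App behavior list point to the same class page, so consider linking to the individual properties.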
@@ -73,10 +85,32 @@ You can configure Windows to be in shared PC mode in a couple different ways:

+- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For example, open PowerShell as an administrator and enter the following:
+
+```
+$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
+$sharedPC.EnableSharedPCMode = $True
+$sharedPC.SetEduPolicies = $True
+$sharedPC.SetPowerPolicies = $True
+$sharedPC.MaintenanceStartTime = 0
+$sharedPC.SignInOnResume = $True
+$sharedPC.SleepTimeout = 0
+$sharedPC.EnableAccountManager = $True
+$sharedPC.AccountModel = 2
+$sharedPC.DeletionPolicy = 1
+$sharedPC.DiskLevelDeletion = 25
+$sharedPC.DiskLevelCaching = 50
+$sharedPC.RestrictLocalStorage = $False
+$sharedPC.KioskModeAUMID = ""
+$sharedPC.KioskModeUserTileDisplayText = ""
+$sharedPC.InactiveThreshold = 0
+Set-CimInstance -CimInstance $sharedPC
+Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass
+```
### Create a provisioning package for shared use
-1. [install Windows Configuration Designer](provisioning-install-icd.md)
+1. [install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md)
1. Open Windows Configuration Designer.
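Review bot: The last line of the added PowerShell sample, `Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass`, reads two variables that are never assigned anywhere in the snippet, so the verification query fails for anyone who pastes the block as written. Reuse the literals from the first line (`-Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"`) or assign both variables at the top and use them in both calls. The sample also sets `AccountModel = 2` and `DeletionPolicy = 1` as bare integers, while the Customization table documents these settings only by name (**Only guest**, **Delete immediately**, and so on); add the numeric mapping to the table or as comments in the sample so an administrator can tell which sign-in and deletion behavior is being enabled. The opening fence has no language tag, and the context line "1. [install Windows Configuration Designer]" starts with a lowercase "install" that could be fixed while the link is being touched.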
@@ -86,7 +120,7 @@ You can configure Windows to be in shared PC mode in a couple different ways:
4. Select **All Windows desktop editions**, and click **Next**.
-5. Click **Finish**. Your project opens in Windows ICD.
+5. Click **Finish**. Your project opens in Windows Configuration Designer.
6. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization)
@@ -104,7 +138,7 @@ You can configure Windows to be in shared PC mode in a couple different ways:
> [!IMPORTANT]
> We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
-12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
+12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
@@ -127,45 +161,20 @@ You can configure Windows to be in shared PC mode in a couple different ways:
You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up.
**During initial setup**
-1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+1. Start with a PC on the setup screen.

-2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. If there is only one provisioning package on the USB drive, you don't need to press the Windows key five times, Windows will automatically ask you if you want to set up the device. Select **Set up**.
+2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times.
+
+ - If there is only one provisioning package on the USB drive, the provisioning package is applied.
+
+ - If there is more than one provisioning package on the USB drive, the **Set up device?** message displays. Click **Set up**, and select the provisioning package that you want to install.

-3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
-
- 
-
-4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
-
- 
-
-5. Select **Yes, add it**.
-
- 
-
-6. Read and accept the Microsoft Software License Terms.
-
- 
-
-7. Select **Use Express settings**.
-
- 
-
-8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
-
- 
-
-9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
-
- 
-
-10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
-
- 
+3. Complete the setup process.
**After setup**
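Review bot: New step 2 says that with a single package on the USB drive "the provisioning package is applied", and the removed steps that walked through **Yes, add it**, the license terms, and the Azure AD or domain join are replaced by "Complete the setup process". State whether the user still sees a confirmation prompt before a single package is applied, since the earlier note in this file says only packages signed with a trusted provisioning certificate are applied silently. If the trust prompt still appears, keep a step for it; if it does not, say that explicitly so readers know an inserted drive is enough to provision the device at the setup screen.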
@@ -180,11 +189,11 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
## Guidance for accounts on shared PCs
* We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
-* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out.
+* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will also be deleted automatically at sign out.
* On a Windows PC joined to Azure Active Directory:
* By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
-* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out.
+* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out.
* If admin accounts are necessary on the PC
* Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
* Create admin accounts before setting up shared PC mode, or
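Review bot: The rewritten bullet keeps the typo "account managment"; fix it to "management" while the line is being changed. It also introduces "the default deletion policy" without saying which of the three DeletionPolicy values is the default, and the Customization table does not say either. Name the default here or in the table. In the same bullet, "Any accounts created through **Guest** and **Kiosk** will also be deleted automatically at sign out" would read better as "the **Guest** and **Kiosk** options", matching the wording used in the last changed bullet of this hunk.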
@@ -209,7 +218,7 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
> [!IMPORTANT]
-> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
+> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
@@ -240,6 +249,8 @@ Shared PC mode sets local group policies to configure the device. Some of these
Admin Templates>System>Power Management>Video and Display Settings
Admin Templates>Windows Components>Windows Hello for Business
+
Use phone sign-in
Disabled
Always
+
Use Windows Hello for Business
Disabled
Always
+
Use biometrics
Disabled
Always
+
Admin Templates>Windows Components>OneDrive
+
Prevent the usage of OneDrive for file storage
Enabled
Always
Windows Settings>Security Settings>Local Policies>Security Options
Interactive logon: Do not display last user name
Enabled, Disabled when account model is only guest
Always
diff --git a/windows/configure/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
similarity index 99%
rename from windows/configure/start-layout-xml-desktop.md
rename to windows/configuration/start-layout-xml-desktop.md
index b8a3205aa6..5e6da82bec 100644
--- a/windows/configure/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -483,7 +483,7 @@ Once you have created the LayoutModification.xml file and it is present in the d
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-- [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)
+- [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md)
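Review bot: The unchanged list item two lines above the edited link still reads "Start and tasbkar"; fix the typo to "taskbar" in the same change. Also confirm that `mobile-devices/start-layout-xml-mobile.md` resolves relative to the new `windows/configuration/` location, since this file is renamed in the same commit.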
diff --git a/windows/configure/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
similarity index 98%
rename from windows/configure/start-secondary-tiles.md
rename to windows/configuration/start-secondary-tiles.md
index ab51c826f2..83495bc80c 100644
--- a/windows/configure/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -44,7 +44,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
2. Open Windows PowerShell and enter the following command:
```
- export-startlayout -path .xml
+ Export-StartLayout -path .xml
```
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
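Review bot: In the corrected command the `-path` argument is just `.xml`, with no path or file name before the extension, although the sentence below it calls `-path` a required parameter that "specifies the path and file name for the export file". If a placeholder was intended there, make sure it survives rendering, or show a concrete value such as the UNC example already given in that sentence.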
@@ -59,7 +59,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
4. In Windows PowerShell, enter the following command:
```
- export-StartLayoutEdgeAssets assets.xml
+ Export-StartLayoutEdgeAssets assets.xml
```
## Configure policy settings
@@ -82,7 +82,7 @@ In addition to the `./User/Vendor/MSFT/Policy/Config/Start/StartLayout` setting,
### Using a provisioning package
-
+
#### Prepare the Start layout and Edge assets XML files
The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce XML files. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout and Edge assets sections to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout and Edge assets sections to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters.
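Review bot: The paragraph under "Prepare the Start layout and Edge assets XML files" still names the cmdlets as **export-StartLayout** and **export-StartLayoutEdgeAssets**, while this commit capitalizes them as `Export-StartLayout` and `Export-StartLayoutEdgeAssets` in the command blocks. Use the same casing in the prose. The paired `-`/`+` blank lines above the heading look like a whitespace-only change; confirm that it is intended.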
@@ -97,7 +97,7 @@ The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce
#### Create a provisioning package that contains a customized Start layout
-Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md)
+Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
diff --git a/windows/configure/start-taskbar-lockscreen.md b/windows/configuration/start-taskbar-lockscreen.md
similarity index 94%
rename from windows/configure/start-taskbar-lockscreen.md
rename to windows/configuration/start-taskbar-lockscreen.md
index 966ef97fca..d10dad3276 100644
--- a/windows/configure/start-taskbar-lockscreen.md
+++ b/windows/configuration/start-taskbar-lockscreen.md
@@ -24,4 +24,4 @@ author: jdeckerMS
## Related topics
-- [Configure Windows 10 Mobile devices](configure-mobile.md)
\ No newline at end of file
+- [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md)
\ No newline at end of file
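Review bot: The edited last line still ends with "\ No newline at end of file"; add a trailing newline while touching it, so that a later append to this list does not show up as a change to this line as well.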
diff --git a/windows/configure/stop-employees-from-using-the-windows-store.md b/windows/configuration/stop-employees-from-using-the-windows-store.md
similarity index 87%
rename from windows/configure/stop-employees-from-using-the-windows-store.md
rename to windows/configuration/stop-employees-from-using-the-windows-store.md
index 04c5aa20d2..4868f99cb9 100644
--- a/windows/configure/stop-employees-from-using-the-windows-store.md
+++ b/windows/configuration/stop-employees-from-using-the-windows-store.md
@@ -34,7 +34,7 @@ Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile
AppLocker provides policy-based access control management for applications. You can block access to Windows Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Windows Store app as the packaged app that you want to block from client computers.
-For more information on AppLocker, see [What is AppLocker?](../keep-secure/what-is-applocker.md) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md).
+For more information on AppLocker, see [What is AppLocker?](/windows/device-security/applocker/what-is-applocker) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps).
**To block Windows Store using AppLocker**
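Review bot: The AppLocker links change from relative `.md` paths to site-absolute paths without an extension (`/windows/device-security/applocker/what-is-applocker`), whereas other links updated in this commit stay relative and keep `.md` (for example `mobile-devices/configure-mobile.md`). If the absolute form is deliberate because the targets now live outside this folder tree, state that in the commit description; either way, verify that both AppLocker targets resolve after the move.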
@@ -52,7 +52,7 @@ For more information on AppLocker, see [What is AppLocker?](../keep-secure/what-
7. On **Select applications**, find and click **Store** under **Applications** column, and then click **OK**. Click **Next**.
- [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md) has more information on reference options and setting the scope on packaged app rules.
+ [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps) has more information on reference options and setting the scope on packaged app rules.
8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**.
@@ -89,7 +89,7 @@ When your MDM tool supports Windows Store for Business, the MDM can use these CS
- [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only)
-For more information, see [Configure an MDM provider](../manage/configure-mdm-provider-windows-store-for-business.md).
+For more information, see [Configure an MDM provider](/microsoft-store/configure-mdm-provider-windows-store-for-business).
## Show private store only using Group Policy
Applies to Windows 10 Enterprise, version 1607, Windows 10 Education
@@ -110,9 +110,9 @@ If you're using Windows Store for Business and you want employees to only see ap
## Related topics
-[Distribute apps using your private store](../manage/distribute-apps-from-your-private-store.md)
+[Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store)
-[Manage access to private store](../manage/manage-access-to-private-store.md)
+[Manage access to private store](/microsoft-store/manage-access-to-private-store)
diff --git a/windows/configure/images/uev-adk-select-uev-feature.png b/windows/configuration/ue-v/images/uev-adk-select-uev-feature.png
similarity index 100%
rename from windows/configure/images/uev-adk-select-uev-feature.png
rename to windows/configuration/ue-v/images/uev-adk-select-uev-feature.png
diff --git a/windows/configure/images/uev-archdiagram.png b/windows/configuration/ue-v/images/uev-archdiagram.png
similarity index 100%
rename from windows/configure/images/uev-archdiagram.png
rename to windows/configuration/ue-v/images/uev-archdiagram.png
diff --git a/windows/configure/images/uev-checklist-box.gif b/windows/configuration/ue-v/images/uev-checklist-box.gif
similarity index 100%
rename from windows/configure/images/uev-checklist-box.gif
rename to windows/configuration/ue-v/images/uev-checklist-box.gif
diff --git a/windows/configure/images/uev-deployment-preparation.png b/windows/configuration/ue-v/images/uev-deployment-preparation.png
similarity index 100%
rename from windows/configure/images/uev-deployment-preparation.png
rename to windows/configuration/ue-v/images/uev-deployment-preparation.png
diff --git a/windows/configure/images/uev-generator-process.png b/windows/configuration/ue-v/images/uev-generator-process.png
similarity index 100%
rename from windows/configure/images/uev-generator-process.png
rename to windows/configuration/ue-v/images/uev-generator-process.png
diff --git a/windows/manage/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
similarity index 100%
rename from windows/manage/uev-administering-uev-with-windows-powershell-and-wmi.md
rename to windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
diff --git a/windows/manage/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md
similarity index 100%
rename from windows/manage/uev-administering-uev.md
rename to windows/configuration/ue-v/uev-administering-uev.md
diff --git a/windows/manage/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
similarity index 100%
rename from windows/manage/uev-application-template-schema-reference.md
rename to windows/configuration/ue-v/uev-application-template-schema-reference.md
diff --git a/windows/manage/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
similarity index 100%
rename from windows/manage/uev-changing-the-frequency-of-scheduled-tasks.md
rename to windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
diff --git a/windows/manage/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
similarity index 100%
rename from windows/manage/uev-configuring-uev-with-group-policy-objects.md
rename to windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
diff --git a/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
similarity index 100%
rename from windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md
rename to windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
diff --git a/windows/manage/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md
similarity index 100%
rename from windows/manage/uev-deploy-required-features.md
rename to windows/configuration/ue-v/uev-deploy-required-features.md
diff --git a/windows/manage/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
similarity index 100%
rename from windows/manage/uev-deploy-uev-for-custom-applications.md
rename to windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
diff --git a/windows/manage/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md
similarity index 100%
rename from windows/manage/uev-for-windows.md
rename to windows/configuration/ue-v/uev-for-windows.md
diff --git a/windows/manage/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md
similarity index 100%
rename from windows/manage/uev-getting-started.md
rename to windows/configuration/ue-v/uev-getting-started.md
diff --git a/windows/manage/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
similarity index 100%
rename from windows/manage/uev-manage-administrative-backup-and-restore.md
rename to windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
diff --git a/windows/manage/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md
similarity index 100%
rename from windows/manage/uev-manage-configurations.md
rename to windows/configuration/ue-v/uev-manage-configurations.md
diff --git a/windows/manage/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
similarity index 100%
rename from windows/manage/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
rename to windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
diff --git a/windows/manage/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
similarity index 100%
rename from windows/manage/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
rename to windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
diff --git a/windows/manage/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md
similarity index 100%
rename from windows/manage/uev-migrating-settings-packages.md
rename to windows/configuration/ue-v/uev-migrating-settings-packages.md
diff --git a/windows/manage/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
similarity index 100%
rename from windows/manage/uev-prepare-for-deployment.md
rename to windows/configuration/ue-v/uev-prepare-for-deployment.md
diff --git a/windows/manage/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
similarity index 100%
rename from windows/manage/uev-release-notes-1607.md
rename to windows/configuration/ue-v/uev-release-notes-1607.md
diff --git a/windows/manage/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md
similarity index 100%
rename from windows/manage/uev-security-considerations.md
rename to windows/configuration/ue-v/uev-security-considerations.md
diff --git a/windows/manage/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md
similarity index 100%
rename from windows/manage/uev-sync-methods.md
rename to windows/configuration/ue-v/uev-sync-methods.md
diff --git a/windows/manage/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md
similarity index 100%
rename from windows/manage/uev-sync-trigger-events.md
rename to windows/configuration/ue-v/uev-sync-trigger-events.md
diff --git a/windows/manage/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
similarity index 100%
rename from windows/manage/uev-synchronizing-microsoft-office-with-uev.md
rename to windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
diff --git a/windows/manage/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md
similarity index 100%
rename from windows/manage/uev-technical-reference.md
rename to windows/configuration/ue-v/uev-technical-reference.md
diff --git a/windows/manage/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md
similarity index 100%
rename from windows/manage/uev-troubleshooting.md
rename to windows/configuration/ue-v/uev-troubleshooting.md
diff --git a/windows/manage/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
similarity index 100%
rename from windows/manage/uev-upgrade-uev-from-previous-releases.md
rename to windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
diff --git a/windows/manage/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
similarity index 100%
rename from windows/manage/uev-using-uev-with-application-virtualization-applications.md
rename to windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
diff --git a/windows/manage/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
similarity index 100%
rename from windows/manage/uev-whats-new-in-uev-for-windows.md
rename to windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
diff --git a/windows/manage/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
similarity index 100%
rename from windows/manage/uev-working-with-custom-templates-and-the-uev-generator.md
rename to windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
diff --git a/windows/configure/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
similarity index 100%
rename from windows/configure/windows-10-start-layout-options-and-policies.md
rename to windows/configuration/windows-10-start-layout-options-and-policies.md
diff --git a/windows/configuration/windows-diagnostic-data.md b/windows/configuration/windows-diagnostic-data.md
new file mode 100644
index 0000000000..7818844702
--- /dev/null
+++ b/windows/configuration/windows-diagnostic-data.md
@@ -0,0 +1,117 @@
+---
+title: Windows 10, version 1703 Diagnostic Data (Windows 10)
+description: Use this article to learn about the types of that is collected the the Full telemetry level.
+keywords: privacy,Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Windows 10, version 1703 Diagnostic Data
+
+Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md).
+
+
+The data covered in this article is grouped into the following categories:
+
+- Common Data (diagnostic header information)
+- Device, Connectivity, and Configuration data
+- Product and Service Usage data
+- Product and Service Performance data
+- Software Setup and Inventory data
+- Content Consumption data
+- Browsing, Search and Query data
+- Inking, Typing, and Speech Utterance data
+- Licensing and Purchase data
+
+> [!NOTE]
+> The majority of diagnostic data falls into the first four categories.
+
+## Common data
+
+Most diagnostic events contain a header of common data:
+
+| Category Name | Examples |
+| - | - |
+| Common Data | Information that is added to most diagnostic events, if relevant and available:
OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)
User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data
Xbox UserID
Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.
The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags
HTTP header information including IP address. This is not the IP address of the device but the source address in the network packet header received by the diagnostics ingestion service.
Various IDs that are used to correlate and sequence related events together.
Device ID. This is not the user provided device name, but an ID that is unique for that device.
Device class -- Desktop, Server, or Mobile
Event collection time
Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into
|
+
+## Device, Connectivity, and Configuration data
+
+This type of data includes details about the device, its configuration and connectivity capabilities, and status.
+
+| Category Name | Examples |
+| - | - |
+| Device properties | Information about the OS and device hardware, such as:
OS - version name, Edition
Installation type, subscription status, and genuine OS status
Processor architecture, speed, number of cores, manufacturer, and model
OEM details --manufacturer, model, and serial number
Device identifier and Xbox serial number
Firmware/BIOS -- type, manufacturer, model, and version
Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
Storage -- total capacity and disk type
Battery -- charge capacity and InstantOn support
Hardware chassis type, color, and form factor
Is this a virtual machine?
|
+| Device capabilities | Information about the specific device capabilities such as:
Camera -- whether the device has a front facing, a rear facing camera, or both.
Touch screen -- does the device include a touch screen? If so, how many hardware touch points are supported?
Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
Trusted Platform Module (TPM) – whether present and what version
Virtualization hardware -- whether an IOMMU is present, SLAT support, is virtualization enabled in the firmware
Voice – whether voice interaction is supported and the number of active microphones
Number of displays, resolutions, DPI
Wireless capabilities
OEM or platform face detection
OEM or platform video stabilization and quality level set
Advanced Camera Capture mode (HDR vs. LowLight), OEM vs. platform implementation, HDR probability, and Low Light probability
|
+| Device preferences and settings | Information about the device settings and user preferences such as:
User Settings – System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
User-provided device name
Whether device is domain-joined, or cloud-domain joined (i.e. part of a company-managed network)
Hashed representation of the domain name
MDM (mobile device management) enrollment settings and status
BitLocker, Secure Boot, encryption settings, and status
Windows Update settings and status
Developer Unlock settings and status
Default app choices
Default browser choice
Default language settings for app, input, keyboard, speech, and display
App store update settings
Enterprise OrganizationID, Commercial ID
|
+| Device peripherals | Information about the device peripherals such as:
Peripheral name, device model, class, manufacturer and description
Peripheral device state, install state, and checksum
Driver name, package name, version, and manufacturer
HWID - A hardware vendor defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
Driver state, problem code, and checksum
Whether driver is kernel mode, signed, and image size
|
+| Device network info | Information about the device network configuration such as:
Network system capabilities
Local or Internet connectivity status
Proxy, gateway, DHCP, DNS details and addresses
Paid or free network
Wireless driver is emulated or not
Access point mode capable
Access point manufacturer, model, and MAC address
WDI Version
Name of networking driver service
Wi-Fi Direct details
Wi-Fi device hardware ID and manufacturer
Wi-Fi scan attempt counts and item counts
Mac randomization is supported/enabled or not
Number of spatial streams and channel frequencies supported
Manual or Auto Connect enabled
Time and result of each connection attempt
Airplane mode status and attempts
Interface description provided by the manufacturer
Data transfer rates
Cipher algorithm
Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
Mobile operator and service provider name
Available SSIDs and BSSIDs
IP Address type -- IPv4 or IPv6
Signal Quality percentage and changes
Hotspot presence detection and success rate
TCP connection performance
Miracast device names
Hashed IP address
+
+## Product and Service Usage data
+
+This type of data includes details about the usage of the device, operating system, applications and services.
+
+| Category Name | Examples |
+| - | - |
+| App usage | Information about Windows and application usage such as:
OS component and app feature usage
User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites.
Time of and count of app/component launches, duration of use, session GUID, and process ID
App time in various states – running foreground or background, sleeping, or receiving active user interaction
User interaction method and duration – whether and length of time user used the keyboard, mouse, pen, touch, speech, or game controller
Cortana launch entry point/reason
Notification delivery requests and status
Apps used to edit images and videos
SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary line
Incoming and Outgoing calls and Voicemail usage statistics on primary or secondary line
Emergency alerts are received or displayed statistics
|
+| App or product state | Information about Windows and application state such as:
Start Menu and Taskbar pins
Online/Offline status
App launch state –- with deep-link such as Groove launched with an audio track to play, or share contract such as MMS launched to share a picture.
Personalization impressions delivered
Whether the user clicked or hovered on UI controls or hotspots
User feedback Like or Dislike or rating was provided
Caret location or position within documents and media files -- how much of a book has been read in a single session or how much of a song has been listened to.
|
+| Login properties |
Login success or failure
Login sessions and state
|
+
+
+## Product and Service Performance data
+
+This type of data includes details about the health of the device, operating system, apps and drivers.
+
+| Category Name | Description and Examples |
+| - | - |
+| Device health and crash data | Information about the device and software health such as:
Error codes and error messages, name and ID of the app, and process reporting the error
DLL library predicted to be the source of the error -- xyz.dll
System generated files -- app or product logs and trace files to help diagnose a crash or hang
System settings such as registry keys
User generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
Details and counts of abnormal shutdowns, hangs, and crashes
Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
Crash and Hang dumps
The recorded state of the working memory at the point of the crash.
Memory in use by the kernel at the point of the crash.
Memory in use by the application at the point of the crash.
All the physical memory used by Windows at the point of the crash.
Class and function name within the module that failed.
|
+| Device performance and reliability data | Information about the device and software performance such as:
User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Windows Store transaction.
User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
Disk footprint -- Free disk space, out of memory conditions, and disk score.
Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
+
+## Software Setup and Inventory data
+
+This type of data includes software installation and update information on the device.
+
+| Category Name | Data Examples |
+| - | - |
+| Installed Applications and Install History | Information about apps, drivers, update packages, or OS components installed on the device such as:
App, driver, update package, or component’s Name, ID, or Package Family Name
Product, SKU, availability, catalog, content, and Bundle IDs
OS component, app or driver publisher, language, version and type (Win32 or UWP)
Install date, method, and install directory, count of install attempts
MSI package code and product code
Original OS version at install time
User or administrator or mandatory installation/update
Installation type – clean install, repair, restore, OEM, retail, upgrade, and update
|
+| Device update information | Information about Windows Update such as:
Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)
Number of applicable updates, importance, type
Update download size and source -- CDN or LAN peers
Delay upgrade status and configuration
OS uninstall and rollback status and count
Windows Update server and service URL
Windows Update machine ID
Windows Insider build details
+
+## Content Consumption data
+
+This type of data includes diagnostic details about Microsoft applications that provide media consumption functionality (such as Groove Music), and is not intended to capture user viewing, listening or reading habits.
+
+| Category Name | Examples |
+| - | - |
+| Movies | Information about movie consumption functionality on the device such as:
Video Width, height, color pallet, encoding (compression) type, and encryption type
Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
URL for a specific two second chunk of content if there is an error
Full screen viewing mode details
|
+| Music & TV | Information about music and TV consumption on the device such as:
Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
Content type (video, audio, surround audio)
Local media library collection statistics -- number of purchased tracks, number of playlists
Region mismatch -- User OS Region, and Xbox Live region
|
+| Reading | Information about reading consumption functionality on the device such as:
App accessing content and status and options used to open a Windows Store book
Language of the book
Time spent reading content
Content type and size details
|
+| Photos App | Information about photos usage on the device such as:
File source data -- local, SD card, network device, and OneDrive
Image & video resolution, video length, file sizes types and encoding
Collection view or full screen viewer use and duration of view
+
+## Browsing, Search and Query data
+
+This type of data includes details about web browsing, search and query activity in the Microsoft browsers and Cortana, and local file searches on the device.
+
+| Category Name | Description and Examples |
+| - | - |
+| Microsoft browser data | Information about Address bar and search box performance on the device such as:
Text typed in address bar and search box
Text selected for Ask Cortana search
Service response time
Auto-completed text if there was an auto-complete
Navigation suggestions provided based on local history and favorites
Browser ID
URLs (which may include search terms)
Page title
|
+| On-device file query | Information about local search activity on the device such as:
Kind of query issued and index type (ConstraintIndex, SystemIndex)
Number of items requested and retrieved
File extension of search result user interacted with
Launched item kind, file extension, index of origin, and the App ID of the opening app.
Name of process calling the indexer and time to service the query.
A hash of the search scope (file, Outlook, OneNote, IE history)
The state of the indices (fully optimized, partially optimized, being built)
|
+
+
+## Inking Typing and Speech Utterance data
+
+This type of data gathers details about the voice, inking, and typing input features on the device.
+
+| Category Name | Description and Examples |
+| - | - |
+| Voice, inking, and typing | Information about voice, inking and typing features such as:
Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as names, email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
Text of speech recognition results -- result codes and recognized text
Language and model of the recognizer, System Speech language
App ID using speech features
Whether user is known to be a child
Confidence and Success/Failure of speech recognition
|
+
+## Licensing and Purchase data
+
+This type of data includes diagnostic details about the purchase and entitlement activity on the device.
+
+| Category Name | Data Examples |
+| - | - |
+| Purchase history | Information about purchases made on the device such as:
Product ID, edition ID and product URI
Offer details -- price
Order requested date/time
Store client type -- web or native client
Purchase quantity and price
Payment type -- credit card type and PayPal
|
+| Entitlements | Information about entitlements on the device such as:
Service subscription status and errors
DRM and license rights details -- Groove subscription or OS volume license
Entitlement ID, lease ID, and package ID of the install package
Entitlement revocation
License type (trial, offline vs online) and duration
License usage session
|
\ No newline at end of file
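Review bot: Two of the added table rows are never closed: the "Device update information" row (ending at "Windows Insider build details") and the "Photos App" row (ending at "Collection view or full screen viewer use and duration of view") have no closing `|` line before the next `##` heading, while the other multi-line rows in these sections do, so the heading may be pulled into the table cell when rendered. Smaller points in the same hunk: "color pallet" in the Movies row should be "color palette", the heading "Inking Typing and Speech Utterance data" is missing a comma after "Inking", the second column header varies between "Data Examples", "Examples" and "Description and Examples", and the file ends without a trailing newline.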
diff --git a/windows/configure/windows-spotlight.md b/windows/configuration/windows-spotlight.md
similarity index 98%
rename from windows/configure/windows-spotlight.md
rename to windows/configuration/windows-spotlight.md
index c3a078d793..42bb79449f 100644
--- a/windows/configure/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -79,7 +79,7 @@ Pay attention to the checkbox in **Options**. In addition to providing the path
## Related topics
-[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md)
+[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
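Review bot: The new link target drops the `../manage/` prefix, so it now resolves relative to `windows/configuration/`; confirm that `windows-10-start-layout-options-and-policies.md` lands in that folder in the same change, otherwise this becomes a broken link. The link text "Manage Windows 10 Start layout options" also differs from the title the removed TOC later in this patch uses for the same file ("Manage Windows 10 Start and taskbar layout"); consider aligning the two while this line is being touched.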
diff --git a/windows/configure/TOC.md b/windows/configure/TOC.md
deleted file mode 100644
index 1a5956c808..0000000000
--- a/windows/configure/TOC.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# [Configure Windows 10](index.md)
-## [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
-## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
-## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
-### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
-### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
-### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
-### [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md)
-## [Configure Windows 10 Mobile devices](configure-mobile.md)
-### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
-### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md)
-#### [NFC-based device provisioning](provisioning-nfc.md)
-#### [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md)
-### [Use the Lockdown Designer app to create a Lockdown XML file](mobile-lockdown-designer.md)
-### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
-### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
-### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
-### [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)
-## [Configure cellular settings for tablets and PCs](provisioning-apn.md)
-## [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md)
-### [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
-### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
-### [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
-#### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-#### [Customize and export Start layout](customize-and-export-start-layout.md)
-#### [Add image for secondary tiles](start-secondary-tiles.md)
-#### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
-#### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-#### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-#### [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-#### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-## [Cortana integration in your business or enterprise](cortana-at-work-overview.md)
-### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md)
-#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md)
-#### [Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
-#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md)
-#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md)
-#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md)
-#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email}(cortana-at-work-scenario-6.md)
-#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-7.md)
-### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md)
-### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md)
-### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md)
-### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work-voice-commands.md)
-### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work-policy-settings.md)
-### [Send feedback about Cortana at work back to Microsoft](cortana-at-work-feedback.md)
-## [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
-## [Provisioning packages for Windows 10](provisioning-packages.md)
-### [How provisioning works in Windows 10](provisioning-how-it-works.md)
-### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md)
-### [Install Windows Configuration Designer](provisioning-install-icd.md)
-### [Create a provisioning package](provisioning-create-package.md)
-### [Apply a provisioning package](provisioning-apply-package.md)
-### [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-### [Provision PCs with common settings for initial deployment (desktop wizard)](provision-pcs-for-initial-deployment.md)
-### [Provision PCs with apps](provision-pcs-with-apps.md)
-### [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
-### [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-### [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-## [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)
-## [Change history for Configure Windows 10](change-history-for-configure-windows-10.md)
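Review bot: Three defects in the removed entries should not be carried into whichever TOC replaces this file: the "Test scenario 6" entry closes its link text with `}` instead of `]` (`...promised in email}(cortana-at-work-scenario-6.md)`), so it does not render as a link; the "Test scenario 2" entry repeats its prefix ("Test scenario 2 - Test scenario 2 - Perform a quick search..."); and "Customize Windows 10 Start and tasbkar with mobile device management (MDM)" misspells "taskbar". The file is also shown as deleted rather than renamed, unlike `windows-spotlight.md` above, so check that the destination TOC exists and covers the same topics.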
diff --git a/windows/configure/change-history-for-configure-windows-10.md b/windows/configure/change-history-for-configure-windows-10.md
deleted file mode 100644
index 4706cf6049..0000000000
--- a/windows/configure/change-history-for-configure-windows-10.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-title: Change history for Configure Windows 10 (Windows 10)
-description: This topic lists changes to documentation for configuring Windows 10.
-keywords:
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: high
-author: jdeckerMS
----
-
-# Change history for Configure Windows 10
-
-This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
-
-
-## RELEASE: Windows 10, version 1703
-
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update).
\ No newline at end of file
diff --git a/windows/configure/docfx.json b/windows/configure/docfx.json
new file mode 100644
index 0000000000..fa97b029d7
--- /dev/null
+++ b/windows/configure/docfx.json
@@ -0,0 +1,37 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {},
+ "fileMetadata": {},
+ "template": [],
+ "dest": "windows-configure"
+ }
+}
\ No newline at end of file
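Review bot: This adds a new build config under `windows/configure/` while the surrounding hunks delete or move that folder's content to `windows/configuration/`, so the `"**/*.md"` content glob may match nothing once the patch is applied; please state whether this `docfx.json` with `"dest": "windows-configure"` is an intentional placeholder (for example, to keep the old output path building for redirects) or a leftover. If it is meant to build real content, note that the resource globs list only `"**/*.png"` and `"**/*.jpg"`, while the images in this folder use the `.PNG` extension; if glob matching is case-sensitive in the build, those would be skipped. The file also ends without a trailing newline.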
diff --git a/windows/configure/images/account-management.PNG b/windows/configure/images/account-management.PNG
deleted file mode 100644
index 34165dfcd6..0000000000
Binary files a/windows/configure/images/account-management.PNG and /dev/null differ
diff --git a/windows/configure/images/add-applications-details.PNG b/windows/configure/images/add-applications-details.PNG
deleted file mode 100644
index 2efd3483ae..0000000000
Binary files a/windows/configure/images/add-applications-details.PNG and /dev/null differ
diff --git a/windows/configure/images/add-applications.PNG b/windows/configure/images/add-applications.PNG
deleted file mode 100644
index 2316deb2fd..0000000000
Binary files a/windows/configure/images/add-applications.PNG and /dev/null differ
diff --git a/windows/configure/images/add-certificates-details.PNG b/windows/configure/images/add-certificates-details.PNG
deleted file mode 100644
index 78cd783282..0000000000
Binary files a/windows/configure/images/add-certificates-details.PNG and /dev/null differ
diff --git a/windows/configure/images/add-certificates.PNG b/windows/configure/images/add-certificates.PNG
deleted file mode 100644
index 24cb605d1c..0000000000
Binary files a/windows/configure/images/add-certificates.PNG and /dev/null differ
diff --git a/windows/configure/images/apps.png b/windows/configure/images/apps.png
deleted file mode 100644
index 5cb3b7ec8f..0000000000
Binary files a/windows/configure/images/apps.png and /dev/null differ
diff --git a/windows/configure/images/developer-setup.PNG b/windows/configure/images/developer-setup.PNG
deleted file mode 100644
index 8c93d5ed91..0000000000
Binary files a/windows/configure/images/developer-setup.PNG and /dev/null differ
diff --git a/windows/configure/images/finish-details.png b/windows/configure/images/finish-details.png
deleted file mode 100644
index 727efac696..0000000000
Binary files a/windows/configure/images/finish-details.png and /dev/null differ
diff --git a/windows/configure/images/finish.PNG b/windows/configure/images/finish.PNG
deleted file mode 100644
index 7c65da1799..0000000000
Binary files a/windows/configure/images/finish.PNG and /dev/null differ
diff --git a/windows/configure/images/set-up-device.PNG b/windows/configure/images/set-up-device.PNG
deleted file mode 100644
index 0c9eb0e3ff..0000000000
Binary files a/windows/configure/images/set-up-device.PNG and /dev/null differ
diff --git a/windows/configure/images/set-up-network.PNG b/windows/configure/images/set-up-network.PNG
deleted file mode 100644
index a0e856c103..0000000000
Binary files a/windows/configure/images/set-up-network.PNG and /dev/null differ
diff --git a/windows/configure/provision-pcs-for-initial-deployment.md b/windows/configure/provision-pcs-for-initial-deployment.md
deleted file mode 100644
index c23f3d854c..0000000000
--- a/windows/configure/provision-pcs-for-initial-deployment.md
+++ /dev/null
@@ -1,117 +0,0 @@
----
-title: Provision PCs with common settings (Windows 10)
-description: Create a provisioning package to apply common settings to a PC running Windows 10.
-ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
-keywords: ["runtime provisioning", "provisioning package"]
-ms.prod: W10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: high
----
-
-# Provision PCs with common settings for initial deployment (desktop wizard)
-
-
-**Applies to**
-
-- Windows 10
-
-This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home.
-
-You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
-
-## Advantages
-- You can configure new devices without reimaging.
-
-- Works on both mobile and desktop devices.
-
-- No network connectivity required.
-
-- Simple to apply.
-
-[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md)
-
-## What does the desktop wizard do?
-
-The desktop wizard helps you configure the following settings in a provisioning package:
-
-- Set device name
-- Upgrade product edition
-- Configure the device for shared use
-- Remove pre-installed software
-- Configure Wi-Fi network
-- Enroll device in Active Directory or Azure Active Directory
-- Create local administrator account
-- Add applications and certificates
-
->[!WARNING]
->You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
-
-Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
-
-> [!TIP]
-> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
->
->
-
-## Create the provisioning package
-
-Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md)
-
-1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
-
-2. Click **Provision desktop devices**.
-
- 
-
-3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps.
-
- 
-
-> [!IMPORTANT]
-> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
-
-## Configure settings
-
-
-
-
Enter a name for the device.(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](set-up-shared-or-guest-pc.md)You can also select to remove pre-installed software from the device.

-
 Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.

-
 Enable account management if you want to configure settings on this page. You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the deviceTo enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions. To create a local administrator account, select that option and enter a user name and password. **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.

-
 You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md).

-
 To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.

-
You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.

-
-
-After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
-
- **Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
-
-
-## Learn more
-
-- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
-
-- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
-
-
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
-- [NFC-based device provisioning](provisioning-nfc.md)
-- [Use the package splitter tool](provisioning-package-splitter.md)
-- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-
-
-
-
-
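Review bot: Before this page is removed, confirm that its replacement keeps the security guidance deleted here: the IMPORTANT note that project files are not encrypted even when the .ppkg is, the instruction to use a least-privileged account for the Active Directory join, the 30-day maximum on the bulk Azure AD token, and the 42-day password change requirement for a local administrator account created by the package. Separately, step 1 gives the default location as `%windir%\Program Files (x86)\Windows Kits\10\...\ICD.exe`; `%windir%` expands to the Windows directory, not the system drive root, so that path should be corrected in the destination copy rather than moved as-is.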
diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md
deleted file mode 100644
index a14e1d9f0d..0000000000
--- a/windows/deploy/TOC.md
+++ /dev/null
@@ -1,157 +0,0 @@
-# [Deploy Windows 10](index.md)
-## [What's new in Windows 10 deployment](deploy-whats-new.md)
-## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-## [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md)
-### [Upgrade Readiness architecture](upgrade-readiness-architecture.md)
-### [Upgrade Readiness requirements](upgrade-readiness-requirements.md)
-### [Upgrade Readiness release notes](upgrade-readiness-release-notes.md)
-### [Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
-#### [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md)
-### [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md)
-#### [Upgrade overview](upgrade-readiness-upgrade-overview.md)
-#### [Step 1: Identify apps](upgrade-readiness-identify-apps.md)
-#### [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md)
-#### [Step 3: Deploy Windows](upgrade-readiness-deploy-windows.md)
-#### [Additional insights](upgrade-readiness-additional-insights.md)
-### [Troubleshoot Upgrade Readiness](troubleshoot-upgrade-readiness.md)
-## [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
-### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
-## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-#### [Key features in MDT](key-features-in-mdt.md)
-#### [MDT Lite Touch components](mdt-lite-touch-components.md)
-#### [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
-### [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-### [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-### [Perform an in-place upgrade to Windows 10 with MDT](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-### [Configure MDT settings](configure-mdt-settings.md)
-#### [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-#### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-#### [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-#### [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-#### [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-#### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-#### [Use web services in MDT](use-web-services-in-mdt.md)
-#### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
-## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-### [Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
-### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-### [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-### [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
-### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
-### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-### [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
-### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
-## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md)
-## [Convert MBR partition to GPT](mbr-to-gpt.md)
-## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
-## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
-## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
-## [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
-## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md)
-## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md)
-## [Volume Activation [client]](volume-activation-windows-10.md)
-### [Plan for volume activation [client]](plan-for-volume-activation-client.md)
-### [Activate using Key Management Service [client]](activate-using-key-management-service-vamt.md)
-### [Activate using Active Directory-based activation [client]](activate-using-active-directory-based-activation-client.md)
-### [Activate clients running Windows 10](activate-windows-10-clients-vamt.md)
-### [Monitor activation [client]](monitor-activation-client.md)
-### [Use the Volume Activation Management Tool [client]](use-the-volume-activation-management-tool-client.md)
-### [Appendix: Information sent to Microsoft during activation [client]](appendix-information-sent-to-microsoft-during-activation-client.md)
-## [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md)
-## [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md)
-### [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
-### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
-### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation-management-tool.md)
-#### [Introduction to VAMT](introduction-vamt.md)
-#### [Active Directory-Based Activation Overview](active-directory-based-activation-overview.md)
-#### [Install and Configure VAMT](install-configure-vamt.md)
-##### [VAMT Requirements](vamt-requirements.md)
-##### [Install VAMT](install-vamt.md)
-##### [Configure Client Computers](configure-client-computers-vamt.md)
-#### [Add and Manage Products](add-manage-products-vamt.md)
-##### [Add and Remove Computers](add-remove-computers-vamt.md)
-##### [Update Product Status](update-product-status-vamt.md)
-##### [Remove Products](remove-products-vamt.md)
-#### [Manage Product Keys](manage-product-keys-vamt.md)
-##### [Add and Remove a Product Key](add-remove-product-key-vamt.md)
-##### [Install a Product Key](install-product-key-vamt.md)
-##### [Install a KMS Client Key](install-kms-client-key-vamt.md)
-#### [Manage Activations](manage-activations-vamt.md)
-##### [Perform Online Activation](online-activation-vamt.md)
-##### [Perform Proxy Activation](proxy-activation-vamt.md)
-##### [Perform KMS Activation](kms-activation-vamt.md)
-##### [Perform Local Reactivation](local-reactivation-vamt.md)
-##### [Activate an Active Directory Forest Online](activate-forest-vamt.md)
-##### [Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md)
-#### [Manage VAMT Data](manage-vamt-data.md)
-##### [Import and Export VAMT Data](import-export-vamt-data.md)
-##### [Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md)
-#### [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
-##### [Scenario 1: Online Activation](scenario-online-activation-vamt.md)
-##### [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md)
-##### [Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md)
-#### [VAMT Known Issues](vamt-known-issues.md)
-### [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md)
-#### [User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
-##### [User State Migration Tool (USMT) Overview](usmt-overview.md)
-##### [Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)
-##### [Windows Upgrade and Migration Considerations](windows-upgrade-and-migration-considerations.md)
-#### [User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
-##### [Exclude Files and Settings](usmt-exclude-files-and-settings.md)
-##### [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)
-##### [Include Files and Settings](usmt-include-files-and-settings.md)
-##### [Migrate Application Settings](migrate-application-settings.md)
-##### [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)
-##### [Migrate User Accounts](usmt-migrate-user-accounts.md)
-##### [Reroute Files and Settings](usmt-reroute-files-and-settings.md)
-##### [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
-#### [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-##### [Common Issues](usmt-common-issues.md)
-##### [Frequently Asked Questions](usmt-faq.md)
-##### [Log Files](usmt-log-files.md)
-##### [Return Codes](usmt-return-codes.md)
-##### [USMT Resources](usmt-resources.md)
-#### [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
-##### [USMT Requirements](usmt-requirements.md)
-##### [USMT Best Practices](usmt-best-practices.md)
-##### [How USMT Works](usmt-how-it-works.md)
-##### [Plan Your Migration](usmt-plan-your-migration.md)
-###### [Common Migration Scenarios](usmt-common-migration-scenarios.md)
-###### [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
-###### [Choose a Migration Store Type](usmt-choose-migration-store-type.md)
-####### [Migration Store Types Overview](migration-store-types-overview.md)
-####### [Estimate Migration Store Size](usmt-estimate-migration-store-size.md)
-####### [Hard-Link Migration Store](usmt-hard-link-migration-store.md)
-####### [Migration Store Encryption](usmt-migration-store-encryption.md)
-###### [Determine What to Migrate](usmt-determine-what-to-migrate.md)
-####### [Identify Users](usmt-identify-users.md)
-####### [Identify Applications Settings](usmt-identify-application-settings.md)
-####### [Identify Operating System Settings](usmt-identify-operating-system-settings.md)
-####### [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md)
-###### [Test Your Migration](usmt-test-your-migration.md)
-##### [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
-###### [ScanState Syntax](usmt-scanstate-syntax.md)
-###### [LoadState Syntax](usmt-loadstate-syntax.md)
-###### [UsmtUtils Syntax](usmt-utilities.md)
-##### [USMT XML Reference](usmt-xml-reference.md)
-###### [Understanding Migration XML Files](understanding-migration-xml-files.md)
-###### [Config.xml File](usmt-configxml-file.md)
-###### [Customize USMT XML Files](usmt-customize-xml-files.md)
-###### [Custom XML Examples](usmt-custom-xml-examples.md)
-###### [Conflicts and Precedence](usmt-conflicts-and-precedence.md)
-###### [General Conventions](usmt-general-conventions.md)
-###### [XML File Requirements](xml-file-requirements.md)
-###### [Recognized Environment Variables](usmt-recognized-environment-variables.md)
-###### [XML Elements Library](usmt-xml-elements-library.md)
-##### [Offline Migration Reference](offline-migration-reference.md)
-## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
\ No newline at end of file
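Review bot: the removed TOC entry for "Perform an in-place upgrade to Windows 10 using Configuration Manager" points at `upgrade-to-windows-10-with-system-center-configuraton-manager.md`, where the slug misspells "configuration". If these topics are being re-homed rather than dropped, decide explicitly whether the new location keeps the misspelled filename so existing inbound links still resolve, or renames it and adds a redirect from the old slug. The same filename is also referenced from the change-history table removed later in this patch, so both should be handled together.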
diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md
deleted file mode 100644
index f0c32cf285..0000000000
--- a/windows/deploy/change-history-for-deploy-windows-10.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-title: Change history for Deploy Windows 10 (Windows 10)
-description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile.
-ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: greg-lindsay
----
-
-# Change history for Deploy Windows 10
-This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
-
-## RELEASE: Windows 10, version 1703
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](../configure/index.md).
-
-## March 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [What's new in Windows 10 deployment](deploy-whats-new.md) | New |
-| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. |
-| [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. |
-| [Convert MBR partition to GPT](mbr-to-gpt.md) | New |
-
-## February 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) | Multiple topics updated, name changed from Upgrade Analytics to Upgrade Readiness, and other content updates. |
-| [USMT Requirements](usmt-requirements.md) | Updated: Vista support removed and other minor changes |
-| [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) | Updated structure and content |
-| [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md) | Added as a separate page from get started |
-| [Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md) | Updated with links to new content and information about the target OS setting |
-| [Upgrade Analytics - Upgrade overview](upgrade-analytics-upgrade-overview.md) | New |
-| [Upgrade Analytics - Step 1: Identify important apps](upgrade-analytics-identify-apps.md) | Updated topic title and content |
-| [Upgrade Analytics - Step 2: Resolve app and driver issues](upgrade-analytics-resolve-issues.md) | New |
-| [Upgrade Analytics - Step 3: Deploy Windows](upgrade-analytics-deploy-windows.md) | New |
-| [Upgrade Analytics - Additional insights](upgrade-analytics-additional-insights.md) | New |
-
-## January 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New |
-| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New |
-| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | New |
-| [Apply a provisioning package](provisioning-apply-package.md) | New (previously published in other topics) |
-| [Create a provisioning package for Windows 10](provisioning-create-package.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Create a provisioning package with multivariant settings](provisioning-multivariant.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [How provisioning works in Windows 10](provisioning-how-it-works.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [NFC-based device provisioning](provisioning-nfc.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Windows ICD command-line interface (reference)](provisioning-command-line.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog |
-| [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](provisioning-apply-package.md) |
-| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](provisioning-apply-package.md) |
-
-
-## October 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) | New |
-
-## September 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New |
-| [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) | Updated with prerequisites for site discovery |
-| [Resolve application and driver issues](upgrade-analytics-resolve-issues.md) | Updated with app status info for Ready For Windows |
-| [Review site discovery](upgrade-analytics-review-site-discovery.md) | New |
-
-## RELEASE: Windows 10, version 1607
-
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [Provision PCs with apps and certificates for initial deployment](provision-pcs-with-apps-and-certificates.md)
-- [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md)
-
-=======
-
-## August 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 edition upgrade](windows-10-edition-upgrades.md) | Updated with reboot requirements |
-
-## July 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) | New |
-
-## June 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New |
-| [User State Migration Tool Technical Reference](usmt-technical-reference.md) | Updated support statement for Office 2016 |
-| [Windows 10 upgrade paths](windows-10-upgrade-paths.md) | New |
-
-## May 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) | New |
-
-## December 2015
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Activate using Key Management Service](activate-using-key-management-service-vamt.md) | Updated |
-| [Windows 10 edition upgrade](windows-10-edition-upgrades.md) | Updated |
-
-## November 2015
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 edition upgrade](windows-10-edition-upgrades.md) | New |
-
-## Related topics
-- [Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md)
-- [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
-- [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
-- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
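Review bot: the removed file carries a stray `=======` line between the version 1607 release list and the "August 2016" heading, which looks like a leftover merge-conflict separator. If this change history is being recreated at a new path, drop that line there rather than copying it across. Several rows also link to `upgrade-analytics-*.md` pages whose redirect stubs are deleted later in this same patch, so any relocated copy of this table should be retargeted at the `upgrade-readiness-*` names.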
diff --git a/windows/deploy/docfx.json b/windows/deploy/docfx.json
new file mode 100644
index 0000000000..446c7aa4f2
--- /dev/null
+++ b/windows/deploy/docfx.json
@@ -0,0 +1,37 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {},
+ "fileMetadata": {},
+ "template": [],
+ "dest": "windows-deploy"
+ }
+}
\ No newline at end of file
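Review bot: in the `resource` block, `files` lists only `**/*.png` and `**/*.jpg`, while two of the images touched elsewhere in this patch (`sccm-assets.PNG`, `sccm-software-cntr.PNG`) use an uppercase extension. Please confirm the build matches these globs case-insensitively, and add patterns for any other image types the docset uses (for example `**/*.gif`), otherwise those assets will be silently left out of the output. The file also ends without a trailing newline; adding one avoids the `\ No newline at end of file` marker on the next edit.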
diff --git a/windows/deploy/images/five.png b/windows/deploy/images/five.png
deleted file mode 100644
index 961f0e15b7..0000000000
Binary files a/windows/deploy/images/five.png and /dev/null differ
diff --git a/windows/deploy/images/four.png b/windows/deploy/images/four.png
deleted file mode 100644
index 0fef213b37..0000000000
Binary files a/windows/deploy/images/four.png and /dev/null differ
diff --git a/windows/deploy/images/sccm-assets.PNG b/windows/deploy/images/sccm-assets.PNG
deleted file mode 100644
index 2cc50f5758..0000000000
Binary files a/windows/deploy/images/sccm-assets.PNG and /dev/null differ
diff --git a/windows/deploy/images/sccm-software-cntr.PNG b/windows/deploy/images/sccm-software-cntr.PNG
deleted file mode 100644
index 9c920c6d39..0000000000
Binary files a/windows/deploy/images/sccm-software-cntr.PNG and /dev/null differ
diff --git a/windows/deploy/images/three.png b/windows/deploy/images/three.png
deleted file mode 100644
index 887fa270d7..0000000000
Binary files a/windows/deploy/images/three.png and /dev/null differ
diff --git a/windows/deploy/images/two.png b/windows/deploy/images/two.png
deleted file mode 100644
index b8c2d52eaf..0000000000
Binary files a/windows/deploy/images/two.png and /dev/null differ
diff --git a/windows/deploy/index.md b/windows/deploy/index.md
deleted file mode 100644
index 8058cf8890..0000000000
--- a/windows/deploy/index.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Deploy Windows 10 (Windows 10)
-description: Learn about deploying Windows 10 for IT professionals.
-ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-localizationpriority: high
-author: greg-lindsay
----
-
-# Deploy Windows 10
-Learn about deploying Windows 10 for IT professionals.
-
-## In this section
-
-|Topic |Description |
-|------|------------|
-|[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
-|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
-|[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
-|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
-|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
-|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
-|[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
-|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
-|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
-|[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
-|[Windows 10 upgrade paths](windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. |
-|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
-|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |
-|[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) |Sideload line-of-business apps in Windows 10. |
-|[Volume Activation [client]](volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. |
-|[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. |
-|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
-
-## Related topics
-- [Windows 10 and Windows 10 Mobile](../index.md)
-
-
-
-
-
-
-
-
-
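Review bot: the description in the "Deploy Windows 10 with System Center 2012 R2 Configuration Manager" row ends mid-sentence with "the Microsoft Deployment Toolkit (MDT) or.", and the file closes with a run of empty lines. If this landing page is being moved rather than retired, fix the truncated sentence and trim the trailing blank lines in the new copy instead of carrying them over.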
diff --git a/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md b/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md
deleted file mode 100644
index 9b25d3cea1..0000000000
--- a/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Manage Windows upgrades with Upgrade Analytics (Windows 10)
-redirect_url: manage-windows-upgrades-with-upgrade-readiness
----
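Review bot: this stub's only content is `redirect_url: manage-windows-upgrades-with-upgrade-readiness`, and the sibling `upgrade-analytics-*.md` stubs deleted below are the same shape. Removing them drops the redirects from the old Upgrade Analytics URLs, so please confirm that equivalent redirect entries exist in whatever mechanism replaces them before this merges; nothing in the visible part of the patch adds one. Otherwise links to the old names, including those in the Upgrade Analytics blog referenced by the deployment-script topic, will stop resolving.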
diff --git a/windows/deploy/troubleshoot-upgrade-analytics.md b/windows/deploy/troubleshoot-upgrade-analytics.md
deleted file mode 100644
index dc7f8428f2..0000000000
--- a/windows/deploy/troubleshoot-upgrade-analytics.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Troubleshoot Upgrade Analytics (Windows 10)
-redirect_url: troubleshoot-upgrade-readiness
----
diff --git a/windows/deploy/upgrade-analytics-additional-insights.md b/windows/deploy/upgrade-analytics-additional-insights.md
deleted file mode 100644
index 3a3dd06910..0000000000
--- a/windows/deploy/upgrade-analytics-additional-insights.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Upgrade Analytics - Additional insights
-redirect_url: upgrade-readiness-additional-insights
----
diff --git a/windows/deploy/upgrade-analytics-architecture.md b/windows/deploy/upgrade-analytics-architecture.md
deleted file mode 100644
index d1ab6fecdb..0000000000
--- a/windows/deploy/upgrade-analytics-architecture.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Upgrade Analytics architecture (Windows 10)
-redirect_url: upgrade-readiness-architecture
----
diff --git a/windows/deploy/upgrade-analytics-deploy-windows.md b/windows/deploy/upgrade-analytics-deploy-windows.md
deleted file mode 100644
index 76c41c573a..0000000000
--- a/windows/deploy/upgrade-analytics-deploy-windows.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Upgrade Analytics - Get a list of computers that are upgrade-ready (Windows 10)
-redirect_url: upgrade-readiness-deploy-windows
----
diff --git a/windows/deploy/upgrade-analytics-deployment-script.md b/windows/deploy/upgrade-analytics-deployment-script.md
deleted file mode 100644
index 0db5694e53..0000000000
--- a/windows/deploy/upgrade-analytics-deployment-script.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Upgrade Analytics deployment script (Windows 10)
-redirect_url: upgrade-readiness-deployment-script
----
\ No newline at end of file
diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md
deleted file mode 100644
index 575fd2ed00..0000000000
--- a/windows/deploy/upgrade-analytics-get-started.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Get started with Upgrade Analytics (Windows 10)
-redirect_url: upgrade-readiness-get-started
----
\ No newline at end of file
diff --git a/windows/deploy/upgrade-analytics-identify-apps.md b/windows/deploy/upgrade-analytics-identify-apps.md
deleted file mode 100644
index 6ff2df414c..0000000000
--- a/windows/deploy/upgrade-analytics-identify-apps.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Upgrade Analytics - Identify important apps (Windows 10)
-redirect_url: upgrade-readiness-identify-apps
----
-
diff --git a/windows/deploy/upgrade-analytics-requirements.md b/windows/deploy/upgrade-analytics-requirements.md
deleted file mode 100644
index 1b99be1621..0000000000
--- a/windows/deploy/upgrade-analytics-requirements.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Upgrade Analytics requirements (Windows 10)
-redirect_url: upgrade-readiness-requirements
----
-
diff --git a/windows/deploy/upgrade-analytics-resolve-issues.md b/windows/deploy/upgrade-analytics-resolve-issues.md
deleted file mode 100644
index 9514c81869..0000000000
--- a/windows/deploy/upgrade-analytics-resolve-issues.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Upgrade Analytics - Resolve application and driver issues (Windows 10)
-redirect_url: upgrade-readiness-resolve-issues
----
-
diff --git a/windows/deploy/upgrade-analytics-upgrade-overview.md b/windows/deploy/upgrade-analytics-upgrade-overview.md
deleted file mode 100644
index 72c4b10125..0000000000
--- a/windows/deploy/upgrade-analytics-upgrade-overview.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Upgrade Analytics - Upgrade Overview (Windows 10)
-redirect_url: upgrade-readiness-upgrade-overview
----
diff --git a/windows/deploy/upgrade-readiness-deployment-script.md b/windows/deploy/upgrade-readiness-deployment-script.md
deleted file mode 100644
index f8d311cd6b..0000000000
--- a/windows/deploy/upgrade-readiness-deployment-script.md
+++ /dev/null
@@ -1,274 +0,0 @@
----
-title: Upgrade Readiness deployment script (Windows 10)
-description: Deployment script for Upgrade Readiness.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-author: greg-lindsay
----
-
-# Upgrade Readiness deployment script
-
-To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
-
->[!IMPORTANT]
->Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution.
-
-For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
-
-> The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, please download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
-
-The Upgrade Readiness deployment script does the following:
-
-1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
-2. Verifies that user computers can send data to Microsoft.
-3. Checks whether the computer has a pending restart.
-4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
-5. If enabled, turns on verbose mode for troubleshooting.
-6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness.
-7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
-
-To run the Upgrade Readiness deployment script:
-
-1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
-
-2. Edit the following parameters in RunConfig.bat:
-
- 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
-
- 2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry.
-
- 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
-
- > *logMode = 0 log to console only*
- >
- > *logMode = 1 log to file and console*
- >
- > *logMode = 2 log to file only*
-
-3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
-
- > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
- >
- > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
- >
- > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
- >
- > *IEOptInLevel = 3 Data collection is enabled for all sites*
-
-4. The latest version (03.02.17) of the deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**.
-
- The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
-
- This data gives us the ability to determine the status of your machines and to help troubleshoot issues. If you choose to opt-in to and send this data to Microsoft, you must also allow https traffic to be sent to the following wildcard endpoints:
-
- \*vortex\*.data.microsoft.com
- \*settings\*.data.microsoft.com
-
-5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
-
-The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
-
-
-
-
-
-
Exit code
-
Meaning
-
Suggested fix
-
-
0
-
Success
-
N/A
-
-
1
-
Unexpected error occurred while executing the script.
-
The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again.
-
-
2
-
Error when logging to console. $logMode = 0. (console only)
-
Try changing the $logMode value to **1** and try again. $logMode value 1 logs to both console and file.
-
-
3
-
Error when logging to console and file. $logMode = 1.
-
Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
-
-
4
-
Error when logging to file. $logMode = 2.
-
Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
-
-
5
-
Error when logging to console and file. $logMode = unknown.
-
Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
-
-
6
-
The commercialID parameter is set to unknown. Modify the runConfig.bat file to set the CommercialID value.
-
The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace.
- See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace.
-
-
Verify that the configuration script has access to this location.
-
-
12
-
Can’t connect to Microsoft - Vortex. Check your network/proxy settings.
-
**Http Get** on the end points did not return a success exit code.
-For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive.
-For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive.
- If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
-
-
-
13
-
Can’t connect to Microsoft - setting.
-
An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
-
-
-
14
-
Can’t connect to Microsoft - compatexchange.
-
An error occurred connecting to https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc . This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
-
-
15
-
Function CheckVortexConnectivity failed with an unexpected exception.
-
This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult.
-
-
16
-
The computer requires a reboot before running the script.
-
A reboot is required to complete the installation of the compatibility update and related KBs. Reboot the computer before running the Upgrade Readiness deployment script.
-
-
17
-
Function **CheckRebootRequired** failed with an unexpected exception.
-
A reboot is required to complete installation of the compatibility update and related KBs. Check the logs for the exception message and the HResult.
-
-
18
-
Appraiser KBs not installed or **appraiser.dll** not found.
-
Either the Appraiser KBs are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser telemetry events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic.
-
-
19
-
Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception.
-
Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed.
-
-
20
-
An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at
The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key.
-
-
21
-
Function **SetRequestAllAppraiserVersions** failed with an unexpected exception.
-
Check the logs for the exception message and HResult.
-
-
22
-
**RunAppraiser** failed with unexpected exception.
-
Check the logs for the exception message and HResult. Check the **%windir%\System32*8 directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file.
-
-
23
-
Error finding system variable **%WINDIR%**.
-
Verify that this environment variable is configured on the computer.
-
-
24
-
The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at
This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult.
-
-
25
-
The function **SetIEDataOptIn** failed with unexpected exception.
-
Check the logs for the exception message and HResult.
-
-
26
-
The operating system is Server or LTSB SKU.
-
The script does not support Server or LTSB SKUs.
-
-
27
-
The script is not running under **System** account.
-
The Upgrade Readiness configuration script must be run as **System**.
-
-
28
-
Could not create log file at the specified **logPath**.
-
Make sure the deployment script has access to the location specified in the **logPath** parameter.
-
-
29
-
Connectivity check failed for proxy authentication.
-
Install the cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting.
- The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
- For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled).
- For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
-
-
30
-
Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled.
-
The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
- For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled).
- For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
-
-
31
-
There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer.
-
Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m.
-
-
32
-
Appraiser version on the machine is outdated.
-
The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for Windows 7 SP1/Windows 8.1.
-
-
33
-
**CompatTelRunner.exe** exited with an exit code
-
**CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Please check the logs for more details.
-
-
34
-
Function **CheckProxySettings** failed with an unexpected exception.
-
Check the logs for the exception message and HResult.
-
-
35
-
Function **CheckAuthProxy** failed with an unexpected exception.
-
Check the logs for the exception message and HResult.
-
-
36
-
Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception.
-
Check the logs for the exception message and HResult.
-
-
37
-
**Diagnose_internal.cmd** failed with an unexpected exception.
-
Check the logs for the exception message and HResult.
-
-
38
-
Function **Get-SqmID** failed with an unexpected exception.
-
Check the logs for the exception message and HResult.
-
-
39
-
For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path
For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).
-
-
40
-
Function **CheckTelemetryOptIn** failed with an unexpected exception.
-
Check the logs for the exception message and HResult.
-
-
41
-
The script failed to impersonate the currently logged on user.
-
The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the logged on user. The script also tries to mimic this, but the process failed.
-
-
42
-
Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception.
-
Check the logs for the exception message and HResult.
-
-
43
-
Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception.
-
Check the logs for the exception message and HResult.
-
-
-
-
-
-
-
-
-
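Review bot: Several rows of the exit-code table in this removed page are incomplete as shown here, and they should be fixed rather than copied if the content is carried over to upgrade/upgrade-readiness-deployment-script.md (the path the new TOC.md links). The row for exit code 22 reads `**%windir%\System32*8 directory`, which looks like a typo for a closing `**`. The rows for exit codes 20, 24 and 39 end in "at" with no registry key path following. The table also jumps from exit code 6 to 12, leaving a stray "Verify that the configuration script has access to this location." cell with no code attached. Separately, step 4 states that **AppInsightsOptIn** defaults to **true** and step 5 has the Deployment version run as system; the moved page should keep both facts prominent, since they determine what data leaves the machine and under which account.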
diff --git a/windows/deploy/upgrade-readiness-release-notes.md b/windows/deploy/upgrade-readiness-release-notes.md
deleted file mode 100644
index e023406035..0000000000
--- a/windows/deploy/upgrade-readiness-release-notes.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Upgrade Readiness release notes (Windows 10)
-description: Provides tips and limitations about Upgrade Readiness.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-requirements#important-information-about-this-release
----
\ No newline at end of file
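Review bot: This file consists only of front matter with a `redirect_url`, so deleting it drops the redirect for the old release-notes URL; confirm that the redirect is preserved somewhere else before merging. The target it pointed at is an absolute technet URL under `/itpro/windows/deploy/`, while the new TOC.md in this change lists the requirements page as `upgrade/upgrade-readiness-requirements.md` under `windows/deployment`, so any replacement redirect should point at the new location and keep the `#important-information-about-this-release` anchor only if that heading still exists there.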
diff --git a/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md b/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md
deleted file mode 100644
index 3d23267aa8..0000000000
--- a/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Use Upgrade Analytics to manage Windows upgrades (Windows 10)
-redirect_url: use-upgrade-readiness-to-manage-windows-upgrades
----
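Review bot: The `redirect_url: use-upgrade-readiness-to-manage-windows-upgrades` in this stub is a relative target, and removing the stub leaves the old "Upgrade Analytics" URL with nothing to resolve it. The new TOC.md lists the destination page as `upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md`, so if the redirect is re-created elsewhere it needs the new path rather than this bare relative name.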
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
new file mode 100644
index 0000000000..73fce9589a
--- /dev/null
+++ b/windows/deployment/TOC.md
@@ -0,0 +1,220 @@
+# [Deploy Windows 10](index.md)
+## [What's new in Windows 10 deployment](deploy-whats-new.md)
+## [Plan for Windows 10 deployment](planning/index.md)
+### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md)
+### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
+### [Windows 10 compatibility](planning/windows-10-compatibility.md)
+### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md)
+### [Windows To Go: feature overview](planning/windows-to-go-overview.md)
+#### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md)
+#### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md)
+#### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md)
+#### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md)
+#### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md)
+### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md)
+#### [SUA User's Guide](planning/sua-users-guide.md)
+##### [Using the SUA Wizard](planning/using-the-sua-wizard.md)
+##### [Using the SUA Tool](planning/using-the-sua-tool.md)
+###### [Tabs on the SUA Tool Interface](planning/tabs-on-the-sua-tool-interface.md)
+###### [Showing Messages Generated by the SUA Tool](planning/showing-messages-generated-by-the-sua-tool.md)
+###### [Applying Filters to Data in the SUA Tool](planning/applying-filters-to-data-in-the-sua-tool.md)
+###### [Fixing Applications by Using the SUA Tool](planning/fixing-applications-by-using-the-sua-tool.md)
+#### [Compatibility Administrator User's Guide](planning/compatibility-administrator-users-guide.md)
+##### [Using the Compatibility Administrator Tool](planning/using-the-compatibility-administrator-tool.md)
+###### [Available Data Types and Operators in Compatibility Administrator](planning/available-data-types-and-operators-in-compatibility-administrator.md)
+###### [Searching for Fixed Applications in Compatibility Administrator](planning/searching-for-fixed-applications-in-compatibility-administrator.md)
+###### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)
+###### [Creating a Custom Compatibility Fix in Compatibility Administrator](planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md)
+###### [Creating a Custom Compatibility Mode in Compatibility Administrator](planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
+###### [Creating an AppHelp Message in Compatibility Administrator](planning/creating-an-apphelp-message-in-compatibility-administrator.md)
+###### [Viewing the Events Screen in Compatibility Administrator](planning/viewing-the-events-screen-in-compatibility-administrator.md)
+###### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)
+###### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)
+##### [Managing Application-Compatibility Fixes and Custom Fix Databases](planning/managing-application-compatibility-fixes-and-custom-fix-databases.md)
+###### [Understanding and Using Compatibility Fixes](planning/understanding-and-using-compatibility-fixes.md)
+###### [Compatibility Fix Database Management Strategies and Deployment](planning/compatibility-fix-database-management-strategies-and-deployment.md)
+###### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md)
+##### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md)
+#### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
+### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md)
+## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+## Upgrade Windows
+### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
+### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
+### [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
+### [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)
+### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
+#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
+#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
+#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
+##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
+#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
+##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md)
+##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
+##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
+##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
+##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
+#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
+## [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
+### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
+### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
+#### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md)
+#### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md)
+#### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
+### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
+### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
+### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
+### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md)
+### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md)
+### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md)
+#### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md)
+#### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md)
+#### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md)
+#### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md)
+#### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+#### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md)
+#### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md)
+#### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md)
+## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
+### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
+### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
+### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md)
+### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
+## [Convert MBR partition to GPT](mbr-to-gpt.md)
+## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
+## [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
+## [Update Windows 10](update/index.md)
+### [Quick guide to Windows as a service](update/waas-quick-start.md)
+### [Overview of Windows as a service](update/waas-overview.md)
+### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
+### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
+### [Assign devices to servicing branches for Windows 10 updates](update/waas-servicing-branches-windows-10-updates.md)
+### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
+#### [Get started with Update Compliance](update/update-compliance-get-started.md)
+#### [Use Update Compliance](update/update-compliance-using.md)
+### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
+#### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
+#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
+### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md)
+### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md)
+#### [Configure Windows Update for Business](update/waas-configure-wufb.md)
+#### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md)
+#### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md)
+#### [Walkthrough: use Intune to configure Windows Update for Business](update/waas-wufb-intune.md)
+### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md)
+### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
+### [Manage device restarts after updates](update/waas-restart.md)
+### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
+#### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md)
+#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
+### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
+
+## [Volume Activation [client]](volume-activation/volume-activation-windows-10.md)
+### [Plan for volume activation [client]](volume-activation/plan-for-volume-activation-client.md)
+### [Activate using Key Management Service [client]](volume-activation/activate-using-key-management-service-vamt.md)
+### [Activate using Active Directory-based activation [client]](volume-activation/activate-using-active-directory-based-activation-client.md)
+### [Activate clients running Windows 10](volume-activation/activate-windows-10-clients-vamt.md)
+### [Monitor activation [client]](volume-activation/monitor-activation-client.md)
+### [Use the Volume Activation Management Tool [client]](volume-activation/use-the-volume-activation-management-tool-client.md)
+### [Appendix: Information sent to Microsoft during activation [client]](volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md)
+## [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md)
+## [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md)
+### [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
+### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
+### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
+#### [Introduction to VAMT](volume-activation/introduction-vamt.md)
+#### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md)
+#### [Install and Configure VAMT](volume-activation/install-configure-vamt.md)
+##### [VAMT Requirements](volume-activation/vamt-requirements.md)
+##### [Install VAMT](volume-activation/install-vamt.md)
+##### [Configure Client Computers](volume-activation/configure-client-computers-vamt.md)
+#### [Add and Manage Products](volume-activation/add-manage-products-vamt.md)
+##### [Add and Remove Computers](volume-activation/add-remove-computers-vamt.md)
+##### [Update Product Status](volume-activation/update-product-status-vamt.md)
+##### [Remove Products](volume-activation/remove-products-vamt.md)
+#### [Manage Product Keys](volume-activation/manage-product-keys-vamt.md)
+##### [Add and Remove a Product Key](volume-activation/add-remove-product-key-vamt.md)
+##### [Install a Product Key](volume-activation/install-product-key-vamt.md)
+##### [Install a KMS Client Key](volume-activation/install-kms-client-key-vamt.md)
+#### [Manage Activations](volume-activation/manage-activations-vamt.md)
+##### [Perform Online Activation](volume-activation/online-activation-vamt.md)
+##### [Perform Proxy Activation](volume-activation/proxy-activation-vamt.md)
+##### [Perform KMS Activation](volume-activation/kms-activation-vamt.md)
+##### [Perform Local Reactivation](volume-activation/local-reactivation-vamt.md)
+##### [Activate an Active Directory Forest Online](volume-activation/activate-forest-vamt.md)
+##### [Activate by Proxy an Active Directory Forest](volume-activation/activate-forest-by-proxy-vamt.md)
+#### [Manage VAMT Data](volume-activation/manage-vamt-data.md)
+##### [Import and Export VAMT Data](volume-activation/import-export-vamt-data.md)
+##### [Use VAMT in Windows PowerShell](volume-activation/use-vamt-in-windows-powershell.md)
+#### [VAMT Step-by-Step Scenarios](volume-activation/vamt-step-by-step.md)
+##### [Scenario 1: Online Activation](volume-activation/scenario-online-activation-vamt.md)
+##### [Scenario 2: Proxy Activation](volume-activation/scenario-proxy-activation-vamt.md)
+##### [Scenario 3: KMS Client Activation](volume-activation/scenario-kms-activation-vamt.md)
+#### [VAMT Known Issues](volume-activation/vamt-known-issues.md)
+### [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
+#### [User State Migration Tool (USMT) Overview Topics](usmt/usmt-topics.md)
+##### [User State Migration Tool (USMT) Overview](usmt/usmt-overview.md)
+##### [Getting Started with the User State Migration Tool (USMT)](usmt/getting-started-with-the-user-state-migration-tool.md)
+##### [Windows Upgrade and Migration Considerations](upgrade/windows-upgrade-and-migration-considerations.md)
+#### [User State Migration Tool (USMT) How-to topics](usmt/usmt-how-to.md)
+##### [Exclude Files and Settings](usmt/usmt-exclude-files-and-settings.md)
+##### [Extract Files from a Compressed USMT Migration Store](usmt/usmt-extract-files-from-a-compressed-migration-store.md)
+##### [Include Files and Settings](usmt/usmt-include-files-and-settings.md)
+##### [Migrate Application Settings](usmt/migrate-application-settings.md)
+##### [Migrate EFS Files and Certificates](usmt/usmt-migrate-efs-files-and-certificates.md)
+##### [Migrate User Accounts](usmt/usmt-migrate-user-accounts.md)
+##### [Reroute Files and Settings](usmt/usmt-reroute-files-and-settings.md)
+##### [Verify the Condition of a Compressed Migration Store](usmt/verify-the-condition-of-a-compressed-migration-store.md)
+#### [User State Migration Tool (USMT) Troubleshooting](usmt/usmt-troubleshooting.md)
+##### [Common Issues](usmt/usmt-common-issues.md)
+##### [Frequently Asked Questions](usmt/usmt-faq.md)
+##### [Log Files](usmt/usmt-log-files.md)
+##### [Return Codes](usmt/usmt-return-codes.md)
+##### [USMT Resources](usmt/usmt-resources.md)
+#### [User State Migration Toolkit (USMT) Reference](usmt/usmt-reference.md)
+##### [USMT Requirements](usmt/usmt-requirements.md)
+##### [USMT Best Practices](usmt/usmt-best-practices.md)
+##### [How USMT Works](usmt/usmt-how-it-works.md)
+##### [Plan Your Migration](usmt/usmt-plan-your-migration.md)
+###### [Common Migration Scenarios](usmt/usmt-common-migration-scenarios.md)
+###### [What Does USMT Migrate?](usmt/usmt-what-does-usmt-migrate.md)
+###### [Choose a Migration Store Type](usmt/usmt-choose-migration-store-type.md)
+####### [Migration Store Types Overview](usmt/migration-store-types-overview.md)
+####### [Estimate Migration Store Size](usmt/usmt-estimate-migration-store-size.md)
+####### [Hard-Link Migration Store](usmt/usmt-hard-link-migration-store.md)
+####### [Migration Store Encryption](usmt/usmt-migration-store-encryption.md)
+###### [Determine What to Migrate](usmt/usmt-determine-what-to-migrate.md)
+####### [Identify Users](usmt/usmt-identify-users.md)
+####### [Identify Applications Settings](usmt/usmt-identify-application-settings.md)
+####### [Identify Operating System Settings](usmt/usmt-identify-operating-system-settings.md)
+####### [Identify File Types, Files, and Folders](usmt/usmt-identify-file-types-files-and-folders.md)
+###### [Test Your Migration](usmt/usmt-test-your-migration.md)
+##### [User State Migration Tool (USMT) Command-line Syntax](usmt/usmt-command-line-syntax.md)
+###### [ScanState Syntax](usmt/usmt-scanstate-syntax.md)
+###### [LoadState Syntax](usmt/usmt-loadstate-syntax.md)
+###### [UsmtUtils Syntax](usmt/usmt-utilities.md)
+##### [USMT XML Reference](usmt/usmt-xml-reference.md)
+###### [Understanding Migration XML Files](usmt/understanding-migration-xml-files.md)
+###### [Config.xml File](usmt/usmt-configxml-file.md)
+###### [Customize USMT XML Files](usmt/usmt-customize-xml-files.md)
+###### [Custom XML Examples](usmt/usmt-custom-xml-examples.md)
+###### [Conflicts and Precedence](usmt/usmt-conflicts-and-precedence.md)
+###### [General Conventions](usmt/usmt-general-conventions.md)
+###### [XML File Requirements](usmt/xml-file-requirements.md)
+###### [Recognized Environment Variables](usmt/usmt-recognized-environment-variables.md)
+###### [XML Elements Library](usmt/usmt-xml-elements-library.md)
+##### [Offline Migration Reference](usmt/offline-migration-reference.md)
+## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
\ No newline at end of file
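Review bot: The nine entries under "Choose a Migration Store Type" and "Determine What to Migrate" (from "Migration Store Types Overview" through "Identify File Types, Files, and Folders") are written with seven `#` characters, while Markdown defines only six heading levels. Please confirm the TOC build accepts a seventh level, or flatten these entries by one level. Separately, the "User State Migration Toolkit (USMT) Reference" entry says "Toolkit" where the neighbouring entries ("How-to topics", "Troubleshooting", "Command-line Syntax") say "User State Migration Tool"; the name should be consistent. The file also ends without a trailing newline.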
diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md
new file mode 100644
index 0000000000..56563526b0
--- /dev/null
+++ b/windows/deployment/change-history-for-deploy-windows-10.md
@@ -0,0 +1,128 @@
+---
+title: Change history for Deploy Windows 10 (Windows 10)
+description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile.
+ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: greg-lindsay
+---
+
+# Change history for Deploy Windows 10
+This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
+
+## April 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | Updated: The "refresh" and "replace" procedures were swapped in order so that it would not be necessary to save and restore VMs. Also a missing step was added to include the State migration point role. |
+| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)| Updated with minor fixes. |
+| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)| Updated child topics under this node to include new feature and user interface changes. |
+| [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)| Added a table summarizing connection scenarios under the Enable data sharing topic. |
+
+
+## RELEASE: Windows 10, version 1703
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index).
+
+
+## March 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [What's new in Windows 10 deployment](deploy-whats-new.md) | New |
+| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. |
+| [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. |
+| [Convert MBR partition to GPT](mbr-to-gpt.md) | New |
+
+## February 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | Multiple topics updated, name changed from Upgrade Analytics to Upgrade Readiness, and other content updates. |
+| [USMT Requirements](usmt/usmt-requirements.md) | Updated: Vista support removed and other minor changes |
+| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated structure and content |
+| [Upgrade Analytics deployment script](upgrade/upgrade-readiness-deployment-script.md) | Added as a separate page from get started |
+| [Use Upgrade Analytics to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) | Updated with links to new content and information about the target OS setting |
+| [Upgrade Analytics - Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) | New |
+| [Upgrade Analytics - Step 1: Identify important apps](upgrade/upgrade-readiness-identify-apps.md) | Updated topic title and content |
+| [Upgrade Analytics - Step 2: Resolve app and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | New |
+| [Upgrade Analytics - Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) | New |
+| [Upgrade Analytics - Additional insights](upgrade/upgrade-readiness-additional-insights.md) | New |
+
+
+## January 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New |
+| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New |
+| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | New |
+| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package.md) | New (previously published in other topics) |
+| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog |
+| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package.md) |
+| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package.md) |
+
+
+## October 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) | New |
+
+## September 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New |
+| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated with prerequisites for site discovery |
+| [Resolve application and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | Updated with app status info for Ready For Windows |
+| [Review site discovery](upgrade/upgrade-readiness-additional-insights.md) | New |
+
+## RELEASE: Windows 10, version 1607
+
+The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
+
+- [Provisioning packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages.md)
+- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md)
+- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md)
+
+## August 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated with reboot requirements |
+
+## July 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Manage Windows upgrades with Upgrade Analytics](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | New |
+
+## June 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New |
+| [User State Migration Tool Technical Reference](usmt/usmt-technical-reference.md) | Updated support statement for Office 2016 |
+| [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) | New |
+
+## May 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) | New |
+
+## December 2015
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Activate using Key Management Service](volume-activation/activate-using-key-management-service-vamt.md) | Updated |
+| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated |
+
+## November 2015
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | New |
+
+## Related topics
+- [Change history for Plan for Windows 10 deployment](/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment)
+- [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
+- [Change history for Access Protection](/windows/device-security/change-history-for-device-security)
+- [Change history for Access Protection](/windows/threat-protection/change-history-for-threat-protection)
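Review bot: In the "Related topics" list at the end of this new file, all three links after the planning one carry the text "Change history for Access Protection", although their targets are `/windows/access-protection/...`, `/windows/device-security/...` and `/windows/threat-protection/...`. The second and third should read "Change history for Device Security" and "Change history for Threat Protection" so the link text matches the destination. Also, the February 2017 table records the rename from Upgrade Analytics to Upgrade Readiness in its first row but still titles the following rows "Upgrade Analytics" while linking to `upgrade-readiness-*.md` files; consider aligning the titles with the new name, or noting that they are the titles as of that month.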
diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
similarity index 100%
rename from windows/deploy/configure-a-pxe-server-to-load-windows-pe.md
rename to windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
diff --git a/windows/deploy/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
similarity index 84%
rename from windows/deploy/deploy-whats-new.md
rename to windows/deployment/deploy-whats-new.md
index 9d6a1b0d15..a4e547e904 100644
--- a/windows/deploy/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -44,7 +44,7 @@ The development of Upgrade Readiness has been heavily influenced by input from t
For more information about Upgrade Readiness, see the following topics:
- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/)
-- [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md)
+- [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
### Update Compliance
@@ -53,7 +53,7 @@ Update Compliance helps you to keep Windows 10 devices in your organization secu
Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
-For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md).
+For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md).
### MBR2GPT
@@ -98,7 +98,7 @@ For more information, see the following guides:
## Troubleshooting guidance
-[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
+[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
## Online content change history
@@ -106,18 +106,18 @@ For more information, see the following guides:
The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10.
[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
- [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
- [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
+[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
+[Change history for Device Security](/windows/device-security/change-history-for-device-security)
+[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
## Related topics
-[Overview of Windows as a service](../manage/waas-overview.md)
- [Windows 10 deployment considerations](../plan/windows-10-deployment-considerations.md)
+[Overview of Windows as a service](update/waas-overview.md)
+ [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
[Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info.aspx)
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications)
- [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
+ [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
\ No newline at end of file
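Review bot: In the "Online content change history" list of this hunk, the links to "Change history for Plan for Windows 10 deployment" and "Change history for Manage and update Windows 10" are removed without a replacement, and only the Access Protection, Device Security and Threat Protection histories are added. The new change-history-for-deploy-windows-10.md in this same patch links to `/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment`, so the planning history still exists and should probably stay listed here; if the "Manage and update" history has also moved, it needs a new link as well. The added links also use absolute paths without a `.md` extension, while the other links in this file are relative with `.md`; please confirm both forms resolve in the build.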
diff --git a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt-2013.md
similarity index 100%
rename from windows/deploy/assign-applications-using-roles-in-mdt-2013.md
rename to windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt-2013.md
diff --git a/windows/deploy/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
similarity index 97%
rename from windows/deploy/assign-applications-using-roles-in-mdt.md
rename to windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
index c2d8ed9f1b..7fbd9c8386 100644
--- a/windows/deploy/assign-applications-using-roles-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
@@ -23,7 +23,7 @@ This topic will show you how to add applications to a role in the MDT database a
2. Applications / Lite Touch Applications:
3. Install - Adobe Reader XI - x86
-
+
Figure 12. The Standard PC role with the application added
@@ -34,7 +34,7 @@ After creating the role, you can associate it with one or more computer entries.
2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting:
- Roles: Standard PC
-
+
Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database).
@@ -115,7 +115,7 @@ When the database is populated, you can use the MDT simulation environment to si
```
-
+
Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine.
diff --git a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
similarity index 97%
rename from windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md
rename to windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
index 5d6bf1b687..c253293a7e 100644
--- a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
@@ -20,7 +20,7 @@ In this topic, you will learn how to replicate your Windows 10 deployment share
We will use four machines for this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0006 is a blank machine to which you will deploy Windows 10. You will configure a second deployment server (MDT02) for a remote site (Stockholm) by replicating the deployment share in the original site (New York). MDT01, MDT02, and PC0006 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
+
Figure 1. The machines used in this topic.
@@ -50,7 +50,7 @@ Setting up DFS-R for replication is a quick and straightforward process. You pre
4. On the **Select server roles** page, expand **File and Storage Services (Installed)** and expand **File and iSCSI Services (Installed)**.
5. In the **Roles** list, select **DFS Replication**. In the **Add Roles and Features Wizard** dialog box, select **Add Features**, and then click **Next**.
- 
+ 
Figure 2. Adding the DFS Replication role to MDT01.
@@ -74,7 +74,7 @@ Setting up DFS-R for replication is a quick and straightforward process. You pre
1. On MDT02, using File Explorer, create the **E:\\MDTProduction** folder.
2. Share the **E:\\MDTProduction** folder as **MDTProduction$**. Use the default permissions.
- 
+ 
Figure 3. Sharing the **E:\\MDTProduction folder** on MDT02.
@@ -104,14 +104,14 @@ When you have multiple deployment servers sharing the same content, you need to
2. Save the Bootstrap.ini file.
3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**.
- 
+ 
Figure 4. Updating the MDT Production deployment share.
4. Use the default settings for the Update Deployment Share Wizard.
5. After the update is complete, use the Windows Deployment Services console. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**.
- 
+ 
Figure 5. Replacing the updated boot image in WDS.
@@ -124,7 +124,7 @@ Once the MDT01 and MDT02 servers are prepared, you are ready to configure the ac
3. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**.
4. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**.
- 
+ 
Figure 6. Adding the Replication Group Members.
@@ -135,7 +135,7 @@ Once the MDT01 and MDT02 servers are prepared, you are ready to configure the ac
9. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and click **Edit**.
10. On the **Edit** page, select the **Enabled** option, type in **E:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, click **OK**, and then click **Next**.
- 
+ 
Figure 7. Configure the MDT02 member.
@@ -153,7 +153,7 @@ Once the MDT01 and MDT02 servers are prepared, you are ready to configure the ac
(Get-ChildItem E:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
```
- 
+ 
Figure 8. Configure the Staging settings.
@@ -175,7 +175,7 @@ It will take some time for the replication configuration to be picked up by the
7. On the **Review Settings and Create Report** page, click **Create**.
8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option.
-
+
Figure 9. The DFS Replication Health Report.
diff --git a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-2013-for-userexit-scripts.md
similarity index 100%
rename from windows/deploy/configure-mdt-2013-for-userexit-scripts.md
rename to windows/deployment/deploy-windows-mdt/configure-mdt-2013-for-userexit-scripts.md
diff --git a/windows/deploy/configure-mdt-2013-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-2013-settings.md
similarity index 100%
rename from windows/deploy/configure-mdt-2013-settings.md
rename to windows/deployment/deploy-windows-mdt/configure-mdt-2013-settings.md
diff --git a/windows/deploy/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
similarity index 100%
rename from windows/deploy/configure-mdt-deployment-share-rules.md
rename to windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
diff --git a/windows/deploy/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
similarity index 100%
rename from windows/deploy/configure-mdt-for-userexit-scripts.md
rename to windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
diff --git a/windows/deploy/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
similarity index 98%
rename from windows/deploy/configure-mdt-settings.md
rename to windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index f5e67fc5c6..b01d3341c6 100644
--- a/windows/deploy/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -16,7 +16,7 @@ author: mtniehaus
One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
+
Figure 1. The machines used in this topic.
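Review bot: The context paragraph above the figure in this hunk lists the four machines as "DC01, MDT01, HV01, and PC0001", then goes on to describe OR01 ("OR01 has Microsoft System Center 2012 R2 Orchestrator installed") and names "MDT01, OR01, and PC0001" as the domain members, without mentioning HV01 again. Since this file is being touched for the move, it would be worth correcting the machine list in the same change so it matches the machines the topic actually uses.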
diff --git a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
similarity index 87%
rename from windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md
rename to windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
index 98e1ddb768..123fe228b3 100644
--- a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -110,7 +110,7 @@ After you create the task sequence, we recommend that you configure the task seq
>[!NOTE]
>You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
- 
+ 
*Figure 24. The driver package options*
@@ -118,7 +118,7 @@ After you create the task sequence, we recommend that you configure the task seq
8. Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list.
- 
+ 
*Figure 25. Add an application to the Configuration Manager task sequence*
@@ -169,27 +169,18 @@ While creating the task sequence with the MDT wizard, a few operating system dep
[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
+[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
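Review bot: In the "Related topics" block of this last hunk, the blank separator lines between the links are removed (the bare `-` lines) and none are added back, so the six links from "Add a Windows 10 operating system image" through "Replace a Windows 7 SP1 client" now sit on consecutive lines. Unless each of those lines ends with an explicit line break, Markdown will render them as one run-on paragraph; please check the rendered page and either restore the blank lines or convert the block to a list. The first link, `integrate-configuration-manager-with-mdt.md`, is left as a bare relative path while its siblings gain `../deploy-windows-sccm/`; confirm that file is moved into `deploy-windows-mdt/` alongside this one, otherwise the link breaks.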
diff --git a/windows/deploy/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
similarity index 98%
rename from windows/deploy/create-a-windows-10-reference-image.md
rename to windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 03ce967435..128b74d5b1 100644
--- a/windows/deploy/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -22,7 +22,7 @@ For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, an
**Note**
For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
+
Figure 1. The machines used in this topic.
@@ -49,7 +49,7 @@ With Windows 10, there is no hard requirement to create reference images; howev
- <default>
- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share.
-
+
Figure 2. The Deployment Workbench with the MDT Build Lab deployment share created.
@@ -63,7 +63,7 @@ In order to write the reference image back to the deployment share, you need to
icacls E:\MDTBuildLab\Captures /grant '"MDT_BA":(OI)(CI)(M)'
```
-
+
Figure 3. Permissions configured for the MDT\_BA user.
@@ -91,7 +91,7 @@ In these steps we assume that you have copied the content of a Windows 10 Enter
7. Destination directory name: W10EX64RTM
8. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image**
-
+
Figure 4. The imported Windows 10 operating system after renaming it.
@@ -129,7 +129,7 @@ You also can customize the Office installation using a Config.xml file. But we r
1. Using the Deployment Workbench in the MDT Build Lab deployment share, expand the **Applications / Microsoft** node, and double-click **Install - Microsoft Office 2013 Pro Plus x86**.
2. In the **Office Products** tab, click **Office Customization Tool**, and click **OK** in the **Information** dialog box.
- 
+ 
Figure 5. The Install - Microsoft Office 2013 Pro Plus - x86 application properties.
@@ -145,7 +145,7 @@ You also can customize the Office installation using a Config.xml file. But we r
2. Select I accept the terms in the License Agreement.
3. Select Display level: None
- 
+ 
Figure 6. The licensing and user interface screen in the Microsoft Office Customization Tool
@@ -335,7 +335,7 @@ The steps below walk you through the process of editing the Windows 10 referenc
**Important**
This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.
- 
+ 
Figure 7. The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action.
@@ -359,11 +359,11 @@ The steps below walk you through the process of editing the Windows 10 referenc
The goal when creating a reference image is of course to automate everything. But sometimes you have a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine.
-
+
Figure 8. A task sequence with optional Suspend action (LTISuspend.wsf) added.
-
+
Figure 9. The Windows 10 desktop with the Resume Task Sequence shortcut.
@@ -384,7 +384,7 @@ Follow these steps to configure Internet Explorer settings in Unattend.xml for t
5. Save the Unattend.xml file, and close Windows SIM.
6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**.
-
+
Figure 10. Windows System Image Manager with the Windows 10 Unattend.xml.
@@ -431,7 +431,7 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which
SkipFinalSummary=YES
```
- 
+ 
Figure 11. The server-side rules for the MDT Build Lab deployment share.
@@ -448,7 +448,7 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which
SkipBDDWelcome=YES
```
- 
+ 
Figure 12. The boot image rules for the MDT Build Lab deployment share.
@@ -614,7 +614,7 @@ This steps below outline the process used to boot a virtual machine using an ISO
- Location: \\\\MDT01\\MDTBuildLab$\\Captures
3. File name: REFW10X64-001.wim
- 
+ 
Figure 13. The Windows Deployment Wizard for the Windows 10 reference image.
diff --git a/windows/deploy/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
similarity index 98%
rename from windows/deploy/deploy-a-windows-10-image-using-mdt.md
rename to windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index d7f9b691ff..7249255dfd 100644
--- a/windows/deploy/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -23,7 +23,7 @@ For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0
**Note**
For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
+
Figure 1. The machines used in this topic.
@@ -93,7 +93,7 @@ In these steps, we assume that you have completed the steps in the [Create a Win
**Note**
The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.
-
+
Figure 2. The imported operating system after renaming it.
@@ -113,7 +113,7 @@ In this example, we assume that you have downloaded the Adobe Reader XI installa
7. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader XI - x86** and click **Next**.
8. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AdbeRdr11000\_eu\_ES.msi /q**, click **Next** twice, and then click **Finish**.
-
+
Figure 3. The Adobe Reader application added to the Deployment Workbench.
@@ -180,7 +180,7 @@ wmic csproduct get name
If you want a more standardized naming convention, try the ModelAliasExit.vbs script from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
-
+
Figure 4. The Out-of-Box Drivers structure in Deployment Workbench.
@@ -197,7 +197,7 @@ The drivers that are used for the boot images (Windows PE) are Windows 10 driver
1. Selection Profile name: WinPE x64
2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
-
+
Figure 5. Creating the WinPE x64 selection profile.
@@ -290,7 +290,7 @@ This section will show you how to create the task sequence used to deploy your p
4. State Restore. Enable the **Windows Update (Post-Application Installation)** action.
3. Click **OK**.
-
+
Figure 6. The task sequence for production deployment.
@@ -374,7 +374,7 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
It will take a while for the Deployment Workbench to create the monitoring database and web service.
-
+
Figure 7. The Windows PE tab for the x64 boot image.
@@ -463,7 +463,7 @@ In these steps, we assume that you downloaded MDOP 2015 R1 and copied DaRT 10 to
6. In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
7. In the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
- 
+ 
Figure 8. Selecting the DaRT 10 feature in the deployment share.
@@ -490,7 +490,7 @@ You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparati
1. Using the WDS console, right-click **Boot Images** and select **Add Boot Image**.
2. Browse to the E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim file and add the image with the default settings.
-
+
Figure 9. The boot image added to the WDS console.
@@ -505,7 +505,7 @@ At this point, you should have a solution ready for deploying the Windows 10 cl
5. Hard disk: 60 GB (dynamic disk)
2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The machine will now load the Windows PE boot image from the WDS server.
- 
+ 
Figure 10. The initial PXE boot process of PC0005.
@@ -527,7 +527,7 @@ Now that you have enabled the monitoring on the MDT Production deployment share,
2. Select the **Monitoring** node, and wait until you see PC0005.
3. Double-click PC0005, and review the information.
-
+
Figure 11. The Monitoring node, showing the deployment progress of PC0005.
@@ -535,7 +535,7 @@ Figure 11. The Monitoring node, showing the deployment progress of PC0005.
When monitoring is enabled, MDT also writes information to the event viewer on MDT01. This information can be used to trigger notifications via scheduled tasks when deployment is completed. For example, you can configure scheduled tasks to send an email when a certain event is created in the event log.
-
+
Figure 12. The Event Viewer showing a successful deployment of PC0005.
@@ -557,7 +557,7 @@ Setting up MDT for multicast is straightforward. You enable multicast on the dep
3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**.
4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created.
-
+
Figure 13. The newly created multicast namespace.
@@ -635,7 +635,7 @@ Follow these steps to create a bootable USB stick from the offline media content
As referenced in [Windows 10 deployment tools](https://go.microsoft.com/fwlink/p/?LinkId=619546), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UFEI.
-
+
Figure 14. The partitions when deploying an UEFI-based machine.
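Review bot: The context paragraph in this hunk ends with "to accommodate UFEI", a transposition of UEFI, and both it and the Figure 14 caption use "an UEFI-based" where "a UEFI-based" is expected. The hunk only touches the image line, but the file is already being rewritten by this move, so these are worth fixing in the same pass.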
diff --git a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
similarity index 90%
rename from windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
rename to windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
index 3cdcb17cd1..def335f1b1 100644
--- a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -37,13 +37,13 @@ To download the latest version of MDT, visit the [MDT resource page](https://go.
For the purposes of this guide, and the topics discussed herein, we will use the following servers and client machines: DC01, MDT01, CM01, PC0001, and PC0002.
-
+
Figure 1. The servers and machines used for examples in this guide.
DC01 is a domain controller; the other servers and client machines are members of the domain contoso.com for the fictitious Contoso Corporation.
-
+
Figure 2. The organizational unit (OU) structure used in this guide.
@@ -80,14 +80,14 @@ The information in this guide is designed to help you deploy Windows 10. In ord
[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
+[Windows 10 deployment tools](../windows-deployment-scenarios-and-tools.md)
-[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
+[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-[Deploy Windows To Go in your organization](deploy-windows-to-go.md)
+[Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)
+[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
-[Volume Activation for Windows 10](volume-activation-windows-10.md)
+[Volume Activation for Windows 10](../volume-activation/volume-activation-windows-10.md)
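Review bot: The rewritten Sideload link, `/windows/application-management/sideload-apps-in-windows-10`, is the only one in this list that is site-absolute and has no `.md` extension; the other five use `../` relative paths to `.md` files. If the target lives in another docset this may be intentional, but please confirm the build resolves it and note why it differs. Otherwise make it a relative `.md` link like its neighbours so link validation treats the whole list the same way.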
diff --git a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
similarity index 98%
rename from windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md
rename to windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index 7e5bf105f1..b27fa998b0 100644
--- a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -23,7 +23,7 @@ In addition to familiarizing you with the features and options available in MDT,
For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see
[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
+
Figure 1. The machines used in this topic.
diff --git a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt-2013.md
similarity index 100%
rename from windows/deploy/integrate-configuration-manager-with-mdt-2013.md
rename to windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt-2013.md
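Review bot: This file is renamed at similarity index 100%, so none of its content was adjusted for the new directory, while its sibling `integrate-configuration-manager-with-mdt.md` (next in the patch) needed image and related-topic paths rewritten for the same move. If the `-2013` copy carries the same relative image and link paths, they will break after the rename. The same applies to the other `-2013` files moved at 100% in this patch. Either update their paths too or confirm these copies are redirect stubs with nothing to fix.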
diff --git a/windows/deploy/integrate-configuration-manager-with-mdt.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
similarity index 85%
rename from windows/deploy/integrate-configuration-manager-with-mdt.md
rename to windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
index 2b4560ff12..859c8043e2 100644
--- a/windows/deploy/integrate-configuration-manager-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
@@ -54,7 +54,7 @@ The task sequence uses instructions that allow you to reduce the number of task
MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com
```
-
+
Figure 2. The Gather action in the task sequence is reading the rules.
@@ -62,7 +62,7 @@ Figure 2. The Gather action in the task sequence is reading the rules.
When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](configure-mdt-settings.md).
-
+
Figure 3. The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1).
@@ -70,7 +70,7 @@ Figure 3. The folder that contains the rules, a few scripts from MDT, and a cust
With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
-
+
Figure 4. View the real-time monitoring data with PowerShell.
@@ -78,7 +78,7 @@ Figure 4. View the real-time monitoring data with PowerShell.
For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer.
-
+
Figure 5. The optional UDI wizard open in the UDI Wizard Designer.
@@ -96,21 +96,21 @@ You can create reference images for Configuration Manager in Configuration Manag
## Related topics
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
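Review bot: The new "Create a task sequence with Configuration Manager and MDT" link points to `../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md`, which climbs out of `deploy-windows-mdt` and straight back into it, since this file is itself being moved there. Every other Configuration Manager link in this list targets `../deploy-windows-sccm/`. Please check where the target file actually lands. If it is in `deploy-windows-mdt`, use the bare filename; if it moved with the other Configuration Manager topics, the directory here is wrong.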
diff --git a/windows/deploy/key-features-in-mdt-2013.md b/windows/deployment/deploy-windows-mdt/key-features-in-mdt-2013.md
similarity index 100%
rename from windows/deploy/key-features-in-mdt-2013.md
rename to windows/deployment/deploy-windows-mdt/key-features-in-mdt-2013.md
diff --git a/windows/deploy/key-features-in-mdt.md b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
similarity index 98%
rename from windows/deploy/key-features-in-mdt.md
rename to windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
index faeb651733..b7b5b506bc 100644
--- a/windows/deploy/key-features-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
@@ -26,7 +26,7 @@ MDT has many useful features, the most important of which are:
- **GPT support.** Supports deployment to machines that require the new GUID (globally unique identifier) partition table (GPT) format. This is related to UEFI.
- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts.
- 
+ 
Figure 2. The deployment share mounted as a standard PSDrive allows for administration using PowerShell.
@@ -41,7 +41,7 @@ MDT has many useful features, the most important of which are:
- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
- 
+ 
Figure 3. The offline USMT backup in action.
diff --git a/windows/deploy/mdt-2013-lite-touch-components.md b/windows/deployment/deploy-windows-mdt/mdt-2013-lite-touch-components.md
similarity index 100%
rename from windows/deploy/mdt-2013-lite-touch-components.md
rename to windows/deployment/deploy-windows-mdt/mdt-2013-lite-touch-components.md
diff --git a/windows/deploy/mdt-lite-touch-components.md b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
similarity index 99%
rename from windows/deploy/mdt-lite-touch-components.md
rename to windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
index 2b004d7fbb..f4e26d87e0 100644
--- a/windows/deploy/mdt-lite-touch-components.md
+++ b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
@@ -19,7 +19,7 @@ author: mtniehaus
This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc.
When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command.
-
+
Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task.
@@ -36,7 +36,7 @@ The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The r
- Regional settings
You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
+
Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt-2013.md
similarity index 100%
rename from windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
rename to windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt-2013.md
diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
similarity index 97%
rename from windows/deploy/prepare-for-windows-deployment-with-mdt.md
rename to windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index 9274e2a90d..31098f8dce 100644
--- a/windows/deploy/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -70,7 +70,7 @@ If you do not have an organizational unit (OU) structure in your Active Director
5. In the **Contoso / Groups** OU, create the following OU:
- Security Groups
-
+
Figure 6. A sample of how the OU structure will look after all the OUs are created.
@@ -99,7 +99,7 @@ By default MDT stores the log files locally on the client. In order to capture a
icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
```
-
+
Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShell.
@@ -107,11 +107,11 @@ Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShel
The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part [of Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You can use Notepad, but CMTrace formatting makes the logs easier to read.
-
+
Figure 8. An MDT log file opened in Notepad.
-
+
Figure 9. The same log file, opened in CMTrace, is much easier to read.
diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
similarity index 97%
rename from windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
rename to windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index 671ef7c573..b2f30e6e6d 100644
--- a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -20,7 +20,7 @@ This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade
For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
+
Figure 1. The machines used in this topic.
@@ -109,7 +109,7 @@ After adding the additional USMT template and configuring the CustomSettings.ini
* Updates the operating system via your local Windows Server Update Services (WSUS) server.
* Restores user settings and data using USMT.
-
+
Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
similarity index 93%
rename from windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
rename to windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index 28c9c32005..aeae4e9b05 100644
--- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -19,7 +19,7 @@ author: mtniehaus
A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it.
For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, and PC0007. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. PC0002 is an old machine running Windows 7 SP1. It is going to be replaced by a new Windows 10 machine, PC0007. User State Migration Tool (USMT) will be used to backup and restore data and settings. MDT01, PC0002, and PC0007 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
+
Figure 1. The machines used in this topic.
@@ -57,7 +57,7 @@ When preparing for the computer replace, you need to create a folder in which to
3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
- 
+ 
Figure 2. The Backup Only Task Sequence action list.
@@ -91,13 +91,13 @@ During a computer replace, these are the high-level steps that occur:
The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the machine.
- 
+ 
Figure 3. The new task sequence running the Capture User State action on PC0002.
5. On MDT01, verify that you have an USMT.MIG compressed backup file in the **E:\\MigData\\PC0002\\USMT** folder.
- 
+ 
Figure 4. The USMT backup of PC0002.
@@ -113,7 +113,7 @@ During a computer replace, these are the high-level steps that occur:
2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server.
- 
+ 
Figure 5. The initial PXE boot process of PC0005.
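Review bot: Step 2 in this hunk starts the PC0007 virtual machine, but the caption directly under the updated image reads "The initial PXE boot process of PC0005". Either the caption names the wrong machine or the image was reused from the PC0005 walkthrough. Since the image reference is being repointed here, confirm it shows the right machine and correct the caption to match.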
diff --git a/windows/deploy/set-up-mdt-2013-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-2013-for-bitlocker.md
similarity index 100%
rename from windows/deploy/set-up-mdt-2013-for-bitlocker.md
rename to windows/deployment/deploy-windows-mdt/set-up-mdt-2013-for-bitlocker.md
diff --git a/windows/deploy/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
similarity index 98%
rename from windows/deploy/set-up-mdt-for-bitlocker.md
rename to windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 5047b0b791..48879c632c 100644
--- a/windows/deploy/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -38,7 +38,7 @@ Depending on the Active Directory Schema version, you might need to update the S
In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
-
+
Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.
@@ -57,7 +57,7 @@ The BitLocker Drive Encryption Administration Utilities are added as features vi
3. BitLocker Recovery Password Viewer
7. On the **Confirm installation selections** page, click **Install** and then click **Close**.
-
+
Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.
@@ -90,7 +90,7 @@ In addition to the Group Policy created previously, you need to configure permis
cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
```
-
+
Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.
diff --git a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
similarity index 97%
rename from windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md
rename to windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
index ba135d788d..815df1eb56 100644
--- a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md
+++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
@@ -30,7 +30,7 @@ For the purposes of this topic, you already will have either downloaded and inst
8. In the **C:\\MDT** folder, create a subfolder named **X64**.
9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**.
- 
+ 
Figure 6. The C:\\MDT folder with the files added for the simulation environment.
@@ -44,7 +44,7 @@ For the purposes of this topic, you already will have either downloaded and inst
Warnings or errors with regard to the Wizard.hta are expected. If the log file looks okay, you are ready to try a real deployment.
-
+
Figure 7. The ZTIGather.log file from PC0001, displaying some of its hardware capabilities.
diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt-2013.md
similarity index 100%
rename from windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
rename to windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt-2013.md
diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
similarity index 95%
rename from windows/deploy/use-orchestrator-runbooks-with-mdt.md
rename to windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
index ceb7766904..7b7aedc7f7 100644
--- a/windows/deploy/use-orchestrator-runbooks-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
@@ -42,13 +42,13 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
**Note**
Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt.
- 
+ 
Figure 23. The DeployLog.txt file.
3. Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder.
- 
+ 
Figure 24. Folder created in the Runbooks node.
@@ -60,14 +60,14 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
2. Text File Management / Append Line
8. Connect **Initialize Data** to **Append Line**.
- 
+ 
Figure 25. Activities added and connected.
9. Right-click the **Initialize Data** activity, and select **Properties**
10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**.
- 
+ 
Figure 26. The Initialize Data Properties window.
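Review bot: In the context lines of this hunk, step 9 ends without a period ("select **Properties**") and step 10 bolds the article ("On **the Initialize Data Properties** page"). Since the file is being touched anyway, end step 9 with a period and move "the" outside the bold span.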
@@ -76,13 +76,13 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
13. In the **File** encoding drop-down list, select **ASCII**.
14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
- 
+ 
Figure 27. Expanding the Text area.
15. In the blank text box, right-click and select **Subscribe / Published Data**.
- 
+ 
Figure 28. Subscribing to data.
@@ -90,7 +90,7 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**.
- 
+ 
Figure 29. The expanded text box after all subscriptions have been added.
@@ -104,7 +104,7 @@ After the runbook is created, you are ready to test it.
4. Close the **Runbook Tester**.
5. On the ribbon bar, click **Check In**.
-
+
Figure 30. All tests completed.
@@ -128,7 +128,7 @@ Figure 30. All tests completed.
2. Use Browse to select **1.0 MDT / MDT Sample**.
8. Click **OK**.
-
+
Figure 31. The ready-made task sequence.
@@ -152,7 +152,7 @@ Make sure the account you are using has permissions to run runbooks on the Orche
3. Domain: CONTOSO
4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
-
+
Figure 32. The ready-made task sequence.
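Review bot: The caption on the last context line, "Figure 32. The ready-made task sequence.", is identical to the Figure 31 caption in the previous hunk, although it follows the step that verifies DeployLog.txt on OR01. Give Figure 32 its own caption so the two figures can be told apart.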
diff --git a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
similarity index 96%
rename from windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
rename to windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index b2bed4243a..8c3f5e61f8 100644
--- a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -38,7 +38,7 @@ Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXP
3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and click **Next**.
4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and click **Next**. Click **Next** again and then click **Finish**.
-
+
Figure 8. The MDT database added to MDT01.
@@ -49,7 +49,7 @@ After creating the database, you need to assign permissions to it. In MDT, the a
2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and click **Connect**.
3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**.
- 
+ 
Figure 9. The top-level Security node.
@@ -58,7 +58,7 @@ After creating the database, you need to assign permissions to it. In MDT, the a
2. public (default)
5. Click **OK**, and close SQL Server Management Studio.
-
+
Figure 10. Creating the login and settings permissions to the MDT database.
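Review bot: The Figure 10 caption reads "Creating the login and settings permissions to the MDT database", where "settings" looks like a typo for "setting". Worth correcting while the line above it is being changed.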
@@ -71,7 +71,7 @@ To start using the database, you add a computer entry and assign a description a
2. MacAddress: <PC00075 MAC Address in the 00:00:00:00:00:00 format>
3. Details Tab / OSDComputerName: PC00075
-
+
Figure 11. Adding the PC00075 computer to the database.
diff --git a/windows/deploy/use-web-services-in-mdt-2013.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt-2013.md
similarity index 100%
rename from windows/deploy/use-web-services-in-mdt-2013.md
rename to windows/deployment/deploy-windows-mdt/use-web-services-in-mdt-2013.md
diff --git a/windows/deploy/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
similarity index 94%
rename from windows/deploy/use-web-services-in-mdt.md
rename to windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
index a7f2ce0996..73848f2618 100644
--- a/windows/deploy/use-web-services-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
@@ -28,7 +28,7 @@ In these steps we assume you have installed Microsoft Visual Studio Express 2013
1. Web.config
2. mdtsample.asmx
-
+
Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
@@ -44,7 +44,7 @@ This section assumes that you have enabled the Web Server (IIS) role on MDT01.
4. Select the **Start application pool immediately** check box.
5. Click **OK**.
-
+
Figure 16. The new MDTSample application.
@@ -55,7 +55,7 @@ Figure 16. The new MDTSample application.
2. Application pool: MDTSample
3. Physical Path: E:\\MDTSample
- 
+ 
Figure 17. Adding the MDTSample web application.
@@ -63,7 +63,7 @@ Figure 16. The new MDTSample application.
1. Anonymous Authentication: Enabled
2. ASP.NET Impersonation: Disabled
-
+
Figure 18. Configuring Authentication for the MDTSample web service.
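Review bot: Missing documentation in the authentication step: the context lines set "Anonymous Authentication: Enabled" for the MDTSample web service without saying that this is a lab-only setting. Suggest adding a sentence next to these settings stating that the sample service is unauthenticated and should be reachable only from the deployment network, or should use an authenticated configuration outside a lab.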
@@ -72,14 +72,14 @@ Figure 18. Configuring Authentication for the MDTSample web service.
1. On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**.
2. Click the **GetComputerName** link.
- 
+ 
Figure 19. The MDT Sample web service.
3. On the **GetComputerName** page, type in the following settings, and click **Invoke**:
1. Model: Hewlett-Packard
2. SerialNumber: 123456789
-
+
Figure 20. The result from the MDT Sample web service.
@@ -98,7 +98,7 @@ After verifying the web service using Internet Explorer, you are ready to do the
Parameters=Model,SerialNumber
OSDComputerName=string
```
- 
+ 
Figure 21. The updated CustomSettings.ini file.
@@ -110,7 +110,7 @@ After verifying the web service using Internet Explorer, you are ready to do the
```
4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
-
+
Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
diff --git a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
similarity index 85%
rename from windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md
rename to windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 47176515eb..5bc508fcfb 100644
--- a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -19,13 +19,13 @@ author: mtniehaus
Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft System Center 2012 R2 Configuration Manager, and how to distribute the image to a distribution point.
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. For details on building this image, please see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
+For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. For details on building this image, please see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
1. Using File Explorer, in the **E:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
2. Copy the REFW10-X64-001.wim file to the **E:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder.
- 
+ 
Figure 17. The Windows 10 image copied to the Sources folder structure.
@@ -41,14 +41,14 @@ For the purposes of this topic, we will use CM01, a machine running Windows Serv
8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed. You also can review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
- 
+ 
Figure 18. The distributed Windows 10 Enterprise x64 RTM package.
## Related topics
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
@@ -58,19 +58,10 @@ For the purposes of this topic, we will use CM01, a machine running Windows Serv
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
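Review bot: The replacement for the last Related topics link ends the file without a trailing newline ("\ No newline at end of file"). Removing the nine blank lines is fine, but keep a single newline after the final link so later appends produce clean diffs.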
diff --git a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
similarity index 88%
rename from windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
rename to windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index 5be734a75b..26edb53a36 100644
--- a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -19,7 +19,7 @@ author: mtniehaus
In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
## Add drivers for Windows PE
@@ -36,7 +36,7 @@ This section will show you how to import some network and storage drivers for Wi
5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice.
-
+
*Figure 21. Add drivers to Windows PE*
@@ -55,7 +55,7 @@ This section illustrates how to add drivers for Windows 10 through an example in
3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**.
- 
+ 
*Figure 22. Create driver categories*
@@ -74,14 +74,15 @@ This section illustrates how to add drivers for Windows 10 through an example in
>[!NOTE]
>If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
- 
+ 
*Figure 23. Drivers imported and a new driver package created*
## Related topics
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
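Review bot: This hunk adds a blank line after the "Integrate Configuration Manager with MDT" link (the lone `+` line, which grows the hunk from 14 to 15 lines), and the equivalent Related topics hunks in the other renamed files do not. Drop it unless the extra spacing is intended.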
@@ -91,19 +92,10 @@ This section illustrates how to add drivers for Windows 10 through an example in
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
similarity index 91%
rename from windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
rename to windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index acdd78a794..8f39c84fb0 100644
--- a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -19,7 +19,7 @@ author: mtniehaus
In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
## Add DaRT 10 files and prepare to brand the boot image
@@ -56,7 +56,7 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
- 
+ 
Figure 15. Add the DaRT component to the Configuration Manager boot image.
@@ -71,7 +71,7 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
9. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image.
- 
+ 
Figure 16. Content status for the Zero Touch WinPE x64 boot image
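Review bot: Step 9 in the context refers to "**the Zero Touch WinPE x86** boot image" while the Figure 16 caption below it says "Zero Touch WinPE x64 boot image", so one of the two architectures is wrong. Reconcile them in this change, and move "the" out of the bold span.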
@@ -86,7 +86,7 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
## Related topics
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
@@ -96,7 +96,7 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
@@ -106,9 +106,4 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
-
-
-
-
-
-
+
\ No newline at end of file
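Review bot: The final added line shows no text but is flagged "\ No newline at end of file", which means the file now ends in a whitespace-only line. Delete that line and end the file with a single newline after the last real content.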
diff --git a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
similarity index 88%
rename from windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
rename to windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 7bbe55f078..74a433d179 100644
--- a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -19,7 +19,7 @@ author: mtniehaus
Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in System Center 2012 R2 Configuration Manager that you later configure the task sequence to use.
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
>[!NOTE]
>Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
@@ -47,7 +47,7 @@ The following steps show you how to create the Adobe Reader XI application. This
* \\AdbeRdr11000\_en\_US.msi
- 
+ 
*Figure 19. The Create Application Wizard*
@@ -60,7 +60,7 @@ The following steps show you how to create the Adobe Reader XI application. This
>[!NOTE]
>Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
- 
+ 
*Figure 20. Add the "OSD Install" suffix to the application name*
@@ -71,7 +71,7 @@ The following steps show you how to create the Adobe Reader XI application. This
## Related topics
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
@@ -81,7 +81,7 @@ The following steps show you how to create the Adobe Reader XI application. This
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
diff --git a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
similarity index 87%
rename from windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md
rename to windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
index 3994cbff66..f79fad1745 100644
--- a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -19,11 +19,11 @@ author: mtniehaus
In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001.
-For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
1. Start the PC0001 machine. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
- 
+ 
Figure 31. PXE booting PC0001.
@@ -33,14 +33,14 @@ For the purposes of this topic, we will use two additional machines: DC01 and CM
4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
-
+
Figure 32. Typing in the computer name.
## Related topics
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
@@ -52,7 +52,7 @@ Figure 32. Typing in the computer name.
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
similarity index 88%
rename from windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
rename to windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
index 29ef0d6793..cad56a0160 100644
--- a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
@@ -19,16 +19,16 @@ author: mtniehaus
If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT).
-For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
+
Figure 1. The machines used in this topic.
## In this section
-- [Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
+- [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
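Review bot: The rewritten paragraph carries over "PC003" in "DC01, CM01, PC003, and PC0004 are all members", although the machine is named PC0003 earlier in the same paragraph. Fix the name on the `+` line, and capitalize "standard" in "Windows Server 2012 R2 standard" to match the other topics in this patch.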
@@ -40,7 +40,7 @@ Figure 1. The machines used in this topic.
- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-- [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+- [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
@@ -69,7 +69,7 @@ Operating system deployment with Configuration Manager is part of the normal sof
- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
-- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
+- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
@@ -84,13 +84,13 @@ Operating system deployment with Configuration Manager is part of the normal sof
- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-- [Windows deployment tools](windows-deployment-scenarios-and-tools.md)
+- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md)
-- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
+- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
- [Sideload Windows Store apps](http://technet.microsoft.com/library/dn613831.aspx)
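Review bot: The last context line of this hunk links "Sideload Windows Store apps" over plain http (http://technet.microsoft.com/library/dn613831.aspx), while the Microsoft Deployment Toolkit link at the top of the same list uses https://go.microsoft.com. Since this related-topics list is being edited anyway, consider switching the remaining http link to https, after confirming the target resolves, so the page does not send readers over an unencrypted link.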
diff --git a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
similarity index 91%
rename from windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
rename to windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 1cd99cefee..5534680f26 100644
--- a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -19,7 +19,7 @@ author: mtniehaus
This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence.
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
## Enable MDT monitoring
@@ -38,7 +38,7 @@ This section will walk you through the process of creating the E:\\MDTProduction
2. Right-click the **MDT Production** deployment share, and select **Properties**. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**.
- 
+ 
*Figure 26. Enable MDT monitoring for Configuration Manager*
@@ -82,7 +82,7 @@ This section will show you how to configure the rules (the Windows 10 x64 Settin
ApplyGPOPack=NO
```
- 
+ 
*Figure 27. The Settings package, holding the rules and the Unattend.xml template used during deployment*
@@ -119,7 +119,7 @@ This sections provides steps to help you create a deployment for the task sequen
* Make available to the following: Only media and PXE
- 
+ 
*Figure 28. Configure the deployment settings*
@@ -131,14 +131,14 @@ This sections provides steps to help you create a deployment for the task sequen
7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**.
- 
+ 
*Figure 29. The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE*
## Configure Configuration Manager to prompt for the computer name during deployment (optional)
-You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](configure-mdt-settings.md).
+You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names.
@@ -155,14 +155,14 @@ This section provides steps to help you configure the All Unknown Computers coll
>[!NOTE]
>Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
- 
+ 
*Figure 30. Configure a collection variable*
## Related topics
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
@@ -174,7 +174,7 @@ This section provides steps to help you configure the All Unknown Computers coll
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
@@ -182,11 +182,4 @@ This section provides steps to help you configure the All Unknown Computers coll
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
similarity index 89%
rename from windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md
rename to windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
index ecb875e202..1f778d1399 100644
--- a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
@@ -19,7 +19,7 @@ author: mtniehaus
In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature.
-For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
To monitor an operating system deployment conducted through System Center 2012 R2 Configuration Manager, you will use the Deployment Workbench in MDT as follows:
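Review bot: The rewritten paragraph in this hunk says "we will use four machines" but then lists only three (DC01, CM01, and PC0001), and its later sentence "DC01, CM01, and PC0001 are all members of the domain" also names three. The link fix carries the miscount forward unchanged; change "four" to "three" in the added line.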
@@ -28,7 +28,7 @@ To monitor an operating system deployment conducted through System Center 2012 R
>[!NOTE]
>It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again.
- 
+ 
*Figure 33. PC0001 being deployed by Configuration Manager*
@@ -52,7 +52,7 @@ To monitor an operating system deployment conducted through System Center 2012 R
## Related topics
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
@@ -64,7 +64,7 @@ To monitor an operating system deployment conducted through System Center 2012 R
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
similarity index 93%
rename from windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
rename to windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 7e6facd287..5d3fafb49e 100644
--- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -38,7 +38,7 @@ In this topic, you will use an existing Configuration Manager server structure t
- System Center 2012 R2 Configuration Manager SP1 and any additional Windows 10 prerequisites are installed.
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01 and CM01 are both members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01 and CM01 are both members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
## Create the Configuration Manager service accounts
@@ -69,7 +69,7 @@ To configure permissions for the various service accounts needed for operating s
* CM\_NAA: Configuration Manager Network Access Account
-
+
Figure 6. The Configuration Manager service accounts used for operating system deployment.
@@ -147,7 +147,7 @@ To support the packages you create in this section, the following folder structu
- E:\\Sources\\Software\\Microsoft
-
+
Figure 7. The E:\\Sources\\OSD folder structure.
@@ -170,7 +170,7 @@ To extend the Configuration Manager console with MDT wizards and templates, you
* Site code: PS1
-
+
Figure 8. Set up the MDT integration with Configuration Manager.
@@ -185,11 +185,11 @@ Most organizations want to display their name during deployment. In this section
3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and click **OK**.
-
+
Figure 9. Configure the organization name in client settings.
-
+
Figure 10. The Contoso organization name displayed during deployment.
@@ -204,7 +204,7 @@ Configuration Manager uses the Network Access account during the Windows 10 depl
3. In the **Network Access Account** tab, configure the **CONTOSO\\CM\_NAA** user account (select New Account) as the Network Access account. Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share.
-
+
Figure 11. Test the connection for the Network Access account.
@@ -229,26 +229,26 @@ Configuration Manager has many options for starting a deployment, but starting v
* Password and Confirm password: Passw0rd!
- 
+ 
Figure 12. Configure the CM01 distribution point for PXE.
4. Using the Configuration Manager Trace Log Tool, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
- 
+ 
Figure 13. The distmgr.log displays a successful configuration of PXE on the distribution point.
5. Verify that you have seven files in each of the folders **E:\\RemoteInstall\\SMSBoot\\x86** and **E:\\RemoteInstall\\SMSBoot\\x64**.
- 
+ 
Figure 14. The contents of the E:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE.
## Related topics
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
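Review bot: The context line at the top of this hunk, "Password and Confirm password: Passw0rd!", publishes a literal password in the steps that configure the CM01 distribution point for PXE, and sample values in a procedure tend to be copied as-is. While this file is being touched, consider replacing the value with a placeholder or adding a sentence telling readers to set their own strong password here.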
@@ -258,7 +258,7 @@ Configuration Manager has many options for starting a deployment, but starting v
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
diff --git a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
similarity index 92%
rename from windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
rename to windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 9e7878aea9..f8e6e98777 100644
--- a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -17,7 +17,7 @@ author: mtniehaus
- Windows 10
-This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md).
+This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
A computer refresh with System Center 2012 R2 Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps:
@@ -31,7 +31,7 @@ A computer refresh with System Center 2012 R2 Configuration Manager works the sa
5. Data and settings are restored.
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with the Configuration Manager client installed.
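Review bot: The added paragraph in this hunk introduces the client as PC0003 but then reads "DC01, CM01, and PC003 are all members of the domain contoso.com". The typo exists on the removed line too, so the link change just carries it over. Fix it to PC0003 in the added line so it matches the sentence that follows ("a Windows 7 SP1 client named PC0003").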
@@ -120,7 +120,7 @@ Now you can start the computer refresh on PC0003.
## Related topics
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
@@ -132,17 +132,8 @@ Now you can start the computer refresh on PC0003.
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
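Review bot: The last added line of this hunk (the "Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager" link) is followed by "\ No newline at end of file". Removing the trailing blank lines is fine, but the file should still end with a single newline so later appends and diffs against this line stay clean.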
diff --git a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
similarity index 93%
rename from windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
rename to windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 18d714b7ee..a30798b35b 100644
--- a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -19,9 +19,9 @@ author: mtniehaus
In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10.
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
+In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
## Create a replace task sequence
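Review bot: The first context line of this hunk reads "you will learn how to replacing a Windows 7 SP1 computer", which is ungrammatical. The two paragraphs right below it are being edited for link paths, so this would be a good place to also change it to "how to replace a Windows 7 SP1 computer".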
@@ -52,7 +52,7 @@ In this topic, you will create a backup-only task sequence that you run on PC000
>[!NOTE]
>This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
-
+
Figure 34. The backup-only task sequence (named Replace Task Sequence).
@@ -75,7 +75,7 @@ This section walks you through the process of associating a blank machine, PC000
* Source Computer: PC0004
- 
+ 
Figure 35. Creating the computer association between PC0004 and PC0006.
@@ -204,7 +204,7 @@ When the process is complete, you will have a new Windows 10 machine in your dom
## Related topics
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
@@ -216,7 +216,7 @@ When the process is complete, you will have a new Windows 10 machine in your dom
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
diff --git a/windows/deploy/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md
similarity index 98%
rename from windows/deploy/deploy-windows-to-go.md
rename to windows/deployment/deploy-windows-to-go.md
index 4b8717343e..9cc9bc4c12 100644
--- a/windows/deploy/deploy-windows-to-go.md
+++ b/windows/deployment/deploy-windows-to-go.md
@@ -17,7 +17,7 @@ author: mtniehaus
- Windows 10
-This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment.
+This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment.
>[!NOTE]
>This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see [Using Cmdlets](http://go.microsoft.com/fwlink/p/?linkid=230693).
@@ -26,7 +26,7 @@ This topic helps you to deploy Windows To Go in your organization. Before you be
The following is a list of items that you should be aware of before you start the deployment process:
-* Only use recommended USB drives for Windows To Go. Use of other drives is not supported. Check the list at [Windows To Go: feature overview](../plan/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives.
+* Only use recommended USB drives for Windows To Go. Use of other drives is not supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives.
* After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted.
@@ -978,15 +978,15 @@ In the PowerShell provisioning script, after the image has been applied, you can
## Related topics
-[Windows To Go: feature overview](../plan/windows-to-go-overview.md)
+[Windows To Go: feature overview](planning/windows-to-go-overview.md)
[Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949)
-[Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md)
+[Prepare your organization for Windows To Go](planning//prepare-your-organization-for-windows-to-go.md)
-[Deployment considerations for Windows To Go](../plan/deployment-considerations-for-windows-to-go.md)
+[Deployment considerations for Windows To Go](planning//deployment-considerations-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](../plan/security-and-data-protection-considerations-for-windows-to-go.md)
+[Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md)
[BitLocker overview](https://go.microsoft.com/fwlink/p/?LinkId=619173)
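Review bot: Two of the retargeted links in this hunk contain a doubled slash: "planning//prepare-your-organization-for-windows-to-go.md" and "planning//deployment-considerations-for-windows-to-go.md". The other two links in the same list, and the same targets in the earlier hunks of this file, use "planning/" with a single slash. Normalize both to a single slash so the paths resolve the same way everywhere and do not depend on how the build handles empty path segments.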
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
new file mode 100644
index 0000000000..652028bf85
--- /dev/null
+++ b/windows/deployment/docfx.json
@@ -0,0 +1,41 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg",
+ "**/*.gif"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ },
+ "fileMetadata": {},
+ "template": [],
+ "dest": "win-development"
+ }
+}
\ No newline at end of file
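Review bot: In the new windows/deployment/docfx.json, the output folder is set with "dest": "win-development", which does not match the docset directory (deployment) and looks like it may have been copied from another docset's configuration. Please confirm the value is intended, since a wrong dest would publish this content under another docset's output path. The file also ends without a trailing newline.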
diff --git a/windows/deploy/images/ICD.png b/windows/deployment/images/ICD.png
similarity index 100%
rename from windows/deploy/images/ICD.png
rename to windows/deployment/images/ICD.png
diff --git a/windows/deploy/images/ICDstart-option.PNG b/windows/deployment/images/ICDstart-option.PNG
similarity index 100%
rename from windows/deploy/images/ICDstart-option.PNG
rename to windows/deployment/images/ICDstart-option.PNG
diff --git a/windows/deploy/images/ISE.PNG b/windows/deployment/images/ISE.PNG
similarity index 100%
rename from windows/deploy/images/ISE.PNG
rename to windows/deployment/images/ISE.PNG
diff --git a/windows/deploy/images/PoC-big.png b/windows/deployment/images/PoC-big.png
similarity index 100%
rename from windows/deploy/images/PoC-big.png
rename to windows/deployment/images/PoC-big.png
diff --git a/windows/deploy/images/PoC.png b/windows/deployment/images/PoC.png
similarity index 100%
rename from windows/deploy/images/PoC.png
rename to windows/deployment/images/PoC.png
diff --git a/windows/deployment/images/UR-lift-report.jpg b/windows/deployment/images/UR-lift-report.jpg
new file mode 100644
index 0000000000..f76ce5f481
Binary files /dev/null and b/windows/deployment/images/UR-lift-report.jpg differ
diff --git a/windows/deploy/images/adk-install.png b/windows/deployment/images/adk-install.png
similarity index 100%
rename from windows/deploy/images/adk-install.png
rename to windows/deployment/images/adk-install.png
diff --git a/windows/deploy/images/azureadjoined.png b/windows/deployment/images/azureadjoined.png
similarity index 100%
rename from windows/deploy/images/azureadjoined.png
rename to windows/deployment/images/azureadjoined.png
diff --git a/windows/deploy/images/check_blu.png b/windows/deployment/images/check_blu.png
similarity index 100%
rename from windows/deploy/images/check_blu.png
rename to windows/deployment/images/check_blu.png
diff --git a/windows/deploy/images/check_grn.png b/windows/deployment/images/check_grn.png
similarity index 100%
rename from windows/deploy/images/check_grn.png
rename to windows/deployment/images/check_grn.png
diff --git a/windows/manage/images/checkmark.png b/windows/deployment/images/checkmark.png
similarity index 100%
rename from windows/manage/images/checkmark.png
rename to windows/deployment/images/checkmark.png
diff --git a/windows/deploy/images/choose-package.png b/windows/deployment/images/choose-package.png
similarity index 100%
rename from windows/deploy/images/choose-package.png
rename to windows/deployment/images/choose-package.png
diff --git a/windows/deploy/images/connect-aad.png b/windows/deployment/images/connect-aad.png
similarity index 100%
rename from windows/deploy/images/connect-aad.png
rename to windows/deployment/images/connect-aad.png
diff --git a/windows/deploy/images/convert.png b/windows/deployment/images/convert.png
similarity index 100%
rename from windows/deploy/images/convert.png
rename to windows/deployment/images/convert.png
diff --git a/windows/manage/images/crossmark.png b/windows/deployment/images/crossmark.png
similarity index 100%
rename from windows/manage/images/crossmark.png
rename to windows/deployment/images/crossmark.png
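Review bot: checkmark.png and crossmark.png are recorded as renames out of windows/manage/images, not copies, so the originals no longer exist at the old path; five.png and four.png leave windows/configure/images the same way further down. Verify that no page remaining under windows/manage or windows/configure still links to these images by relative path, or keep a copy in the source folders.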
diff --git a/windows/deploy/images/deploy-finish.PNG b/windows/deployment/images/deploy-finish.PNG
similarity index 100%
rename from windows/deploy/images/deploy-finish.PNG
rename to windows/deployment/images/deploy-finish.PNG
diff --git a/windows/deploy/images/disk2vhd-convert.PNG b/windows/deployment/images/disk2vhd-convert.PNG
similarity index 100%
rename from windows/deploy/images/disk2vhd-convert.PNG
rename to windows/deployment/images/disk2vhd-convert.PNG
diff --git a/windows/deploy/images/disk2vhd-gen2.PNG b/windows/deployment/images/disk2vhd-gen2.PNG
similarity index 100%
rename from windows/deploy/images/disk2vhd-gen2.PNG
rename to windows/deployment/images/disk2vhd-gen2.PNG
diff --git a/windows/deploy/images/disk2vhd.PNG b/windows/deployment/images/disk2vhd.PNG
similarity index 100%
rename from windows/deploy/images/disk2vhd.PNG
rename to windows/deployment/images/disk2vhd.PNG
diff --git a/windows/deploy/images/disk2vhd4.PNG b/windows/deployment/images/disk2vhd4.PNG
similarity index 100%
rename from windows/deploy/images/disk2vhd4.PNG
rename to windows/deployment/images/disk2vhd4.PNG
diff --git a/windows/deploy/images/download_vhd.png b/windows/deployment/images/download_vhd.png
similarity index 100%
rename from windows/deploy/images/download_vhd.png
rename to windows/deployment/images/download_vhd.png
diff --git a/windows/deploy/images/e3-activated.png b/windows/deployment/images/e3-activated.png
similarity index 100%
rename from windows/deploy/images/e3-activated.png
rename to windows/deployment/images/e3-activated.png
diff --git a/windows/deploy/images/enterprise-e3-ad-connect.png b/windows/deployment/images/enterprise-e3-ad-connect.png
similarity index 100%
rename from windows/deploy/images/enterprise-e3-ad-connect.png
rename to windows/deployment/images/enterprise-e3-ad-connect.png
diff --git a/windows/deploy/images/enterprise-e3-choose-how.png b/windows/deployment/images/enterprise-e3-choose-how.png
similarity index 100%
rename from windows/deploy/images/enterprise-e3-choose-how.png
rename to windows/deployment/images/enterprise-e3-choose-how.png
diff --git a/windows/deploy/images/enterprise-e3-connect-to-work-or-school.png b/windows/deployment/images/enterprise-e3-connect-to-work-or-school.png
similarity index 100%
rename from windows/deploy/images/enterprise-e3-connect-to-work-or-school.png
rename to windows/deployment/images/enterprise-e3-connect-to-work-or-school.png
diff --git a/windows/deploy/images/enterprise-e3-lets-get-2.png b/windows/deployment/images/enterprise-e3-lets-get-2.png
similarity index 100%
rename from windows/deploy/images/enterprise-e3-lets-get-2.png
rename to windows/deployment/images/enterprise-e3-lets-get-2.png
diff --git a/windows/deploy/images/enterprise-e3-lets-get.png b/windows/deployment/images/enterprise-e3-lets-get.png
similarity index 100%
rename from windows/deploy/images/enterprise-e3-lets-get.png
rename to windows/deployment/images/enterprise-e3-lets-get.png
diff --git a/windows/deploy/images/enterprise-e3-set-up-work-or-school.png b/windows/deployment/images/enterprise-e3-set-up-work-or-school.png
similarity index 100%
rename from windows/deploy/images/enterprise-e3-set-up-work-or-school.png
rename to windows/deployment/images/enterprise-e3-set-up-work-or-school.png
diff --git a/windows/deploy/images/enterprise-e3-sign-in.png b/windows/deployment/images/enterprise-e3-sign-in.png
similarity index 100%
rename from windows/deploy/images/enterprise-e3-sign-in.png
rename to windows/deployment/images/enterprise-e3-sign-in.png
diff --git a/windows/deploy/images/enterprise-e3-who-owns.png b/windows/deployment/images/enterprise-e3-who-owns.png
similarity index 100%
rename from windows/deploy/images/enterprise-e3-who-owns.png
rename to windows/deployment/images/enterprise-e3-who-owns.png
diff --git a/windows/deploy/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png b/windows/deployment/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png
similarity index 100%
rename from windows/deploy/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png
rename to windows/deployment/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png
diff --git a/windows/deploy/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png b/windows/deployment/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png
similarity index 100%
rename from windows/deploy/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png
rename to windows/deployment/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png
diff --git a/windows/deploy/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png b/windows/deployment/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png
similarity index 100%
rename from windows/deploy/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png
rename to windows/deployment/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png
diff --git a/windows/deploy/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png b/windows/deployment/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png
similarity index 100%
rename from windows/deploy/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png
rename to windows/deployment/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png
diff --git a/windows/deploy/images/express-settings.png b/windows/deployment/images/express-settings.png
similarity index 100%
rename from windows/deploy/images/express-settings.png
rename to windows/deployment/images/express-settings.png
diff --git a/windows/deploy/images/fig10-contosoinstall.png b/windows/deployment/images/fig10-contosoinstall.png
similarity index 100%
rename from windows/deploy/images/fig10-contosoinstall.png
rename to windows/deployment/images/fig10-contosoinstall.png
diff --git a/windows/deploy/images/fig10-unattend.png b/windows/deployment/images/fig10-unattend.png
similarity index 100%
rename from windows/deploy/images/fig10-unattend.png
rename to windows/deployment/images/fig10-unattend.png
diff --git a/windows/deploy/images/fig13-captureimage.png b/windows/deployment/images/fig13-captureimage.png
similarity index 100%
rename from windows/deploy/images/fig13-captureimage.png
rename to windows/deployment/images/fig13-captureimage.png
diff --git a/windows/deploy/images/fig16-contentstatus.png b/windows/deployment/images/fig16-contentstatus.png
similarity index 100%
rename from windows/deploy/images/fig16-contentstatus.png
rename to windows/deployment/images/fig16-contentstatus.png
diff --git a/windows/deploy/images/fig17-win10image.png b/windows/deployment/images/fig17-win10image.png
similarity index 100%
rename from windows/deploy/images/fig17-win10image.png
rename to windows/deployment/images/fig17-win10image.png
diff --git a/windows/deploy/images/fig18-distwindows.png b/windows/deployment/images/fig18-distwindows.png
similarity index 100%
rename from windows/deploy/images/fig18-distwindows.png
rename to windows/deployment/images/fig18-distwindows.png
diff --git a/windows/deploy/images/fig2-gather.png b/windows/deployment/images/fig2-gather.png
similarity index 100%
rename from windows/deploy/images/fig2-gather.png
rename to windows/deployment/images/fig2-gather.png
diff --git a/windows/deploy/images/fig2-importedos.png b/windows/deployment/images/fig2-importedos.png
similarity index 100%
rename from windows/deploy/images/fig2-importedos.png
rename to windows/deployment/images/fig2-importedos.png
diff --git a/windows/deploy/images/fig2-taskseq.png b/windows/deployment/images/fig2-taskseq.png
similarity index 100%
rename from windows/deploy/images/fig2-taskseq.png
rename to windows/deployment/images/fig2-taskseq.png
diff --git a/windows/deploy/images/fig21-add-drivers.png b/windows/deployment/images/fig21-add-drivers.png
similarity index 100%
rename from windows/deploy/images/fig21-add-drivers.png
rename to windows/deployment/images/fig21-add-drivers.png
diff --git a/windows/deploy/images/fig22-createcategories.png b/windows/deployment/images/fig22-createcategories.png
similarity index 100%
rename from windows/deploy/images/fig22-createcategories.png
rename to windows/deployment/images/fig22-createcategories.png
diff --git a/windows/deploy/images/fig27-driverpackage.png b/windows/deployment/images/fig27-driverpackage.png
similarity index 100%
rename from windows/deploy/images/fig27-driverpackage.png
rename to windows/deployment/images/fig27-driverpackage.png
diff --git a/windows/deploy/images/fig28-addapp.png b/windows/deployment/images/fig28-addapp.png
similarity index 100%
rename from windows/deploy/images/fig28-addapp.png
rename to windows/deployment/images/fig28-addapp.png
diff --git a/windows/deploy/images/fig30-settingspack.png b/windows/deployment/images/fig30-settingspack.png
similarity index 100%
rename from windows/deploy/images/fig30-settingspack.png
rename to windows/deployment/images/fig30-settingspack.png
diff --git a/windows/deploy/images/fig32-deploywiz.png b/windows/deployment/images/fig32-deploywiz.png
similarity index 100%
rename from windows/deploy/images/fig32-deploywiz.png
rename to windows/deployment/images/fig32-deploywiz.png
diff --git a/windows/deploy/images/fig4-oob-drivers.png b/windows/deployment/images/fig4-oob-drivers.png
similarity index 100%
rename from windows/deploy/images/fig4-oob-drivers.png
rename to windows/deployment/images/fig4-oob-drivers.png
diff --git a/windows/deploy/images/fig5-selectprofile.png b/windows/deployment/images/fig5-selectprofile.png
similarity index 100%
rename from windows/deploy/images/fig5-selectprofile.png
rename to windows/deployment/images/fig5-selectprofile.png
diff --git a/windows/deploy/images/fig6-taskseq.png b/windows/deployment/images/fig6-taskseq.png
similarity index 100%
rename from windows/deploy/images/fig6-taskseq.png
rename to windows/deployment/images/fig6-taskseq.png
diff --git a/windows/deploy/images/fig8-cust-tasks.png b/windows/deployment/images/fig8-cust-tasks.png
similarity index 100%
rename from windows/deploy/images/fig8-cust-tasks.png
rename to windows/deployment/images/fig8-cust-tasks.png
diff --git a/windows/deploy/images/fig8-suspend.png b/windows/deployment/images/fig8-suspend.png
similarity index 100%
rename from windows/deploy/images/fig8-suspend.png
rename to windows/deployment/images/fig8-suspend.png
diff --git a/windows/deploy/images/fig9-resumetaskseq.png b/windows/deployment/images/fig9-resumetaskseq.png
similarity index 100%
rename from windows/deploy/images/fig9-resumetaskseq.png
rename to windows/deployment/images/fig9-resumetaskseq.png
diff --git a/windows/deploy/images/figure4-deployment-workbench.png b/windows/deployment/images/figure4-deployment-workbench.png
similarity index 100%
rename from windows/deploy/images/figure4-deployment-workbench.png
rename to windows/deployment/images/figure4-deployment-workbench.png
diff --git a/windows/configure/images/five.png b/windows/deployment/images/five.png
similarity index 100%
rename from windows/configure/images/five.png
rename to windows/deployment/images/five.png
diff --git a/windows/configure/images/four.png b/windows/deployment/images/four.png
similarity index 100%
rename from windows/configure/images/four.png
rename to windows/deployment/images/four.png
diff --git a/windows/deploy/images/hyper-v-feature.png b/windows/deployment/images/hyper-v-feature.png
similarity index 100%
rename from windows/deploy/images/hyper-v-feature.png
rename to windows/deployment/images/hyper-v-feature.png
diff --git a/windows/deploy/images/icd-create-options-1703.PNG b/windows/deployment/images/icd-create-options-1703.PNG
similarity index 100%
rename from windows/deploy/images/icd-create-options-1703.PNG
rename to windows/deployment/images/icd-create-options-1703.PNG
diff --git a/windows/deploy/images/icd-create-options.PNG b/windows/deployment/images/icd-create-options.PNG
similarity index 100%
rename from windows/deploy/images/icd-create-options.PNG
rename to windows/deployment/images/icd-create-options.PNG
diff --git a/windows/deploy/images/icd-export-menu.png b/windows/deployment/images/icd-export-menu.png
similarity index 100%
rename from windows/deploy/images/icd-export-menu.png
rename to windows/deployment/images/icd-export-menu.png
diff --git a/windows/deploy/images/icd-install.PNG b/windows/deployment/images/icd-install.PNG
similarity index 100%
rename from windows/deploy/images/icd-install.PNG
rename to windows/deployment/images/icd-install.PNG
diff --git a/windows/deploy/images/icd-multi-target-true.png b/windows/deployment/images/icd-multi-target-true.png
similarity index 100%
rename from windows/deploy/images/icd-multi-target-true.png
rename to windows/deployment/images/icd-multi-target-true.png
diff --git a/windows/deploy/images/icd-multi-targetstate-true.png b/windows/deployment/images/icd-multi-targetstate-true.png
similarity index 100%
rename from windows/deploy/images/icd-multi-targetstate-true.png
rename to windows/deployment/images/icd-multi-targetstate-true.png
diff --git a/windows/deploy/images/icd-runtime.PNG b/windows/deployment/images/icd-runtime.PNG
similarity index 100%
rename from windows/deploy/images/icd-runtime.PNG
rename to windows/deployment/images/icd-runtime.PNG
diff --git a/windows/deploy/images/icd-script1.png b/windows/deployment/images/icd-script1.png
similarity index 100%
rename from windows/deploy/images/icd-script1.png
rename to windows/deployment/images/icd-script1.png
diff --git a/windows/deploy/images/icd-script2.png b/windows/deployment/images/icd-script2.png
similarity index 100%
rename from windows/deploy/images/icd-script2.png
rename to windows/deployment/images/icd-script2.png
diff --git a/windows/deploy/images/icd-setting-help.PNG b/windows/deployment/images/icd-setting-help.PNG
similarity index 100%
rename from windows/deploy/images/icd-setting-help.PNG
rename to windows/deployment/images/icd-setting-help.PNG
diff --git a/windows/deploy/images/icd-settings.PNG b/windows/deployment/images/icd-settings.PNG
similarity index 100%
rename from windows/deploy/images/icd-settings.PNG
rename to windows/deployment/images/icd-settings.PNG
diff --git a/windows/deploy/images/icd-simple-edit.png b/windows/deployment/images/icd-simple-edit.png
similarity index 100%
rename from windows/deploy/images/icd-simple-edit.png
rename to windows/deployment/images/icd-simple-edit.png
diff --git a/windows/deploy/images/icd-simple.PNG b/windows/deployment/images/icd-simple.PNG
similarity index 100%
rename from windows/deploy/images/icd-simple.PNG
rename to windows/deployment/images/icd-simple.PNG
diff --git a/windows/deploy/images/icd-step1.PNG b/windows/deployment/images/icd-step1.PNG
similarity index 100%
rename from windows/deploy/images/icd-step1.PNG
rename to windows/deployment/images/icd-step1.PNG
diff --git a/windows/deploy/images/icd-step2.PNG b/windows/deployment/images/icd-step2.PNG
similarity index 100%
rename from windows/deploy/images/icd-step2.PNG
rename to windows/deployment/images/icd-step2.PNG
diff --git a/windows/deploy/images/icd-step3.PNG b/windows/deployment/images/icd-step3.PNG
similarity index 100%
rename from windows/deploy/images/icd-step3.PNG
rename to windows/deployment/images/icd-step3.PNG
diff --git a/windows/deploy/images/icd-step4.PNG b/windows/deployment/images/icd-step4.PNG
similarity index 100%
rename from windows/deploy/images/icd-step4.PNG
rename to windows/deployment/images/icd-step4.PNG
diff --git a/windows/deploy/images/icd-step5.PNG b/windows/deployment/images/icd-step5.PNG
similarity index 100%
rename from windows/deploy/images/icd-step5.PNG
rename to windows/deployment/images/icd-step5.PNG
diff --git a/windows/deploy/images/icd-switch.PNG b/windows/deployment/images/icd-switch.PNG
similarity index 100%
rename from windows/deploy/images/icd-switch.PNG
rename to windows/deployment/images/icd-switch.PNG
diff --git a/windows/deploy/images/image.PNG b/windows/deployment/images/image.PNG
similarity index 100%
rename from windows/deploy/images/image.PNG
rename to windows/deployment/images/image.PNG
diff --git a/windows/deploy/images/installing-drivers.png b/windows/deployment/images/installing-drivers.png
similarity index 100%
rename from windows/deploy/images/installing-drivers.png
rename to windows/deployment/images/installing-drivers.png
diff --git a/windows/deploy/images/license-terms.png b/windows/deployment/images/license-terms.png
similarity index 100%
rename from windows/deploy/images/license-terms.png
rename to windows/deployment/images/license-terms.png
diff --git a/windows/deploy/images/mbr2gpt-volume.PNG b/windows/deployment/images/mbr2gpt-volume.PNG
similarity index 100%
rename from windows/deploy/images/mbr2gpt-volume.PNG
rename to windows/deployment/images/mbr2gpt-volume.PNG
diff --git a/windows/deploy/images/mbr2gpt-workflow.png b/windows/deployment/images/mbr2gpt-workflow.png
similarity index 100%
rename from windows/deploy/images/mbr2gpt-workflow.png
rename to windows/deployment/images/mbr2gpt-workflow.png
diff --git a/windows/deploy/images/mdt-01-fig01.png b/windows/deployment/images/mdt-01-fig01.png
similarity index 100%
rename from windows/deploy/images/mdt-01-fig01.png
rename to windows/deployment/images/mdt-01-fig01.png
diff --git a/windows/deploy/images/mdt-01-fig02.jpg b/windows/deployment/images/mdt-01-fig02.jpg
similarity index 100%
rename from windows/deploy/images/mdt-01-fig02.jpg
rename to windows/deployment/images/mdt-01-fig02.jpg
diff --git a/windows/deploy/images/mdt-03-fig01.png b/windows/deployment/images/mdt-03-fig01.png
similarity index 100%
rename from windows/deploy/images/mdt-03-fig01.png
rename to windows/deployment/images/mdt-03-fig01.png
diff --git a/windows/deploy/images/mdt-03-fig02.png b/windows/deployment/images/mdt-03-fig02.png
similarity index 100%
rename from windows/deploy/images/mdt-03-fig02.png
rename to windows/deployment/images/mdt-03-fig02.png
diff --git a/windows/deploy/images/mdt-03-fig03.png b/windows/deployment/images/mdt-03-fig03.png
similarity index 100%
rename from windows/deploy/images/mdt-03-fig03.png
rename to windows/deployment/images/mdt-03-fig03.png
diff --git a/windows/deploy/images/mdt-03-fig04.png b/windows/deployment/images/mdt-03-fig04.png
similarity index 100%
rename from windows/deploy/images/mdt-03-fig04.png
rename to windows/deployment/images/mdt-03-fig04.png
diff --git a/windows/deploy/images/mdt-03-fig05.png b/windows/deployment/images/mdt-03-fig05.png
similarity index 100%
rename from windows/deploy/images/mdt-03-fig05.png
rename to windows/deployment/images/mdt-03-fig05.png
diff --git a/windows/deploy/images/mdt-04-fig01.png b/windows/deployment/images/mdt-04-fig01.png
similarity index 100%
rename from windows/deploy/images/mdt-04-fig01.png
rename to windows/deployment/images/mdt-04-fig01.png
diff --git a/windows/deploy/images/mdt-05-fig01.png b/windows/deployment/images/mdt-05-fig01.png
similarity index 100%
rename from windows/deploy/images/mdt-05-fig01.png
rename to windows/deployment/images/mdt-05-fig01.png
diff --git a/windows/deploy/images/mdt-05-fig02.png b/windows/deployment/images/mdt-05-fig02.png
similarity index 100%
rename from windows/deploy/images/mdt-05-fig02.png
rename to windows/deployment/images/mdt-05-fig02.png
diff --git a/windows/deploy/images/mdt-05-fig03.png b/windows/deployment/images/mdt-05-fig03.png
similarity index 100%
rename from windows/deploy/images/mdt-05-fig03.png
rename to windows/deployment/images/mdt-05-fig03.png
diff --git a/windows/deploy/images/mdt-05-fig04.png b/windows/deployment/images/mdt-05-fig04.png
similarity index 100%
rename from windows/deploy/images/mdt-05-fig04.png
rename to windows/deployment/images/mdt-05-fig04.png
diff --git a/windows/deploy/images/mdt-05-fig05.png b/windows/deployment/images/mdt-05-fig05.png
similarity index 100%
rename from windows/deploy/images/mdt-05-fig05.png
rename to windows/deployment/images/mdt-05-fig05.png
diff --git a/windows/deploy/images/mdt-05-fig07.png b/windows/deployment/images/mdt-05-fig07.png
similarity index 100%
rename from windows/deploy/images/mdt-05-fig07.png
rename to windows/deployment/images/mdt-05-fig07.png
diff --git a/windows/deploy/images/mdt-05-fig08.png b/windows/deployment/images/mdt-05-fig08.png
similarity index 100%
rename from windows/deploy/images/mdt-05-fig08.png
rename to windows/deployment/images/mdt-05-fig08.png
diff --git a/windows/deploy/images/mdt-05-fig09.png b/windows/deployment/images/mdt-05-fig09.png
similarity index 100%
rename from windows/deploy/images/mdt-05-fig09.png
rename to windows/deployment/images/mdt-05-fig09.png
diff --git a/windows/deploy/images/mdt-05-fig10.png b/windows/deployment/images/mdt-05-fig10.png
similarity index 100%
rename from windows/deploy/images/mdt-05-fig10.png
rename to windows/deployment/images/mdt-05-fig10.png
diff --git a/windows/deploy/images/mdt-06-fig01.png b/windows/deployment/images/mdt-06-fig01.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig01.png
rename to windows/deployment/images/mdt-06-fig01.png
diff --git a/windows/deploy/images/mdt-06-fig03.png b/windows/deployment/images/mdt-06-fig03.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig03.png
rename to windows/deployment/images/mdt-06-fig03.png
diff --git a/windows/deploy/images/mdt-06-fig04.png b/windows/deployment/images/mdt-06-fig04.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig04.png
rename to windows/deployment/images/mdt-06-fig04.png
diff --git a/windows/deploy/images/mdt-06-fig05.png b/windows/deployment/images/mdt-06-fig05.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig05.png
rename to windows/deployment/images/mdt-06-fig05.png
diff --git a/windows/deploy/images/mdt-06-fig06.png b/windows/deployment/images/mdt-06-fig06.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig06.png
rename to windows/deployment/images/mdt-06-fig06.png
diff --git a/windows/deploy/images/mdt-06-fig07.png b/windows/deployment/images/mdt-06-fig07.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig07.png
rename to windows/deployment/images/mdt-06-fig07.png
diff --git a/windows/deploy/images/mdt-06-fig08.png b/windows/deployment/images/mdt-06-fig08.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig08.png
rename to windows/deployment/images/mdt-06-fig08.png
diff --git a/windows/deploy/images/mdt-06-fig10.png b/windows/deployment/images/mdt-06-fig10.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig10.png
rename to windows/deployment/images/mdt-06-fig10.png
diff --git a/windows/deploy/images/mdt-06-fig12.png b/windows/deployment/images/mdt-06-fig12.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig12.png
rename to windows/deployment/images/mdt-06-fig12.png
diff --git a/windows/deploy/images/mdt-06-fig13.png b/windows/deployment/images/mdt-06-fig13.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig13.png
rename to windows/deployment/images/mdt-06-fig13.png
diff --git a/windows/deploy/images/mdt-06-fig14.png b/windows/deployment/images/mdt-06-fig14.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig14.png
rename to windows/deployment/images/mdt-06-fig14.png
diff --git a/windows/deploy/images/mdt-06-fig15.png b/windows/deployment/images/mdt-06-fig15.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig15.png
rename to windows/deployment/images/mdt-06-fig15.png
diff --git a/windows/deploy/images/mdt-06-fig16.png b/windows/deployment/images/mdt-06-fig16.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig16.png
rename to windows/deployment/images/mdt-06-fig16.png
diff --git a/windows/deploy/images/mdt-06-fig20.png b/windows/deployment/images/mdt-06-fig20.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig20.png
rename to windows/deployment/images/mdt-06-fig20.png
diff --git a/windows/deploy/images/mdt-06-fig21.png b/windows/deployment/images/mdt-06-fig21.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig21.png
rename to windows/deployment/images/mdt-06-fig21.png
diff --git a/windows/deploy/images/mdt-06-fig26.png b/windows/deployment/images/mdt-06-fig26.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig26.png
rename to windows/deployment/images/mdt-06-fig26.png
diff --git a/windows/deploy/images/mdt-06-fig31.png b/windows/deployment/images/mdt-06-fig31.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig31.png
rename to windows/deployment/images/mdt-06-fig31.png
diff --git a/windows/deploy/images/mdt-06-fig33.png b/windows/deployment/images/mdt-06-fig33.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig33.png
rename to windows/deployment/images/mdt-06-fig33.png
diff --git a/windows/deploy/images/mdt-06-fig35.png b/windows/deployment/images/mdt-06-fig35.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig35.png
rename to windows/deployment/images/mdt-06-fig35.png
diff --git a/windows/deploy/images/mdt-06-fig36.png b/windows/deployment/images/mdt-06-fig36.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig36.png
rename to windows/deployment/images/mdt-06-fig36.png
diff --git a/windows/deploy/images/mdt-06-fig37.png b/windows/deployment/images/mdt-06-fig37.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig37.png
rename to windows/deployment/images/mdt-06-fig37.png
diff --git a/windows/deploy/images/mdt-06-fig39.png b/windows/deployment/images/mdt-06-fig39.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig39.png
rename to windows/deployment/images/mdt-06-fig39.png
diff --git a/windows/deploy/images/mdt-06-fig42.png b/windows/deployment/images/mdt-06-fig42.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig42.png
rename to windows/deployment/images/mdt-06-fig42.png
diff --git a/windows/deploy/images/mdt-06-fig43.png b/windows/deployment/images/mdt-06-fig43.png
similarity index 100%
rename from windows/deploy/images/mdt-06-fig43.png
rename to windows/deployment/images/mdt-06-fig43.png
diff --git a/windows/deploy/images/mdt-07-fig01.png b/windows/deployment/images/mdt-07-fig01.png
similarity index 100%
rename from windows/deploy/images/mdt-07-fig01.png
rename to windows/deployment/images/mdt-07-fig01.png
diff --git a/windows/deploy/images/mdt-07-fig03.png b/windows/deployment/images/mdt-07-fig03.png
similarity index 100%
rename from windows/deploy/images/mdt-07-fig03.png
rename to windows/deployment/images/mdt-07-fig03.png
diff --git a/windows/deploy/images/mdt-07-fig08.png b/windows/deployment/images/mdt-07-fig08.png
similarity index 100%
rename from windows/deploy/images/mdt-07-fig08.png
rename to windows/deployment/images/mdt-07-fig08.png
diff --git a/windows/deploy/images/mdt-07-fig09.png b/windows/deployment/images/mdt-07-fig09.png
similarity index 100%
rename from windows/deploy/images/mdt-07-fig09.png
rename to windows/deployment/images/mdt-07-fig09.png
diff --git a/windows/deploy/images/mdt-07-fig10.png b/windows/deployment/images/mdt-07-fig10.png
similarity index 100%
rename from windows/deploy/images/mdt-07-fig10.png
rename to windows/deployment/images/mdt-07-fig10.png
diff --git a/windows/deploy/images/mdt-07-fig11.png b/windows/deployment/images/mdt-07-fig11.png
similarity index 100%
rename from windows/deploy/images/mdt-07-fig11.png
rename to windows/deployment/images/mdt-07-fig11.png
diff --git a/windows/deploy/images/mdt-07-fig13.png b/windows/deployment/images/mdt-07-fig13.png
similarity index 100%
rename from windows/deploy/images/mdt-07-fig13.png
rename to windows/deployment/images/mdt-07-fig13.png
diff --git a/windows/deploy/images/mdt-07-fig14.png b/windows/deployment/images/mdt-07-fig14.png
similarity index 100%
rename from windows/deploy/images/mdt-07-fig14.png
rename to windows/deployment/images/mdt-07-fig14.png
diff --git a/windows/deploy/images/mdt-07-fig15.png b/windows/deployment/images/mdt-07-fig15.png
similarity index 100%
rename from windows/deploy/images/mdt-07-fig15.png
rename to windows/deployment/images/mdt-07-fig15.png
diff --git a/windows/deploy/images/mdt-07-fig16.png b/windows/deployment/images/mdt-07-fig16.png
similarity index 100%
rename from windows/deploy/images/mdt-07-fig16.png
rename to windows/deployment/images/mdt-07-fig16.png
diff --git a/windows/deploy/images/mdt-08-fig01.png b/windows/deployment/images/mdt-08-fig01.png
similarity index 100%
rename from windows/deploy/images/mdt-08-fig01.png
rename to windows/deployment/images/mdt-08-fig01.png
diff --git a/windows/deploy/images/mdt-08-fig02.png b/windows/deployment/images/mdt-08-fig02.png
similarity index 100%
rename from windows/deploy/images/mdt-08-fig02.png
rename to windows/deployment/images/mdt-08-fig02.png
diff --git a/windows/deploy/images/mdt-08-fig03.png b/windows/deployment/images/mdt-08-fig03.png
similarity index 100%
rename from windows/deploy/images/mdt-08-fig03.png
rename to windows/deployment/images/mdt-08-fig03.png
diff --git a/windows/deploy/images/mdt-08-fig05.png b/windows/deployment/images/mdt-08-fig05.png
similarity index 100%
rename from windows/deploy/images/mdt-08-fig05.png
rename to windows/deployment/images/mdt-08-fig05.png
diff --git a/windows/deploy/images/mdt-08-fig06.png b/windows/deployment/images/mdt-08-fig06.png
similarity index 100%
rename from windows/deploy/images/mdt-08-fig06.png
rename to windows/deployment/images/mdt-08-fig06.png
diff --git a/windows/deploy/images/mdt-08-fig14.png b/windows/deployment/images/mdt-08-fig14.png
similarity index 100%
rename from windows/deploy/images/mdt-08-fig14.png
rename to windows/deployment/images/mdt-08-fig14.png
diff --git a/windows/deploy/images/mdt-08-fig15.png b/windows/deployment/images/mdt-08-fig15.png
similarity index 100%
rename from windows/deploy/images/mdt-08-fig15.png
rename to windows/deployment/images/mdt-08-fig15.png
diff --git a/windows/deploy/images/mdt-09-fig01.png b/windows/deployment/images/mdt-09-fig01.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig01.png
rename to windows/deployment/images/mdt-09-fig01.png
diff --git a/windows/deploy/images/mdt-09-fig02.png b/windows/deployment/images/mdt-09-fig02.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig02.png
rename to windows/deployment/images/mdt-09-fig02.png
diff --git a/windows/deploy/images/mdt-09-fig03.png b/windows/deployment/images/mdt-09-fig03.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig03.png
rename to windows/deployment/images/mdt-09-fig03.png
diff --git a/windows/deploy/images/mdt-09-fig04.png b/windows/deployment/images/mdt-09-fig04.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig04.png
rename to windows/deployment/images/mdt-09-fig04.png
diff --git a/windows/deploy/images/mdt-09-fig06.png b/windows/deployment/images/mdt-09-fig06.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig06.png
rename to windows/deployment/images/mdt-09-fig06.png
diff --git a/windows/deploy/images/mdt-09-fig07.png b/windows/deployment/images/mdt-09-fig07.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig07.png
rename to windows/deployment/images/mdt-09-fig07.png
diff --git a/windows/deploy/images/mdt-09-fig08.png b/windows/deployment/images/mdt-09-fig08.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig08.png
rename to windows/deployment/images/mdt-09-fig08.png
diff --git a/windows/deploy/images/mdt-09-fig09.png b/windows/deployment/images/mdt-09-fig09.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig09.png
rename to windows/deployment/images/mdt-09-fig09.png
diff --git a/windows/deploy/images/mdt-09-fig10.png b/windows/deployment/images/mdt-09-fig10.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig10.png
rename to windows/deployment/images/mdt-09-fig10.png
diff --git a/windows/deploy/images/mdt-09-fig11.png b/windows/deployment/images/mdt-09-fig11.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig11.png
rename to windows/deployment/images/mdt-09-fig11.png
diff --git a/windows/deploy/images/mdt-09-fig12.png b/windows/deployment/images/mdt-09-fig12.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig12.png
rename to windows/deployment/images/mdt-09-fig12.png
diff --git a/windows/deploy/images/mdt-09-fig13.png b/windows/deployment/images/mdt-09-fig13.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig13.png
rename to windows/deployment/images/mdt-09-fig13.png
diff --git a/windows/deploy/images/mdt-09-fig14.png b/windows/deployment/images/mdt-09-fig14.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig14.png
rename to windows/deployment/images/mdt-09-fig14.png
diff --git a/windows/deploy/images/mdt-09-fig15.png b/windows/deployment/images/mdt-09-fig15.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig15.png
rename to windows/deployment/images/mdt-09-fig15.png
diff --git a/windows/deploy/images/mdt-09-fig16.png b/windows/deployment/images/mdt-09-fig16.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig16.png
rename to windows/deployment/images/mdt-09-fig16.png
diff --git a/windows/deploy/images/mdt-09-fig17.png b/windows/deployment/images/mdt-09-fig17.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig17.png
rename to windows/deployment/images/mdt-09-fig17.png
diff --git a/windows/deploy/images/mdt-09-fig18.png b/windows/deployment/images/mdt-09-fig18.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig18.png
rename to windows/deployment/images/mdt-09-fig18.png
diff --git a/windows/deploy/images/mdt-09-fig19.png b/windows/deployment/images/mdt-09-fig19.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig19.png
rename to windows/deployment/images/mdt-09-fig19.png
diff --git a/windows/deploy/images/mdt-09-fig20.png b/windows/deployment/images/mdt-09-fig20.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig20.png
rename to windows/deployment/images/mdt-09-fig20.png
diff --git a/windows/deploy/images/mdt-09-fig21.png b/windows/deployment/images/mdt-09-fig21.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig21.png
rename to windows/deployment/images/mdt-09-fig21.png
diff --git a/windows/deploy/images/mdt-09-fig22.png b/windows/deployment/images/mdt-09-fig22.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig22.png
rename to windows/deployment/images/mdt-09-fig22.png
diff --git a/windows/deploy/images/mdt-09-fig23.png b/windows/deployment/images/mdt-09-fig23.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig23.png
rename to windows/deployment/images/mdt-09-fig23.png
diff --git a/windows/deploy/images/mdt-09-fig24.png b/windows/deployment/images/mdt-09-fig24.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig24.png
rename to windows/deployment/images/mdt-09-fig24.png
diff --git a/windows/deploy/images/mdt-09-fig25.png b/windows/deployment/images/mdt-09-fig25.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig25.png
rename to windows/deployment/images/mdt-09-fig25.png
diff --git a/windows/deploy/images/mdt-09-fig26.png b/windows/deployment/images/mdt-09-fig26.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig26.png
rename to windows/deployment/images/mdt-09-fig26.png
diff --git a/windows/deploy/images/mdt-09-fig27.png b/windows/deployment/images/mdt-09-fig27.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig27.png
rename to windows/deployment/images/mdt-09-fig27.png
diff --git a/windows/deploy/images/mdt-09-fig28.png b/windows/deployment/images/mdt-09-fig28.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig28.png
rename to windows/deployment/images/mdt-09-fig28.png
diff --git a/windows/deploy/images/mdt-09-fig29.png b/windows/deployment/images/mdt-09-fig29.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig29.png
rename to windows/deployment/images/mdt-09-fig29.png
diff --git a/windows/deploy/images/mdt-09-fig30.png b/windows/deployment/images/mdt-09-fig30.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig30.png
rename to windows/deployment/images/mdt-09-fig30.png
diff --git a/windows/deploy/images/mdt-09-fig31.png b/windows/deployment/images/mdt-09-fig31.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig31.png
rename to windows/deployment/images/mdt-09-fig31.png
diff --git a/windows/deploy/images/mdt-09-fig32.png b/windows/deployment/images/mdt-09-fig32.png
similarity index 100%
rename from windows/deploy/images/mdt-09-fig32.png
rename to windows/deployment/images/mdt-09-fig32.png
diff --git a/windows/deploy/images/mdt-10-fig01.png b/windows/deployment/images/mdt-10-fig01.png
similarity index 100%
rename from windows/deploy/images/mdt-10-fig01.png
rename to windows/deployment/images/mdt-10-fig01.png
diff --git a/windows/deploy/images/mdt-10-fig02.png b/windows/deployment/images/mdt-10-fig02.png
similarity index 100%
rename from windows/deploy/images/mdt-10-fig02.png
rename to windows/deployment/images/mdt-10-fig02.png
diff --git a/windows/deploy/images/mdt-10-fig03.png b/windows/deployment/images/mdt-10-fig03.png
similarity index 100%
rename from windows/deploy/images/mdt-10-fig03.png
rename to windows/deployment/images/mdt-10-fig03.png
diff --git a/windows/deploy/images/mdt-10-fig04.png b/windows/deployment/images/mdt-10-fig04.png
similarity index 100%
rename from windows/deploy/images/mdt-10-fig04.png
rename to windows/deployment/images/mdt-10-fig04.png
diff --git a/windows/deploy/images/mdt-10-fig05.png b/windows/deployment/images/mdt-10-fig05.png
similarity index 100%
rename from windows/deploy/images/mdt-10-fig05.png
rename to windows/deployment/images/mdt-10-fig05.png
diff --git a/windows/deploy/images/mdt-10-fig06.png b/windows/deployment/images/mdt-10-fig06.png
similarity index 100%
rename from windows/deploy/images/mdt-10-fig06.png
rename to windows/deployment/images/mdt-10-fig06.png
diff --git a/windows/deploy/images/mdt-10-fig07.png b/windows/deployment/images/mdt-10-fig07.png
similarity index 100%
rename from windows/deploy/images/mdt-10-fig07.png
rename to windows/deployment/images/mdt-10-fig07.png
diff --git a/windows/deploy/images/mdt-10-fig08.png b/windows/deployment/images/mdt-10-fig08.png
similarity index 100%
rename from windows/deploy/images/mdt-10-fig08.png
rename to windows/deployment/images/mdt-10-fig08.png
diff --git a/windows/deploy/images/mdt-10-fig09.png b/windows/deployment/images/mdt-10-fig09.png
similarity index 100%
rename from windows/deploy/images/mdt-10-fig09.png
rename to windows/deployment/images/mdt-10-fig09.png
diff --git a/windows/deploy/images/mdt-11-fig05.png b/windows/deployment/images/mdt-11-fig05.png
similarity index 100%
rename from windows/deploy/images/mdt-11-fig05.png
rename to windows/deployment/images/mdt-11-fig05.png
diff --git a/windows/deploy/images/mdt-11-fig06.png b/windows/deployment/images/mdt-11-fig06.png
similarity index 100%
rename from windows/deploy/images/mdt-11-fig06.png
rename to windows/deployment/images/mdt-11-fig06.png
diff --git a/windows/deploy/images/mdt-11-fig07.png b/windows/deployment/images/mdt-11-fig07.png
similarity index 100%
rename from windows/deploy/images/mdt-11-fig07.png
rename to windows/deployment/images/mdt-11-fig07.png
diff --git a/windows/deploy/images/mdt-11-fig08.png b/windows/deployment/images/mdt-11-fig08.png
similarity index 100%
rename from windows/deploy/images/mdt-11-fig08.png
rename to windows/deployment/images/mdt-11-fig08.png
diff --git a/windows/deploy/images/mdt-11-fig09.png b/windows/deployment/images/mdt-11-fig09.png
similarity index 100%
rename from windows/deploy/images/mdt-11-fig09.png
rename to windows/deployment/images/mdt-11-fig09.png
diff --git a/windows/deploy/images/mdt-11-fig10.png b/windows/deployment/images/mdt-11-fig10.png
similarity index 100%
rename from windows/deploy/images/mdt-11-fig10.png
rename to windows/deployment/images/mdt-11-fig10.png
diff --git a/windows/deploy/images/mdt-11-fig11.png b/windows/deployment/images/mdt-11-fig11.png
similarity index 100%
rename from windows/deploy/images/mdt-11-fig11.png
rename to windows/deployment/images/mdt-11-fig11.png
diff --git a/windows/deploy/images/mdt-11-fig12.png b/windows/deployment/images/mdt-11-fig12.png
similarity index 100%
rename from windows/deploy/images/mdt-11-fig12.png
rename to windows/deployment/images/mdt-11-fig12.png
diff --git a/windows/deploy/images/mdt-11-fig13.png b/windows/deployment/images/mdt-11-fig13.png
similarity index 100%
rename from windows/deploy/images/mdt-11-fig13.png
rename to windows/deployment/images/mdt-11-fig13.png
diff --git a/windows/deploy/images/mdt-11-fig14.png b/windows/deployment/images/mdt-11-fig14.png
similarity index 100%
rename from windows/deploy/images/mdt-11-fig14.png
rename to windows/deployment/images/mdt-11-fig14.png
diff --git a/windows/deploy/images/mdt-11-fig15.png b/windows/deployment/images/mdt-11-fig15.png
similarity index 100%
rename from windows/deploy/images/mdt-11-fig15.png
rename to windows/deployment/images/mdt-11-fig15.png
diff --git a/windows/deploy/images/mdt-11-fig16.png b/windows/deployment/images/mdt-11-fig16.png
similarity index 100%
rename from windows/deploy/images/mdt-11-fig16.png
rename to windows/deployment/images/mdt-11-fig16.png
diff --git a/windows/deploy/images/multi-target.png b/windows/deployment/images/multi-target.png
similarity index 100%
rename from windows/deploy/images/multi-target.png
rename to windows/deployment/images/multi-target.png
diff --git a/windows/deploy/images/nfc.png b/windows/deployment/images/nfc.png
similarity index 100%
rename from windows/deploy/images/nfc.png
rename to windows/deployment/images/nfc.png
diff --git a/windows/deploy/images/one.png b/windows/deployment/images/one.png
similarity index 100%
rename from windows/deploy/images/one.png
rename to windows/deployment/images/one.png
diff --git a/windows/configure/images/oobe.jpg b/windows/deployment/images/oobe.jpg
similarity index 100%
rename from windows/configure/images/oobe.jpg
rename to windows/deployment/images/oobe.jpg
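Review bot: the `rename from` path here is `windows/configure/images/oobe.jpg`, not `windows/deploy/images/` like the entries around it, so this move takes the image out of the configure tree. Check that no topic under `windows/configure` still links to `images/oobe.jpg`. If one does, keep a copy there instead of moving the file.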
diff --git a/windows/deploy/images/package-trust.png b/windows/deployment/images/package-trust.png
similarity index 100%
rename from windows/deploy/images/package-trust.png
rename to windows/deployment/images/package-trust.png
diff --git a/windows/deploy/images/package.png b/windows/deployment/images/package.png
similarity index 100%
rename from windows/deploy/images/package.png
rename to windows/deployment/images/package.png
diff --git a/windows/deploy/images/packages-mobile.png b/windows/deployment/images/packages-mobile.png
similarity index 100%
rename from windows/deploy/images/packages-mobile.png
rename to windows/deployment/images/packages-mobile.png
diff --git a/windows/deployment/images/poc-computers.png b/windows/deployment/images/poc-computers.png
new file mode 100644
index 0000000000..6fd8039c56
Binary files /dev/null and b/windows/deployment/images/poc-computers.png differ
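Review bot: `new file mode 100644` on `poc-computers.png` adds a new binary in the middle of a series of 100% similarity renames. Consider putting new images in a separate commit, or naming the topic that references this file in the commit message, so the directory move stays a purely mechanical change to review.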
diff --git a/windows/deploy/images/prov.jpg b/windows/deployment/images/prov.jpg
similarity index 100%
rename from windows/deploy/images/prov.jpg
rename to windows/deployment/images/prov.jpg
diff --git a/windows/deploy/images/scanos.PNG b/windows/deployment/images/scanos.PNG
similarity index 100%
rename from windows/deploy/images/scanos.PNG
rename to windows/deployment/images/scanos.PNG
diff --git a/windows/deploy/images/sccm-asset.PNG b/windows/deployment/images/sccm-asset.PNG
similarity index 100%
rename from windows/deploy/images/sccm-asset.PNG
rename to windows/deployment/images/sccm-asset.PNG
diff --git a/windows/deployment/images/sccm-assets.PNG b/windows/deployment/images/sccm-assets.PNG
new file mode 100644
index 0000000000..264606c2ab
Binary files /dev/null and b/windows/deployment/images/sccm-assets.PNG differ
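Review bot: the new `sccm-assets.PNG` differs by one character from `sccm-asset.PNG`, which the preceding entry renames into the same directory. Confirm that both images are referenced and are meant to be distinct. If one replaces the other, drop the unused file so a later link does not pick the wrong one.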
diff --git a/windows/deploy/images/sccm-client.PNG b/windows/deployment/images/sccm-client.PNG
similarity index 100%
rename from windows/deploy/images/sccm-client.PNG
rename to windows/deployment/images/sccm-client.PNG
diff --git a/windows/deploy/images/sccm-collection.PNG b/windows/deployment/images/sccm-collection.PNG
similarity index 100%
rename from windows/deploy/images/sccm-collection.PNG
rename to windows/deployment/images/sccm-collection.PNG
diff --git a/windows/deploy/images/sccm-install-os.PNG b/windows/deployment/images/sccm-install-os.PNG
similarity index 100%
rename from windows/deploy/images/sccm-install-os.PNG
rename to windows/deployment/images/sccm-install-os.PNG
diff --git a/windows/deploy/images/sccm-post-refresh.PNG b/windows/deployment/images/sccm-post-refresh.PNG
similarity index 100%
rename from windows/deploy/images/sccm-post-refresh.PNG
rename to windows/deployment/images/sccm-post-refresh.PNG
diff --git a/windows/deploy/images/sccm-pxe.PNG b/windows/deployment/images/sccm-pxe.PNG
similarity index 100%
rename from windows/deploy/images/sccm-pxe.PNG
rename to windows/deployment/images/sccm-pxe.PNG
diff --git a/windows/deploy/images/sccm-site.PNG b/windows/deployment/images/sccm-site.PNG
similarity index 100%
rename from windows/deploy/images/sccm-site.PNG
rename to windows/deployment/images/sccm-site.PNG
diff --git a/windows/deployment/images/sccm-software-cntr.PNG b/windows/deployment/images/sccm-software-cntr.PNG
new file mode 100644
index 0000000000..cd9520ed17
Binary files /dev/null and b/windows/deployment/images/sccm-software-cntr.PNG differ
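Review bot: the new file `sccm-software-cntr.PNG` uses an uppercase `.PNG` extension, while most images in `windows/deployment/images/` use lowercase `.png`. Because this file is new rather than renamed, a lowercase extension would avoid case-mismatch link breaks on case-sensitive hosts.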
diff --git a/windows/deploy/images/sec-bios.png b/windows/deployment/images/sec-bios.png
similarity index 100%
rename from windows/deploy/images/sec-bios.png
rename to windows/deployment/images/sec-bios.png
diff --git a/windows/configure/images/setupmsg.jpg b/windows/deployment/images/setupmsg.jpg
similarity index 100%
rename from windows/configure/images/setupmsg.jpg
rename to windows/deployment/images/setupmsg.jpg
diff --git a/windows/deploy/images/sign-in-prov.png b/windows/deployment/images/sign-in-prov.png
similarity index 100%
rename from windows/deploy/images/sign-in-prov.png
rename to windows/deployment/images/sign-in-prov.png
diff --git a/windows/deploy/images/six.png b/windows/deployment/images/six.png
similarity index 100%
rename from windows/deploy/images/six.png
rename to windows/deployment/images/six.png
diff --git a/windows/deploy/images/svr_mgr2.png b/windows/deployment/images/svr_mgr2.png
similarity index 100%
rename from windows/deploy/images/svr_mgr2.png
rename to windows/deployment/images/svr_mgr2.png
diff --git a/windows/configure/images/three.png b/windows/deployment/images/three.png
similarity index 100%
rename from windows/configure/images/three.png
rename to windows/deployment/images/three.png
diff --git a/windows/deploy/images/trust-package.png b/windows/deployment/images/trust-package.png
similarity index 100%
rename from windows/deploy/images/trust-package.png
rename to windows/deployment/images/trust-package.png
diff --git a/windows/configure/images/two.png b/windows/deployment/images/two.png
similarity index 100%
rename from windows/configure/images/two.png
rename to windows/deployment/images/two.png
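Review bot: `two.png` is moved out of `windows/configure/images/` (as is `three.png` above), while `one.png` and `six.png` come from `windows/deploy/images/`. The numbered callout images are therefore drawn from two source trees. Verify that configure topics using these callouts are not left with broken links after the move.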
diff --git a/windows/deploy/images/ua-cg-01.png b/windows/deployment/images/ua-cg-01.png
similarity index 100%
rename from windows/deploy/images/ua-cg-01.png
rename to windows/deployment/images/ua-cg-01.png
diff --git a/windows/deploy/images/ua-cg-02.png b/windows/deployment/images/ua-cg-02.png
similarity index 100%
rename from windows/deploy/images/ua-cg-02.png
rename to windows/deployment/images/ua-cg-02.png
diff --git a/windows/deploy/images/ua-cg-03.png b/windows/deployment/images/ua-cg-03.png
similarity index 100%
rename from windows/deploy/images/ua-cg-03.png
rename to windows/deployment/images/ua-cg-03.png
diff --git a/windows/deploy/images/ua-cg-04.png b/windows/deployment/images/ua-cg-04.png
similarity index 100%
rename from windows/deploy/images/ua-cg-04.png
rename to windows/deployment/images/ua-cg-04.png
diff --git a/windows/deploy/images/ua-cg-05.png b/windows/deployment/images/ua-cg-05.png
similarity index 100%
rename from windows/deploy/images/ua-cg-05.png
rename to windows/deployment/images/ua-cg-05.png
diff --git a/windows/deploy/images/ua-cg-06.png b/windows/deployment/images/ua-cg-06.png
similarity index 100%
rename from windows/deploy/images/ua-cg-06.png
rename to windows/deployment/images/ua-cg-06.png
diff --git a/windows/deploy/images/ua-cg-07.png b/windows/deployment/images/ua-cg-07.png
similarity index 100%
rename from windows/deploy/images/ua-cg-07.png
rename to windows/deployment/images/ua-cg-07.png
diff --git a/windows/deploy/images/ua-cg-08.png b/windows/deployment/images/ua-cg-08.png
similarity index 100%
rename from windows/deploy/images/ua-cg-08.png
rename to windows/deployment/images/ua-cg-08.png
diff --git a/windows/deploy/images/ua-cg-09-old.png b/windows/deployment/images/ua-cg-09-old.png
similarity index 100%
rename from windows/deploy/images/ua-cg-09-old.png
rename to windows/deployment/images/ua-cg-09-old.png
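Review bot: `ua-cg-09-old.png` is carried into the new directory alongside `ua-cg-09.png`. The `-old` suffix suggests a superseded image. If no topic references it any longer, delete it here rather than renaming it.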
diff --git a/windows/deploy/images/ua-cg-09.png b/windows/deployment/images/ua-cg-09.png
similarity index 100%
rename from windows/deploy/images/ua-cg-09.png
rename to windows/deployment/images/ua-cg-09.png
diff --git a/windows/deploy/images/ua-cg-10.png b/windows/deployment/images/ua-cg-10.png
similarity index 100%
rename from windows/deploy/images/ua-cg-10.png
rename to windows/deployment/images/ua-cg-10.png
diff --git a/windows/deploy/images/ua-cg-11.png b/windows/deployment/images/ua-cg-11.png
similarity index 100%
rename from windows/deploy/images/ua-cg-11.png
rename to windows/deployment/images/ua-cg-11.png
diff --git a/windows/deploy/images/ua-cg-12.png b/windows/deployment/images/ua-cg-12.png
similarity index 100%
rename from windows/deploy/images/ua-cg-12.png
rename to windows/deployment/images/ua-cg-12.png
diff --git a/windows/deploy/images/ua-cg-13.png b/windows/deployment/images/ua-cg-13.png
similarity index 100%
rename from windows/deploy/images/ua-cg-13.png
rename to windows/deployment/images/ua-cg-13.png
diff --git a/windows/deploy/images/ua-cg-14.png b/windows/deployment/images/ua-cg-14.png
similarity index 100%
rename from windows/deploy/images/ua-cg-14.png
rename to windows/deployment/images/ua-cg-14.png
diff --git a/windows/deploy/images/ua-cg-15.png b/windows/deployment/images/ua-cg-15.png
similarity index 100%
rename from windows/deploy/images/ua-cg-15.png
rename to windows/deployment/images/ua-cg-15.png
diff --git a/windows/deploy/images/ua-cg-16.png b/windows/deployment/images/ua-cg-16.png
similarity index 100%
rename from windows/deploy/images/ua-cg-16.png
rename to windows/deployment/images/ua-cg-16.png
diff --git a/windows/deploy/images/ua-cg-17.png b/windows/deployment/images/ua-cg-17.png
similarity index 100%
rename from windows/deploy/images/ua-cg-17.png
rename to windows/deployment/images/ua-cg-17.png
diff --git a/windows/deploy/images/upgrade-analytics-apps-known-issues.png b/windows/deployment/images/upgrade-analytics-apps-known-issues.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-apps-known-issues.png
rename to windows/deployment/images/upgrade-analytics-apps-known-issues.png
diff --git a/windows/deploy/images/upgrade-analytics-apps-no-known-issues.png b/windows/deployment/images/upgrade-analytics-apps-no-known-issues.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-apps-no-known-issues.png
rename to windows/deployment/images/upgrade-analytics-apps-no-known-issues.png
diff --git a/windows/deploy/images/upgrade-analytics-architecture.png b/windows/deployment/images/upgrade-analytics-architecture.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-architecture.png
rename to windows/deployment/images/upgrade-analytics-architecture.png
diff --git a/windows/deploy/images/upgrade-analytics-create-iedataoptin.png b/windows/deployment/images/upgrade-analytics-create-iedataoptin.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-create-iedataoptin.png
rename to windows/deployment/images/upgrade-analytics-create-iedataoptin.png
diff --git a/windows/deploy/images/upgrade-analytics-deploy-eligible.png b/windows/deployment/images/upgrade-analytics-deploy-eligible.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-deploy-eligible.png
rename to windows/deployment/images/upgrade-analytics-deploy-eligible.png
diff --git a/windows/deploy/images/upgrade-analytics-drivers-known.png b/windows/deployment/images/upgrade-analytics-drivers-known.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-drivers-known.png
rename to windows/deployment/images/upgrade-analytics-drivers-known.png
diff --git a/windows/deploy/images/upgrade-analytics-most-active-sites.png b/windows/deployment/images/upgrade-analytics-most-active-sites.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-most-active-sites.png
rename to windows/deployment/images/upgrade-analytics-most-active-sites.png
diff --git a/windows/deploy/images/upgrade-analytics-namepub-rollup.PNG b/windows/deployment/images/upgrade-analytics-namepub-rollup.PNG
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-namepub-rollup.PNG
rename to windows/deployment/images/upgrade-analytics-namepub-rollup.PNG
diff --git a/windows/deploy/images/upgrade-analytics-overview.png b/windows/deployment/images/upgrade-analytics-overview.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-overview.png
rename to windows/deployment/images/upgrade-analytics-overview.png
diff --git a/windows/deploy/images/upgrade-analytics-pilot.png b/windows/deployment/images/upgrade-analytics-pilot.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-pilot.png
rename to windows/deployment/images/upgrade-analytics-pilot.png
diff --git a/windows/deploy/images/upgrade-analytics-prioritize.png b/windows/deployment/images/upgrade-analytics-prioritize.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-prioritize.png
rename to windows/deployment/images/upgrade-analytics-prioritize.png
diff --git a/windows/deploy/images/upgrade-analytics-query-activex-name.png b/windows/deployment/images/upgrade-analytics-query-activex-name.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-query-activex-name.png
rename to windows/deployment/images/upgrade-analytics-query-activex-name.png
diff --git a/windows/deploy/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG b/windows/deployment/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG
rename to windows/deployment/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG
diff --git a/windows/deploy/images/upgrade-analytics-ready-for-windows-status.PNG b/windows/deployment/images/upgrade-analytics-ready-for-windows-status.PNG
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-ready-for-windows-status.PNG
rename to windows/deployment/images/upgrade-analytics-ready-for-windows-status.PNG
diff --git a/windows/deploy/images/upgrade-analytics-site-activity-by-doc-mode.png b/windows/deployment/images/upgrade-analytics-site-activity-by-doc-mode.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-site-activity-by-doc-mode.png
rename to windows/deployment/images/upgrade-analytics-site-activity-by-doc-mode.png
diff --git a/windows/deploy/images/upgrade-analytics-site-domain-detail.png b/windows/deployment/images/upgrade-analytics-site-domain-detail.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-site-domain-detail.png
rename to windows/deployment/images/upgrade-analytics-site-domain-detail.png
diff --git a/windows/deploy/images/upgrade-analytics-telemetry.png b/windows/deployment/images/upgrade-analytics-telemetry.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-telemetry.png
rename to windows/deployment/images/upgrade-analytics-telemetry.png
diff --git a/windows/deploy/images/upgrade-analytics-unsubscribe.png b/windows/deployment/images/upgrade-analytics-unsubscribe.png
similarity index 100%
rename from windows/deploy/images/upgrade-analytics-unsubscribe.png
rename to windows/deployment/images/upgrade-analytics-unsubscribe.png
diff --git a/windows/deploy/images/upgrade-process.png b/windows/deployment/images/upgrade-process.png
similarity index 100%
rename from windows/deploy/images/upgrade-process.png
rename to windows/deployment/images/upgrade-process.png
diff --git a/windows/deploy/images/upgradecfg-fig2-upgrading.png b/windows/deployment/images/upgradecfg-fig2-upgrading.png
similarity index 100%
rename from windows/deploy/images/upgradecfg-fig2-upgrading.png
rename to windows/deployment/images/upgradecfg-fig2-upgrading.png
diff --git a/windows/deploy/images/upgradecfg-fig3-upgrade.png b/windows/deployment/images/upgradecfg-fig3-upgrade.png
similarity index 100%
rename from windows/deploy/images/upgradecfg-fig3-upgrade.png
rename to windows/deployment/images/upgradecfg-fig3-upgrade.png
diff --git a/windows/deploy/images/upgrademdt-fig1-machines.png b/windows/deployment/images/upgrademdt-fig1-machines.png
similarity index 100%
rename from windows/deploy/images/upgrademdt-fig1-machines.png
rename to windows/deployment/images/upgrademdt-fig1-machines.png
diff --git a/windows/deploy/images/upgrademdt-fig2-importedos.png b/windows/deployment/images/upgrademdt-fig2-importedos.png
similarity index 100%
rename from windows/deploy/images/upgrademdt-fig2-importedos.png
rename to windows/deployment/images/upgrademdt-fig2-importedos.png
diff --git a/windows/deploy/images/upgrademdt-fig3-tasksequence.png b/windows/deployment/images/upgrademdt-fig3-tasksequence.png
similarity index 100%
rename from windows/deploy/images/upgrademdt-fig3-tasksequence.png
rename to windows/deployment/images/upgrademdt-fig3-tasksequence.png
diff --git a/windows/deploy/images/upgrademdt-fig4-selecttask.png b/windows/deployment/images/upgrademdt-fig4-selecttask.png
similarity index 100%
rename from windows/deploy/images/upgrademdt-fig4-selecttask.png
rename to windows/deployment/images/upgrademdt-fig4-selecttask.png
diff --git a/windows/deploy/images/upgrademdt-fig5-winupgrade.png b/windows/deployment/images/upgrademdt-fig5-winupgrade.png
similarity index 100%
rename from windows/deploy/images/upgrademdt-fig5-winupgrade.png
rename to windows/deployment/images/upgrademdt-fig5-winupgrade.png
diff --git a/windows/deploy/images/ur-arch-diagram.png b/windows/deployment/images/ur-arch-diagram.png
similarity index 100%
rename from windows/deploy/images/ur-arch-diagram.png
rename to windows/deployment/images/ur-arch-diagram.png
diff --git a/windows/deploy/images/ur-overview.PNG b/windows/deployment/images/ur-overview.PNG
similarity index 100%
rename from windows/deploy/images/ur-overview.PNG
rename to windows/deployment/images/ur-overview.PNG
diff --git a/windows/deploy/images/ur-settings.PNG b/windows/deployment/images/ur-settings.PNG
similarity index 100%
rename from windows/deploy/images/ur-settings.PNG
rename to windows/deployment/images/ur-settings.PNG
diff --git a/windows/deploy/images/ur-target-version.png b/windows/deployment/images/ur-target-version.png
similarity index 100%
rename from windows/deploy/images/ur-target-version.png
rename to windows/deployment/images/ur-target-version.png
diff --git a/windows/deploy/images/uwp-dependencies.PNG b/windows/deployment/images/uwp-dependencies.PNG
similarity index 100%
rename from windows/deploy/images/uwp-dependencies.PNG
rename to windows/deployment/images/uwp-dependencies.PNG
diff --git a/windows/deploy/images/uwp-family.PNG b/windows/deployment/images/uwp-family.PNG
similarity index 100%
rename from windows/deploy/images/uwp-family.PNG
rename to windows/deployment/images/uwp-family.PNG
diff --git a/windows/deploy/images/uwp-license.PNG b/windows/deployment/images/uwp-license.PNG
similarity index 100%
rename from windows/deploy/images/uwp-license.PNG
rename to windows/deployment/images/uwp-license.PNG
diff --git a/windows/deploy/images/volumeactivationforwindows81-01.jpg b/windows/deployment/images/volumeactivationforwindows81-01.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-01.jpg
rename to windows/deployment/images/volumeactivationforwindows81-01.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-02.jpg b/windows/deployment/images/volumeactivationforwindows81-02.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-02.jpg
rename to windows/deployment/images/volumeactivationforwindows81-02.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-03.jpg b/windows/deployment/images/volumeactivationforwindows81-03.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-03.jpg
rename to windows/deployment/images/volumeactivationforwindows81-03.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-04.jpg b/windows/deployment/images/volumeactivationforwindows81-04.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-04.jpg
rename to windows/deployment/images/volumeactivationforwindows81-04.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-05.jpg b/windows/deployment/images/volumeactivationforwindows81-05.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-05.jpg
rename to windows/deployment/images/volumeactivationforwindows81-05.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-06.jpg b/windows/deployment/images/volumeactivationforwindows81-06.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-06.jpg
rename to windows/deployment/images/volumeactivationforwindows81-06.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-07.jpg b/windows/deployment/images/volumeactivationforwindows81-07.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-07.jpg
rename to windows/deployment/images/volumeactivationforwindows81-07.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-08.jpg b/windows/deployment/images/volumeactivationforwindows81-08.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-08.jpg
rename to windows/deployment/images/volumeactivationforwindows81-08.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-09.jpg b/windows/deployment/images/volumeactivationforwindows81-09.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-09.jpg
rename to windows/deployment/images/volumeactivationforwindows81-09.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-10.jpg b/windows/deployment/images/volumeactivationforwindows81-10.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-10.jpg
rename to windows/deployment/images/volumeactivationforwindows81-10.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-11.jpg b/windows/deployment/images/volumeactivationforwindows81-11.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-11.jpg
rename to windows/deployment/images/volumeactivationforwindows81-11.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-12.jpg b/windows/deployment/images/volumeactivationforwindows81-12.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-12.jpg
rename to windows/deployment/images/volumeactivationforwindows81-12.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-13.jpg b/windows/deployment/images/volumeactivationforwindows81-13.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-13.jpg
rename to windows/deployment/images/volumeactivationforwindows81-13.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-14.jpg b/windows/deployment/images/volumeactivationforwindows81-14.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-14.jpg
rename to windows/deployment/images/volumeactivationforwindows81-14.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-15.jpg b/windows/deployment/images/volumeactivationforwindows81-15.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-15.jpg
rename to windows/deployment/images/volumeactivationforwindows81-15.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-16.jpg b/windows/deployment/images/volumeactivationforwindows81-16.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-16.jpg
rename to windows/deployment/images/volumeactivationforwindows81-16.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-17.jpg b/windows/deployment/images/volumeactivationforwindows81-17.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-17.jpg
rename to windows/deployment/images/volumeactivationforwindows81-17.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-18.jpg b/windows/deployment/images/volumeactivationforwindows81-18.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-18.jpg
rename to windows/deployment/images/volumeactivationforwindows81-18.jpg
diff --git a/windows/deploy/images/volumeactivationforwindows81-19.jpg b/windows/deployment/images/volumeactivationforwindows81-19.jpg
similarity index 100%
rename from windows/deploy/images/volumeactivationforwindows81-19.jpg
rename to windows/deployment/images/volumeactivationforwindows81-19.jpg
diff --git a/windows/deploy/images/who-owns-pc.png b/windows/deployment/images/who-owns-pc.png
similarity index 100%
rename from windows/deploy/images/who-owns-pc.png
rename to windows/deployment/images/who-owns-pc.png
diff --git a/windows/deploy/images/win-10-adk-select.png b/windows/deployment/images/win-10-adk-select.png
similarity index 100%
rename from windows/deploy/images/win-10-adk-select.png
rename to windows/deployment/images/win-10-adk-select.png
diff --git a/windows/deploy/images/win10-set-up-work-or-school.png b/windows/deployment/images/win10-set-up-work-or-school.png
similarity index 100%
rename from windows/deploy/images/win10-set-up-work-or-school.png
rename to windows/deployment/images/win10-set-up-work-or-school.png
diff --git a/windows/deploy/images/windows-icd.png b/windows/deployment/images/windows-icd.png
similarity index 100%
rename from windows/deploy/images/windows-icd.png
rename to windows/deployment/images/windows-icd.png
diff --git a/windows/deploy/images/x_blk.png b/windows/deployment/images/x_blk.png
similarity index 100%
rename from windows/deploy/images/x_blk.png
rename to windows/deployment/images/x_blk.png
diff --git a/windows/deployment/index.md b/windows/deployment/index.md
new file mode 100644
index 0000000000..2ef5fbaf96
--- /dev/null
+++ b/windows/deployment/index.md
@@ -0,0 +1,47 @@
+---
+title: Deploy Windows 10 (Windows 10)
+description: Learn about deploying Windows 10 for IT professionals.
+ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+localizationpriority: high
+author: greg-lindsay
+---
+
+# Deploy Windows 10
+Learn about deploying Windows 10 for IT professionals.
+
+## In this section
+
+|Topic |Description |
+|------|------------|
+|[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
+|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
+|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
+|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
+|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
+|[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
+|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
+|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
+|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
+|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. |
+|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
+|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |
+|[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) |Sideload line-of-business apps in Windows 10. |
+|[Volume Activation [client]](volume-activation/volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. |
+|[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. |
+|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). |
+
+## Related topics
+- [Windows 10 and Windows 10 Mobile](/windows/windows-10)
+
+
+
+
+
+
+
+
+
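Review bot: The description in the "Deploy Windows 10 with System Center 2012 R2 Configuration Manager" row ends mid-sentence ("...integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or."). Either finish the clause or end the sentence at "(MDT)." The new file also ends with a run of empty lines after the Related topics link. Trim these to a single trailing newline so the file does not carry whitespace-only content.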
diff --git a/windows/deploy/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
similarity index 98%
rename from windows/deploy/mbr-to-gpt.md
rename to windows/deployment/mbr-to-gpt.md
index 76aa003b02..b01537fa06 100644
--- a/windows/deploy/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -36,6 +36,8 @@ Offline conversion of system disks with earlier versions of Windows installed, s
>[!IMPORTANT]
>After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode. Make sure that your device supports UEFI before attempting to convert the disk.
+
+
## Syntax
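Review bot: The only change in this hunk is two empty lines added between the IMPORTANT note and "## Syntax". If they are there to terminate the note block, one blank line is enough. Otherwise drop them so the rename does not carry an unrelated whitespace edit.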
@@ -216,7 +218,7 @@ Before any change to the disk is made, MBR2GPT validates the layout and geometry
- There are at most 3 primary partitions in the MBR partition table
- One of the partitions is set as active and is the system partition
- The BCD store on the system partition contains a default OS entry pointing to an OS partition
-- The volume IDs can retrieved for each volume which has a drive letter assigned
+- The volume IDs can be retrieved for each volume which has a drive letter assigned
- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
If any of these checks fails, the conversion will not proceed and an error will be returned.
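Review bot: The bullet directly below the corrected line still has a subject-verb mismatch ("All partitions on the disk are of MBR types recognized by Windows or has a mapping specified"). Since this hunk is already a grammar fix for the validation list, change "or has" to "or have" in the same pass. Also consider "for each volume that has a drive letter assigned" on the corrected line.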
diff --git a/windows/plan/TOC.md b/windows/deployment/planning/TOC.md
similarity index 100%
rename from windows/plan/TOC.md
rename to windows/deployment/planning/TOC.md
diff --git a/windows/plan/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md
similarity index 100%
rename from windows/plan/act-technical-reference.md
rename to windows/deployment/planning/act-technical-reference.md
diff --git a/windows/plan/applying-filters-to-data-in-the-sua-tool.md b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md
similarity index 100%
rename from windows/plan/applying-filters-to-data-in-the-sua-tool.md
rename to windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md
diff --git a/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
similarity index 100%
rename from windows/plan/available-data-types-and-operators-in-compatibility-administrator.md
rename to windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
diff --git a/windows/plan/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
similarity index 100%
rename from windows/plan/best-practice-recommendations-for-windows-to-go.md
rename to windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
similarity index 71%
rename from windows/plan/change-history-for-plan-for-windows-10-deployment.md
rename to windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
index 6d43bdcb7f..ec9afa1603 100644
--- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md
+++ b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
@@ -11,7 +11,13 @@ author: TrudyHa
# Change history for Plan for Windows 10 deployment
-This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
+
+
+## RELEASE: Windows 10, version 1703
+
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following is a new topic:
+- [Windows 10 Enterprise - FAQ for IT Professionals](windows-10-enterprise-faq-itpro.md)
## January 2017
| New or changed topic | Description |
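Review bot: The new heading "## RELEASE: Windows 10, version 1703" uses an upper-case "RELEASE:" prefix, while the neighbouring section headings in this file are plain ("## January 2017"). Confirm this matches the heading used for the version 1607 section, or drop the prefix for consistency. The intro link also switches from a relative path (`../index.md`) to a site-absolute one (`/windows/windows-10`) while the sibling link in the same sentence stays relative (`index.md`). It is worth a sentence in the commit message stating which convention the moved files should follow. The two consecutive empty lines added before the heading can be reduced to one.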
@@ -36,8 +42,8 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) |Redirected deprecated content to the [Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md) content. Only Standard User Analyzer and Compatibility Administrator continue to be supported.|
-| [Windows 10 servicing overview](windows-10-servicing-options.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../manage/introduction-to-windows-10-servicing.md) page. |
+|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) |Redirected deprecated content to the [Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md) content. Only Standard User Analyzer and Compatibility Administrator continue to be supported.|
+| [Windows 10 servicing overview](../update/waas-overview.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) page. |
## May 2016
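Review bot: In the ACT Technical Reference row the link target now points at `../upgrade/manage-windows-upgrades-with-upgrade-readiness.md`, but the link text still reads "Upgrade Analytics". Update the text to "Upgrade Readiness" so the label matches the topic it opens. In the next row, the first link keeps the text "Windows 10 servicing overview" but now targets `../update/waas-overview.md`, and "Windows 10 servicing options" targets `waas-servicing-strategy-windows-10-updates.md`. Please confirm that both labels still match the titles of the retargeted topics.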
@@ -45,7 +51,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | New|
+| [Deploy Windows 10 in a school](/education/windows/deploy-windows-10-in-a-school) | New|
## December 2015
@@ -60,8 +66,8 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------|-------------|
-| [Chromebook migration guide](chromebook-migration-guide.md) | New |
-| [Windows Update for Business](windows-update-for-business.md) (multiple topics) | New |
+| [Chromebook migration guide](/education/windows/chromebook-migration-guide) | New |
+| [Windows Update for Business](../update/waas-manage-updates-wufb.md) (multiple topics) | New |
| [Windows To Go: feature overview](windows-to-go-overview.md) (multiple topics) | Updated |
@@ -69,13 +75,10 @@ The topics in this library have been updated for Windows 10, version 1607 (also
## Related topics
-[Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md)
+[Change history for What's new in Windows 10](/windows/whats-new/change-history-for-what-s-new-in-windows-10.md)
-[Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md)
+[Change history for Deploy Windows 10](../change-history-for-deploy-windows-10.md)
-[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
-
-[Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
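Review bot: The rewritten What's new link uses a site-absolute path but keeps the file extension (`/windows/whats-new/change-history-for-what-s-new-in-windows-10.md`), whereas the other absolute links introduced in this patch omit it (`/windows/windows-10`, `/education/windows/chromebook-migration-guide`). Drop the `.md` or confirm the build resolves both forms. The hunk also deletes the "Keep Windows 10 secure" and "Manage and update Windows 10" change-history links without replacements. If those topics moved rather than disappeared, retarget the links instead of removing them, or state in the commit message that the removal is intentional.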
diff --git a/windows/plan/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md
similarity index 100%
rename from windows/plan/compatibility-administrator-users-guide.md
rename to windows/deployment/planning/compatibility-administrator-users-guide.md
diff --git a/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
similarity index 100%
rename from windows/plan/compatibility-fix-database-management-strategies-and-deployment.md
rename to windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
diff --git a/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
similarity index 100%
rename from windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
rename to windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
diff --git a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
similarity index 100%
rename from windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
rename to windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
diff --git a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
similarity index 100%
rename from windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
rename to windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
diff --git a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
similarity index 100%
rename from windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md
rename to windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
diff --git a/windows/plan/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
similarity index 100%
rename from windows/plan/deployment-considerations-for-windows-to-go.md
rename to windows/deployment/planning/deployment-considerations-for-windows-to-go.md
diff --git a/windows/plan/device-dialog-box.md b/windows/deployment/planning/device-dialog-box.md
similarity index 100%
rename from windows/plan/device-dialog-box.md
rename to windows/deployment/planning/device-dialog-box.md
diff --git a/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
similarity index 100%
rename from windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
rename to windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
diff --git a/windows/plan/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
similarity index 100%
rename from windows/plan/fixing-applications-by-using-the-sua-tool.md
rename to windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
diff --git a/windows/plan/images/branch.png b/windows/deployment/planning/images/branch.png
similarity index 100%
rename from windows/plan/images/branch.png
rename to windows/deployment/planning/images/branch.png
diff --git a/windows/plan/images/chromebook-fig1-googleadmin.png b/windows/deployment/planning/images/chromebook-fig1-googleadmin.png
similarity index 100%
rename from windows/plan/images/chromebook-fig1-googleadmin.png
rename to windows/deployment/planning/images/chromebook-fig1-googleadmin.png
diff --git a/windows/plan/images/dep-win8-e-act-addissue.gif b/windows/deployment/planning/images/dep-win8-e-act-addissue.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-addissue.gif
rename to windows/deployment/planning/images/dep-win8-e-act-addissue.gif
diff --git a/windows/plan/images/dep-win8-e-act-addsolution.gif b/windows/deployment/planning/images/dep-win8-e-act-addsolution.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-addsolution.gif
rename to windows/deployment/planning/images/dep-win8-e-act-addsolution.gif
diff --git a/windows/plan/images/dep-win8-e-act-categorize.gif b/windows/deployment/planning/images/dep-win8-e-act-categorize.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-categorize.gif
rename to windows/deployment/planning/images/dep-win8-e-act-categorize.gif
diff --git a/windows/plan/images/dep-win8-e-act-communityexample.gif b/windows/deployment/planning/images/dep-win8-e-act-communityexample.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-communityexample.gif
rename to windows/deployment/planning/images/dep-win8-e-act-communityexample.gif
diff --git a/windows/plan/images/dep-win8-e-act-createnewdcp.gif b/windows/deployment/planning/images/dep-win8-e-act-createnewdcp.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-createnewdcp.gif
rename to windows/deployment/planning/images/dep-win8-e-act-createnewdcp.gif
diff --git a/windows/plan/images/dep-win8-e-act-delete.gif b/windows/deployment/planning/images/dep-win8-e-act-delete.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-delete.gif
rename to windows/deployment/planning/images/dep-win8-e-act-delete.gif
diff --git a/windows/plan/images/dep-win8-e-act-deploymentstatus.gif b/windows/deployment/planning/images/dep-win8-e-act-deploymentstatus.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-deploymentstatus.gif
rename to windows/deployment/planning/images/dep-win8-e-act-deploymentstatus.gif
diff --git a/windows/plan/images/dep-win8-e-act-doesnotwork64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-doesnotwork64icon.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-doesnotwork64icon.gif
rename to windows/deployment/planning/images/dep-win8-e-act-doesnotwork64icon.gif
diff --git a/windows/plan/images/dep-win8-e-act-doesnotworkicon.gif b/windows/deployment/planning/images/dep-win8-e-act-doesnotworkicon.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-doesnotworkicon.gif
rename to windows/deployment/planning/images/dep-win8-e-act-doesnotworkicon.gif
diff --git a/windows/plan/images/dep-win8-e-act-exportdcp.gif b/windows/deployment/planning/images/dep-win8-e-act-exportdcp.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-exportdcp.gif
rename to windows/deployment/planning/images/dep-win8-e-act-exportdcp.gif
diff --git a/windows/plan/images/dep-win8-e-act-exportreportdata.gif b/windows/deployment/planning/images/dep-win8-e-act-exportreportdata.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-exportreportdata.gif
rename to windows/deployment/planning/images/dep-win8-e-act-exportreportdata.gif
diff --git a/windows/plan/images/dep-win8-e-act-filterdata.gif b/windows/deployment/planning/images/dep-win8-e-act-filterdata.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-filterdata.gif
rename to windows/deployment/planning/images/dep-win8-e-act-filterdata.gif
diff --git a/windows/plan/images/dep-win8-e-act-filterexampleallapps0activeissues.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0activeissues.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-filterexampleallapps0activeissues.gif
rename to windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0activeissues.gif
diff --git a/windows/plan/images/dep-win8-e-act-filterexampleallapps0issues.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0issues.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-filterexampleallapps0issues.gif
rename to windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0issues.gif
diff --git a/windows/plan/images/dep-win8-e-act-filterexampleallappswissues.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleallappswissues.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-filterexampleallappswissues.gif
rename to windows/deployment/planning/images/dep-win8-e-act-filterexampleallappswissues.gif
diff --git a/windows/plan/images/dep-win8-e-act-filterexamplecategory.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexamplecategory.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-filterexamplecategory.gif
rename to windows/deployment/planning/images/dep-win8-e-act-filterexamplecategory.gif
diff --git a/windows/plan/images/dep-win8-e-act-filterexampleforissueswsolutions.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleforissueswsolutions.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-filterexampleforissueswsolutions.gif
rename to windows/deployment/planning/images/dep-win8-e-act-filterexampleforissueswsolutions.gif
diff --git a/windows/plan/images/dep-win8-e-act-filterexampleforspecificsolutions.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleforspecificsolutions.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-filterexampleforspecificsolutions.gif
rename to windows/deployment/planning/images/dep-win8-e-act-filterexampleforspecificsolutions.gif
diff --git a/windows/plan/images/dep-win8-e-act-greenworks64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-greenworks64icon.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-greenworks64icon.gif
rename to windows/deployment/planning/images/dep-win8-e-act-greenworks64icon.gif
diff --git a/windows/plan/images/dep-win8-e-act-greenworksicon.gif b/windows/deployment/planning/images/dep-win8-e-act-greenworksicon.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-greenworksicon.gif
rename to windows/deployment/planning/images/dep-win8-e-act-greenworksicon.gif
diff --git a/windows/plan/images/dep-win8-e-act-help.gif b/windows/deployment/planning/images/dep-win8-e-act-help.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-help.gif
rename to windows/deployment/planning/images/dep-win8-e-act-help.gif
diff --git a/windows/plan/images/dep-win8-e-act-home.gif b/windows/deployment/planning/images/dep-win8-e-act-home.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-home.gif
rename to windows/deployment/planning/images/dep-win8-e-act-home.gif
diff --git a/windows/plan/images/dep-win8-e-act-info64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-info64icon.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-info64icon.gif
rename to windows/deployment/planning/images/dep-win8-e-act-info64icon.gif
diff --git a/windows/plan/images/dep-win8-e-act-infoicon.gif b/windows/deployment/planning/images/dep-win8-e-act-infoicon.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-infoicon.gif
rename to windows/deployment/planning/images/dep-win8-e-act-infoicon.gif
diff --git a/windows/plan/images/dep-win8-e-act-minorissues64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-minorissues64icon.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-minorissues64icon.gif
rename to windows/deployment/planning/images/dep-win8-e-act-minorissues64icon.gif
diff --git a/windows/plan/images/dep-win8-e-act-minorissuesicon.png b/windows/deployment/planning/images/dep-win8-e-act-minorissuesicon.png
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-minorissuesicon.png
rename to windows/deployment/planning/images/dep-win8-e-act-minorissuesicon.png
diff --git a/windows/plan/images/dep-win8-e-act-moveupanddown.gif b/windows/deployment/planning/images/dep-win8-e-act-moveupanddown.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-moveupanddown.gif
rename to windows/deployment/planning/images/dep-win8-e-act-moveupanddown.gif
diff --git a/windows/plan/images/dep-win8-e-act-open.gif b/windows/deployment/planning/images/dep-win8-e-act-open.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-open.gif
rename to windows/deployment/planning/images/dep-win8-e-act-open.gif
diff --git a/windows/plan/images/dep-win8-e-act-prioritize.gif b/windows/deployment/planning/images/dep-win8-e-act-prioritize.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-prioritize.gif
rename to windows/deployment/planning/images/dep-win8-e-act-prioritize.gif
diff --git a/windows/plan/images/dep-win8-e-act-reactivate-resolved-issue.gif b/windows/deployment/planning/images/dep-win8-e-act-reactivate-resolved-issue.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-reactivate-resolved-issue.gif
rename to windows/deployment/planning/images/dep-win8-e-act-reactivate-resolved-issue.gif
diff --git a/windows/plan/images/dep-win8-e-act-refresh.gif b/windows/deployment/planning/images/dep-win8-e-act-refresh.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-refresh.gif
rename to windows/deployment/planning/images/dep-win8-e-act-refresh.gif
diff --git a/windows/plan/images/dep-win8-e-act-riskassessment.gif b/windows/deployment/planning/images/dep-win8-e-act-riskassessment.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-riskassessment.gif
rename to windows/deployment/planning/images/dep-win8-e-act-riskassessment.gif
diff --git a/windows/plan/images/dep-win8-e-act-save.gif b/windows/deployment/planning/images/dep-win8-e-act-save.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-save.gif
rename to windows/deployment/planning/images/dep-win8-e-act-save.gif
diff --git a/windows/plan/images/dep-win8-e-act-savereport.gif b/windows/deployment/planning/images/dep-win8-e-act-savereport.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-savereport.gif
rename to windows/deployment/planning/images/dep-win8-e-act-savereport.gif
diff --git a/windows/plan/images/dep-win8-e-act-sendandreceive.gif b/windows/deployment/planning/images/dep-win8-e-act-sendandreceive.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-sendandreceive.gif
rename to windows/deployment/planning/images/dep-win8-e-act-sendandreceive.gif
diff --git a/windows/plan/images/dep-win8-e-act-sendandreceiveicon.gif b/windows/deployment/planning/images/dep-win8-e-act-sendandreceiveicon.gif
similarity index 100%
rename from windows/plan/images/dep-win8-e-act-sendandreceiveicon.gif
rename to windows/deployment/planning/images/dep-win8-e-act-sendandreceiveicon.gif
diff --git a/windows/plan/images/dep-win8-l-act-appcallosthroughiat.jpg b/windows/deployment/planning/images/dep-win8-l-act-appcallosthroughiat.jpg
similarity index 100%
rename from windows/plan/images/dep-win8-l-act-appcallosthroughiat.jpg
rename to windows/deployment/planning/images/dep-win8-l-act-appcallosthroughiat.jpg
diff --git a/windows/plan/images/dep-win8-l-act-appredirectwithcompatfix.jpg b/windows/deployment/planning/images/dep-win8-l-act-appredirectwithcompatfix.jpg
similarity index 100%
rename from windows/plan/images/dep-win8-l-act-appredirectwithcompatfix.jpg
rename to windows/deployment/planning/images/dep-win8-l-act-appredirectwithcompatfix.jpg
diff --git a/windows/plan/images/dep-win8-l-act-communityworkflowdiagram.jpg b/windows/deployment/planning/images/dep-win8-l-act-communityworkflowdiagram.jpg
similarity index 100%
rename from windows/plan/images/dep-win8-l-act-communityworkflowdiagram.jpg
rename to windows/deployment/planning/images/dep-win8-l-act-communityworkflowdiagram.jpg
diff --git a/windows/plan/images/dep-win8-l-act-compatadminflowchart.jpg b/windows/deployment/planning/images/dep-win8-l-act-compatadminflowchart.jpg
similarity index 100%
rename from windows/plan/images/dep-win8-l-act-compatadminflowchart.jpg
rename to windows/deployment/planning/images/dep-win8-l-act-compatadminflowchart.jpg
diff --git a/windows/plan/images/dep-win8-l-act-suaflowchart.jpg b/windows/deployment/planning/images/dep-win8-l-act-suaflowchart.jpg
similarity index 100%
rename from windows/plan/images/dep-win8-l-act-suaflowchart.jpg
rename to windows/deployment/planning/images/dep-win8-l-act-suaflowchart.jpg
diff --git a/windows/plan/images/dep-win8-l-act-suawizardflowchart.jpg b/windows/deployment/planning/images/dep-win8-l-act-suawizardflowchart.jpg
similarity index 100%
rename from windows/plan/images/dep-win8-l-act-suawizardflowchart.jpg
rename to windows/deployment/planning/images/dep-win8-l-act-suawizardflowchart.jpg
diff --git a/windows/plan/images/dep-win8-l-act-supportedtopologies.jpg b/windows/deployment/planning/images/dep-win8-l-act-supportedtopologies.jpg
similarity index 100%
rename from windows/plan/images/dep-win8-l-act-supportedtopologies.jpg
rename to windows/deployment/planning/images/dep-win8-l-act-supportedtopologies.jpg
diff --git a/windows/plan/images/deploy-win-10-school-figure1.png b/windows/deployment/planning/images/deploy-win-10-school-figure1.png
similarity index 100%
rename from windows/plan/images/deploy-win-10-school-figure1.png
rename to windows/deployment/planning/images/deploy-win-10-school-figure1.png
diff --git a/windows/plan/images/deploy-win-10-school-figure2.png b/windows/deployment/planning/images/deploy-win-10-school-figure2.png
similarity index 100%
rename from windows/plan/images/deploy-win-10-school-figure2.png
rename to windows/deployment/planning/images/deploy-win-10-school-figure2.png
diff --git a/windows/plan/images/deploy-win-10-school-figure3.png b/windows/deployment/planning/images/deploy-win-10-school-figure3.png
similarity index 100%
rename from windows/plan/images/deploy-win-10-school-figure3.png
rename to windows/deployment/planning/images/deploy-win-10-school-figure3.png
diff --git a/windows/plan/images/deploy-win-10-school-figure4.png b/windows/deployment/planning/images/deploy-win-10-school-figure4.png
similarity index 100%
rename from windows/plan/images/deploy-win-10-school-figure4.png
rename to windows/deployment/planning/images/deploy-win-10-school-figure4.png
diff --git a/windows/plan/images/deploy-win-10-school-figure5.png b/windows/deployment/planning/images/deploy-win-10-school-figure5.png
similarity index 100%
rename from windows/plan/images/deploy-win-10-school-figure5.png
rename to windows/deployment/planning/images/deploy-win-10-school-figure5.png
diff --git a/windows/plan/images/deploy-win-10-school-figure6.png b/windows/deployment/planning/images/deploy-win-10-school-figure6.png
similarity index 100%
rename from windows/plan/images/deploy-win-10-school-figure6.png
rename to windows/deployment/planning/images/deploy-win-10-school-figure6.png
diff --git a/windows/plan/images/deploy-win-10-school-figure7.png b/windows/deployment/planning/images/deploy-win-10-school-figure7.png
similarity index 100%
rename from windows/plan/images/deploy-win-10-school-figure7.png
rename to windows/deployment/planning/images/deploy-win-10-school-figure7.png
diff --git a/windows/plan/images/fig2-locallyconfig.png b/windows/deployment/planning/images/fig2-locallyconfig.png
similarity index 100%
rename from windows/plan/images/fig2-locallyconfig.png
rename to windows/deployment/planning/images/fig2-locallyconfig.png
diff --git a/windows/plan/images/fig4-wsuslist.png b/windows/deployment/planning/images/fig4-wsuslist.png
similarity index 100%
rename from windows/plan/images/fig4-wsuslist.png
rename to windows/deployment/planning/images/fig4-wsuslist.png
diff --git a/windows/plan/images/wtg-first-boot-home.gif b/windows/deployment/planning/images/wtg-first-boot-home.gif
similarity index 100%
rename from windows/plan/images/wtg-first-boot-home.gif
rename to windows/deployment/planning/images/wtg-first-boot-home.gif
diff --git a/windows/plan/images/wtg-first-boot-work.gif b/windows/deployment/planning/images/wtg-first-boot-work.gif
similarity index 100%
rename from windows/plan/images/wtg-first-boot-work.gif
rename to windows/deployment/planning/images/wtg-first-boot-work.gif
diff --git a/windows/plan/images/wtg-gpt-uefi.gif b/windows/deployment/planning/images/wtg-gpt-uefi.gif
similarity index 100%
rename from windows/plan/images/wtg-gpt-uefi.gif
rename to windows/deployment/planning/images/wtg-gpt-uefi.gif
diff --git a/windows/plan/images/wtg-image-deployment.gif b/windows/deployment/planning/images/wtg-image-deployment.gif
similarity index 100%
rename from windows/plan/images/wtg-image-deployment.gif
rename to windows/deployment/planning/images/wtg-image-deployment.gif
diff --git a/windows/plan/images/wtg-mbr-bios.gif b/windows/deployment/planning/images/wtg-mbr-bios.gif
similarity index 100%
rename from windows/plan/images/wtg-mbr-bios.gif
rename to windows/deployment/planning/images/wtg-mbr-bios.gif
diff --git a/windows/plan/images/wtg-mbr-firmware-roaming.gif b/windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif
similarity index 100%
rename from windows/plan/images/wtg-mbr-firmware-roaming.gif
rename to windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif
diff --git a/windows/plan/images/wtg-startup-options.gif b/windows/deployment/planning/images/wtg-startup-options.gif
similarity index 100%
rename from windows/plan/images/wtg-startup-options.gif
rename to windows/deployment/planning/images/wtg-startup-options.gif
diff --git a/windows/plan/images/wuforbus-fig1-manuallyset.png b/windows/deployment/planning/images/wuforbus-fig1-manuallyset.png
similarity index 100%
rename from windows/plan/images/wuforbus-fig1-manuallyset.png
rename to windows/deployment/planning/images/wuforbus-fig1-manuallyset.png
diff --git a/windows/plan/images/wuforbusiness-fig10-sccmconsole.png b/windows/deployment/planning/images/wuforbusiness-fig10-sccmconsole.png
similarity index 100%
rename from windows/plan/images/wuforbusiness-fig10-sccmconsole.png
rename to windows/deployment/planning/images/wuforbusiness-fig10-sccmconsole.png
diff --git a/windows/plan/images/wuforbusiness-fig11-intune.png b/windows/deployment/planning/images/wuforbusiness-fig11-intune.png
similarity index 100%
rename from windows/plan/images/wuforbusiness-fig11-intune.png
rename to windows/deployment/planning/images/wuforbusiness-fig11-intune.png
diff --git a/windows/plan/images/wuforbusiness-fig12a-updates.png b/windows/deployment/planning/images/wuforbusiness-fig12a-updates.png
similarity index 100%
rename from windows/plan/images/wuforbusiness-fig12a-updates.png
rename to windows/deployment/planning/images/wuforbusiness-fig12a-updates.png
diff --git a/windows/plan/images/wuforbusiness-fig13a-upgrades.png b/windows/deployment/planning/images/wuforbusiness-fig13a-upgrades.png
similarity index 100%
rename from windows/plan/images/wuforbusiness-fig13a-upgrades.png
rename to windows/deployment/planning/images/wuforbusiness-fig13a-upgrades.png
diff --git a/windows/plan/images/wuforbusiness-fig2-gp.png b/windows/deployment/planning/images/wuforbusiness-fig2-gp.png
similarity index 100%
rename from windows/plan/images/wuforbusiness-fig2-gp.png
rename to windows/deployment/planning/images/wuforbusiness-fig2-gp.png
diff --git a/windows/plan/images/wuforbusiness-fig3-mdm.png b/windows/deployment/planning/images/wuforbusiness-fig3-mdm.png
similarity index 100%
rename from windows/plan/images/wuforbusiness-fig3-mdm.png
rename to windows/deployment/planning/images/wuforbusiness-fig3-mdm.png
diff --git a/windows/plan/images/wuforbusiness-fig4-localpoleditor.png b/windows/deployment/planning/images/wuforbusiness-fig4-localpoleditor.png
similarity index 100%
rename from windows/plan/images/wuforbusiness-fig4-localpoleditor.png
rename to windows/deployment/planning/images/wuforbusiness-fig4-localpoleditor.png
diff --git a/windows/plan/images/wuforbusiness-fig5-deferupgrade.png b/windows/deployment/planning/images/wuforbusiness-fig5-deferupgrade.png
similarity index 100%
rename from windows/plan/images/wuforbusiness-fig5-deferupgrade.png
rename to windows/deployment/planning/images/wuforbusiness-fig5-deferupgrade.png
diff --git a/windows/plan/images/wuforbusiness-fig6-pause.png b/windows/deployment/planning/images/wuforbusiness-fig6-pause.png
similarity index 100%
rename from windows/plan/images/wuforbusiness-fig6-pause.png
rename to windows/deployment/planning/images/wuforbusiness-fig6-pause.png
diff --git a/windows/plan/images/wuforbusiness-fig7-validationgroup.png b/windows/deployment/planning/images/wuforbusiness-fig7-validationgroup.png
similarity index 100%
rename from windows/plan/images/wuforbusiness-fig7-validationgroup.png
rename to windows/deployment/planning/images/wuforbusiness-fig7-validationgroup.png
diff --git a/windows/plan/images/wuforbusiness-fig8a-chooseupdates.png b/windows/deployment/planning/images/wuforbusiness-fig8a-chooseupdates.png
similarity index 100%
rename from windows/plan/images/wuforbusiness-fig8a-chooseupdates.png
rename to windows/deployment/planning/images/wuforbusiness-fig8a-chooseupdates.png
diff --git a/windows/plan/images/wuforbusiness-fig9-dosettings.jpg b/windows/deployment/planning/images/wuforbusiness-fig9-dosettings.jpg
similarity index 100%
rename from windows/plan/images/wuforbusiness-fig9-dosettings.jpg
rename to windows/deployment/planning/images/wuforbusiness-fig9-dosettings.jpg
diff --git a/windows/plan/index.md b/windows/deployment/planning/index.md
similarity index 74%
rename from windows/plan/index.md
rename to windows/deployment/planning/index.md
index 125db28968..2448b16d8b 100644
--- a/windows/plan/index.md
+++ b/windows/deployment/planning/index.md
@@ -22,22 +22,12 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
|[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. |
|[Windows To Go: feature overview](windows-to-go-overview.md) |Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. |
|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. |
-|[Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) |This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
## Related topics
-- [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md)
-- [Deploy Windows 10 with MDT 2013 Update 1](../deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Deploy Windows 10 with Configuration Manager and MDT 2013 Update 1](../deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-- [Upgrade to Windows 10 with MDT 2013 Update 1](../deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Upgrade to Windows 10 with Configuration Manager](../deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+- [Windows 10 servicing options for updates and upgrades](../update/index.md)
+- [Deploy Windows 10 with MDT 2013 Update 1](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Deploy Windows 10 with Configuration Manager and MDT 2013 Update 1](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
+- [Upgrade to Windows 10 with MDT 2013 Update 1](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Upgrade to Windows 10 with Configuration Manager](../upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911)
-- [Windows 10 and Windows 10 Mobile](../index.md)
-
-
-
-
-
-
-
-
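Review bot: In the Related topics list, the link text "Windows 10 servicing options for updates and upgrades" now targets `../update/index.md`, a section landing page, while the other files touched in this commit re-point their servicing link to `../update/waas-servicing-strategy-windows-10-updates.md`. Pick one target for the retired servicing topic and use it in all of them. The last re-pointed link also carries over the misspelled file name `upgrade-to-windows-10-with-system-center-configuraton-manager.md`; confirm the file under `windows/deployment/upgrade/` really has that spelling, otherwise the link breaks after the move.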
diff --git a/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
similarity index 100%
rename from windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
rename to windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
diff --git a/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
similarity index 100%
rename from windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md
rename to windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
diff --git a/windows/plan/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
similarity index 100%
rename from windows/plan/prepare-your-organization-for-windows-to-go.md
rename to windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
diff --git a/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
similarity index 100%
rename from windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md
rename to windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
diff --git a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
similarity index 100%
rename from windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
rename to windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
diff --git a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
similarity index 100%
rename from windows/plan/security-and-data-protection-considerations-for-windows-to-go.md
rename to windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
diff --git a/windows/plan/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
similarity index 100%
rename from windows/plan/showing-messages-generated-by-the-sua-tool.md
rename to windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
diff --git a/windows/plan/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md
similarity index 100%
rename from windows/plan/sua-users-guide.md
rename to windows/deployment/planning/sua-users-guide.md
diff --git a/windows/plan/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
similarity index 100%
rename from windows/plan/tabs-on-the-sua-tool-interface.md
rename to windows/deployment/planning/tabs-on-the-sua-tool-interface.md
diff --git a/windows/plan/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md
similarity index 100%
rename from windows/plan/testing-your-application-mitigation-packages.md
rename to windows/deployment/planning/testing-your-application-mitigation-packages.md
diff --git a/windows/plan/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
similarity index 100%
rename from windows/plan/understanding-and-using-compatibility-fixes.md
rename to windows/deployment/planning/understanding-and-using-compatibility-fixes.md
diff --git a/windows/plan/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
similarity index 100%
rename from windows/plan/using-the-compatibility-administrator-tool.md
rename to windows/deployment/planning/using-the-compatibility-administrator-tool.md
diff --git a/windows/plan/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
similarity index 100%
rename from windows/plan/using-the-sdbinstexe-command-line-tool.md
rename to windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
diff --git a/windows/plan/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md
similarity index 100%
rename from windows/plan/using-the-sua-tool.md
rename to windows/deployment/planning/using-the-sua-tool.md
diff --git a/windows/plan/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md
similarity index 100%
rename from windows/plan/using-the-sua-wizard.md
rename to windows/deployment/planning/using-the-sua-wizard.md
diff --git a/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
similarity index 100%
rename from windows/plan/viewing-the-events-screen-in-compatibility-administrator.md
rename to windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
diff --git a/windows/plan/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md
similarity index 97%
rename from windows/plan/windows-10-compatibility.md
rename to windows/deployment/planning/windows-10-compatibility.md
index 013a715282..2ce0b1abdd 100644
--- a/windows/plan/windows-10-compatibility.md
+++ b/windows/deployment/planning/windows-10-compatibility.md
@@ -40,7 +40,7 @@ Historically, organizations have performed extensive, and often exhaustive, test
## Related topics
-[Windows 10 servicing options](windows-10-servicing-options.md)
+[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
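Review bot: The re-pointed link keeps the text "Windows 10 servicing options" but now opens `../update/waas-servicing-strategy-windows-10-updates.md`, so the label no longer names the page the reader lands on. Update the link text to the target topic's title, and confirm the target exists at `windows/deployment/update/` after the restructure, since a relative link that was same-folder before is now cross-folder.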
diff --git a/windows/plan/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
similarity index 99%
rename from windows/plan/windows-10-deployment-considerations.md
rename to windows/deployment/planning/windows-10-deployment-considerations.md
index 9c2cb27ef4..9ddd7ab954 100644
--- a/windows/plan/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -126,8 +126,6 @@ Over time, this upgrade process will be optimized to reduce the overall time and
## Related topics
-[Windows 10 servicing options](windows-10-servicing-options.md)
-
[Windows 10 compatibility](windows-10-compatibility.md)
[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
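Review bot: This hunk deletes the "Windows 10 servicing options" entry from Related topics, whereas windows-10-compatibility.md and windows-10-infrastructure-requirements.md in the same commit re-point the identical entry to `../update/waas-servicing-strategy-windows-10-updates.md`. Unless dropping it here is intentional, re-point it the same way so the three planning topics keep the same cross-references.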
diff --git a/windows/plan/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
similarity index 100%
rename from windows/plan/windows-10-enterprise-faq-itpro.md
rename to windows/deployment/planning/windows-10-enterprise-faq-itpro.md
diff --git a/windows/plan/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
similarity index 97%
rename from windows/plan/windows-10-infrastructure-requirements.md
rename to windows/deployment/planning/windows-10-infrastructure-requirements.md
index ff50a10a6c..f886d6391f 100644
--- a/windows/plan/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -47,7 +47,7 @@ For System Center Configuration Manager, Windows 10 support is offered with var
>Note: Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require System Center Configuration Manager current branch for supported management.
-For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
+For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
## Management tools
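Review bot: While this paragraph is being touched, the note directly above the changed line reads "are not supported With Configuration Manager 2012"; the capital "With" is a typo and should be lowercased in the same pass. The new `../deploy-windows-sccm/` path matches the one used in planning/index.md, so the link change itself is consistent.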
@@ -115,7 +115,7 @@ Note that Windows 10 Enterprise and Windows 10 Enterprise LTSB installations u
## Related topics
-[Windows 10 servicing options](windows-10-servicing-options.md)
+[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
[Windows 10 compatibility](windows-10-compatibility.md)
diff --git a/windows/plan/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
similarity index 100%
rename from windows/plan/windows-to-go-frequently-asked-questions.md
rename to windows/deployment/planning/windows-to-go-frequently-asked-questions.md
diff --git a/windows/plan/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
similarity index 100%
rename from windows/plan/windows-to-go-overview.md
rename to windows/deployment/planning/windows-to-go-overview.md
diff --git a/windows/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md
similarity index 65%
rename from windows/update/change-history-for-update-windows-10.md
rename to windows/deployment/update/change-history-for-update-windows-10.md
index d1a178004f..97ece9af22 100644
--- a/windows/update/change-history-for-update-windows-10.md
+++ b/windows/deployment/update/change-history-for-update-windows-10.md
@@ -15,5 +15,7 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc
## RELEASE: Windows 10, version 1703
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update).
-
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added:
+* [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+* [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
+* [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
\ No newline at end of file
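Review bot: The added bullet list starts on the line immediately after "The following new topics have been added:" with no blank line between them, and some Markdown renderers will fold the `*` items into the paragraph instead of producing a list. Put an empty line before the first bullet. The file also now ends without a trailing newline; add one so later appends to this change-history page produce clean diffs.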
diff --git a/windows/manage/images/ActionCenterXML.jpg b/windows/deployment/update/images/ActionCenterXML.jpg
similarity index 100%
rename from windows/manage/images/ActionCenterXML.jpg
rename to windows/deployment/update/images/ActionCenterXML.jpg
diff --git a/windows/manage/images/AppsXML.jpg b/windows/deployment/update/images/AppsXML.jpg
similarity index 100%
rename from windows/manage/images/AppsXML.jpg
rename to windows/deployment/update/images/AppsXML.jpg
diff --git a/windows/manage/images/AppsXML.png b/windows/deployment/update/images/AppsXML.png
similarity index 100%
rename from windows/manage/images/AppsXML.png
rename to windows/deployment/update/images/AppsXML.png
diff --git a/windows/manage/images/ButtonsXML.jpg b/windows/deployment/update/images/ButtonsXML.jpg
similarity index 100%
rename from windows/manage/images/ButtonsXML.jpg
rename to windows/deployment/update/images/ButtonsXML.jpg
diff --git a/windows/manage/images/CSPRunnerXML.jpg b/windows/deployment/update/images/CSPRunnerXML.jpg
similarity index 100%
rename from windows/manage/images/CSPRunnerXML.jpg
rename to windows/deployment/update/images/CSPRunnerXML.jpg
diff --git a/windows/manage/images/ICDstart-option.PNG b/windows/deployment/update/images/ICDstart-option.PNG
similarity index 100%
rename from windows/manage/images/ICDstart-option.PNG
rename to windows/deployment/update/images/ICDstart-option.PNG
diff --git a/windows/manage/images/MenuItemsXML.png b/windows/deployment/update/images/MenuItemsXML.png
similarity index 100%
rename from windows/manage/images/MenuItemsXML.png
rename to windows/deployment/update/images/MenuItemsXML.png
diff --git a/windows/manage/images/SettingsXML.png b/windows/deployment/update/images/SettingsXML.png
similarity index 100%
rename from windows/manage/images/SettingsXML.png
rename to windows/deployment/update/images/SettingsXML.png
diff --git a/windows/manage/images/StartGrid.jpg b/windows/deployment/update/images/StartGrid.jpg
similarity index 100%
rename from windows/manage/images/StartGrid.jpg
rename to windows/deployment/update/images/StartGrid.jpg
diff --git a/windows/manage/images/StartGridPinnedApps.jpg b/windows/deployment/update/images/StartGridPinnedApps.jpg
similarity index 100%
rename from windows/manage/images/StartGridPinnedApps.jpg
rename to windows/deployment/update/images/StartGridPinnedApps.jpg
diff --git a/windows/manage/images/TilesXML.png b/windows/deployment/update/images/TilesXML.png
similarity index 100%
rename from windows/manage/images/TilesXML.png
rename to windows/deployment/update/images/TilesXML.png
diff --git a/windows/update/images/admin-tools-folder.png b/windows/deployment/update/images/admin-tools-folder.png
similarity index 100%
rename from windows/update/images/admin-tools-folder.png
rename to windows/deployment/update/images/admin-tools-folder.png
diff --git a/windows/update/images/admin-tools.png b/windows/deployment/update/images/admin-tools.png
similarity index 100%
rename from windows/update/images/admin-tools.png
rename to windows/deployment/update/images/admin-tools.png
diff --git a/windows/update/images/allow-rdp.png b/windows/deployment/update/images/allow-rdp.png
similarity index 100%
rename from windows/update/images/allow-rdp.png
rename to windows/deployment/update/images/allow-rdp.png
diff --git a/windows/update/images/app-v-in-adk.png b/windows/deployment/update/images/app-v-in-adk.png
similarity index 100%
rename from windows/update/images/app-v-in-adk.png
rename to windows/deployment/update/images/app-v-in-adk.png
diff --git a/windows/manage/images/apprule.png b/windows/deployment/update/images/apprule.png
similarity index 100%
rename from windows/manage/images/apprule.png
rename to windows/deployment/update/images/apprule.png
diff --git a/windows/manage/images/appwarning.png b/windows/deployment/update/images/appwarning.png
similarity index 100%
rename from windows/manage/images/appwarning.png
rename to windows/deployment/update/images/appwarning.png
diff --git a/windows/manage/images/backicon.png b/windows/deployment/update/images/backicon.png
similarity index 100%
rename from windows/manage/images/backicon.png
rename to windows/deployment/update/images/backicon.png
diff --git a/windows/update/images/checklistbox.gif b/windows/deployment/update/images/checklistbox.gif
similarity index 100%
rename from windows/update/images/checklistbox.gif
rename to windows/deployment/update/images/checklistbox.gif
diff --git a/windows/manage/images/checklistdone.png b/windows/deployment/update/images/checklistdone.png
similarity index 100%
rename from windows/manage/images/checklistdone.png
rename to windows/deployment/update/images/checklistdone.png
diff --git a/windows/update/images/checkmark.png b/windows/deployment/update/images/checkmark.png
similarity index 100%
rename from windows/update/images/checkmark.png
rename to windows/deployment/update/images/checkmark.png
diff --git a/windows/manage/images/choose-package.png b/windows/deployment/update/images/choose-package.png
similarity index 100%
rename from windows/manage/images/choose-package.png
rename to windows/deployment/update/images/choose-package.png
diff --git a/windows/manage/images/config-policy.png b/windows/deployment/update/images/config-policy.png
similarity index 100%
rename from windows/manage/images/config-policy.png
rename to windows/deployment/update/images/config-policy.png
diff --git a/windows/manage/images/config-source.png b/windows/deployment/update/images/config-source.png
similarity index 100%
rename from windows/manage/images/config-source.png
rename to windows/deployment/update/images/config-source.png
diff --git a/windows/manage/images/configconflict.png b/windows/deployment/update/images/configconflict.png
similarity index 100%
rename from windows/manage/images/configconflict.png
rename to windows/deployment/update/images/configconflict.png
diff --git a/windows/manage/images/connect-aad.png b/windows/deployment/update/images/connect-aad.png
similarity index 100%
rename from windows/manage/images/connect-aad.png
rename to windows/deployment/update/images/connect-aad.png
diff --git a/windows/update/images/copy-to-change.png b/windows/deployment/update/images/copy-to-change.png
similarity index 100%
rename from windows/update/images/copy-to-change.png
rename to windows/deployment/update/images/copy-to-change.png
diff --git a/windows/update/images/copy-to-path.png b/windows/deployment/update/images/copy-to-path.png
similarity index 100%
rename from windows/update/images/copy-to-path.png
rename to windows/deployment/update/images/copy-to-path.png
diff --git a/windows/update/images/copy-to.PNG b/windows/deployment/update/images/copy-to.PNG
similarity index 100%
rename from windows/update/images/copy-to.PNG
rename to windows/deployment/update/images/copy-to.PNG
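Review bot: `copy-to.PNG` keeps its upper-case extension through the move, while the neighbouring `copy-to-change.png` and `copy-to-path.png` are lower-case. Image links are matched case-sensitively on case-sensitive file systems, so either rename the file to `copy-to.png` in this commit or confirm that every reference spells the extension `.PNG` exactly.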
diff --git a/windows/update/images/cortana-about-me.png b/windows/deployment/update/images/cortana-about-me.png
similarity index 100%
rename from windows/update/images/cortana-about-me.png
rename to windows/deployment/update/images/cortana-about-me.png
diff --git a/windows/update/images/cortana-add-reminder.png b/windows/deployment/update/images/cortana-add-reminder.png
similarity index 100%
rename from windows/update/images/cortana-add-reminder.png
rename to windows/deployment/update/images/cortana-add-reminder.png
diff --git a/windows/update/images/cortana-chicago-weather.png b/windows/deployment/update/images/cortana-chicago-weather.png
similarity index 100%
rename from windows/update/images/cortana-chicago-weather.png
rename to windows/deployment/update/images/cortana-chicago-weather.png
diff --git a/windows/update/images/cortana-complete-send-email-coworker-mic.png b/windows/deployment/update/images/cortana-complete-send-email-coworker-mic.png
similarity index 100%
rename from windows/update/images/cortana-complete-send-email-coworker-mic.png
rename to windows/deployment/update/images/cortana-complete-send-email-coworker-mic.png
diff --git a/windows/update/images/cortana-connect-crm.png b/windows/deployment/update/images/cortana-connect-crm.png
similarity index 100%
rename from windows/update/images/cortana-connect-crm.png
rename to windows/deployment/update/images/cortana-connect-crm.png
diff --git a/windows/update/images/cortana-connect-o365.png b/windows/deployment/update/images/cortana-connect-o365.png
similarity index 100%
rename from windows/update/images/cortana-connect-o365.png
rename to windows/deployment/update/images/cortana-connect-o365.png
diff --git a/windows/update/images/cortana-connect-uber.png b/windows/deployment/update/images/cortana-connect-uber.png
similarity index 100%
rename from windows/update/images/cortana-connect-uber.png
rename to windows/deployment/update/images/cortana-connect-uber.png
diff --git a/windows/update/images/cortana-crm-screen.png b/windows/deployment/update/images/cortana-crm-screen.png
similarity index 100%
rename from windows/update/images/cortana-crm-screen.png
rename to windows/deployment/update/images/cortana-crm-screen.png
diff --git a/windows/update/images/cortana-feedback.png b/windows/deployment/update/images/cortana-feedback.png
similarity index 100%
rename from windows/update/images/cortana-feedback.png
rename to windows/deployment/update/images/cortana-feedback.png
diff --git a/windows/update/images/cortana-final-reminder.png b/windows/deployment/update/images/cortana-final-reminder.png
similarity index 100%
rename from windows/update/images/cortana-final-reminder.png
rename to windows/deployment/update/images/cortana-final-reminder.png
diff --git a/windows/update/images/cortana-meeting-specific-time.png b/windows/deployment/update/images/cortana-meeting-specific-time.png
similarity index 100%
rename from windows/update/images/cortana-meeting-specific-time.png
rename to windows/deployment/update/images/cortana-meeting-specific-time.png
diff --git a/windows/update/images/cortana-meeting-tomorrow.png b/windows/deployment/update/images/cortana-meeting-tomorrow.png
similarity index 100%
rename from windows/update/images/cortana-meeting-tomorrow.png
rename to windows/deployment/update/images/cortana-meeting-tomorrow.png
diff --git a/windows/update/images/cortana-newyork-weather.png b/windows/deployment/update/images/cortana-newyork-weather.png
similarity index 100%
rename from windows/update/images/cortana-newyork-weather.png
rename to windows/deployment/update/images/cortana-newyork-weather.png
diff --git a/windows/update/images/cortana-o365-screen.png b/windows/deployment/update/images/cortana-o365-screen.png
similarity index 100%
rename from windows/update/images/cortana-o365-screen.png
rename to windows/deployment/update/images/cortana-o365-screen.png
diff --git a/windows/update/images/cortana-place-reminder.png b/windows/deployment/update/images/cortana-place-reminder.png
similarity index 100%
rename from windows/update/images/cortana-place-reminder.png
rename to windows/deployment/update/images/cortana-place-reminder.png
diff --git a/windows/update/images/cortana-powerbi-create-report.png b/windows/deployment/update/images/cortana-powerbi-create-report.png
similarity index 100%
rename from windows/update/images/cortana-powerbi-create-report.png
rename to windows/deployment/update/images/cortana-powerbi-create-report.png
diff --git a/windows/update/images/cortana-powerbi-expand-nav.png b/windows/deployment/update/images/cortana-powerbi-expand-nav.png
similarity index 100%
rename from windows/update/images/cortana-powerbi-expand-nav.png
rename to windows/deployment/update/images/cortana-powerbi-expand-nav.png
diff --git a/windows/update/images/cortana-powerbi-field-selection.png b/windows/deployment/update/images/cortana-powerbi-field-selection.png
similarity index 100%
rename from windows/update/images/cortana-powerbi-field-selection.png
rename to windows/deployment/update/images/cortana-powerbi-field-selection.png
diff --git a/windows/update/images/cortana-powerbi-getdata-samples.png b/windows/deployment/update/images/cortana-powerbi-getdata-samples.png
similarity index 100%
rename from windows/update/images/cortana-powerbi-getdata-samples.png
rename to windows/deployment/update/images/cortana-powerbi-getdata-samples.png
diff --git a/windows/update/images/cortana-powerbi-getdata.png b/windows/deployment/update/images/cortana-powerbi-getdata.png
similarity index 100%
rename from windows/update/images/cortana-powerbi-getdata.png
rename to windows/deployment/update/images/cortana-powerbi-getdata.png
diff --git a/windows/update/images/cortana-powerbi-myreport.png b/windows/deployment/update/images/cortana-powerbi-myreport.png
similarity index 100%
rename from windows/update/images/cortana-powerbi-myreport.png
rename to windows/deployment/update/images/cortana-powerbi-myreport.png
diff --git a/windows/update/images/cortana-powerbi-pagesize.png b/windows/deployment/update/images/cortana-powerbi-pagesize.png
similarity index 100%
rename from windows/update/images/cortana-powerbi-pagesize.png
rename to windows/deployment/update/images/cortana-powerbi-pagesize.png
diff --git a/windows/update/images/cortana-powerbi-report-qna.png b/windows/deployment/update/images/cortana-powerbi-report-qna.png
similarity index 100%
rename from windows/update/images/cortana-powerbi-report-qna.png
rename to windows/deployment/update/images/cortana-powerbi-report-qna.png
diff --git a/windows/update/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/deployment/update/images/cortana-powerbi-retail-analysis-dashboard.png
similarity index 100%
rename from windows/update/images/cortana-powerbi-retail-analysis-dashboard.png
rename to windows/deployment/update/images/cortana-powerbi-retail-analysis-dashboard.png
diff --git a/windows/update/images/cortana-powerbi-retail-analysis-dataset.png b/windows/deployment/update/images/cortana-powerbi-retail-analysis-dataset.png
similarity index 100%
rename from windows/update/images/cortana-powerbi-retail-analysis-dataset.png
rename to windows/deployment/update/images/cortana-powerbi-retail-analysis-dataset.png
diff --git a/windows/update/images/cortana-powerbi-retail-analysis-sample.png b/windows/deployment/update/images/cortana-powerbi-retail-analysis-sample.png
similarity index 100%
rename from windows/update/images/cortana-powerbi-retail-analysis-sample.png
rename to windows/deployment/update/images/cortana-powerbi-retail-analysis-sample.png
diff --git a/windows/update/images/cortana-powerbi-search.png b/windows/deployment/update/images/cortana-powerbi-search.png
similarity index 100%
rename from windows/update/images/cortana-powerbi-search.png
rename to windows/deployment/update/images/cortana-powerbi-search.png
diff --git a/windows/update/images/cortana-powerbi-settings.png b/windows/deployment/update/images/cortana-powerbi-settings.png
similarity index 100%
rename from windows/update/images/cortana-powerbi-settings.png
rename to windows/deployment/update/images/cortana-powerbi-settings.png
diff --git a/windows/update/images/cortana-redmond-weather.png b/windows/deployment/update/images/cortana-redmond-weather.png
similarity index 100%
rename from windows/update/images/cortana-redmond-weather.png
rename to windows/deployment/update/images/cortana-redmond-weather.png
diff --git a/windows/update/images/cortana-reminder-edit.png b/windows/deployment/update/images/cortana-reminder-edit.png
similarity index 100%
rename from windows/update/images/cortana-reminder-edit.png
rename to windows/deployment/update/images/cortana-reminder-edit.png
diff --git a/windows/update/images/cortana-reminder-list.png b/windows/deployment/update/images/cortana-reminder-list.png
similarity index 100%
rename from windows/update/images/cortana-reminder-list.png
rename to windows/deployment/update/images/cortana-reminder-list.png
diff --git a/windows/update/images/cortana-reminder-mic.png b/windows/deployment/update/images/cortana-reminder-mic.png
similarity index 100%
rename from windows/update/images/cortana-reminder-mic.png
rename to windows/deployment/update/images/cortana-reminder-mic.png
diff --git a/windows/update/images/cortana-reminder-pending-mic.png b/windows/deployment/update/images/cortana-reminder-pending-mic.png
similarity index 100%
rename from windows/update/images/cortana-reminder-pending-mic.png
rename to windows/deployment/update/images/cortana-reminder-pending-mic.png
diff --git a/windows/update/images/cortana-reminder-pending.png b/windows/deployment/update/images/cortana-reminder-pending.png
similarity index 100%
rename from windows/update/images/cortana-reminder-pending.png
rename to windows/deployment/update/images/cortana-reminder-pending.png
diff --git a/windows/update/images/cortana-send-email-coworker-mic.png b/windows/deployment/update/images/cortana-send-email-coworker-mic.png
similarity index 100%
rename from windows/update/images/cortana-send-email-coworker-mic.png
rename to windows/deployment/update/images/cortana-send-email-coworker-mic.png
diff --git a/windows/update/images/cortana-send-email-coworker.png b/windows/deployment/update/images/cortana-send-email-coworker.png
similarity index 100%
rename from windows/update/images/cortana-send-email-coworker.png
rename to windows/deployment/update/images/cortana-send-email-coworker.png
diff --git a/windows/update/images/cortana-weather-multipanel.png b/windows/deployment/update/images/cortana-weather-multipanel.png
similarity index 100%
rename from windows/update/images/cortana-weather-multipanel.png
rename to windows/deployment/update/images/cortana-weather-multipanel.png
diff --git a/windows/update/images/crossmark.png b/windows/deployment/update/images/crossmark.png
similarity index 100%
rename from windows/update/images/crossmark.png
rename to windows/deployment/update/images/crossmark.png
diff --git a/windows/manage/images/csp-placeholder.png b/windows/deployment/update/images/csp-placeholder.png
similarity index 100%
rename from windows/manage/images/csp-placeholder.png
rename to windows/deployment/update/images/csp-placeholder.png
diff --git a/windows/manage/images/cspinicd.png b/windows/deployment/update/images/cspinicd.png
similarity index 100%
rename from windows/manage/images/cspinicd.png
rename to windows/deployment/update/images/cspinicd.png
diff --git a/windows/manage/images/csptable.png b/windows/deployment/update/images/csptable.png
similarity index 100%
rename from windows/manage/images/csptable.png
rename to windows/deployment/update/images/csptable.png
diff --git a/windows/manage/images/deploymentworkflow.png b/windows/deployment/update/images/deploymentworkflow.png
similarity index 100%
rename from windows/manage/images/deploymentworkflow.png
rename to windows/deployment/update/images/deploymentworkflow.png
diff --git a/windows/update/images/doneicon.png b/windows/deployment/update/images/doneicon.png
similarity index 100%
rename from windows/update/images/doneicon.png
rename to windows/deployment/update/images/doneicon.png
diff --git a/windows/manage/images/export-mgt-desktop.png b/windows/deployment/update/images/export-mgt-desktop.png
similarity index 100%
rename from windows/manage/images/export-mgt-desktop.png
rename to windows/deployment/update/images/export-mgt-desktop.png
diff --git a/windows/manage/images/export-mgt-mobile.png b/windows/deployment/update/images/export-mgt-mobile.png
similarity index 100%
rename from windows/manage/images/export-mgt-mobile.png
rename to windows/deployment/update/images/export-mgt-mobile.png
diff --git a/windows/manage/images/express-settings.png b/windows/deployment/update/images/express-settings.png
similarity index 100%
rename from windows/manage/images/express-settings.png
rename to windows/deployment/update/images/express-settings.png
diff --git a/windows/manage/images/fig1-deferupgrades.png b/windows/deployment/update/images/fig1-deferupgrades.png
similarity index 100%
rename from windows/manage/images/fig1-deferupgrades.png
rename to windows/deployment/update/images/fig1-deferupgrades.png
diff --git a/windows/manage/images/fig2-deploymenttimeline.png b/windows/deployment/update/images/fig2-deploymenttimeline.png
similarity index 100%
rename from windows/manage/images/fig2-deploymenttimeline.png
rename to windows/deployment/update/images/fig2-deploymenttimeline.png
diff --git a/windows/manage/images/fig3-overlaprelease.png b/windows/deployment/update/images/fig3-overlaprelease.png
similarity index 100%
rename from windows/manage/images/fig3-overlaprelease.png
rename to windows/deployment/update/images/fig3-overlaprelease.png
diff --git a/windows/manage/images/funfacts.png b/windows/deployment/update/images/funfacts.png
similarity index 100%
rename from windows/manage/images/funfacts.png
rename to windows/deployment/update/images/funfacts.png
diff --git a/windows/manage/images/genrule.png b/windows/deployment/update/images/genrule.png
similarity index 100%
rename from windows/manage/images/genrule.png
rename to windows/deployment/update/images/genrule.png
diff --git a/windows/manage/images/gp-branch.png b/windows/deployment/update/images/gp-branch.png
similarity index 100%
rename from windows/manage/images/gp-branch.png
rename to windows/deployment/update/images/gp-branch.png
diff --git a/windows/manage/images/gp-exclude-drivers.png b/windows/deployment/update/images/gp-exclude-drivers.png
similarity index 100%
rename from windows/manage/images/gp-exclude-drivers.png
rename to windows/deployment/update/images/gp-exclude-drivers.png
diff --git a/windows/manage/images/gp-feature.png b/windows/deployment/update/images/gp-feature.png
similarity index 100%
rename from windows/manage/images/gp-feature.png
rename to windows/deployment/update/images/gp-feature.png
diff --git a/windows/manage/images/gp-quality.png b/windows/deployment/update/images/gp-quality.png
similarity index 100%
rename from windows/manage/images/gp-quality.png
rename to windows/deployment/update/images/gp-quality.png
diff --git a/windows/manage/images/icd-adv-shared-pc.PNG b/windows/deployment/update/images/icd-adv-shared-pc.PNG
similarity index 100%
rename from windows/manage/images/icd-adv-shared-pc.PNG
rename to windows/deployment/update/images/icd-adv-shared-pc.PNG
diff --git a/windows/manage/images/icd-school.PNG b/windows/deployment/update/images/icd-school.PNG
similarity index 100%
rename from windows/manage/images/icd-school.PNG
rename to windows/deployment/update/images/icd-school.PNG
diff --git a/windows/manage/images/icd-simple.PNG b/windows/deployment/update/images/icd-simple.PNG
similarity index 100%
rename from windows/manage/images/icd-simple.PNG
rename to windows/deployment/update/images/icd-simple.PNG
diff --git a/windows/manage/images/icdbrowse.png b/windows/deployment/update/images/icdbrowse.png
similarity index 100%
rename from windows/manage/images/icdbrowse.png
rename to windows/deployment/update/images/icdbrowse.png
diff --git a/windows/manage/images/identitychoices.png b/windows/deployment/update/images/identitychoices.png
similarity index 100%
rename from windows/manage/images/identitychoices.png
rename to windows/deployment/update/images/identitychoices.png
diff --git a/windows/manage/images/launchicon.png b/windows/deployment/update/images/launchicon.png
similarity index 100%
rename from windows/manage/images/launchicon.png
rename to windows/deployment/update/images/launchicon.png
diff --git a/windows/manage/images/license-terms.png b/windows/deployment/update/images/license-terms.png
similarity index 100%
rename from windows/manage/images/license-terms.png
rename to windows/deployment/update/images/license-terms.png
diff --git a/windows/manage/images/lockdownapps.png b/windows/deployment/update/images/lockdownapps.png
similarity index 100%
rename from windows/manage/images/lockdownapps.png
rename to windows/deployment/update/images/lockdownapps.png
diff --git a/windows/manage/images/lockscreen.png b/windows/deployment/update/images/lockscreen.png
similarity index 100%
rename from windows/manage/images/lockscreen.png
rename to windows/deployment/update/images/lockscreen.png
diff --git a/windows/manage/images/lockscreenpolicy.png b/windows/deployment/update/images/lockscreenpolicy.png
similarity index 100%
rename from windows/manage/images/lockscreenpolicy.png
rename to windows/deployment/update/images/lockscreenpolicy.png
diff --git a/windows/manage/images/mdm-diag-report-powershell.PNG b/windows/deployment/update/images/mdm-diag-report-powershell.PNG
similarity index 100%
rename from windows/manage/images/mdm-diag-report-powershell.PNG
rename to windows/deployment/update/images/mdm-diag-report-powershell.PNG
diff --git a/windows/manage/images/mdm.png b/windows/deployment/update/images/mdm.png
similarity index 100%
rename from windows/manage/images/mdm.png
rename to windows/deployment/update/images/mdm.png
diff --git a/windows/manage/images/mobile-start-layout.png b/windows/deployment/update/images/mobile-start-layout.png
similarity index 100%
rename from windows/manage/images/mobile-start-layout.png
rename to windows/deployment/update/images/mobile-start-layout.png
diff --git a/windows/manage/images/oma-uri-shared-pc.png b/windows/deployment/update/images/oma-uri-shared-pc.png
similarity index 100%
rename from windows/manage/images/oma-uri-shared-pc.png
rename to windows/deployment/update/images/oma-uri-shared-pc.png
diff --git a/windows/deploy/images/oobe.jpg b/windows/deployment/update/images/oobe.jpg
similarity index 100%
rename from windows/deploy/images/oobe.jpg
rename to windows/deployment/update/images/oobe.jpg
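Review bot: `oobe.jpg` comes from `windows/deploy/images`, a third source tree next to `windows/manage/images` and `windows/update/images`, and all three land in the single `windows/deployment/update/images` folder. With three directories merged into one, check that no two of them carried a same-named file with different content, because only one can occupy the destination path.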
diff --git a/windows/manage/images/package.png b/windows/deployment/update/images/package.png
similarity index 100%
rename from windows/manage/images/package.png
rename to windows/deployment/update/images/package.png
diff --git a/windows/update/images/packageaddfileandregistrydata-global.png b/windows/deployment/update/images/packageaddfileandregistrydata-global.png
similarity index 100%
rename from windows/update/images/packageaddfileandregistrydata-global.png
rename to windows/deployment/update/images/packageaddfileandregistrydata-global.png
diff --git a/windows/update/images/packageaddfileandregistrydata-stream.png b/windows/deployment/update/images/packageaddfileandregistrydata-stream.png
similarity index 100%
rename from windows/update/images/packageaddfileandregistrydata-stream.png
rename to windows/deployment/update/images/packageaddfileandregistrydata-stream.png
diff --git a/windows/update/images/packageaddfileandregistrydata.png b/windows/deployment/update/images/packageaddfileandregistrydata.png
similarity index 100%
rename from windows/update/images/packageaddfileandregistrydata.png
rename to windows/deployment/update/images/packageaddfileandregistrydata.png
diff --git a/windows/manage/images/phoneprovision.png b/windows/deployment/update/images/phoneprovision.png
similarity index 100%
rename from windows/manage/images/phoneprovision.png
rename to windows/deployment/update/images/phoneprovision.png
diff --git a/windows/manage/images/policytocsp.png b/windows/deployment/update/images/policytocsp.png
similarity index 100%
rename from windows/manage/images/policytocsp.png
rename to windows/deployment/update/images/policytocsp.png
diff --git a/windows/manage/images/powericon.png b/windows/deployment/update/images/powericon.png
similarity index 100%
rename from windows/manage/images/powericon.png
rename to windows/deployment/update/images/powericon.png
diff --git a/windows/manage/images/priv-telemetry-levels.png b/windows/deployment/update/images/priv-telemetry-levels.png
similarity index 100%
rename from windows/manage/images/priv-telemetry-levels.png
rename to windows/deployment/update/images/priv-telemetry-levels.png
diff --git a/windows/manage/images/prov.jpg b/windows/deployment/update/images/prov.jpg
similarity index 100%
rename from windows/manage/images/prov.jpg
rename to windows/deployment/update/images/prov.jpg
diff --git a/windows/manage/images/provisioning-csp-assignedaccess.png b/windows/deployment/update/images/provisioning-csp-assignedaccess.png
similarity index 100%
rename from windows/manage/images/provisioning-csp-assignedaccess.png
rename to windows/deployment/update/images/provisioning-csp-assignedaccess.png
diff --git a/windows/update/images/rdp.png b/windows/deployment/update/images/rdp.png
similarity index 100%
rename from windows/update/images/rdp.png
rename to windows/deployment/update/images/rdp.png
diff --git a/windows/manage/images/resetdevice.png b/windows/deployment/update/images/resetdevice.png
similarity index 100%
rename from windows/manage/images/resetdevice.png
rename to windows/deployment/update/images/resetdevice.png
diff --git a/windows/manage/images/settings-table.png b/windows/deployment/update/images/settings-table.png
similarity index 100%
rename from windows/manage/images/settings-table.png
rename to windows/deployment/update/images/settings-table.png
diff --git a/windows/manage/images/settingsicon.png b/windows/deployment/update/images/settingsicon.png
similarity index 100%
rename from windows/manage/images/settingsicon.png
rename to windows/deployment/update/images/settingsicon.png
diff --git a/windows/deploy/images/setupmsg.jpg b/windows/deployment/update/images/setupmsg.jpg
similarity index 100%
rename from windows/deploy/images/setupmsg.jpg
rename to windows/deployment/update/images/setupmsg.jpg
diff --git a/windows/manage/images/sign-in-prov.png b/windows/deployment/update/images/sign-in-prov.png
similarity index 100%
rename from windows/manage/images/sign-in-prov.png
rename to windows/deployment/update/images/sign-in-prov.png
diff --git a/windows/manage/images/spotlight.png b/windows/deployment/update/images/spotlight.png
similarity index 100%
rename from windows/manage/images/spotlight.png
rename to windows/deployment/update/images/spotlight.png
diff --git a/windows/manage/images/spotlight2.png b/windows/deployment/update/images/spotlight2.png
similarity index 100%
rename from windows/manage/images/spotlight2.png
rename to windows/deployment/update/images/spotlight2.png
diff --git a/windows/manage/images/start-pinned-app.png b/windows/deployment/update/images/start-pinned-app.png
similarity index 100%
rename from windows/manage/images/start-pinned-app.png
rename to windows/deployment/update/images/start-pinned-app.png
diff --git a/windows/manage/images/startannotated.png b/windows/deployment/update/images/startannotated.png
similarity index 100%
rename from windows/manage/images/startannotated.png
rename to windows/deployment/update/images/startannotated.png
diff --git a/windows/manage/images/starticon.png b/windows/deployment/update/images/starticon.png
similarity index 100%
rename from windows/manage/images/starticon.png
rename to windows/deployment/update/images/starticon.png
diff --git a/windows/manage/images/startlayoutpolicy.jpg b/windows/deployment/update/images/startlayoutpolicy.jpg
similarity index 100%
rename from windows/manage/images/startlayoutpolicy.jpg
rename to windows/deployment/update/images/startlayoutpolicy.jpg
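Review bot: the `rename from windows/manage/images/startlayoutpolicy.jpg` line means the file no longer exists at the old path. Confirm that the articles embedding it are moved under `windows/deployment/update` in the same commit or have their relative `images/` links updated, otherwise they will render with a broken image.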
diff --git a/windows/manage/images/starttemplate.jpg b/windows/deployment/update/images/starttemplate.jpg
similarity index 100%
rename from windows/manage/images/starttemplate.jpg
rename to windows/deployment/update/images/starttemplate.jpg
diff --git a/windows/update/images/sysprep-error.png b/windows/deployment/update/images/sysprep-error.png
similarity index 100%
rename from windows/update/images/sysprep-error.png
rename to windows/deployment/update/images/sysprep-error.png
diff --git a/windows/manage/images/taskbar-blank.png b/windows/deployment/update/images/taskbar-blank.png
similarity index 100%
rename from windows/manage/images/taskbar-blank.png
rename to windows/deployment/update/images/taskbar-blank.png
diff --git a/windows/manage/images/taskbar-default-plus.png b/windows/deployment/update/images/taskbar-default-plus.png
similarity index 100%
rename from windows/manage/images/taskbar-default-plus.png
rename to windows/deployment/update/images/taskbar-default-plus.png
diff --git a/windows/manage/images/taskbar-default-removed.png b/windows/deployment/update/images/taskbar-default-removed.png
similarity index 100%
rename from windows/manage/images/taskbar-default-removed.png
rename to windows/deployment/update/images/taskbar-default-removed.png
diff --git a/windows/manage/images/taskbar-default.png b/windows/deployment/update/images/taskbar-default.png
similarity index 100%
rename from windows/manage/images/taskbar-default.png
rename to windows/deployment/update/images/taskbar-default.png
diff --git a/windows/manage/images/taskbar-generic.png b/windows/deployment/update/images/taskbar-generic.png
similarity index 100%
rename from windows/manage/images/taskbar-generic.png
rename to windows/deployment/update/images/taskbar-generic.png
diff --git a/windows/manage/images/taskbar-region-defr.png b/windows/deployment/update/images/taskbar-region-defr.png
similarity index 100%
rename from windows/manage/images/taskbar-region-defr.png
rename to windows/deployment/update/images/taskbar-region-defr.png
diff --git a/windows/manage/images/taskbar-region-other.png b/windows/deployment/update/images/taskbar-region-other.png
similarity index 100%
rename from windows/manage/images/taskbar-region-other.png
rename to windows/deployment/update/images/taskbar-region-other.png
diff --git a/windows/manage/images/taskbar-region-usuk.png b/windows/deployment/update/images/taskbar-region-usuk.png
similarity index 100%
rename from windows/manage/images/taskbar-region-usuk.png
rename to windows/deployment/update/images/taskbar-region-usuk.png
diff --git a/windows/manage/images/taskbarSTARTERBLANK.png b/windows/deployment/update/images/taskbarSTARTERBLANK.png
similarity index 100%
rename from windows/manage/images/taskbarSTARTERBLANK.png
rename to windows/deployment/update/images/taskbarSTARTERBLANK.png
diff --git a/windows/manage/images/trust-package.png b/windows/deployment/update/images/trust-package.png
similarity index 100%
rename from windows/manage/images/trust-package.png
rename to windows/deployment/update/images/trust-package.png
diff --git a/windows/manage/images/twain.png b/windows/deployment/update/images/twain.png
similarity index 100%
rename from windows/manage/images/twain.png
rename to windows/deployment/update/images/twain.png
diff --git a/windows/manage/images/uc-01.png b/windows/deployment/update/images/uc-01.png
similarity index 100%
rename from windows/manage/images/uc-01.png
rename to windows/deployment/update/images/uc-01.png
diff --git a/windows/manage/images/uc-02.png b/windows/deployment/update/images/uc-02.png
similarity index 100%
rename from windows/manage/images/uc-02.png
rename to windows/deployment/update/images/uc-02.png
diff --git a/windows/manage/images/uc-02a.png b/windows/deployment/update/images/uc-02a.png
similarity index 100%
rename from windows/manage/images/uc-02a.png
rename to windows/deployment/update/images/uc-02a.png
diff --git a/windows/manage/images/uc-03.png b/windows/deployment/update/images/uc-03.png
similarity index 100%
rename from windows/manage/images/uc-03.png
rename to windows/deployment/update/images/uc-03.png
diff --git a/windows/manage/images/uc-03a.png b/windows/deployment/update/images/uc-03a.png
similarity index 100%
rename from windows/manage/images/uc-03a.png
rename to windows/deployment/update/images/uc-03a.png
diff --git a/windows/manage/images/uc-04.png b/windows/deployment/update/images/uc-04.png
similarity index 100%
rename from windows/manage/images/uc-04.png
rename to windows/deployment/update/images/uc-04.png
diff --git a/windows/manage/images/uc-04a.png b/windows/deployment/update/images/uc-04a.png
similarity index 100%
rename from windows/manage/images/uc-04a.png
rename to windows/deployment/update/images/uc-04a.png
diff --git a/windows/manage/images/uc-05.png b/windows/deployment/update/images/uc-05.png
similarity index 100%
rename from windows/manage/images/uc-05.png
rename to windows/deployment/update/images/uc-05.png
diff --git a/windows/manage/images/uc-05a.png b/windows/deployment/update/images/uc-05a.png
similarity index 100%
rename from windows/manage/images/uc-05a.png
rename to windows/deployment/update/images/uc-05a.png
diff --git a/windows/manage/images/uc-06.png b/windows/deployment/update/images/uc-06.png
similarity index 100%
rename from windows/manage/images/uc-06.png
rename to windows/deployment/update/images/uc-06.png
diff --git a/windows/manage/images/uc-06a.png b/windows/deployment/update/images/uc-06a.png
similarity index 100%
rename from windows/manage/images/uc-06a.png
rename to windows/deployment/update/images/uc-06a.png
diff --git a/windows/manage/images/uc-07.png b/windows/deployment/update/images/uc-07.png
similarity index 100%
rename from windows/manage/images/uc-07.png
rename to windows/deployment/update/images/uc-07.png
diff --git a/windows/manage/images/uc-07a.png b/windows/deployment/update/images/uc-07a.png
similarity index 100%
rename from windows/manage/images/uc-07a.png
rename to windows/deployment/update/images/uc-07a.png
diff --git a/windows/manage/images/uc-08.png b/windows/deployment/update/images/uc-08.png
similarity index 100%
rename from windows/manage/images/uc-08.png
rename to windows/deployment/update/images/uc-08.png
diff --git a/windows/manage/images/uc-08a.png b/windows/deployment/update/images/uc-08a.png
similarity index 100%
rename from windows/manage/images/uc-08a.png
rename to windows/deployment/update/images/uc-08a.png
diff --git a/windows/manage/images/uc-09.png b/windows/deployment/update/images/uc-09.png
similarity index 100%
rename from windows/manage/images/uc-09.png
rename to windows/deployment/update/images/uc-09.png
diff --git a/windows/manage/images/uc-09a.png b/windows/deployment/update/images/uc-09a.png
similarity index 100%
rename from windows/manage/images/uc-09a.png
rename to windows/deployment/update/images/uc-09a.png
diff --git a/windows/manage/images/uc-10.png b/windows/deployment/update/images/uc-10.png
similarity index 100%
rename from windows/manage/images/uc-10.png
rename to windows/deployment/update/images/uc-10.png
diff --git a/windows/manage/images/uc-10a.png b/windows/deployment/update/images/uc-10a.png
similarity index 100%
rename from windows/manage/images/uc-10a.png
rename to windows/deployment/update/images/uc-10a.png
diff --git a/windows/manage/images/uc-11.png b/windows/deployment/update/images/uc-11.png
similarity index 100%
rename from windows/manage/images/uc-11.png
rename to windows/deployment/update/images/uc-11.png
diff --git a/windows/manage/images/uc-12.png b/windows/deployment/update/images/uc-12.png
similarity index 100%
rename from windows/manage/images/uc-12.png
rename to windows/deployment/update/images/uc-12.png
diff --git a/windows/manage/images/uc-13.png b/windows/deployment/update/images/uc-13.png
similarity index 100%
rename from windows/manage/images/uc-13.png
rename to windows/deployment/update/images/uc-13.png
diff --git a/windows/manage/images/uc-14.png b/windows/deployment/update/images/uc-14.png
similarity index 100%
rename from windows/manage/images/uc-14.png
rename to windows/deployment/update/images/uc-14.png
diff --git a/windows/manage/images/uc-15.png b/windows/deployment/update/images/uc-15.png
similarity index 100%
rename from windows/manage/images/uc-15.png
rename to windows/deployment/update/images/uc-15.png
diff --git a/windows/manage/images/uc-16.png b/windows/deployment/update/images/uc-16.png
similarity index 100%
rename from windows/manage/images/uc-16.png
rename to windows/deployment/update/images/uc-16.png
diff --git a/windows/manage/images/uc-17.png b/windows/deployment/update/images/uc-17.png
similarity index 100%
rename from windows/manage/images/uc-17.png
rename to windows/deployment/update/images/uc-17.png
diff --git a/windows/manage/images/uc-18.png b/windows/deployment/update/images/uc-18.png
similarity index 100%
rename from windows/manage/images/uc-18.png
rename to windows/deployment/update/images/uc-18.png
diff --git a/windows/manage/images/uc-19.png b/windows/deployment/update/images/uc-19.png
similarity index 100%
rename from windows/manage/images/uc-19.png
rename to windows/deployment/update/images/uc-19.png
diff --git a/windows/manage/images/uc-20.png b/windows/deployment/update/images/uc-20.png
similarity index 100%
rename from windows/manage/images/uc-20.png
rename to windows/deployment/update/images/uc-20.png
diff --git a/windows/manage/images/uc-21.png b/windows/deployment/update/images/uc-21.png
similarity index 100%
rename from windows/manage/images/uc-21.png
rename to windows/deployment/update/images/uc-21.png
diff --git a/windows/manage/images/uc-22.png b/windows/deployment/update/images/uc-22.png
similarity index 100%
rename from windows/manage/images/uc-22.png
rename to windows/deployment/update/images/uc-22.png
diff --git a/windows/manage/images/uc-23.png b/windows/deployment/update/images/uc-23.png
similarity index 100%
rename from windows/manage/images/uc-23.png
rename to windows/deployment/update/images/uc-23.png
diff --git a/windows/manage/images/uc-24.png b/windows/deployment/update/images/uc-24.png
similarity index 100%
rename from windows/manage/images/uc-24.png
rename to windows/deployment/update/images/uc-24.png
diff --git a/windows/manage/images/uc-25.png b/windows/deployment/update/images/uc-25.png
similarity index 100%
rename from windows/manage/images/uc-25.png
rename to windows/deployment/update/images/uc-25.png
diff --git a/windows/manage/images/uev-adk-select-uev-feature.png b/windows/deployment/update/images/uev-adk-select-uev-feature.png
similarity index 100%
rename from windows/manage/images/uev-adk-select-uev-feature.png
rename to windows/deployment/update/images/uev-adk-select-uev-feature.png
diff --git a/windows/manage/images/uev-archdiagram.png b/windows/deployment/update/images/uev-archdiagram.png
similarity index 100%
rename from windows/manage/images/uev-archdiagram.png
rename to windows/deployment/update/images/uev-archdiagram.png
diff --git a/windows/manage/images/uev-checklist-box.gif b/windows/deployment/update/images/uev-checklist-box.gif
similarity index 100%
rename from windows/manage/images/uev-checklist-box.gif
rename to windows/deployment/update/images/uev-checklist-box.gif
diff --git a/windows/manage/images/uev-deployment-preparation.png b/windows/deployment/update/images/uev-deployment-preparation.png
similarity index 100%
rename from windows/manage/images/uev-deployment-preparation.png
rename to windows/deployment/update/images/uev-deployment-preparation.png
diff --git a/windows/manage/images/uev-generator-process.png b/windows/deployment/update/images/uev-generator-process.png
similarity index 100%
rename from windows/manage/images/uev-generator-process.png
rename to windows/deployment/update/images/uev-generator-process.png
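Review bot: The uev-* images (uev-adk-select-uev-feature.png through uev-generator-process.png) are being moved into windows/deployment/update/images, but by their names they illustrate UE-V rather than update content. Please confirm that a topic under windows/deployment/update actually references them; if not, they should move with the UE-V topics instead of being swept along in the bulk rename. The same question applies to the wifisense-* and win10-mobile-mdm-fig1.png renames further down.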
diff --git a/windows/manage/images/w10servicing-f1-branches.png b/windows/deployment/update/images/w10servicing-f1-branches.png
similarity index 100%
rename from windows/manage/images/w10servicing-f1-branches.png
rename to windows/deployment/update/images/w10servicing-f1-branches.png
diff --git a/windows/manage/images/waas-active-hours-policy.PNG b/windows/deployment/update/images/waas-active-hours-policy.PNG
similarity index 100%
rename from windows/manage/images/waas-active-hours-policy.PNG
rename to windows/deployment/update/images/waas-active-hours-policy.PNG
diff --git a/windows/manage/images/waas-active-hours.PNG b/windows/deployment/update/images/waas-active-hours.PNG
similarity index 100%
rename from windows/manage/images/waas-active-hours.PNG
rename to windows/deployment/update/images/waas-active-hours.PNG
diff --git a/windows/manage/images/waas-auto-update-policy.PNG b/windows/deployment/update/images/waas-auto-update-policy.PNG
similarity index 100%
rename from windows/manage/images/waas-auto-update-policy.PNG
rename to windows/deployment/update/images/waas-auto-update-policy.PNG
diff --git a/windows/manage/images/waas-do-fig1.png b/windows/deployment/update/images/waas-do-fig1.png
similarity index 100%
rename from windows/manage/images/waas-do-fig1.png
rename to windows/deployment/update/images/waas-do-fig1.png
diff --git a/windows/manage/images/waas-do-fig2.png b/windows/deployment/update/images/waas-do-fig2.png
similarity index 100%
rename from windows/manage/images/waas-do-fig2.png
rename to windows/deployment/update/images/waas-do-fig2.png
diff --git a/windows/manage/images/waas-do-fig3.png b/windows/deployment/update/images/waas-do-fig3.png
similarity index 100%
rename from windows/manage/images/waas-do-fig3.png
rename to windows/deployment/update/images/waas-do-fig3.png
diff --git a/windows/manage/images/waas-do-fig4.png b/windows/deployment/update/images/waas-do-fig4.png
similarity index 100%
rename from windows/manage/images/waas-do-fig4.png
rename to windows/deployment/update/images/waas-do-fig4.png
diff --git a/windows/manage/images/waas-overview-patch.png b/windows/deployment/update/images/waas-overview-patch.png
similarity index 100%
rename from windows/manage/images/waas-overview-patch.png
rename to windows/deployment/update/images/waas-overview-patch.png
diff --git a/windows/manage/images/waas-restart-policy.PNG b/windows/deployment/update/images/waas-restart-policy.PNG
similarity index 100%
rename from windows/manage/images/waas-restart-policy.PNG
rename to windows/deployment/update/images/waas-restart-policy.PNG
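Review bot: Four of these renames keep an uppercase .PNG extension (waas-active-hours-policy.PNG, waas-active-hours.PNG, waas-auto-update-policy.PNG, waas-restart-policy.PNG) while every other image in the directory uses lowercase. Since each referencing link has to be touched for the new path anyway, this is the cheap moment to normalize the extension to .png, which avoids broken images on case-sensitive hosts when a link is typed in lowercase.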
diff --git a/windows/manage/images/waas-rings.png b/windows/deployment/update/images/waas-rings.png
similarity index 100%
rename from windows/manage/images/waas-rings.png
rename to windows/deployment/update/images/waas-rings.png
diff --git a/windows/manage/images/waas-sccm-fig1.png b/windows/deployment/update/images/waas-sccm-fig1.png
similarity index 100%
rename from windows/manage/images/waas-sccm-fig1.png
rename to windows/deployment/update/images/waas-sccm-fig1.png
diff --git a/windows/manage/images/waas-sccm-fig10.png b/windows/deployment/update/images/waas-sccm-fig10.png
similarity index 100%
rename from windows/manage/images/waas-sccm-fig10.png
rename to windows/deployment/update/images/waas-sccm-fig10.png
diff --git a/windows/manage/images/waas-sccm-fig11.png b/windows/deployment/update/images/waas-sccm-fig11.png
similarity index 100%
rename from windows/manage/images/waas-sccm-fig11.png
rename to windows/deployment/update/images/waas-sccm-fig11.png
diff --git a/windows/manage/images/waas-sccm-fig12.png b/windows/deployment/update/images/waas-sccm-fig12.png
similarity index 100%
rename from windows/manage/images/waas-sccm-fig12.png
rename to windows/deployment/update/images/waas-sccm-fig12.png
diff --git a/windows/manage/images/waas-sccm-fig2.png b/windows/deployment/update/images/waas-sccm-fig2.png
similarity index 100%
rename from windows/manage/images/waas-sccm-fig2.png
rename to windows/deployment/update/images/waas-sccm-fig2.png
diff --git a/windows/manage/images/waas-sccm-fig3.png b/windows/deployment/update/images/waas-sccm-fig3.png
similarity index 100%
rename from windows/manage/images/waas-sccm-fig3.png
rename to windows/deployment/update/images/waas-sccm-fig3.png
diff --git a/windows/manage/images/waas-sccm-fig4.png b/windows/deployment/update/images/waas-sccm-fig4.png
similarity index 100%
rename from windows/manage/images/waas-sccm-fig4.png
rename to windows/deployment/update/images/waas-sccm-fig4.png
diff --git a/windows/manage/images/waas-sccm-fig5.png b/windows/deployment/update/images/waas-sccm-fig5.png
similarity index 100%
rename from windows/manage/images/waas-sccm-fig5.png
rename to windows/deployment/update/images/waas-sccm-fig5.png
diff --git a/windows/manage/images/waas-sccm-fig6.png b/windows/deployment/update/images/waas-sccm-fig6.png
similarity index 100%
rename from windows/manage/images/waas-sccm-fig6.png
rename to windows/deployment/update/images/waas-sccm-fig6.png
diff --git a/windows/manage/images/waas-sccm-fig7.png b/windows/deployment/update/images/waas-sccm-fig7.png
similarity index 100%
rename from windows/manage/images/waas-sccm-fig7.png
rename to windows/deployment/update/images/waas-sccm-fig7.png
diff --git a/windows/manage/images/waas-sccm-fig8.png b/windows/deployment/update/images/waas-sccm-fig8.png
similarity index 100%
rename from windows/manage/images/waas-sccm-fig8.png
rename to windows/deployment/update/images/waas-sccm-fig8.png
diff --git a/windows/manage/images/waas-sccm-fig9.png b/windows/deployment/update/images/waas-sccm-fig9.png
similarity index 100%
rename from windows/manage/images/waas-sccm-fig9.png
rename to windows/deployment/update/images/waas-sccm-fig9.png
diff --git a/windows/manage/images/waas-strategy-fig1a.png b/windows/deployment/update/images/waas-strategy-fig1a.png
similarity index 100%
rename from windows/manage/images/waas-strategy-fig1a.png
rename to windows/deployment/update/images/waas-strategy-fig1a.png
diff --git a/windows/deployment/update/images/waas-wipfb-aad-classicaad.png b/windows/deployment/update/images/waas-wipfb-aad-classicaad.png
new file mode 100644
index 0000000000..424f4bca0a
Binary files /dev/null and b/windows/deployment/update/images/waas-wipfb-aad-classicaad.png differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-classicenable.png b/windows/deployment/update/images/waas-wipfb-aad-classicenable.png
new file mode 100644
index 0000000000..9cc78c2736
Binary files /dev/null and b/windows/deployment/update/images/waas-wipfb-aad-classicenable.png differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-consent.png b/windows/deployment/update/images/waas-wipfb-aad-consent.png
new file mode 100644
index 0000000000..aeb78e5ddf
Binary files /dev/null and b/windows/deployment/update/images/waas-wipfb-aad-consent.png differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-error.png b/windows/deployment/update/images/waas-wipfb-aad-error.png
new file mode 100644
index 0000000000..83e6ca9974
Binary files /dev/null and b/windows/deployment/update/images/waas-wipfb-aad-error.png differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-newaad.png b/windows/deployment/update/images/waas-wipfb-aad-newaad.png
new file mode 100644
index 0000000000..87a6f5e750
Binary files /dev/null and b/windows/deployment/update/images/waas-wipfb-aad-newaad.png differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-newdirectorybutton.png b/windows/deployment/update/images/waas-wipfb-aad-newdirectorybutton.png
new file mode 100644
index 0000000000..9da18db5d1
Binary files /dev/null and b/windows/deployment/update/images/waas-wipfb-aad-newdirectorybutton.png differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-newenable.png b/windows/deployment/update/images/waas-wipfb-aad-newenable.png
new file mode 100644
index 0000000000..f9bbe57b26
Binary files /dev/null and b/windows/deployment/update/images/waas-wipfb-aad-newenable.png differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-newusersettings.png b/windows/deployment/update/images/waas-wipfb-aad-newusersettings.png
new file mode 100644
index 0000000000..ab28da5cbc
Binary files /dev/null and b/windows/deployment/update/images/waas-wipfb-aad-newusersettings.png differ
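Review bot: The eight waas-wipfb-aad-*.png entries are new files (new file mode 100644, source /dev/null) inside a change that is otherwise made of 100%-similarity renames. New content is hard to spot and hard to revert independently when it is buried in a directory move; please split these additions, together with the topic text that references them, into their own commit so the rename commit stays purely mechanical.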
diff --git a/windows/update/images/waas-wipfb-accounts.png b/windows/deployment/update/images/waas-wipfb-accounts.png
similarity index 100%
rename from windows/update/images/waas-wipfb-accounts.png
rename to windows/deployment/update/images/waas-wipfb-accounts.png
diff --git a/windows/update/images/waas-wipfb-change-user.png b/windows/deployment/update/images/waas-wipfb-change-user.png
similarity index 100%
rename from windows/update/images/waas-wipfb-change-user.png
rename to windows/deployment/update/images/waas-wipfb-change-user.png
diff --git a/windows/update/images/waas-wipfb-work-account.jpg b/windows/deployment/update/images/waas-wipfb-work-account.jpg
similarity index 100%
rename from windows/update/images/waas-wipfb-work-account.jpg
rename to windows/deployment/update/images/waas-wipfb-work-account.jpg
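Review bot: These waas-wipfb-* files come from windows/update/images, while the surrounding renames come from windows/manage/images, so two source directories are being merged into one target. Please check that no file name exists in both sources (the later copy would silently win), and note that topics from the two old locations need different link fixes, so a single search-and-replace on the path prefix will not cover both.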
diff --git a/windows/manage/images/waas-wsus-fig1.png b/windows/deployment/update/images/waas-wsus-fig1.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig1.png
rename to windows/deployment/update/images/waas-wsus-fig1.png
diff --git a/windows/manage/images/waas-wsus-fig10.png b/windows/deployment/update/images/waas-wsus-fig10.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig10.png
rename to windows/deployment/update/images/waas-wsus-fig10.png
diff --git a/windows/manage/images/waas-wsus-fig11.png b/windows/deployment/update/images/waas-wsus-fig11.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig11.png
rename to windows/deployment/update/images/waas-wsus-fig11.png
diff --git a/windows/manage/images/waas-wsus-fig12.png b/windows/deployment/update/images/waas-wsus-fig12.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig12.png
rename to windows/deployment/update/images/waas-wsus-fig12.png
diff --git a/windows/manage/images/waas-wsus-fig13.png b/windows/deployment/update/images/waas-wsus-fig13.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig13.png
rename to windows/deployment/update/images/waas-wsus-fig13.png
diff --git a/windows/manage/images/waas-wsus-fig14.png b/windows/deployment/update/images/waas-wsus-fig14.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig14.png
rename to windows/deployment/update/images/waas-wsus-fig14.png
diff --git a/windows/manage/images/waas-wsus-fig15.png b/windows/deployment/update/images/waas-wsus-fig15.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig15.png
rename to windows/deployment/update/images/waas-wsus-fig15.png
diff --git a/windows/manage/images/waas-wsus-fig16.png b/windows/deployment/update/images/waas-wsus-fig16.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig16.png
rename to windows/deployment/update/images/waas-wsus-fig16.png
diff --git a/windows/manage/images/waas-wsus-fig17.png b/windows/deployment/update/images/waas-wsus-fig17.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig17.png
rename to windows/deployment/update/images/waas-wsus-fig17.png
diff --git a/windows/manage/images/waas-wsus-fig18.png b/windows/deployment/update/images/waas-wsus-fig18.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig18.png
rename to windows/deployment/update/images/waas-wsus-fig18.png
diff --git a/windows/manage/images/waas-wsus-fig19.png b/windows/deployment/update/images/waas-wsus-fig19.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig19.png
rename to windows/deployment/update/images/waas-wsus-fig19.png
diff --git a/windows/manage/images/waas-wsus-fig2.png b/windows/deployment/update/images/waas-wsus-fig2.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig2.png
rename to windows/deployment/update/images/waas-wsus-fig2.png
diff --git a/windows/manage/images/waas-wsus-fig20.png b/windows/deployment/update/images/waas-wsus-fig20.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig20.png
rename to windows/deployment/update/images/waas-wsus-fig20.png
diff --git a/windows/manage/images/waas-wsus-fig3.png b/windows/deployment/update/images/waas-wsus-fig3.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig3.png
rename to windows/deployment/update/images/waas-wsus-fig3.png
diff --git a/windows/manage/images/waas-wsus-fig4.png b/windows/deployment/update/images/waas-wsus-fig4.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig4.png
rename to windows/deployment/update/images/waas-wsus-fig4.png
diff --git a/windows/manage/images/waas-wsus-fig5.png b/windows/deployment/update/images/waas-wsus-fig5.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig5.png
rename to windows/deployment/update/images/waas-wsus-fig5.png
diff --git a/windows/manage/images/waas-wsus-fig6.png b/windows/deployment/update/images/waas-wsus-fig6.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig6.png
rename to windows/deployment/update/images/waas-wsus-fig6.png
diff --git a/windows/manage/images/waas-wsus-fig7.png b/windows/deployment/update/images/waas-wsus-fig7.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig7.png
rename to windows/deployment/update/images/waas-wsus-fig7.png
diff --git a/windows/manage/images/waas-wsus-fig8.png b/windows/deployment/update/images/waas-wsus-fig8.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig8.png
rename to windows/deployment/update/images/waas-wsus-fig8.png
diff --git a/windows/manage/images/waas-wsus-fig9.png b/windows/deployment/update/images/waas-wsus-fig9.png
similarity index 100%
rename from windows/manage/images/waas-wsus-fig9.png
rename to windows/deployment/update/images/waas-wsus-fig9.png
diff --git a/windows/manage/images/waas-wufb-gp-broad.png b/windows/deployment/update/images/waas-wufb-gp-broad.png
similarity index 100%
rename from windows/manage/images/waas-wufb-gp-broad.png
rename to windows/deployment/update/images/waas-wufb-gp-broad.png
diff --git a/windows/manage/images/waas-wufb-gp-cb2-settings.png b/windows/deployment/update/images/waas-wufb-gp-cb2-settings.png
similarity index 100%
rename from windows/manage/images/waas-wufb-gp-cb2-settings.png
rename to windows/deployment/update/images/waas-wufb-gp-cb2-settings.png
diff --git a/windows/manage/images/waas-wufb-gp-cb2.png b/windows/deployment/update/images/waas-wufb-gp-cb2.png
similarity index 100%
rename from windows/manage/images/waas-wufb-gp-cb2.png
rename to windows/deployment/update/images/waas-wufb-gp-cb2.png
diff --git a/windows/manage/images/waas-wufb-gp-cbb1-settings.png b/windows/deployment/update/images/waas-wufb-gp-cbb1-settings.png
similarity index 100%
rename from windows/manage/images/waas-wufb-gp-cbb1-settings.png
rename to windows/deployment/update/images/waas-wufb-gp-cbb1-settings.png
diff --git a/windows/manage/images/waas-wufb-gp-cbb2-settings.png b/windows/deployment/update/images/waas-wufb-gp-cbb2-settings.png
similarity index 100%
rename from windows/manage/images/waas-wufb-gp-cbb2-settings.png
rename to windows/deployment/update/images/waas-wufb-gp-cbb2-settings.png
diff --git a/windows/manage/images/waas-wufb-gp-cbb2q-settings.png b/windows/deployment/update/images/waas-wufb-gp-cbb2q-settings.png
similarity index 100%
rename from windows/manage/images/waas-wufb-gp-cbb2q-settings.png
rename to windows/deployment/update/images/waas-wufb-gp-cbb2q-settings.png
diff --git a/windows/manage/images/waas-wufb-gp-create.png b/windows/deployment/update/images/waas-wufb-gp-create.png
similarity index 100%
rename from windows/manage/images/waas-wufb-gp-create.png
rename to windows/deployment/update/images/waas-wufb-gp-create.png
diff --git a/windows/manage/images/waas-wufb-gp-edit-defer.png b/windows/deployment/update/images/waas-wufb-gp-edit-defer.png
similarity index 100%
rename from windows/manage/images/waas-wufb-gp-edit-defer.png
rename to windows/deployment/update/images/waas-wufb-gp-edit-defer.png
diff --git a/windows/manage/images/waas-wufb-gp-edit.png b/windows/deployment/update/images/waas-wufb-gp-edit.png
similarity index 100%
rename from windows/manage/images/waas-wufb-gp-edit.png
rename to windows/deployment/update/images/waas-wufb-gp-edit.png
diff --git a/windows/manage/images/waas-wufb-gp-scope-cb2.png b/windows/deployment/update/images/waas-wufb-gp-scope-cb2.png
similarity index 100%
rename from windows/manage/images/waas-wufb-gp-scope-cb2.png
rename to windows/deployment/update/images/waas-wufb-gp-scope-cb2.png
diff --git a/windows/manage/images/waas-wufb-gp-scope.png b/windows/deployment/update/images/waas-wufb-gp-scope.png
similarity index 100%
rename from windows/manage/images/waas-wufb-gp-scope.png
rename to windows/deployment/update/images/waas-wufb-gp-scope.png
diff --git a/windows/manage/images/waas-wufb-intune-cb2a.png b/windows/deployment/update/images/waas-wufb-intune-cb2a.png
similarity index 100%
rename from windows/manage/images/waas-wufb-intune-cb2a.png
rename to windows/deployment/update/images/waas-wufb-intune-cb2a.png
diff --git a/windows/manage/images/waas-wufb-intune-cbb1a.png b/windows/deployment/update/images/waas-wufb-intune-cbb1a.png
similarity index 100%
rename from windows/manage/images/waas-wufb-intune-cbb1a.png
rename to windows/deployment/update/images/waas-wufb-intune-cbb1a.png
diff --git a/windows/manage/images/waas-wufb-intune-cbb2a.png b/windows/deployment/update/images/waas-wufb-intune-cbb2a.png
similarity index 100%
rename from windows/manage/images/waas-wufb-intune-cbb2a.png
rename to windows/deployment/update/images/waas-wufb-intune-cbb2a.png
diff --git a/windows/manage/images/waas-wufb-intune-step11a.png b/windows/deployment/update/images/waas-wufb-intune-step11a.png
similarity index 100%
rename from windows/manage/images/waas-wufb-intune-step11a.png
rename to windows/deployment/update/images/waas-wufb-intune-step11a.png
diff --git a/windows/manage/images/waas-wufb-intune-step19a.png b/windows/deployment/update/images/waas-wufb-intune-step19a.png
similarity index 100%
rename from windows/manage/images/waas-wufb-intune-step19a.png
rename to windows/deployment/update/images/waas-wufb-intune-step19a.png
diff --git a/windows/manage/images/waas-wufb-intune-step2a.png b/windows/deployment/update/images/waas-wufb-intune-step2a.png
similarity index 100%
rename from windows/manage/images/waas-wufb-intune-step2a.png
rename to windows/deployment/update/images/waas-wufb-intune-step2a.png
diff --git a/windows/manage/images/waas-wufb-intune-step7a.png b/windows/deployment/update/images/waas-wufb-intune-step7a.png
similarity index 100%
rename from windows/manage/images/waas-wufb-intune-step7a.png
rename to windows/deployment/update/images/waas-wufb-intune-step7a.png
diff --git a/windows/update/images/waas-wufb-settings-branch.jpg b/windows/deployment/update/images/waas-wufb-settings-branch.jpg
similarity index 100%
rename from windows/update/images/waas-wufb-settings-branch.jpg
rename to windows/deployment/update/images/waas-wufb-settings-branch.jpg
diff --git a/windows/update/images/waas-wufb-settings-defer.jpg b/windows/deployment/update/images/waas-wufb-settings-defer.jpg
similarity index 100%
rename from windows/update/images/waas-wufb-settings-defer.jpg
rename to windows/deployment/update/images/waas-wufb-settings-defer.jpg
diff --git a/windows/manage/images/waas-wufb-update-compliance.png b/windows/deployment/update/images/waas-wufb-update-compliance.png
similarity index 100%
rename from windows/manage/images/waas-wufb-update-compliance.png
rename to windows/deployment/update/images/waas-wufb-update-compliance.png
diff --git a/windows/manage/images/who-owns-pc.png b/windows/deployment/update/images/who-owns-pc.png
similarity index 100%
rename from windows/manage/images/who-owns-pc.png
rename to windows/deployment/update/images/who-owns-pc.png
diff --git a/windows/manage/images/wifisense-grouppolicy.png b/windows/deployment/update/images/wifisense-grouppolicy.png
similarity index 100%
rename from windows/manage/images/wifisense-grouppolicy.png
rename to windows/deployment/update/images/wifisense-grouppolicy.png
diff --git a/windows/manage/images/wifisense-registry.png b/windows/deployment/update/images/wifisense-registry.png
similarity index 100%
rename from windows/manage/images/wifisense-registry.png
rename to windows/deployment/update/images/wifisense-registry.png
diff --git a/windows/manage/images/wifisense-settingscreens.png b/windows/deployment/update/images/wifisense-settingscreens.png
similarity index 100%
rename from windows/manage/images/wifisense-settingscreens.png
rename to windows/deployment/update/images/wifisense-settingscreens.png
diff --git a/windows/manage/images/win10-mobile-mdm-fig1.png b/windows/deployment/update/images/win10-mobile-mdm-fig1.png
similarity index 100%
rename from windows/manage/images/win10-mobile-mdm-fig1.png
rename to windows/deployment/update/images/win10-mobile-mdm-fig1.png
diff --git a/windows/manage/images/win10servicing-fig2-featureupgrade.png b/windows/deployment/update/images/win10servicing-fig2-featureupgrade.png
similarity index 100%
rename from windows/manage/images/win10servicing-fig2-featureupgrade.png
rename to windows/deployment/update/images/win10servicing-fig2-featureupgrade.png
diff --git a/windows/manage/images/win10servicing-fig3.png b/windows/deployment/update/images/win10servicing-fig3.png
similarity index 100%
rename from windows/manage/images/win10servicing-fig3.png
rename to windows/deployment/update/images/win10servicing-fig3.png
diff --git a/windows/manage/images/win10servicing-fig4-upgradereleases.png b/windows/deployment/update/images/win10servicing-fig4-upgradereleases.png
similarity index 100%
rename from windows/manage/images/win10servicing-fig4-upgradereleases.png
rename to windows/deployment/update/images/win10servicing-fig4-upgradereleases.png
diff --git a/windows/manage/images/win10servicing-fig5.png b/windows/deployment/update/images/win10servicing-fig5.png
similarity index 100%
rename from windows/manage/images/win10servicing-fig5.png
rename to windows/deployment/update/images/win10servicing-fig5.png
diff --git a/windows/manage/images/win10servicing-fig6.png b/windows/deployment/update/images/win10servicing-fig6.png
similarity index 100%
rename from windows/manage/images/win10servicing-fig6.png
rename to windows/deployment/update/images/win10servicing-fig6.png
diff --git a/windows/manage/images/win10servicing-fig7.png b/windows/deployment/update/images/win10servicing-fig7.png
similarity index 100%
rename from windows/manage/images/win10servicing-fig7.png
rename to windows/deployment/update/images/win10servicing-fig7.png
diff --git a/windows/update/images/windows-10-management-cyod-byod-flow.png b/windows/deployment/update/images/windows-10-management-cyod-byod-flow.png
similarity index 100%
rename from windows/update/images/windows-10-management-cyod-byod-flow.png
rename to windows/deployment/update/images/windows-10-management-cyod-byod-flow.png
diff --git a/windows/update/images/windows-10-management-gp-intune-flow.png b/windows/deployment/update/images/windows-10-management-gp-intune-flow.png
similarity index 100%
rename from windows/update/images/windows-10-management-gp-intune-flow.png
rename to windows/deployment/update/images/windows-10-management-gp-intune-flow.png
diff --git a/windows/update/images/windows-10-management-range-of-options.png b/windows/deployment/update/images/windows-10-management-range-of-options.png
similarity index 100%
rename from windows/update/images/windows-10-management-range-of-options.png
rename to windows/deployment/update/images/windows-10-management-range-of-options.png
diff --git a/windows/update/images/wsfb-distribute.png b/windows/deployment/update/images/wsfb-distribute.png
similarity index 100%
rename from windows/update/images/wsfb-distribute.png
rename to windows/deployment/update/images/wsfb-distribute.png
diff --git a/windows/update/images/wsfb-firstrun.png b/windows/deployment/update/images/wsfb-firstrun.png
similarity index 100%
rename from windows/update/images/wsfb-firstrun.png
rename to windows/deployment/update/images/wsfb-firstrun.png
diff --git a/windows/update/images/wsfb-inventory-viewlicense.png b/windows/deployment/update/images/wsfb-inventory-viewlicense.png
similarity index 100%
rename from windows/update/images/wsfb-inventory-viewlicense.png
rename to windows/deployment/update/images/wsfb-inventory-viewlicense.png
diff --git a/windows/update/images/wsfb-inventory.png b/windows/deployment/update/images/wsfb-inventory.png
similarity index 100%
rename from windows/update/images/wsfb-inventory.png
rename to windows/deployment/update/images/wsfb-inventory.png
diff --git a/windows/update/images/wsfb-inventoryaddprivatestore.png b/windows/deployment/update/images/wsfb-inventoryaddprivatestore.png
similarity index 100%
rename from windows/update/images/wsfb-inventoryaddprivatestore.png
rename to windows/deployment/update/images/wsfb-inventoryaddprivatestore.png
diff --git a/windows/update/images/wsfb-landing.png b/windows/deployment/update/images/wsfb-landing.png
similarity index 100%
rename from windows/update/images/wsfb-landing.png
rename to windows/deployment/update/images/wsfb-landing.png
diff --git a/windows/update/images/wsfb-licenseassign.png b/windows/deployment/update/images/wsfb-licenseassign.png
similarity index 100%
rename from windows/update/images/wsfb-licenseassign.png
rename to windows/deployment/update/images/wsfb-licenseassign.png
diff --git a/windows/update/images/wsfb-licensedetails.png b/windows/deployment/update/images/wsfb-licensedetails.png
similarity index 100%
rename from windows/update/images/wsfb-licensedetails.png
rename to windows/deployment/update/images/wsfb-licensedetails.png
diff --git a/windows/update/images/wsfb-licensereclaim.png b/windows/deployment/update/images/wsfb-licensereclaim.png
similarity index 100%
rename from windows/update/images/wsfb-licensereclaim.png
rename to windows/deployment/update/images/wsfb-licensereclaim.png
diff --git a/windows/update/images/wsfb-manageinventory.png b/windows/deployment/update/images/wsfb-manageinventory.png
similarity index 100%
rename from windows/update/images/wsfb-manageinventory.png
rename to windows/deployment/update/images/wsfb-manageinventory.png
diff --git a/windows/update/images/wsfb-offline-distribute-mdm.png b/windows/deployment/update/images/wsfb-offline-distribute-mdm.png
similarity index 100%
rename from windows/update/images/wsfb-offline-distribute-mdm.png
rename to windows/deployment/update/images/wsfb-offline-distribute-mdm.png
diff --git a/windows/update/images/wsfb-onboard-1.png b/windows/deployment/update/images/wsfb-onboard-1.png
similarity index 100%
rename from windows/update/images/wsfb-onboard-1.png
rename to windows/deployment/update/images/wsfb-onboard-1.png
diff --git a/windows/update/images/wsfb-onboard-2.png b/windows/deployment/update/images/wsfb-onboard-2.png
similarity index 100%
rename from windows/update/images/wsfb-onboard-2.png
rename to windows/deployment/update/images/wsfb-onboard-2.png
diff --git a/windows/update/images/wsfb-onboard-3.png b/windows/deployment/update/images/wsfb-onboard-3.png
similarity index 100%
rename from windows/update/images/wsfb-onboard-3.png
rename to windows/deployment/update/images/wsfb-onboard-3.png
diff --git a/windows/update/images/wsfb-onboard-4.png b/windows/deployment/update/images/wsfb-onboard-4.png
similarity index 100%
rename from windows/update/images/wsfb-onboard-4.png
rename to windows/deployment/update/images/wsfb-onboard-4.png
diff --git a/windows/update/images/wsfb-onboard-5.png b/windows/deployment/update/images/wsfb-onboard-5.png
similarity index 100%
rename from windows/update/images/wsfb-onboard-5.png
rename to windows/deployment/update/images/wsfb-onboard-5.png
diff --git a/windows/update/images/wsfb-onboard-7.png b/windows/deployment/update/images/wsfb-onboard-7.png
similarity index 100%
rename from windows/update/images/wsfb-onboard-7.png
rename to windows/deployment/update/images/wsfb-onboard-7.png
diff --git a/windows/update/images/wsfb-online-distribute-mdm.png b/windows/deployment/update/images/wsfb-online-distribute-mdm.png
similarity index 100%
rename from windows/update/images/wsfb-online-distribute-mdm.png
rename to windows/deployment/update/images/wsfb-online-distribute-mdm.png
diff --git a/windows/update/images/wsfb-paid-app-temp.png b/windows/deployment/update/images/wsfb-paid-app-temp.png
similarity index 100%
rename from windows/update/images/wsfb-paid-app-temp.png
rename to windows/deployment/update/images/wsfb-paid-app-temp.png
diff --git a/windows/update/images/wsfb-permissions-assignrole.png b/windows/deployment/update/images/wsfb-permissions-assignrole.png
similarity index 100%
rename from windows/update/images/wsfb-permissions-assignrole.png
rename to windows/deployment/update/images/wsfb-permissions-assignrole.png
diff --git a/windows/update/images/wsfb-private-store-gpo.PNG b/windows/deployment/update/images/wsfb-private-store-gpo.PNG
similarity index 100%
rename from windows/update/images/wsfb-private-store-gpo.PNG
rename to windows/deployment/update/images/wsfb-private-store-gpo.PNG
diff --git a/windows/update/images/wsfb-privatestore.png b/windows/deployment/update/images/wsfb-privatestore.png
similarity index 100%
rename from windows/update/images/wsfb-privatestore.png
rename to windows/deployment/update/images/wsfb-privatestore.png
diff --git a/windows/update/images/wsfb-privatestoreapps.png b/windows/deployment/update/images/wsfb-privatestoreapps.png
similarity index 100%
rename from windows/update/images/wsfb-privatestoreapps.png
rename to windows/deployment/update/images/wsfb-privatestoreapps.png
diff --git a/windows/update/images/wsfb-renameprivatestore.png b/windows/deployment/update/images/wsfb-renameprivatestore.png
similarity index 100%
rename from windows/update/images/wsfb-renameprivatestore.png
rename to windows/deployment/update/images/wsfb-renameprivatestore.png
diff --git a/windows/update/images/wsfb-settings-mgmt.png b/windows/deployment/update/images/wsfb-settings-mgmt.png
similarity index 100%
rename from windows/update/images/wsfb-settings-mgmt.png
rename to windows/deployment/update/images/wsfb-settings-mgmt.png
diff --git a/windows/update/images/wsfb-settings-permissions.png b/windows/deployment/update/images/wsfb-settings-permissions.png
similarity index 100%
rename from windows/update/images/wsfb-settings-permissions.png
rename to windows/deployment/update/images/wsfb-settings-permissions.png
diff --git a/windows/update/images/wsfb-wsappaddacct.png b/windows/deployment/update/images/wsfb-wsappaddacct.png
similarity index 100%
rename from windows/update/images/wsfb-wsappaddacct.png
rename to windows/deployment/update/images/wsfb-wsappaddacct.png
diff --git a/windows/update/images/wsfb-wsappprivatestore.png b/windows/deployment/update/images/wsfb-wsappprivatestore.png
similarity index 100%
rename from windows/update/images/wsfb-wsappprivatestore.png
rename to windows/deployment/update/images/wsfb-wsappprivatestore.png
diff --git a/windows/update/images/wsfb-wsappsignin.png b/windows/deployment/update/images/wsfb-wsappsignin.png
similarity index 100%
rename from windows/update/images/wsfb-wsappsignin.png
rename to windows/deployment/update/images/wsfb-wsappsignin.png
diff --git a/windows/update/images/wsfb-wsappworkacct.png b/windows/deployment/update/images/wsfb-wsappworkacct.png
similarity index 100%
rename from windows/update/images/wsfb-wsappworkacct.png
rename to windows/deployment/update/images/wsfb-wsappworkacct.png
diff --git a/windows/manage/images/wufb-config1a.png b/windows/deployment/update/images/wufb-config1a.png
similarity index 100%
rename from windows/manage/images/wufb-config1a.png
rename to windows/deployment/update/images/wufb-config1a.png
diff --git a/windows/manage/images/wufb-config2.png b/windows/deployment/update/images/wufb-config2.png
similarity index 100%
rename from windows/manage/images/wufb-config2.png
rename to windows/deployment/update/images/wufb-config2.png
diff --git a/windows/manage/images/wufb-config3a.png b/windows/deployment/update/images/wufb-config3a.png
similarity index 100%
rename from windows/manage/images/wufb-config3a.png
rename to windows/deployment/update/images/wufb-config3a.png
diff --git a/windows/manage/images/wufb-do.png b/windows/deployment/update/images/wufb-do.png
similarity index 100%
rename from windows/manage/images/wufb-do.png
rename to windows/deployment/update/images/wufb-do.png
diff --git a/windows/manage/images/wufb-groups.png b/windows/deployment/update/images/wufb-groups.png
similarity index 100%
rename from windows/manage/images/wufb-groups.png
rename to windows/deployment/update/images/wufb-groups.png
diff --git a/windows/manage/images/wufb-pause-feature.png b/windows/deployment/update/images/wufb-pause-feature.png
similarity index 100%
rename from windows/manage/images/wufb-pause-feature.png
rename to windows/deployment/update/images/wufb-pause-feature.png
diff --git a/windows/manage/images/wufb-qual.png b/windows/deployment/update/images/wufb-qual.png
similarity index 100%
rename from windows/manage/images/wufb-qual.png
rename to windows/deployment/update/images/wufb-qual.png
diff --git a/windows/manage/images/wufb-sccm.png b/windows/deployment/update/images/wufb-sccm.png
similarity index 100%
rename from windows/manage/images/wufb-sccm.png
rename to windows/deployment/update/images/wufb-sccm.png
diff --git a/windows/update/index.md b/windows/deployment/update/index.md
similarity index 89%
rename from windows/update/index.md
rename to windows/deployment/update/index.md
index 4346995b12..dad9a37627 100644
--- a/windows/update/index.md
+++ b/windows/deployment/update/index.md
@@ -36,12 +36,13 @@ Windows as a service provides a new way to think about building, deploying, and
| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Explains how to assign devices to Current Branch (CB) or Current Branch for Business (CBB) for feature and quality updates, and how to enroll devices in Windows Insider. |
| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization. |
| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. |
-| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. |
-| [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
-| [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
-| [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. |
+| [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. |
+| [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
+| [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
+| [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. |
| [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. |
+| [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. |
>[!TIP]
>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager).---
+>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
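Review bot: In the four renamed table rows the link text now says "Deploy", but the description cells of the WSUS and Configuration Manager rows still read "Explains how to use WSUS to manage Windows 10 updates" and "Explains how to use Configuration Manager to manage Windows 10 updates", and all four targets are still named waas-manage-updates-*.md or waas-mobile-updates.md. Either align the descriptions with the new titles or confirm the mixed wording is intended. The last line of the tip also replaces an absolute technet URL with ../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md; that target is not part of the visible changes, so verify the relative path resolves from windows/deployment/update/ after the move.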
diff --git a/windows/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
similarity index 97%
rename from windows/update/update-compliance-get-started.md
rename to windows/deployment/update/update-compliance-get-started.md
index ad42d0a9ca..f6c1878943 100644
--- a/windows/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -14,14 +14,14 @@ This topic explains the steps necessary to configure your environment for Window
Steps are provided in sections that follow the recommended setup process:
1. Ensure that [prerequisites](#update-compliance-prerequisites) are met.
-2. [Add Update Compliance](#add-update-compliance-to-microsoft-operatiions-management-suite) to Microsoft Operations Management Suite
+2. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite
3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices
## Update Compliance Prerequisites
Update Compliance has the following requirements:
1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
-2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](../configure/configure-windows-telemetry-in-your-organization.md).
+2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
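Review bot: Prerequisite 2 is only half converted. The second link now uses /windows/configuration/configure-windows-telemetry-in-your-organization, but the "basic level of telemetry" link in the same sentence and the endpoints link in item 3 still point at technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization. Point all three at the same target, keeping the #basic-level and #endpoints anchors, so the page does not depend on the old URL continuing to redirect. The new link is also site-absolute with no .md extension, while the other links changed in this commit are relative .md paths; confirm which link style is intended.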
diff --git a/windows/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
similarity index 100%
rename from windows/update/update-compliance-monitor.md
rename to windows/deployment/update/update-compliance-monitor.md
diff --git a/windows/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
similarity index 100%
rename from windows/update/update-compliance-using.md
rename to windows/deployment/update/update-compliance-using.md
diff --git a/windows/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
similarity index 95%
rename from windows/update/waas-branchcache.md
rename to windows/deployment/update/waas-branchcache.md
index 605234e7e2..4c15562191 100644
--- a/windows/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -55,12 +55,12 @@ In addition to these steps, there is one requirement for WSUS to be able to use
- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Manage Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
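Review bot: The last two replaced entries use the shortened titles "Windows Server Update Services" and "Configuration Manager", while index.md in this same commit uses "Windows Server Update Services (WSUS)" and "System Center Configuration Manager", and the Related topics list in waas-configure-wufb.md also says "System Center Configuration Manager". Use the full topic titles here so the Related topics lists match across the moved files.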
diff --git a/windows/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
similarity index 89%
rename from windows/update/waas-configure-wufb.md
rename to windows/deployment/update/waas-configure-wufb.md
index 0bfbe6c026..283aaf793a 100644
--- a/windows/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -23,7 +23,7 @@ You can use Group Policy or your mobile device management (MDM) service to confi
>[!IMPORTANT]
>For Windows Update for Business policies to be honored, the Telemetry level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system telemetry level](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization#configure-the-operating-system-telemetry-level).
-Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md).
+Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md).
## Start by grouping devices
@@ -84,11 +84,11 @@ After you configure the servicing branch (CB or CBB), you can then define if, an
## Pause Feature Updates
-You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
+You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
-Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 60 days to the start date.
+Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date.
-In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 60 days by configuring a later start date.
+In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
With version 1703, pausing through the settings app will provide a more consistent experience:
- Any active restart notification are cleared or closed
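Review bot: The first replaced paragraph now states a 35-day limit with no version qualifier, but the note added further down in this file says feature updates could be paused for up to 60 days prior to Windows 10, version 1703. Scope the opening sentence to version 1703 and later so administrators of earlier builds do not plan around the wrong expiry. While these lines are being touched, "by a period of up to 35 days" should read "for a period of up to 35 days", and "After 35 days has passed" should be "have passed".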
@@ -98,6 +98,8 @@ With version 1703, pausing through the settings app will provide a more consiste
>[!IMPORTANT]
>This policy does not apply to Windows 10 Mobile Enterprise.
+>
+>Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has been changed to 35, similar to the number of days for quality updates.
**Pause Feature Updates policies**
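Review bot: The added version note sits inside the IMPORTANT callout about Windows 10 Mobile Enterprise, where it reads as part of the Mobile exclusion rather than as a general change to the pause limit. Move it to its own callout next to the pause-period paragraphs. "similar to the number of days for quality updates" is also ambiguous about the value; if both limits are 35 days, say "the same as".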
@@ -110,7 +112,7 @@ With version 1703, pausing through the settings app will provide a more consiste
You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
-The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
| Value | Status|
| --- | --- |
@@ -234,12 +236,11 @@ When a client running a newer version sees an update available on Windows Update
In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other.
Group Policy keys
Version 1511 GPO keys
Version 1607 GPO keys
-
**DeferUpgrade**: *enable/disable*
-Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***Pause**: *enable/disable* Enabling will pause both upgrades and updates for a max of 35 days
**DeferFeatureUpdates**: *enable/disable***BranchReadinessLevel** Set device on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable* Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdates**: *Enable/disable***DeferQualityUpdatesPeriodinDays**: *0 - 35 days***PauseQualityUpdates**: *enable/disable* Enabling will pause Quality updates for a max of 35 days**ExcludeWUDrivers**: *enable/disable*
+
**DeferUpgrade**: *enable/disable*Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***Pause**: *enable/disable*Enabling will pause both upgrades and updates for a max of 35 days
**DeferFeatureUpdates**: *enable/disable***BranchReadinessLevel**Set device on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable*Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdates**: *Enable/disable***DeferQualityUpdatesPeriodinDays**: *0 - 35 days***PauseQualityUpdates**: *enable/disable*Enabling will pause Quality updates for a max of 35 days**ExcludeWUDrivers**: *enable/disable*
MDM keys
Version 1511 MDM keys
Version 1607 MDM keys
-
**RequireDeferUpgade**: *bool* Puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***PauseDeferrals**: *bool* Enabling will pause both upgrades and updates for a max of 35 days
**BranchReadinessLevel** Set system on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable* Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdatesPeriodinDays**: *0 - 35 days***PauseQualityUpdates**: *enable/disable* Enabling will pause Quality updates for a max of 35 days**ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td>
+
**RequireDeferUpgade**: *bool*Puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***PauseDeferrals**: *bool*Enabling will pause both upgrades and updates for a max of 35 days
**BranchReadinessLevel**Set system on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable*Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdatesPeriodinDays**: *0 - 35 days***PauseQualityUpdates**: *enable/disable*Enabling will pause Quality updates for a max of 35 days**ExcludeWUDriversInQualityUpdate**: *enable/disable*
### Comparing the version 1607 keys to the version 1703 keys
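Review bot: The rewritten MDM row still spells the first key "RequireDeferUpgade" (missing the "r" in Upgrade); fix the spelling so the name can be copied into an MDM profile as written. The new + lines also drop the space after the italic value, so the text now runs together as "*enable/disable*Enabling allows user to set deferral periods" and "**BranchReadinessLevel**Set device on CB or CBB"; restore a space or line break between each key and its description. The context paragraph above the table has "separate polices" and "independently of one other", which are worth fixing in the same pass.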
@@ -259,11 +260,11 @@ Enabling allows user to set deferral periods for upgrades and updates. It also
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
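Review bot: The file still ends without a trailing newline, as the "\ No newline at end of file" marker after the last list entry shows. This hunk already rewrites the end of the Related topics list, so add the newline here to keep later diffs of this list from touching the final entry.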
diff --git a/windows/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
similarity index 98%
rename from windows/update/waas-delivery-optimization.md
rename to windows/deployment/update/waas-delivery-optimization.md
index ffc4f91f43..070e8de2d1 100644
--- a/windows/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -206,12 +206,12 @@ On devices that are not preferred, you can choose to set the following policy to
- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
similarity index 73%
rename from windows/update/waas-deployment-rings-windows-10-updates.md
rename to windows/deployment/update/waas-deployment-rings-windows-10-updates.md
index 697b85bf4b..bec102fa51 100644
--- a/windows/update/waas-deployment-rings-windows-10-updates.md
+++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
@@ -51,24 +51,19 @@ As Table 1 shows, each combination of servicing branch and deployment group is t
## Steps to manage updates for Windows 10
-
-

[Learn about updates and servicing branches](waas-overview.md)
-

[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-

Build deployment rings for Windows 10 updates
-(this topic)
-

[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
-

[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-

[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
-
-
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | Build deployment rings for Windows 10 updates (this topic) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
## Related topics
- [Update Windows 10 in the enterprise](index.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
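Review bot: In the last row of the new table the three alternatives are joined without separators: "(waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services]" will run the word "or" into the preceding link text. Add a space or a line break around each "or". The table also has an empty header row and an empty first cell in every row as shown here; if that column was meant to hold the step images, check that they survived the conversion, otherwise drop the column. The section heading above still says "Steps to manage updates" while the entries now say "Deploy".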
diff --git a/windows/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
similarity index 96%
rename from windows/update/waas-integrate-wufb.md
rename to windows/deployment/update/waas-integrate-wufb.md
index f6058440b0..36bba4f716 100644
--- a/windows/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -100,12 +100,12 @@ For Windows 10, version 1607, organizations already managing their systems with
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md
similarity index 75%
rename from windows/update/waas-manage-updates-configuration-manager.md
rename to windows/deployment/update/waas-manage-updates-configuration-manager.md
index 9bdb0238e0..6d68004a30 100644
--- a/windows/update/waas-manage-updates-configuration-manager.md
+++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md
@@ -1,5 +1,5 @@
---
-title: Manage Windows 10 updates using System Center Configuration Manager (Windows 10)
+title: Deploy Windows 10 updates using System Center Configuration Manager (Windows 10)
description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10.
ms.prod: w10
ms.mktglfcycl: manage
@@ -8,7 +8,7 @@ author: DaniHalfin
localizationpriority: high
---
-# Manage Windows 10 updates using System Center Configuration Manager
+# Deploy Windows 10 updates using System Center Configuration Manager
**Applies to**
@@ -48,83 +48,6 @@ For the Windows 10 servicing dashboard to display information, you must adhere t
When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard.
-## Enable CBB clients in Windows 10, version 1511
-
-When you use System Center Configuration Manager to manage Windows 10 servicing, you must first set the **Defer Updates or Upgrades** policy on the clients that should be on the Current Branch for Business (CBB) servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you don’t set this policy, Configuration Manager discovers all clients, as it would in Current Branch (CB) mode.
-
-**To use Group Policy to configure a client for the CBB servicing branch**
-
->[!NOTE]
->In this example, a specific organizational unit (OU) called **Windows 10 – Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied.
-
-1. On a PC running the Remote Server Administration Tools or on a domain controller, open Group Policy Management Console (GPMC).
-
-2. Expand Forest\Domains\\*Your_Domain*.
-
-4. Right-click the **Windows 10 – Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**.
-
- 
-
-5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO.
-
- >[!NOTE]
- >In this example, you’re linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure.
-
-6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**.
-
-7. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
-
-8. Right-click the **Defer Upgrades and Updates** setting, and then click **Edit**.
-
- 
-
-9. Enable the policy, and then click **OK**.
-
- >[!NOTE]
- >The additional options in this setting are only for Windows Update for Business, so be sure not to configure them when using System Center Configuration Manager for Windows 10 servicing.
-
-10. Close the Group Policy Management Editor.
-
-This policy will now be deployed to every device in the **Windows 10 – Current Branch for Business Machines** OU.
-
-
-## Enable CBB clients in Windows 10, version 1607
-
-When you use Configuration Manager to manage Windows 10 servicing, you must first set the **Select when Feature Updates** are received policy on the clients that should be on the CBB servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you don’t set this policy, Configuration Manager discovers all clients, as it would in CB mode.
-
->[!NOTE]
->System Center Configuration Manager version 1606 is required to manage devices running Windows 10, version 1607.
-
-**To use Group Policy to configure a client for the CBB servicing branch**
-
->[!NOTE]
->In this example, a specific organizational unit (OU) called **Windows 10 – Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied.
-
-1. On a PC running the Remote Server Administration Tools or on a domain controller, open GPMC.
-
-2. Expand Forest\Domains\\*Your_Domain*.
-
-3. Right-click the **Windows 10 – Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**.
-
- 
-
-5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO.
-
- >[!NOTE]
- >In this example, you’re linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure.
-
-6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**.
-
-7. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Defer Windows Updates.
-
-8. Right-click the **Select when Feature Updates are received** setting, and then click **Edit**.
-
-9. Enable the policy, select the **CBB** branch readiness level, and then click **OK**.
-
-10. Close the Group Policy Management Editor.
-
-This policy will now be deployed to every device in the **Windows 10 – Current Branch for Business Machines** OU.
-
## Create collections for deployment rings
Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 4 Broad business users**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users.
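Review bot: Removing both "Enable CBB clients" sections leaves the retained "Create collections for deployment rings" paragraph referring to "all CBB clients" with nothing on this page explaining how a client is placed on CBB. The removed text stated that without the policy "Configuration Manager discovers all clients, as it would in CB mode", which is a prerequisite for using the CBB servicing plans. If the procedure now lives in another topic, add a one-line pointer to it ahead of this section; otherwise keep a short prerequisite note here.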
@@ -364,32 +287,22 @@ With the task sequence created, you’re ready to deploy it. If you’re using t
12. Click **Close**.
-
-
-
-
## Steps to manage updates for Windows 10
-
-

[Learn about updates and servicing branches](waas-overview.md)
-

[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-

[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-

[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
-

[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-

[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or Manage Windows 10 updates using System Center Configuration Manager (this topic)
-
-
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or Deploy Windows 10 updates using System Center Configuration Manager (this topic) |
## See also
[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service)
-
-
-
## Related topics
- [Update Windows 10 in the enterprise](index.md)
@@ -400,11 +313,11 @@ or Manage Windows 10 updates using System Center Configuration Manager (this top
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
similarity index 91%
rename from windows/update/waas-manage-updates-wsus.md
rename to windows/deployment/update/waas-manage-updates-wsus.md
index d491319549..2c9f7a83e5 100644
--- a/windows/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -1,5 +1,5 @@
---
-title: Manage Windows 10 updates using Windows Server Update Services (Windows 10)
+title: Deploy Windows 10 updates using Windows Server Update Services (Windows 10)
description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
ms.prod: w10
ms.mktglfcycl: manage
@@ -8,7 +8,7 @@ author: DaniHalfin
localizationpriority: high
---
-# Manage Windows 10 updates using Windows Server Update Services (WSUS)
+# Deploy Windows 10 updates using Windows Server Update Services (WSUS)
**Applies to**
@@ -319,17 +319,14 @@ Now that you have the All Windows 10 Upgrades view, complete the following steps
## Steps to manage updates for Windows 10
-
-

[Learn about updates and servicing branches](waas-overview.md)
-

[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-

[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-

[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
-

[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-

[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or Manage Windows 10 updates using Windows Server Update Services (this topic)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
-
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows 10 updates using Windows Server Update Services (this topic)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
@@ -343,11 +340,11 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
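Review bot: The file still ends without a trailing newline after the last list item, `- [Manage device restarts after updates](waas-restart.md)`. This hunk already edits the end of that list, so add the newline here to keep later appends from showing up as a change to this line.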
diff --git a/windows/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
similarity index 82%
rename from windows/update/waas-manage-updates-wufb.md
rename to windows/deployment/update/waas-manage-updates-wufb.md
index f38ac5333c..98b6cc928a 100644
--- a/windows/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -1,5 +1,5 @@
---
-title: Manage updates using Windows Update for Business (Windows 10)
+title: Deploy updates using Windows Update for Business (Windows 10)
description: Windows Update for Business lets you manage when devices received updates from Windows Update.
ms.prod: w10
ms.mktglfcycl: manage
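Review bot: The `description` value kept as context reads "lets you manage when devices received updates from Windows Update"; "received" should be "receive". The title in this same front matter block is being edited, so correct the description in this change as well.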
@@ -8,7 +8,7 @@ author: DaniHalfin
localizationpriority: high
---
-# Manage updates using Windows Update for Business
+# Deploy updates using Windows Update for Business
**Applies to**
@@ -114,17 +114,14 @@ For more information about Update Compliance, see [Monitor Windows Updates using
## Steps to manage updates for Windows 10
-
-

[Learn about updates and servicing branches](waas-overview.md)
-

[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-

[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-

[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
-

[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-

Manage updates using Windows Update for Business (this topic)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
-
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | Deploy updates using Windows Update for Business (this topic) or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
## Related topics
- [Update Windows 10 in the enterprise](index.md)
@@ -135,13 +132,13 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md
similarity index 93%
rename from windows/update/waas-mobile-updates.md
rename to windows/deployment/update/waas-mobile-updates.md
index ce0c446a7a..570725361b 100644
--- a/windows/update/waas-mobile-updates.md
+++ b/windows/deployment/update/waas-mobile-updates.md
@@ -1,5 +1,5 @@
---
-title: Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile (Windows 10)
+title: Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: manage
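Review bot: The front matter still carries the placeholder `description: tbd` directly under the title this hunk edits. Replace it with a real one-sentence description while the front matter is being touched.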
@@ -8,7 +8,7 @@ author: DaniHalfin
localizationpriority: high
---
-# Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile
+# Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile
**Applies to**
@@ -71,13 +71,13 @@ If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, versi
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
similarity index 81%
rename from windows/update/waas-optimize-windows-10-updates.md
rename to windows/deployment/update/waas-optimize-windows-10-updates.md
index dba3ee72bb..0d6fac4aab 100644
--- a/windows/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -8,7 +8,7 @@ author: DaniHalfin
localizationpriority: high
---
-# Optimize update delivery for Windows 10 updates
+# Optimize Windows 10 update delivery
**Applies to**
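Review bot: The H1 becomes "Optimize Windows 10 update delivery", but the step table added later in this file still labels the page "Optimize update delivery for Windows 10 updates (this topic)", and the cross-links in the other topics in this patch keep the old wording too. Either update the link text everywhere to match the new heading or leave the heading as it was.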
@@ -49,7 +49,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
### How Microsoft supports Express
-- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager.
+- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update.
- **Express on WSUS Standalone**
Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
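Review bot: In the changed Configuration Manager bullet, "Windows 10, version 1703 or 1607 with the April 2017 cumulative update" is ambiguous: it is not clear whether the cumulative update requirement applies to both versions or only to 1607. Reword so the requirement for each version is stated separately. The context line below also says "all support versions of WSUS", which should read "all supported versions".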
@@ -80,25 +80,21 @@ At this point, the download is complete and the update is ready to be installed.
## Steps to manage updates for Windows 10
-
-

[Learn about updates and servicing branches](waas-overview.md)
-

[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-

[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-

[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
-

Optimize update delivery for Windows 10 updates (this topic)
-

[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
-
-
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | Optimize update delivery for Windows 10 updates (this topic) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
## Related topics
- [Update Windows 10 in the enterprise](index.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
diff --git a/windows/update/waas-overview.md b/windows/deployment/update/waas-overview.md
similarity index 93%
rename from windows/update/waas-overview.md
rename to windows/deployment/update/waas-overview.md
index 0df38fb0e2..764051919e 100644
--- a/windows/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -21,6 +21,8 @@ localizationpriority: high
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
+
+
## Building
Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn’t work in today’s rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two to three times per year to help address these issues.
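Review bot: The "Building" paragraph kept as context still says feature updates arrive "two to three times per year", while the waas-quick-start.md change in this patch moves to "twice per year, around March and September". Update this sentence to the same cadence. The two lines added above "## Building" are empty; if an image or embed was meant to go there it is missing, otherwise drop them.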
@@ -157,17 +159,14 @@ With all these options, which an organization chooses depends on the resources,
## Steps to manage updates for Windows 10
-
-

Learn about updates and servicing branches (this topic)
-

[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-

[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-

[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
-

[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-

[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
-
+| | |
+| --- | --- |
+|  | Learn about updates and servicing branches (this topic) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
@@ -175,7 +174,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
- [Update Windows 10 in the enterprise](index.md)
- [Quick guide to Windows as a service](waas-quick-start.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
diff --git a/windows/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
similarity index 65%
rename from windows/update/waas-quick-start.md
rename to windows/deployment/update/waas-quick-start.md
index 28b2e3d36a..8b7414fd7d 100644
--- a/windows/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -22,19 +22,19 @@ Windows as a service is a new concept, introduced with the release of Windows 10
## Definitions
Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
-- **Feature updates** will be released two to three times per year. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
+- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update.
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
-- **Servicing branches** allow organizations to choose when to deploy new features. Current Branch (CB) deploys the fastest, soon after a feature update is released. Current Branch for Business (CBB) defers the installation of the same feature update by about four months, until that feature update is considered ready for broad deployment. Long Term Servicing Branch (LTSB) is different, used only for specialized devices (which typically don’t run Office) such as those that control medical equipment or ATM machines that need to be kept stable and secure.
+- **Servicing channels** allow organizations to choose when to deploy new features. The Semi-Annual Channel receives feature updates twice per year. The Long Term Servicing Channel, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
See [Overview of Windows as a service](waas-overview.md) for more information.
## Key Concepts
-New feature update releases are initially considered **Current Branch (CB) releases**; organizations will use these for pilot deployments to ensure compatibility with existing apps and infrastructure. After about four months, the feature update will be declared as **Current Branch for Business (CBB)**, indicating that it is ready for broad deployment.
+Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers.
-Each Windows 10 feature update (which initially begins as CB and then is declared as CBB) will be serviced with quality updates for a minimum of 18 months after it is released. The total length of time can be longer, as there will be two CBB releases serviced at all times. There will be a minimum of 60 days advanced notice (a grace period) after a CBB declaration occurs before an older feature update is no longer serviced.
+Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release.
Windows 10 Enterprise LTSB is a separate **Long Term Servicing Branch (LTSB)** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
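Review bot: The added "Servicing channels" bullet introduces "Long Term Servicing Channel", but the unchanged paragraph at the end of this hunk still reads "Windows 10 Enterprise LTSB is a separate **Long Term Servicing Branch (LTSB)** version", so the page now uses both names for the same thing. Update that paragraph in this change, or add a sentence that ties the two names together. The new servicing sentence also drops "a minimum of" from the 18-month statement; confirm that the change from a minimum to a fixed period is intended.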
@@ -42,11 +42,11 @@ See [Assign devices to servicing branches for Windows 10 updates](waas-servicing
## Staying up to date
-The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Upgrade Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
+The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
-Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps and CBB has been declared, broad deployment can begin.
+Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
-This process repeats with each new feature update, two to three times per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
+This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files.
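Review bot: The rewritten tools sentence under "Staying up to date" carries over two defects from the line it replaces: "A variety of tools management and patching tools" repeats "tools", and "third-party products)" closes a parenthesis that was never opened. Since the line is already being changed for the Upgrade Readiness link, fix both, for example "A variety of management and patching tools (such as Windows Update, ..., and third-party products) can be used to help with this process."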
@@ -64,7 +64,7 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window
## Related topics
- [Update Windows 10 in the enterprise](index.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
diff --git a/windows/update/waas-restart.md b/windows/deployment/update/waas-restart.md
similarity index 69%
rename from windows/update/waas-restart.md
rename to windows/deployment/update/waas-restart.md
index 8eb41f55fc..da651bccc2 100644
--- a/windows/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -63,8 +63,6 @@ To configure active hours using Group Policy, go to **Computer Configuration\Adm

-To configure max active hours range, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**. This is only available from Windows 10, version 1703.
-
### Configuring active hours with MDM
MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) and [Update/ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
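Review bot: With the Group Policy paragraph for the max range removed here, the unchanged MDM paragraph under "Configuring active hours with MDM" still lists Update/ActiveHoursMaxRange, which the new "Configuring active hours max range" section later in this file also documents. Drop it from the MDM paragraph or point to the new section, so the setting is described in one place.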
@@ -84,10 +82,64 @@ For a detailed description of these regsitry keys, see [Registry keys used to ma
>
>
+### Configuring active hours max range
+
+With Windows 10, version 1703, administrators can specify the max active hours range users can set. This option gives you additional flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updating. The max range is calculated from active hours start time.
+
+To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**.
+
+To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRange**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-activehoursmaxrange).
+
## Limit restart delays
After an update is installed, Windows 10 attemtps automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14.
+## Control restart notifications
+
+In Windows 10, version 1703, we have added settings to control restart notifications for users.
+
+### Auto-restart notifications
+
+Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically.
+
+To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
+
+To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartRequiredNotificationDismissal)
+
+You can also configure the period prior to an update that this notification will show up on. The default value is 15 minutes.
+
+To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
+
+To change it through MDM, use [**Update/AutoRestartNotificationSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartNotificationSchedule).
+
+
+In some cases, you don't need a notification to show up.
+
+To do so through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Turn off auto-restart notifications for update installations**.
+
+To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-setautorestartnotificationdisable).
+
+### Scheduled auto-restart warnings
+
+Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled a restart. You can also configure a configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
+
+To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**.
+
+In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleRestartWarning) and the auto-restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleImminentRestartWarning).
+
+### Engaged restart
+
+Engaged restart is the period of time when users are required to schedule a restart. When this period ends (7 days by default), Windows transitions to auto-restart outside of active hours.
+
+The following settings can be adjusted for engaged restart:
+* Period of time before engaged restart transitions to auto-restart.
+* The number of days that users can snooze engaged restart reminder notifications.
+* The number of days before a pending restart automatically executes outside of working hours.
+
+In Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and pick **Specify Engaged restart transition and notification schedule for updates**.
+
+In MDM, use [**Update/EngagedRestartTransitionSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartTransitionSchedule), [**Update/EngagedRestartSnoozeSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartSnoozeSchedule) and [**Update/EngagedRestartDeadline**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartDeadline) respectively.
+
## Group Policy settings for restart
In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
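Review bot: The added paragraph under "Scheduled auto-restart warnings" has two wording slips: "prior to the scheduled a restart" and "You can also configure a configure a warning". Suggest "prior to the scheduled restart" and "You can also configure a warning". In the same hunk, the Update/AutoRestartRequiredNotificationDismissal sentence is missing its final period, the unchanged "Limit restart delays" paragraph still has "attemtps", and "In some cases, you don't need a notification to show up" should say which notification the policy turns off.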
diff --git a/windows/update/waas-servicing-branches-windows-10-updates.md b/windows/deployment/update/waas-servicing-branches-windows-10-updates.md
similarity index 87%
rename from windows/update/waas-servicing-branches-windows-10-updates.md
rename to windows/deployment/update/waas-servicing-branches-windows-10-updates.md
index dec5263d65..d92a5becf5 100644
--- a/windows/update/waas-servicing-branches-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-branches-windows-10-updates.md
@@ -182,21 +182,6 @@ During the life of a device, it may be necessary or desirable to switch between
-
-## Steps to manage updates for Windows 10
-
-
-

[Learn about updates and servicing branches](waas-overview.md)
-

[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-

[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-

Assign devices to servicing branches for Windows 10 updates (this topic)
-

[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-

[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
-
-
## Block user access to Windows Update settings
In Windows 10, administrators can control user access to Windows Update.
@@ -205,10 +190,21 @@ By enabling the Group Policy setting under **Computer Configuration\Administrati
>[!NOTE]
> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
+## Steps to manage updates for Windows 10
+
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | Assign devices to servicing branches for Windows 10 updates (this topic) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
## Related topics
- [Update Windows 10 in the enterprise](index.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
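Review bot: In the last row of the new steps table the three alternatives are run together: "(waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services]" has no space or line break before "or", whereas the removed version put each alternative on its own line. Add a space or an explicit line break before each "or" so the cell renders as three separate options.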
diff --git a/windows/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
similarity index 82%
rename from windows/update/waas-servicing-strategy-windows-10-updates.md
rename to windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index 6996fe3d0f..99c0566d7f 100644
--- a/windows/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -30,10 +30,10 @@ Windows 10 spreads the traditional deployment effort of a Windows upgrade, which
- **Identify excluded PCs.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than CB or Current Branch for Business (CBB) can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these PCs, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
-- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics).
+- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
>[!NOTE]
->This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](https://technet.microsoft.com/itpro/windows/plan/index).
+>This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md).
Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
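Review bot: The updated link in "Prioritize applications" now targets manage-windows-upgrades-with-upgrade-readiness.md, but its text still says "Manage Windows upgrades with Upgrade Analytics"; rename the link text to match the target. The same line keeps the typo "withe applications", which should be fixed while the line is being edited.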
@@ -44,23 +44,20 @@ Each time Microsoft releases a Windows 10 feature update, the IT department shou
## Steps to manage updates for Windows 10
-
-

[Learn about updates and servicing branches](waas-overview.md)
-

Prepare servicing strategy for Windows 10 updates (this topic)
-

[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-

[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
-

[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-

[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
-
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | Prepare servicing strategy for Windows 10 updates (this topic) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
## Related topics
- [Update Windows 10 in the enterprise](index.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
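Review bot: The rows added to the steps table still say "servicing branches" ("Learn about updates and servicing branches", "Assign devices to servicing branches for Windows 10 updates"), while an earlier hunk in this patch renames the concept to "Servicing channels". Pick one term for the link text, or state that the topic titles are intentionally left unchanged. The last row also runs its three alternatives together with no space before "or".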
diff --git a/windows/update/waas-windows-insider-for-business-aad.md b/windows/deployment/update/waas-windows-insider-for-business-aad.md
similarity index 68%
rename from windows/update/waas-windows-insider-for-business-aad.md
rename to windows/deployment/update/waas-windows-insider-for-business-aad.md
index f749ef1c36..5467e01600 100644
--- a/windows/update/waas-windows-insider-for-business-aad.md
+++ b/windows/deployment/update/waas-windows-insider-for-business-aad.md
@@ -37,12 +37,11 @@ Simply go to **Settings > Accounts > Access work or school**. If a corporate acc
## Enroll a device with an Azure Active Directory account
1. Visit [insider.windows.com](https://insider.windows.com). Sign-in with your corporate account in AAD and follow the on-screen registration directions.
2. On your Windows 10 device, go to **Settings > Updates & Security > Windows Insider Program**.
+3. Enter the AAD account that you used to register and follow the on-screen directions.
>[!NOTE]
>Make sure that you have administrator rights to the machine and that it has latest Windows updates.
-3. Enter the AAD account that you used to register and follow the on-screen directions.
-
## Switch device enrollment from your Microsoft account to your AAD account
1. Visit [insider.windows.com](https://insider.windows.com) to register your AAD account. If you are signed in with your Microsoft account, sign out, then sign back in with your corporate AAD account.
2. Click **Get started**, read and accept the privacy statement and program terms and click **Submit**.
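Review bot: Moving step 3 up fixes the list numbering, but the note that now follows it ("Make sure that you have administrator rights to the machine and that it has latest Windows updates") is a prerequisite, and a reader only reaches it after finishing enrollment. Consider placing it before step 1, and change "has latest" to "has the latest".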
@@ -55,6 +54,46 @@ Simply go to **Settings > Accounts > Access work or school**. If a corporate acc
>[!NOTE]
>Your device must be connected to your corporate account in AAD for the account to appear in the account list.
+## User consent requirement
+
+With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this:
+
+
+
+Once agreed, everything will work fine and that user won't be prompted for permission again.
+
+### Something went wrong
+
+The option for users to give consent for apps to access their profile data is controlled through Azure Active Directory. This means the AAD administrators have the ability to allow or block users from giving consent.
+
+In case the administrators blocked this option, when the user signs in with the AAD account, they will see the following error message:
+
+
+
+This blocks the user from signing in, which means they won't be able to use the Feedback Hub app with their AAD credentials.
+
+**To fix this issue**, an adminsitrator of the AAD directory will need to enable user consent for apps to access their data.
+
+To do this through the **classic Azure portal**:
+1. Go to https://manage.windowsazure.com/ .
+2. Switch to the **Active Directory** dashboard.
+ 
+3. Select the appropriate directory and go to the **Configure** tab.
+4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**.
+ 
+
+To do this through the **new Azure portal**:
+1. Go to https://portal.azure.com/ .
+2. Switch to the **Active Directory** dashboard.
+ 
+3. Switch to the appropriate directory.
+ 
+4. Under the **Manage** section, select **User settings**.
+ 
+5. In the **Enterprise applications** section, enable **Users can allow apps to access their data**.
+ 
+
+
## Frequently Asked Questions
### Will my test machines be affected by automatic registration?
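Review bot: The fix under "Something went wrong" tells an administrator to enable "Users may give applications permissions to access their data" (or "Users can allow apps to access their data"), but does not say that the setting, as named, covers apps in general and not only Feedback Hub. State that scope, so that administrators who blocked consent deliberately can weigh the change before making it. Smaller points: "adminsitrator" is misspelled, the heading "Something went wrong" does not say what the section covers, and both portal URLs are followed by a stray space before the period.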
diff --git a/windows/update/waas-windows-insider-for-business-faq.md b/windows/deployment/update/waas-windows-insider-for-business-faq.md
similarity index 97%
rename from windows/update/waas-windows-insider-for-business-faq.md
rename to windows/deployment/update/waas-windows-insider-for-business-faq.md
index 653d6d5c93..aa84530023 100644
--- a/windows/update/waas-windows-insider-for-business-faq.md
+++ b/windows/deployment/update/waas-windows-insider-for-business-faq.md
@@ -31,11 +31,12 @@ Hindi, Catalan, and Vietnamese can only be installed as a language pack over [su
> To learn how to install a language pack, see [How to add an input language to your PC Additional](https://support.microsoft.com/instantanswers/60f32ff8-8697-4452-af7d-647439c38433/how-to-add-and-switch-input-languages-on-your-pc).
### How do I register for the Windows Insider Program for Business?
-To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account \that you use for Office 365 and other Microsoft services.
+To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account that you use for Office 365 and other Microsoft services.
1. Visit https://insider.windows.com and click **Get Started**.
2. Sign-in with your corporate account in AAD (username/password) and follow the on-screen registration directions.
-3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions.
+3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions.
+
>[!NOTE]
>Make sure that you have administrator rights to your machine and that it has latest Windows updates.
@@ -73,7 +74,7 @@ In just a few steps, you can switch your existing program registration from your
Sign in to the Feedback Hub using the same AAD account you are using to flight builds.
### Am I going to lose all the feedback I submitted and badges I earned with my MSA?
-No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badge you’ve earned.
+No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned.
### How is licensing handled for Windows 10 Insider builds?
All PCs need to have a valid Windows 10 license. This requirement applies whether the device is joined to the Windows Insider Program using a Microsoft account or an Azure Active Directory account.
diff --git a/windows/update/waas-windows-insider-for-business.md b/windows/deployment/update/waas-windows-insider-for-business.md
similarity index 86%
rename from windows/update/waas-windows-insider-for-business.md
rename to windows/deployment/update/waas-windows-insider-for-business.md
index b25fa5f18b..5308d3e795 100644
--- a/windows/update/waas-windows-insider-for-business.md
+++ b/windows/deployment/update/waas-windows-insider-for-business.md
@@ -20,9 +20,9 @@ localizationpriority: high
For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation.
The Windows Insider Program for Business gives you the opportunity to:
-* Get early access to Windows Insider Preview Builds
+* Get early access to Windows Insider Preview Builds.
* Provide feedback to Microsoft in real-time via the Feedback Hub app.
-* Sign-in with coproate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs.
+* Sign-in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs.
Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app.
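Review bot: On the corrected bullet, "Sign-in with corporate credentials" uses the hyphenated noun as a verb. Since the line is already being edited for "coproate", change it to "Sign in with corporate credentials".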
@@ -56,9 +56,8 @@ Best for Insiders who enjoy getting early access to updates for the Current Bran
Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs.
-* The Release Preview Ring will only be visible when your Windows build version is the same as the Current Branch
-* The easiest way to go between the Development Branch to the Current Branch is to use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows
-Ring
+* The Release Preview Ring will only be visible when your Windows build version is the same as the Current Branch.
+* The easiest way to go between the Development Branch to the Current Branch is to use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows.
### Slow
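Review bot: The second rewritten bullet still reads "go between the Development Branch to the Current Branch", which mixes two constructions. Since the line is already being touched for punctuation, change it to "go from the Development Branch to the Current Branch" (or "switch between ... and ..."). Removing the stray "Ring" line looks right.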
@@ -66,15 +65,16 @@ The Slow Windows Insider level is for users who enjoy seeing new builds of Windo
* Builds are sent to the Slow Ring after feedback has been received from Insiders within the Fast Ring and analyzed by our Engineering teams.
* These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis.
-* These builds are still may have issues that would be addressed in a future flight.
+* These builds still may have issues that would be addressed in a future flight.
### Fast
-Best for Insiders who enjoy being the first to get access to builds and feature upgrades, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great
+Best for Insiders who enjoy being the first to get access to builds and feature upgrades, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great.
* Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you or may require significant workarounds.
* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features may work on some devices but may fail in other device configurations.
-* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. • Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community Forum
+* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked.
+* Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community Forum.
>[!NOTE]
>Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete.
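Review bot: The rewritten reinstall bullet keeps both tool links as `http://go.microsoft.com/fwlink/...`. These redirects lead to OS reinstall tooling, so the line should use `https://`, as the go.microsoft.com links in the Upgrade Readiness files of this same change already do. Splitting the trailing "•" item into its own bullet is fine.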
@@ -85,11 +85,11 @@ During your time in the Windows Insider Program, you may want to change between
1. Go to **Settings > Updates & Security > Windows Insider Program**
2. Under **Choose your level**, select between the following rings -
- * [Windows Insider Fast](#fast)
- * [Windows Insider Slow](#slow)
- * [Release Preview](#release-preview)
+ * [Windows Insider Fast](#fast)
+ * [Windows Insider Slow](#slow)
+ * [Release Preview](#release-preview)
-## How to switch between you MSA and your Corporate AAD account
+## How to switch between your MSA and your Corporate AAD account
The Windows Insider Program for Business now gives users the option to register and enroll devices using a corporate account in [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) (AAD) as well as their Microsoft Account (MSA).
@@ -108,11 +108,16 @@ When providing feedback, please consider the following:
3. Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible.
### How to use your corporate AAD account for additional Feedback Hub benefits
-Get even more out of the Feedback Hub by signing in to the Feedback Hub using the same corporate account in AAD that are using to flight builds. One of the benefits of submitting feedback using your AAD account is the addition of a page to the Feedback Hub for your organization. Simply click the **My Company** page in the feedback hub to see and upvote all feedback submitted by other Insiders in your organization.
+Get even more out of the Feedback Hub by signing in to the Feedback Hub using the same corporate account in AAD that you're using to flight builds. One of the benefits of submitting feedback using your AAD account is the addition of a page to the Feedback Hub for your organization. Simply click the **My Company** page in the feedback hub to see and upvote all feedback submitted by other Insiders in your organization.
>[!NOTE]
>If you signed into the Feedback Hub previously with your MSA, your feedback and badges will not be transferred to your AAD sing-in. However, you can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned.
+>[!IMPORTANT]
+>With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will se a popup asking for their permissions. Once agreed, everything will work fine and that user won't be asked for permissions again.
+>
+> If something goes wrong, it is possible that users aren't enabled to give persmissions to access their data. This can be resolved through the AAD portal. For more information about this, please see [User consent requirement](waas-windows-insider-for-business-aad.md#user-consent-requirement).
+
## Not receiving Windows 10 Insider Preview build updates?
In some cases, your PC may not update to the latest Insider Preview build as expected. Here are items that you can review to troubleshoot this issue:
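Review bot: The added `[!IMPORTANT]` block introduces new typos in a change that is otherwise fixing them: "they will se a popup" and "give persmissions". The context note just above it still has "AAD sing-in". Also tighten "users aren't enabled to give permissions to access their data" to say that user consent may be disabled in the tenant, because that is the condition an administrator has to look for in the AAD portal. "(We read their name, ...)" should start lower-case inside the sentence.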
@@ -126,7 +131,7 @@ Go to **Settings > Updates & Security**. Review available updates or select **Ch
### Make sure Windows is activated
Go to **Settings > Updates & Security > Activation** to verify Windows is activated.
-### Make sure your coporate account in AAD is connected to your device
+### Make sure your corporate account in AAD is connected to your device
Open **Settings \ Accounts \ Access work or school**. If your PC is not listed as connected to your account in AAD, click Connect and enter your AAD account.
### Make sure you have selected a flight ring
diff --git a/windows/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
similarity index 98%
rename from windows/update/waas-wufb-group-policy.md
rename to windows/deployment/update/waas-wufb-group-policy.md
index 9346bd5711..4b8c9d6362 100644
--- a/windows/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -342,11 +342,11 @@ The **Ring 4 Broad business users** deployment ring has now been configured. Fin
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
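Review bot: The four links are retitled from "Manage ..." to "Deploy ..." but still point at `waas-mobile-updates.md`, `waas-manage-updates-wufb.md`, `waas-manage-updates-wsus.md` and `waas-manage-updates-configuration-manager.md`. Please confirm that the titles of those target topics were changed in the same commit so link text and page title agree. The file also still ends without a trailing newline; adding one here would avoid the marker showing up in later diffs.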
diff --git a/windows/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md
similarity index 98%
rename from windows/update/waas-wufb-intune.md
rename to windows/deployment/update/waas-wufb-intune.md
index 5b610b1336..fd8cb722f8 100644
--- a/windows/update/waas-wufb-intune.md
+++ b/windows/deployment/update/waas-wufb-intune.md
@@ -265,13 +265,13 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deploy/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md
similarity index 89%
rename from windows/deploy/manage-windows-upgrades-with-upgrade-readiness.md
rename to windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md
index de269889bf..c2744bd544 100644
--- a/windows/deploy/manage-windows-upgrades-with-upgrade-readiness.md
+++ b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md
@@ -29,15 +29,15 @@ The Upgrade Readiness workflow steps you through the discovery and rationalizati
**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
-- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
-- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+- [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization)
+- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
##**Related topics**
[Upgrade Readiness architecture](upgrade-readiness-architecture.md)
[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
-[Upgrade Readiness release notes](upgrade-readiness-release-notes.md)
+[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md)
[Troubleshoot Upgrade Readiness](troubleshoot-upgrade-readiness.md)
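Review bot: In Related topics, "Upgrade Readiness release notes" now targets `upgrade-readiness-requirements.md#important-information-about-this-release`, which is the same file as the "Upgrade Readiness requirements" link directly above it. If the release notes topic has been folded into the requirements page, consider dropping the separate entry or renaming it so readers do not see two adjacent links to one page, and check that the anchor exists in the target. The switch from absolute technet URLs to root-relative `/windows/configuration/...` paths should be verified against the published site root, and the `##**Related topics**` heading needs a space after `##`.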
diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
similarity index 98%
rename from windows/deploy/resolve-windows-10-upgrade-errors.md
rename to windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index a16acec410..2ec92b3418 100644
--- a/windows/deploy/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -1,8 +1,7 @@
---
title: Resolve Windows 10 upgrade errors - Windows IT Pro
description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
-ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
-keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -52,7 +51,7 @@ The Windows Setup application is used to upgrade a computer to Windows 10, or to
**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
-
+
DU = Driver/device updates.
OOBE = Out of box experience.
@@ -553,20 +552,20 @@ Disconnect all peripheral devices that are connected to the system, except for t
For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).
-
Ensure you select the option to "Download and install updates (recommended)."
+
Ensure you select the option to "Download and install updates (recommended)."
-### 0x800xxxxx
+
0x800xxxxx
-Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
+
Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
-
+
diff --git a/windows/deploy/troubleshoot-upgrade-readiness.md b/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
similarity index 97%
rename from windows/deploy/troubleshoot-upgrade-readiness.md
rename to windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
index 2cc9bf9340..bb0caaf247 100644
--- a/windows/deploy/troubleshoot-upgrade-readiness.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
@@ -27,7 +27,7 @@ If you want to stop using Upgrade Readiness and stop sending telemetry data to M
1. Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option.
- 
+ 
2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to **Security**:
diff --git a/windows/deploy/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
similarity index 93%
rename from windows/deploy/upgrade-readiness-additional-insights.md
rename to windows/deployment/upgrade/upgrade-readiness-additional-insights.md
index e7a8b7a54c..8fe0d076bf 100644
--- a/windows/deploy/upgrade-readiness-additional-insights.md
+++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
@@ -46,7 +46,7 @@ Ensure the following prerequisites are met before using site discovery:
For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx).
- 
+ 
### Review most active sites
@@ -54,23 +54,23 @@ This blade indicates the most visited sites by computers in your environment. Re
For each site, the fully qualified domain name will be listed. You can sort the data by domain name or by URL.
-
+
Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name.
-
+
### Review document modes in use
This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes).
-
+
### Run browser-related queries
You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries.
-
+
## Office add-ins
diff --git a/windows/deploy/upgrade-readiness-architecture.md b/windows/deployment/upgrade/upgrade-readiness-architecture.md
similarity index 77%
rename from windows/deploy/upgrade-readiness-architecture.md
rename to windows/deployment/upgrade/upgrade-readiness-architecture.md
index 93a028f925..ae5949405f 100644
--- a/windows/deploy/upgrade-readiness-architecture.md
+++ b/windows/deployment/upgrade/upgrade-readiness-architecture.md
@@ -13,18 +13,18 @@ Microsoft analyzes system, application, and driver telemetry data to help you de
-->
-
+
After you enable Windows telemetry on user computers and install the compatibility update KB (1), user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, telemetry data is analyzed by the Upgrade Readiness Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades.
For more information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
-[Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
-[Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+[Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization)
+[Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
[Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
##**Related topics**
[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
-[Upgrade Readiness release notes](upgrade-readiness-release-notes.md)
+[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
new file mode 100644
index 0000000000..dad2b5a63b
--- /dev/null
+++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
@@ -0,0 +1,55 @@
+---
+title: Upgrade Readiness data sharing
+description: Connectivity scenarios for data sharing with Upgrade Readiness
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+# Upgrade Readiness data sharing
+
+To enable data sharing with the Upgrade Readiness solution, the following endpoints must be accessible:
+
+
+| **Endpoint** | **Function** |
+|---------------------------------------------------------|-----------|
+| `https://v10.vortex-win.data.microsoft.com/collect/v1` `https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
+| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. |
+| `https://go.microsoft.com/fwlink/?LinkID=544713` `https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
+
+Whitelist these endpoints on your network. This might require working with your organizations's network security group.
+
+## Connectivity to the Internet
+
+There are several different methods your organization can use to connect to the Internet, and these methods can affect how authentication is performed by the deployment script.
+
+### Direct connection to the Internet
+
+This scenario is very simple since there is no proxy involved. If you are using a network firewall which is blocking outgoing traffic, please keep in mind that even though we provide DNS names for the endpoints needed to communicate to the Microsoft telemetry backend, We therefore do not recommend to attempt to whitelist endpoints on your firewall based on IP-addresses.
+
+In order to use the direct connection scenario, set the parameter **ClientProxy=Direct** in **runconfig.bat**.
+
+### Connection through the WinHTTP proxy
+
+This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication.
+
+In order to set the WinHTTP proxy system-wide on your computers, you need to
+•Use the command netsh winhttp set proxy \:\
+•Set ClientProxy=System in runconfig.bat
+
+The WinHTTP scenario is most appropriate for customers who use a single proxy or f. If you have more advanced proxy requirements, refer to Scenario 3.
+
+If you want to learn more about Proxy considerations on Windows, please take a look at this post in the ieinternals blog
+
+### Logged-in user’s Internet connection
+
+In order to accommodate complex proxy scenarios, we also support using the currently logged-in user’s internet connection. This scenario supports PAC scripts, proxy autodetection and authentication. Essentially, if the logged in user can reach the Windows Telemetry endpoints, the telemetry client can send data. If runconfig.bat runs while no user is logged in, telemetry events get written into a buffer which gets flushed when a user logs in.
+
+In order to enable this scenario, you need:
+- A current quality update Rollup for Windows 7, 8.1 or Windows 10 Version 1511. Updates shipped after October 2016 have the needed code
+- Set the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy to 0. If the value does not exist, create a new DWORD, name it DisableEnterpriseAuthProxy and set the value to 0. The deployment script will check this is configured correctly.
+- Set ClientProxy=User in bat.
+
+
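Review bot: In "Direct connection to the Internet", the sentence "even though we provide DNS names for the endpoints ..., We therefore do not recommend ..." is missing its middle clause, so the guidance against IP-based firewall rules is given with no stated reason. Please restore the missing text. Other places in this new file also lost content: `netsh winhttp set proxy \:\` has no placeholders left (put them in code formatting so they survive rendering), "a single proxy or f." is cut off, "refer to Scenario 3" points at a numbering the headings do not use, "this post in the ieinternals blog" has no link, and the last step says "Set ClientProxy=User in bat." where the other sections say runconfig.bat. Smaller points: "organizations's", the two "•" items should be markdown list items, `Vortex-win` is capitalised differently from `v10.vortex-win` in the same cell, and the cells that hold two URLs need a separator between them.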
diff --git a/windows/deploy/upgrade-readiness-deploy-windows.md b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
similarity index 95%
rename from windows/deploy/upgrade-readiness-deploy-windows.md
rename to windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
index bb54670f8d..642e0ed67b 100644
--- a/windows/deploy/upgrade-readiness-deploy-windows.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
@@ -26,7 +26,7 @@ In this blade, computers grouped by upgrade decision are listed. The upgrade dec
-->
-
+
Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers.
@@ -42,7 +42,7 @@ Query based computer groups are recommended in the initial release of this featu
When you sign in to OMS, you will see a new blade entitled **Computer Groups**. See the following example:
-
+
To create a computer group, open **Log Search** and create a query based on **Type=UAComputer**, for example:
@@ -50,7 +50,7 @@ To create a computer group, open **Log Search** and create a query based on **Ty
Type=UAComputer Manufacturer=DELL
```
-
+
When you are satisfied that the query is returning the intended results, add the following text to your search:
@@ -60,25 +60,25 @@ When you are satisfied that the query is returning the intended results, add the
This will ensure every computer only shows up once. Then, save your group by clicking **Save** and **Yes**. See the following example:
-
+
Your new computer group will now be available in Upgrade Readiness. See the following example:
-
+
### Using Computer Groups
When you drill into a computer group, you will see that computers are categorized by **UpgradeDecision**. For computers with the status **Review in progress** or **Won’t upgrade** you can drill down to view issues that cause a computer to be in each category, or you can simply display a list of the computers in the category. For computers that are designated **Ready to upgrade**, you can go directly to the list of computers that are ready.
-
+
Viewing a list of computers in a certain status is self-explanatory, Let’s look at what happens when you click the details link on **Review in progress**:
-
+
Next, select if you want to see application issues (**UAApp**) or driver issues (**UADriver**). See the following example of selecting **UAApp**:
-
+
A list of apps that require review so that Dell Computers are ready for upgrade to Windows 10 is displayed.
diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
new file mode 100644
index 0000000000..2e289b8a5b
--- /dev/null
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@@ -0,0 +1,263 @@
+---
+title: Upgrade Readiness deployment script (Windows 10)
+description: Deployment script for Upgrade Readiness.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+# Upgrade Readiness deployment script
+
+To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
+
+>[!IMPORTANT]
+>Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution.
+
+For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
+
+> The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, please download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
+
+The Upgrade Readiness deployment script does the following:
+
+1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
+2. Verifies that user computers can send data to Microsoft.
+3. Checks whether the computer has a pending restart.
+4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
+5. If enabled, turns on verbose mode for troubleshooting.
+6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness.
+7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
+
+To run the Upgrade Readiness deployment script:
+
+1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
+
+2. Edit the following parameters in RunConfig.bat:
+
+ 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
+
+ 2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry.
+
+ 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
+
+ > *logMode = 0 log to console only*
+ >
+ > *logMode = 1 log to file and console*
+ >
+ > *logMode = 2 log to file only*
+
+3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
+
+ > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
+ >
+ > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
+ >
+ > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
+ >
+ > *IEOptInLevel = 3 Data collection is enabled for all sites*
+
+4. The latest version (03.02.17) of the deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**.
+
+ The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
+
+ This data gives us the ability to determine the status of your machines and to help troubleshoot issues. If you choose to opt-in to and send this data to Microsoft, you must also allow https traffic to be sent to the following wildcard endpoints:
+
+ \*vortex\*.data.microsoft.com
+ \*settings\*.data.microsoft.com
+
+5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
+
+The deployment script displays the following exit codes to let ddfyou know if it was successful, or if an error was encountered.
+
+
+
+
+
Exit code and meaning
+
Suggested fix
+
+
0 - Success
+
N/A
+
+
+
1 - Unexpected error occurred while executiEng the script.
+
The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again.
+
+
+
2 - Error when logging to console. $logMode = 0. (console only)
+
Try changing the $logMode value to **1** and try again. $logMode value 1 logs to both console and file.
+
+
+
3 - Error when logging to console and file. $logMode = 1.
+
Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
+
+
+
4 - Error when logging to file. $logMode = 2.
+
Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
+
+
+
5 - Error when logging to console and file. $logMode = unknown.
+
Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
+
+
+
6 - The commercialID parameter is set to unknown. Modify the runConfig.bat file to set the CommercialID value.
+
The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace.
+ See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace.
+
+
+
8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
+
The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
+ Verify that the context under which the script in running has access to the registry key.
+
+
+
9 - The script failed to write Commercial Id to registry.
+ Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
+
+
Verify that the context under which the script in running has access to the registry key.
+
+
+
10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
+
Verify that the deployment script is running in a context that has access to the registry key.
+
+
+
11 - Function **SetupCommercialId** failed with an unexpected exception.
+
The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** Verify that the configuration script has access to this location.
+
+
+
12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings.
+
**Http Get** on the end points did not return a success exit code.
+ For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive.
+ For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive.
+ If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
+
+
+
13 - Can’t connect to Microsoft - setting.
+
An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
+
+
+
14 - Can’t connect to Microsoft - compatexchange.
+
An error occurred connecting to https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc . This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
+
+
+
15 - Function CheckVortexConnectivity failed with an unexpected exception.
+
This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult.
+
+
+
16 - The computer requires a reboot before running the script.
+
A reboot is required to complete the installation of the compatibility update and related KBs. Reboot the computer before running the Upgrade Readiness deployment script.
+
+
+
17 - Function **CheckRebootRequired** failed with an unexpected exception.
+
A reboot is required to complete installation of the compatibility update and related KBs. Check the logs for the exception message and the HResult.
+
+
+
18 - Appraiser KBs not installed or **appraiser.dll** not found.
+
Either the Appraiser KBs are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser telemetry events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic.
+
+
+
19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception.
+
Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed.
+
+
+
20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser**
+
The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key.
+
+
+
21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception.
+
Check the logs for the exception message and HResult.
+
+
+
22 - **RunAppraiser** failed with unexpected exception.
+
Check the logs for the exception message and HResult. Check the **%windir%\System32*8 directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file.
+
+
+
23 - Error finding system variable **%WINDIR%**.
+
Verify that this environment variable is configured on the computer.
+
+
+
24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
+
This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult.
+
+
+
25 - The function **SetIEDataOptIn** failed with unexpected exception.
+
Check the logs for the exception message and HResult.
+
+
+
26 - The operating system is Server or LTSB SKU.
+
The script does not support Server or LTSB SKUs.
+
+
+
27 - The script is not running under **System** account.
+
The Upgrade Readiness configuration script must be run as **System**.
+
+
+
28 - Could not create log file at the specified **logPath**.
+
Make sure the deployment script has access to the location specified in the **logPath** parameter.
+
+
+
29 - Connectivity check failed for proxy authentication.
+
Install the cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting.
+ The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
+ For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled).
+ For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
+
+
+
30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled.
+
The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
+ For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled).
+ For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
+
+
+
31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer.
+
Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m.
+
+
+
32 - Appraiser version on the machine is outdated.
+
The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for Windows 7 SP1/Windows 8.1.
+
+
+
33 - **CompatTelRunner.exe** exited with an exit code
+
**CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Please check the logs for more details.
+
+
+
34 - Function **CheckProxySettings** failed with an unexpected exception.
+
Check the logs for the exception message and HResult.>
+
+
+
35 - Function **CheckAuthProxy** failed with an unexpected exception.
+
Check the logs for the exception message and HResult.
+
+
+
36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception.
+
Check the logs for the exception message and HResult.
+
+
+
37 - **Diagnose_internal.cmd** failed with an unexpected exception.
+
Check the logs for the exception message and HResult.
+
+
+
38 - Function **Get-SqmID** failed with an unexpected exception.
+
Check the logs for the exception message and HResult.
+
+
+
39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**
+ or **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
+
For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).
+
+
+
40 - Function **CheckTelemetryOptIn** failed with an unexpected exception.
+
Check the logs for the exception message and HResult.
+
+
+
41 - The script failed to impersonate the currently logged on user.
+
The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the logged on user. The script also tries to mimic this, but the process failed.
+
+
+
42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception.
+
Check the logs for the exception message and HResult.
+
+
+
43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception.
+
Check the logs for the exception message and HResult.
+
+
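Review bot: Several typos and markup slips in the exit-code section of this new file will ship as written: "let ddfyou know" in the sentence that introduces the table, "executiEng" in the text for exit code 1, the unbalanced bold in "**%windir%\System32*8 directory" under exit code 22, a stray ">" after "HResult." under exit code 34, and "script in running" under exit codes 8, 9 and 24. The table also jumps from exit code 6 to 8, and the suggested fix for code 6 reads "The value for parameter in the runconfig.bat file" without naming the parameter (presumably CommercialID, going by the exit-code text); please either document 7 or state that it is unused, and name the parameter. The file name is spelled RunConfig.bat, runConfig.bat and runconfig.bat in different rows; pick one. Since this patch converts other TechNet links to relative paths, the technet.microsoft.com links in the suggested fixes for codes 6, 12 to 15, 18, 32 and 39 should probably get the same treatment.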
diff --git a/windows/deploy/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
similarity index 86%
rename from windows/deploy/upgrade-readiness-get-started.md
rename to windows/deployment/upgrade/upgrade-readiness-get-started.md
index 7cb98c4cf2..bb6ce8f949 100644
--- a/windows/deploy/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -32,8 +32,8 @@ When you are ready to begin using Upgrade Readiness, perform the following steps
To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see the following topics:
-- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
-- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+- [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization)
+- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
## Add Upgrade Readiness to Operations Management Suite
@@ -61,7 +61,7 @@ Microsoft uses a unique commercial ID to map information from user computers to
1. On the Settings Dashboard, navigate to the **Windows telemetry** panel.
- 
+ 
2. On the Windows telemetry panel, copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Readiness deployment script later so it can be deployed to user computers.
@@ -79,14 +79,23 @@ For Upgrade Readiness to receive and display upgrade readiness data from Microso
To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
-Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) to learn what you need to do to run it under the logged on user account.
-
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
| `https://v10.vortex-win.data.microsoft.com/collect/v1` `https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. |
| `https://go.microsoft.com/fwlink/?LinkID=544713` `https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
+Note: The compatibility update KB runs under the computer’s system account.
+
+### Connection settings
+
+The settings that are used to enable client computers to connect to Windows Telemetry depend on the type of connection scenario you use. These scenarios are discussed in [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) and are summarized below.
+
+| **Connection scenario** | **ClientProxy setting** in **runconfig.bat** | **Local computer configuration** |
+|---------------------------------------------------------|-----------|-----------|
+| Direct connection to the Internet (no proxy) | **ClientProxy=Direct** | No additional configuration necessary |
+| WinHTTP proxy | **ClientProxy=System** | Specify `netsh winhttp set proxy :` on client computers |
+| Other proxy | **ClientProxy=User** | Configure the Windows Registry value:
to 0 on client computers |
## Deploy the compatibility update and related KBs
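Review bot: Two cells in the new Connection settings table are incomplete as they appear here: the WinHTTP proxy row gives `netsh winhttp set proxy :` with nothing on either side of the colon, and the Other proxy row says "Configure the Windows Registry value:" followed by "to 0 on client computers" without naming the value. If the proxy host, port and registry value name were written in angle brackets or raw HTML, they are being dropped; escape them or put them in backticks so the reader knows exactly what to set. The relocated "Note: The compatibility update KB runs under the computer's system account." now sits directly above the new heading with the authenticated-proxy guidance removed from it, so consider moving that sentence into the Connection settings paragraph, where the choice of ClientProxy depends on it.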
@@ -104,7 +113,7 @@ If you are planning to enable IE Site Discovery, you will need to install a few
| **Site discovery** | **KB** |
|----------------------|-----------------------------------------------------------------------------|
-| [Review site discovery](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-additional-insights#site-discovery) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149) Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices. For more information about this KB, see
Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
+| [Review site discovery](upgrade-readiness-additional-insights.md#site-discovery) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149) Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices. For more information about this KB, see
Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
### Deploy the Upgrade Readiness deployment script
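Review bot: The rewritten Site discovery row still links to the Microsoft Update Catalog over plain http (`http://www.catalog.update.microsoft.com/Search.aspx?q=3080149` and the Monthly Rollup search link); since the row is being touched and these are the links readers follow to download updates, switch both to https, matching the `https://catalog.update.microsoft.com` link used in upgrade-readiness-requirements.md. The cell text "For more information about this KB, see" also ends without a link target in both the removed and the added line.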
diff --git a/windows/deploy/upgrade-readiness-identify-apps.md b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md
similarity index 98%
rename from windows/deploy/upgrade-readiness-identify-apps.md
rename to windows/deployment/upgrade/upgrade-readiness-identify-apps.md
index 33b5d248c5..6beb49c163 100644
--- a/windows/deploy/upgrade-readiness-identify-apps.md
+++ b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md
@@ -13,7 +13,7 @@ This is the first step of the Upgrade Readiness workflow. In this step, applicat
-->
-
+
Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them.
diff --git a/windows/deployment/upgrade/upgrade-readiness-release-notes.md b/windows/deployment/upgrade/upgrade-readiness-release-notes.md
new file mode 100644
index 0000000000..38b0510215
--- /dev/null
+++ b/windows/deployment/upgrade/upgrade-readiness-release-notes.md
@@ -0,0 +1,5 @@
+---
+title: Upgrade Readiness release notes (Windows 10)
+description: Provides tips and limitations about Upgrade Readiness.
+redirect_url: https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-requirements#important-information-about-this-release
+---
\ No newline at end of file
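Review bot: The new redirect stub ends without a trailing newline (see the "\ No newline at end of file" marker after the closing `---`); add one so a later edit to this file does not show the front-matter terminator as changed. Please also confirm that the `#important-information-about-this-release` anchor in redirect_url exists in upgrade-readiness-requirements.md, since that heading is not part of the hunks shown for that file.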
diff --git a/windows/deploy/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md
similarity index 96%
rename from windows/deploy/upgrade-readiness-requirements.md
rename to windows/deployment/upgrade/upgrade-readiness-requirements.md
index 5593a4eb72..eb98ebd2cf 100644
--- a/windows/deploy/upgrade-readiness-requirements.md
+++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md
@@ -30,7 +30,7 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1
Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates.
The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility KBs are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com).
-Windows 10 LTSB is not supported by Upgrade Readiness. The LTSB (long term servicing branch) of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#long-term-servicing-branch) to understand more about LTSB.
+Windows 10 LTSB is not supported by Upgrade Readiness. The LTSB (long term servicing branch) of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-branch) to understand more about LTSB.
## Operations Management Suite
@@ -50,7 +50,7 @@ Upgrade Readiness can be integrated with your installation of Configuration Mana
After you’ve signed in to Operations Management Suite and added the Upgrade Readiness solution to your workspace, you’ll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Readiness.
-See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Readiness collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
+See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Readiness collects and assesses. See [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, you’ll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
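Review bot: Link style is mixed within this file: the added line here points to `/windows/configuration/configure-windows-telemetry-in-your-organization` (site-relative, no extension), while the previous hunk uses `../update/waas-overview.md#long-term-servicing-branch` (file-relative with .md). If the configuration content lives in a separate docset and needs the site-relative form, say so in the commit message; otherwise use one form throughout.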
diff --git a/windows/deploy/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
similarity index 70%
rename from windows/deploy/upgrade-readiness-resolve-issues.md
rename to windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
index bb0e2c452d..9ca055c5f5 100644
--- a/windows/deploy/upgrade-readiness-resolve-issues.md
+++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
@@ -9,7 +9,16 @@ author: greg-lindsay
This section of the Upgrade Readiness workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them.
-You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list.
+## In this section
+
+The blades in the **Step 2: Resolve issues** section are:
+
+- [Review applications with known issues](#review-applications-with-known-issues)
+- [Review applications with no known issues](#review-applications-with-no-known-issues)
+- [Review known driver issues](#review-known-driver-issues)
+- [Prioritize app and driver testing](#prioritize-app-and-driver-testing)
+
+>You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list.
Upgrade decisions include:
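Review bot: The paragraph moved under the new list is now prefixed with a bare `>` (the added line beginning ">You can change an application's upgrade decision"), which renders as a blockquote; elsewhere this file uses `>[!TIP]` for callouts, so use the matching callout syntax or drop the `>`. While the line is being touched, its second sentence says "To change an application's or a driver's importance level" but the control it names is **Select upgrade decision**, so it should read "upgrade decision". Please also check that `#review-known-driver-issues` matches an actual heading, since the list this replaces called the blade "Review drivers with known issues".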
@@ -19,13 +28,6 @@ Upgrade decisions include:
| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.
Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.
| Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**. |
| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.
In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. |
| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.
Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade. | If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.
|
-
-The blades in the **Resolve issues** section are:
-
-- Review applications with known issues
-- Review applications with no known issues
-- Review drivers with known issues
-
As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/).
## Review applications with known issues
@@ -36,7 +38,7 @@ Applications with issues known to Microsoft are listed, grouped by upgrade asses
-->
-
+
To change an application's upgrade decision:
@@ -75,15 +77,15 @@ For applications assessed as **Fix available**, review the table below for detai
Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example:
-
+
If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance.
-
+
If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows.
-
+
>[!TIP]
>Within the Upgrade Readiness data model, an object of Type **UAApp** refers to a particular application installed on a specific computer.
@@ -109,7 +111,7 @@ The following table lists possible values for **ReadyForWindows** and what they
Applications with no issues known to Microsoft are listed, grouped by upgrade decision.
-
+
Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**.
@@ -129,7 +131,7 @@ To change an application's upgrade decision:
Drivers that won’t migrate to the new operating system are listed, grouped by availability.
-
+
Availability categories are explained in the table below.
@@ -150,3 +152,55 @@ To change a driver’s upgrade decision:
4. Click **Save** when finished.
+## Prioritize app and driver testing
+
+Planning and executing an OS upgrade project can be overwhelming. When you are tasked with evaluating thousands of applications and drivers to ensure a successful upgrade, it can be difficult to decide where to start. The Upgrade Readiness solution provides valuable assistance for you, helping to determine the most important apps and drivers to unblock and enabling you yo create a proposed action plan.
+
+### Proposed action plan
+
+The Upgrade Readiness proposed action plan is an optimally ordered list of apps and drivers that are in need of review. By testing apps and drivers in the order suggested by the proposed action plan, you are able to increase your number of “Ready to upgrade” computers in an efficient manner. The action plan can be a very powerful tool during upgrade planning – but it’s most helpful when it’s used correctly. This topic explains the proposed action plan, describes how to use it, and calls out a few misconceptions and invalid use cases that you should avoid.
+
+The proposed action plan represents the order thath Microsoft recommends you rationalize the upgrade-readiness of your apps and drivers. By validating apps and drivers in the order proposed, you can ensure that you are testing efficiently.
+
+Each item in the proposed action plan represents either an application or a driver that you have not yet marked “Ready to upgrade.”
+
+>Since “Low install count” apps are automatically marked “Ready to upgrade”, you will not see any of these apps in the proposed action plan.
+
+Each item in the plan has the following attributes:
+
+| Attribute | Description | Example value |
+|-----------------------|------------------------------------------|----------------|
+| ItemRank | The location of this item in the context of the proposed action plan. For example, the item with ItemRank 7 is the 7th item in the Plan. It is crucial that the Plan is viewed in order by increasing ItemRank. Sorting the Plan in any other way invalidates the insights that the Plan provides. | 7 |
+| ItemType | Whether this item is an app or driver -- possible values are: "App" and "Driver." | App |
+| ItemName | The name of the app or driver that is in need of review. | Microsoft Visual C++ 2005 Redistributable (x64) |
+| ItemVendor | The vendor of the app or driver. | Microsoft Corporation |
+| ItemVersion | The version of the app or driver. | 12.1.0.1 |
+| ItemLanguage | If this item is an application, then this field will be the language of the app. If the item is a driver, then this will say "N/A." | English |
+| ItemHardwareId | If this item is a driver, then this field will be the hardware id of the driver. If the item is an app, then this will say "N/A." | N/A |
+| Upgrade Decision | The upgrade decision you have provided for this app or driver. If you have not defined an upgrade decision, then you will see the default value of “Not reviewed.” | Review in progress |
+| ComputersUnblocked | Assuming you have already marked all previous items in the proposed action plan “Ready to upgrade”, this represents the number of additional computers that will become “Ready to upgrade” by testing this app or driver and giving it an upgrade decision of “Ready to upgrade”. For example, if ComputersUnblocked is 200, then resolving any issues associated with the app/driver in question will make 200 new computers “Ready to upgrade.” | 200 |
+| CumulativeUnblocked | The total number of computers that will become “Ready to upgrade” if you validate and mark this and all prior items in the proposed action plan “Ready to upgrade”. For example, if ItemRank is 7, and CumulativeUnblocked is 950, then fixing items 1 thru 7 in the proposed action plan will cause 950 of your computers to become “Ready to upgrade.” | 950 |
+| CumulativeUnblockedPct | The percentage of your machines that will become “Ready to upgrade” if you make this and all prior items in the proposed action plan “Ready to upgrade.” | 0.24 |
+
+See the following example action plan items (click the image for a full-size view):
+
+
+
+
+In this example, the 3rd item is an application: **Microsoft Bing Sports**, a modern app, version **4.20.951.0**, published by Microsoft. By validating this app and making its UpgradeDecision “Ready to upgrade”, you can potentially make **1014** computers “Ready to upgrade” – but only after you have already validated items 1 and 2 in the list. By marking items 1, 2, and 3 “Ready to upgrade”, 14779 of your computers will become upgrade-ready. This represents 10.96% of the machines in this workspace.
+
+#### Using the proposed action plan
+
+There are several valid use cases for the proposed action plan. But it’s always important to remember that the information presented in the Plan is only accurate when sorted by increasing Item Rank! Here are three potential cases in which you could use the proposed action plan:
+
+1. Quickly determine how many apps and drivers you’ll need to validate in order to make x% of your computers upgrade-ready. To determine this, simply find the first item in the Plan with a CumulativeUnblockedPct greater than or equal to your desired percentage of upgrade-ready computers. The corresponding ItemRank represents the smallest number of apps and drivers that you can validate in order to reach your upgrade readiness goal. The prior items in the proposed action plan itself represent the most efficient route to reaching your goal.
+
+2. Use the proposed action plan to prepare a small portion of your machines for a pilot of your target Operating System. Let’s say you want to test a new Operating System by upgrading a few hundred computers. You can use the proposed action plan to determine how many apps and drivers you will need to validate before you can be confident that your pilot will be successful.
+
+3. If your project deadline is approaching and you only have time to validate a few more apps and drivers, you can use the proposed action plan to determine which apps and drivers you should focus on to maximize the number of computers that you can confidently upgrade.
+
+#### Misconceptions and things to avoid
+
+The most common misconceptions about the proposed action plan involve the assumption that each item in the plan is independent of those around it. The apps and drivers in the plan must be considered in the correct order to draw valid conclusions. For example, if you choose to validate items 1, 3, 4, and 5 and mark each of them “Ready to upgrade,” the proposed action plan cannot tell you how many computers will become upgrade-ready as a result of your testing. Even the non-cumulative “ComputersUnblocked” count is dependent upon all prior issues having already been resolved.
+
+If an item with ItemRank = 7 has a ComputersUnblocked value of 50, do not assume that 50 of your computers will become upgrade-ready if you test this item. However, if you validate items 1 through 6 in the plan, you can make an additional 50 computers upgrade-ready by validating the 7th item in the plan.
\ No newline at end of file
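Review bot: The attribute names are inconsistent between the table and the prose. The table row is "Upgrade Decision" (with a space) while the worked example refers to "UpgradeDecision", and the "Using the proposed action plan" paragraph writes "Item Rank" where the table has "ItemRank". Use the exact field name everywhere so readers can match it to the exported column. CumulativeUnblockedPct is described as a percentage, but its example value is 0.24 while the worked example quotes 10.96%; say whether the field is a fraction or a percent. The file also ends without a trailing newline.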
diff --git a/windows/deploy/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
similarity index 98%
rename from windows/deploy/upgrade-readiness-upgrade-overview.md
rename to windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
index bf09694a38..bbbb2a155d 100644
--- a/windows/deploy/upgrade-readiness-upgrade-overview.md
+++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
@@ -36,7 +36,7 @@ Click on a row to drill down and see details about individual computers. If KBs
In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
-
+
[Code integrity](https://technet.microsoft.com/library/dd348642.aspx)
-[Protect derived domain credentials with Credential Guard](credential-guard.md)
+[Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard)
[Driver compatibility with Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
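Review bot: The Credential Guard link now targets /windows/access-protection/credential-guard/credential-guard, which is outside the directories this part of the patch touches, and nothing visible here shows that page being created or moved. Confirm the target exists at that path before merging. The neighbouring links in the same list are full https URLs, so note for maintainers that this is now the only site-relative link in the list.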
diff --git a/windows/keep-secure/images/device-guard-gp.png b/windows/device-security/device-guard/images/device-guard-gp.png
similarity index 100%
rename from windows/keep-secure/images/device-guard-gp.png
rename to windows/device-security/device-guard/images/device-guard-gp.png
diff --git a/windows/keep-secure/images/dg-fig1-enableos.png b/windows/device-security/device-guard/images/dg-fig1-enableos.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig1-enableos.png
rename to windows/device-security/device-guard/images/dg-fig1-enableos.png
diff --git a/windows/keep-secure/images/dg-fig10-enablecredentialguard.png b/windows/device-security/device-guard/images/dg-fig10-enablecredentialguard.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig10-enablecredentialguard.png
rename to windows/device-security/device-guard/images/dg-fig10-enablecredentialguard.png
diff --git a/windows/keep-secure/images/dg-fig11-dgproperties.png b/windows/device-security/device-guard/images/dg-fig11-dgproperties.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig11-dgproperties.png
rename to windows/device-security/device-guard/images/dg-fig11-dgproperties.png
diff --git a/windows/keep-secure/images/dg-fig12-verifysigning.png b/windows/device-security/device-guard/images/dg-fig12-verifysigning.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig12-verifysigning.png
rename to windows/device-security/device-guard/images/dg-fig12-verifysigning.png
diff --git a/windows/keep-secure/images/dg-fig13-createnewgpo.png b/windows/device-security/device-guard/images/dg-fig13-createnewgpo.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig13-createnewgpo.png
rename to windows/device-security/device-guard/images/dg-fig13-createnewgpo.png
diff --git a/windows/keep-secure/images/dg-fig14-createnewfile.png b/windows/device-security/device-guard/images/dg-fig14-createnewfile.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig14-createnewfile.png
rename to windows/device-security/device-guard/images/dg-fig14-createnewfile.png
diff --git a/windows/keep-secure/images/dg-fig15-setnewfileprops.png b/windows/device-security/device-guard/images/dg-fig15-setnewfileprops.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig15-setnewfileprops.png
rename to windows/device-security/device-guard/images/dg-fig15-setnewfileprops.png
diff --git a/windows/keep-secure/images/dg-fig16-specifyinfo.png b/windows/device-security/device-guard/images/dg-fig16-specifyinfo.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig16-specifyinfo.png
rename to windows/device-security/device-guard/images/dg-fig16-specifyinfo.png
diff --git a/windows/keep-secure/images/dg-fig17-specifyinfo.png b/windows/device-security/device-guard/images/dg-fig17-specifyinfo.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig17-specifyinfo.png
rename to windows/device-security/device-guard/images/dg-fig17-specifyinfo.png
diff --git a/windows/keep-secure/images/dg-fig18-specifyux.png b/windows/device-security/device-guard/images/dg-fig18-specifyux.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig18-specifyux.png
rename to windows/device-security/device-guard/images/dg-fig18-specifyux.png
diff --git a/windows/keep-secure/images/dg-fig19-customsettings.png b/windows/device-security/device-guard/images/dg-fig19-customsettings.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig19-customsettings.png
rename to windows/device-security/device-guard/images/dg-fig19-customsettings.png
diff --git a/windows/keep-secure/images/dg-fig2-createou.png b/windows/device-security/device-guard/images/dg-fig2-createou.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig2-createou.png
rename to windows/device-security/device-guard/images/dg-fig2-createou.png
diff --git a/windows/keep-secure/images/dg-fig20-setsoftwareinv.png b/windows/device-security/device-guard/images/dg-fig20-setsoftwareinv.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig20-setsoftwareinv.png
rename to windows/device-security/device-guard/images/dg-fig20-setsoftwareinv.png
diff --git a/windows/keep-secure/images/dg-fig21-pathproperties.png b/windows/device-security/device-guard/images/dg-fig21-pathproperties.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig21-pathproperties.png
rename to windows/device-security/device-guard/images/dg-fig21-pathproperties.png
diff --git a/windows/keep-secure/images/dg-fig22-deploycode.png b/windows/device-security/device-guard/images/dg-fig22-deploycode.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig22-deploycode.png
rename to windows/device-security/device-guard/images/dg-fig22-deploycode.png
diff --git a/windows/keep-secure/images/dg-fig23-exceptionstocode.png b/windows/device-security/device-guard/images/dg-fig23-exceptionstocode.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig23-exceptionstocode.png
rename to windows/device-security/device-guard/images/dg-fig23-exceptionstocode.png
diff --git a/windows/keep-secure/images/dg-fig24-creategpo.png b/windows/device-security/device-guard/images/dg-fig24-creategpo.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig24-creategpo.png
rename to windows/device-security/device-guard/images/dg-fig24-creategpo.png
diff --git a/windows/keep-secure/images/dg-fig25-editcode.png b/windows/device-security/device-guard/images/dg-fig25-editcode.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig25-editcode.png
rename to windows/device-security/device-guard/images/dg-fig25-editcode.png
diff --git a/windows/keep-secure/images/dg-fig26-enablecode.png b/windows/device-security/device-guard/images/dg-fig26-enablecode.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig26-enablecode.png
rename to windows/device-security/device-guard/images/dg-fig26-enablecode.png
diff --git a/windows/keep-secure/images/dg-fig27-managecerttemp.png b/windows/device-security/device-guard/images/dg-fig27-managecerttemp.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig27-managecerttemp.png
rename to windows/device-security/device-guard/images/dg-fig27-managecerttemp.png
diff --git a/windows/keep-secure/images/dg-fig29-enableconstraints.png b/windows/device-security/device-guard/images/dg-fig29-enableconstraints.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig29-enableconstraints.png
rename to windows/device-security/device-guard/images/dg-fig29-enableconstraints.png
diff --git a/windows/keep-secure/images/dg-fig3-enablevbs.png b/windows/device-security/device-guard/images/dg-fig3-enablevbs.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig3-enablevbs.png
rename to windows/device-security/device-guard/images/dg-fig3-enablevbs.png
diff --git a/windows/keep-secure/images/dg-fig30-selectnewcert.png b/windows/device-security/device-guard/images/dg-fig30-selectnewcert.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig30-selectnewcert.png
rename to windows/device-security/device-guard/images/dg-fig30-selectnewcert.png
diff --git a/windows/keep-secure/images/dg-fig31-getmoreinfo.png b/windows/device-security/device-guard/images/dg-fig31-getmoreinfo.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig31-getmoreinfo.png
rename to windows/device-security/device-guard/images/dg-fig31-getmoreinfo.png
diff --git a/windows/keep-secure/images/dg-fig5-createnewou.png b/windows/device-security/device-guard/images/dg-fig5-createnewou.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig5-createnewou.png
rename to windows/device-security/device-guard/images/dg-fig5-createnewou.png
diff --git a/windows/keep-secure/images/dg-fig6-enablevbs.png b/windows/device-security/device-guard/images/dg-fig6-enablevbs.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig6-enablevbs.png
rename to windows/device-security/device-guard/images/dg-fig6-enablevbs.png
diff --git a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png b/windows/device-security/device-guard/images/dg-fig7-enablevbsofkmci.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig7-enablevbsofkmci.png
rename to windows/device-security/device-guard/images/dg-fig7-enablevbsofkmci.png
diff --git a/windows/keep-secure/images/dg-fig8-createoulinked.png b/windows/device-security/device-guard/images/dg-fig8-createoulinked.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig8-createoulinked.png
rename to windows/device-security/device-guard/images/dg-fig8-createoulinked.png
diff --git a/windows/keep-secure/images/dg-fig9-enablevbs.png b/windows/device-security/device-guard/images/dg-fig9-enablevbs.png
similarity index 100%
rename from windows/keep-secure/images/dg-fig9-enablevbs.png
rename to windows/device-security/device-guard/images/dg-fig9-enablevbs.png
diff --git a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
similarity index 90%
rename from windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
rename to windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
index 73592f2841..66956fbb5c 100644
--- a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
+++ b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
@@ -34,7 +34,7 @@ The following table lists security threats and describes the corresponding Devic
| **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**: With this type of VBS protection, when the DMA-based attack makes a memory request, input/output memory management units (IOMMUs) will evaluate the request and deny access.
**Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. |
| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**: Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Device Guard security.
**Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). |
-In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](credential-guard.md) and [AppLocker](applocker-overview.md).
+In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](/windows/access-protection/credential-guard/credential-guard) and [AppLocker](/windows/device-security/applocker/applocker-overview).
## New and changed functionality
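Review bot: The changed line mixes link conventions within the same file. The table row just above it keeps a relative link with an extension (requirements-and-deployment-planning-guidelines-for-device-guard.md#...), while the Credential Guard and AppLocker links switch to site-absolute, extensionless paths. AppLocker lives under the same windows/device-security tree as this file, so a relative link (../applocker/applocker-overview.md) would match the style index.md uses in this patch. Keep the absolute form only for the cross-docset Credential Guard target.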
@@ -67,7 +67,7 @@ For more information about the deployment of Device Guard features, see:
### Device Guard with AppLocker
-Although [AppLocker](applocker-overview.md) is not considered a new Device Guard feature, it complements Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
+Although [AppLocker](/windows/device-security/applocker/applocker-overview) is not considered a new Device Guard feature, it complements Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
> **Note** One example of how Device Guard functionality can be enhanced by AppLocker is when you want to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule.
@@ -75,7 +75,7 @@ AppLocker and Device Guard should run side-by-side in your organization, which o
### Device Guard with Credential Guard
-Another Windows 10 feature that employs VBS is [Credential Guard](credential-guard.md). Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Credential Guard (which is not a feature within Device Guard), see [Protect derived domain credentials with Credential Guard](credential-guard.md).
+Another Windows 10 feature that employs VBS is [Credential Guard](/windows/access-protection/credential-guard/credential-guard). Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Credential Guard (which is not a feature within Device Guard), see [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard).
Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats.
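Review bot: In the added paragraph, the same target (/windows/access-protection/credential-guard/credential-guard) is linked twice, once on "Credential Guard" in the first sentence and again on "Protect derived domain credentials with Credential Guard" in the last. This predates the change, but since the line is being rewritten anyway, consider keeping only the titled "For more information" link so a later path change has one place to update.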
diff --git a/windows/keep-secure/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
similarity index 100%
rename from windows/keep-secure/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
rename to windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
diff --git a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
similarity index 100%
rename from windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
rename to windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
similarity index 100%
rename from windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
rename to windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json
new file mode 100644
index 0000000000..b0f818ea94
--- /dev/null
+++ b/windows/device-security/docfx.json
@@ -0,0 +1,41 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg",
+ "**/*.gif"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ },
+ "fileMetadata": {},
+ "template": [],
+ "dest": "win-device-security"
+ }
+}
\ No newline at end of file
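Review bot: The new file ends without a trailing newline (the "\ No newline at end of file" marker follows the closing brace); add one. In the "resource" block, only **/*.png, **/*.jpg and **/*.gif are matched, so an image with any other extension (for example .jpeg or .svg) under this docset would not be picked up by these globs. The images renamed in this patch are all .png, so this is fine today, but widen the list if other asset types are expected.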
diff --git a/windows/keep-secure/encrypted-hard-drive.md b/windows/device-security/encrypted-hard-drive.md
similarity index 100%
rename from windows/keep-secure/encrypted-hard-drive.md
rename to windows/device-security/encrypted-hard-drive.md
diff --git a/windows/keep-secure/images/hva-fig1-endtoend1.png b/windows/device-security/images/hva-fig1-endtoend1.png
similarity index 100%
rename from windows/keep-secure/images/hva-fig1-endtoend1.png
rename to windows/device-security/images/hva-fig1-endtoend1.png
diff --git a/windows/keep-secure/images/hva-fig10-conditionalaccesscontrol.png b/windows/device-security/images/hva-fig10-conditionalaccesscontrol.png
similarity index 100%
rename from windows/keep-secure/images/hva-fig10-conditionalaccesscontrol.png
rename to windows/device-security/images/hva-fig10-conditionalaccesscontrol.png
diff --git a/windows/keep-secure/images/hva-fig11-office365.png b/windows/device-security/images/hva-fig11-office365.png
similarity index 100%
rename from windows/keep-secure/images/hva-fig11-office365.png
rename to windows/device-security/images/hva-fig11-office365.png
diff --git a/windows/keep-secure/images/hva-fig12-conditionalaccess12.png b/windows/device-security/images/hva-fig12-conditionalaccess12.png
similarity index 100%
rename from windows/keep-secure/images/hva-fig12-conditionalaccess12.png
rename to windows/device-security/images/hva-fig12-conditionalaccess12.png
diff --git a/windows/keep-secure/images/hva-fig2-assessfromcloud2.png b/windows/device-security/images/hva-fig2-assessfromcloud2.png
similarity index 100%
rename from windows/keep-secure/images/hva-fig2-assessfromcloud2.png
rename to windows/device-security/images/hva-fig2-assessfromcloud2.png
diff --git a/windows/keep-secure/images/hva-fig3-endtoendoverview3.png b/windows/device-security/images/hva-fig3-endtoendoverview3.png
similarity index 100%
rename from windows/keep-secure/images/hva-fig3-endtoendoverview3.png
rename to windows/device-security/images/hva-fig3-endtoendoverview3.png
diff --git a/windows/keep-secure/images/hva-fig4-hardware.png b/windows/device-security/images/hva-fig4-hardware.png
similarity index 100%
rename from windows/keep-secure/images/hva-fig4-hardware.png
rename to windows/device-security/images/hva-fig4-hardware.png
diff --git a/windows/keep-secure/images/hva-fig5-virtualbasedsecurity.png b/windows/device-security/images/hva-fig5-virtualbasedsecurity.png
similarity index 100%
rename from windows/keep-secure/images/hva-fig5-virtualbasedsecurity.png
rename to windows/device-security/images/hva-fig5-virtualbasedsecurity.png
diff --git a/windows/keep-secure/images/hva-fig6-logs.png b/windows/device-security/images/hva-fig6-logs.png
similarity index 100%
rename from windows/keep-secure/images/hva-fig6-logs.png
rename to windows/device-security/images/hva-fig6-logs.png
diff --git a/windows/keep-secure/images/hva-fig7-measurement.png b/windows/device-security/images/hva-fig7-measurement.png
similarity index 100%
rename from windows/keep-secure/images/hva-fig7-measurement.png
rename to windows/device-security/images/hva-fig7-measurement.png
diff --git a/windows/keep-secure/images/hva-fig8-evaldevicehealth8.png b/windows/device-security/images/hva-fig8-evaldevicehealth8.png
similarity index 100%
rename from windows/keep-secure/images/hva-fig8-evaldevicehealth8.png
rename to windows/device-security/images/hva-fig8-evaldevicehealth8.png
diff --git a/windows/keep-secure/images/hva-fig8a-healthattest8a.png b/windows/device-security/images/hva-fig8a-healthattest8a.png
similarity index 100%
rename from windows/keep-secure/images/hva-fig8a-healthattest8a.png
rename to windows/device-security/images/hva-fig8a-healthattest8a.png
diff --git a/windows/keep-secure/images/hva-fig9-intune.png b/windows/device-security/images/hva-fig9-intune.png
similarity index 100%
rename from windows/keep-secure/images/hva-fig9-intune.png
rename to windows/device-security/images/hva-fig9-intune.png
diff --git a/windows/keep-secure/images/mobile-security-guide-fig1.png b/windows/device-security/images/mobile-security-guide-fig1.png
similarity index 100%
rename from windows/keep-secure/images/mobile-security-guide-fig1.png
rename to windows/device-security/images/mobile-security-guide-fig1.png
diff --git a/windows/keep-secure/images/mobile-security-guide-fig2.png b/windows/device-security/images/mobile-security-guide-fig2.png
similarity index 100%
rename from windows/keep-secure/images/mobile-security-guide-fig2.png
rename to windows/device-security/images/mobile-security-guide-fig2.png
diff --git a/windows/keep-secure/images/mobile-security-guide-figure3.png b/windows/device-security/images/mobile-security-guide-figure3.png
similarity index 100%
rename from windows/keep-secure/images/mobile-security-guide-figure3.png
rename to windows/device-security/images/mobile-security-guide-figure3.png
diff --git a/windows/keep-secure/images/mobile-security-guide-figure4.png b/windows/device-security/images/mobile-security-guide-figure4.png
similarity index 100%
rename from windows/keep-secure/images/mobile-security-guide-figure4.png
rename to windows/device-security/images/mobile-security-guide-figure4.png
diff --git a/windows/device-security/index.md b/windows/device-security/index.md
new file mode 100644
index 0000000000..dc7615e6f9
--- /dev/null
+++ b/windows/device-security/index.md
@@ -0,0 +1,26 @@
+---
+title: Device Security (Windows 10)
+description: Learn more about how to help secure your Windows 10 and Windows 10 Mobile devices.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Device Security
+
+Learn more about how to help secure your Windows 10 and Windows 10 Mobile devices.
+
+| Section | Description |
+|-|-|
+| [AppLocker](applocker/applocker-overview.md)| Describes AppLocker, and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.|
+| [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
+| [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) | Learn more about protecting high-value assets. |
+| [Device Guard deployment guide](device-guard/device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
+| [Encrypted Hard Drive](encrypted-hard-drive.md) | Provides information about Encrypted Hard Drive, which uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
+| [Security auditing](auditing/security-auditing-overview.md)| Describes how the IT professional can use the security auditing features in Windows, and how organizations can benefit from using these technologies, to enhance the security and manageability of networks.|
+| [Security policy settings](security-policy-settings/security-policy-settings.md)| Provides a collection of reference topics that describe the common scenarios, architecture, and processes for security settings.|
+| [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Provides links to information about the Trusted Platform Module (TPM), which is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |
+| [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) | Learn more about securing your Windows 10 Mobile devices. |
+| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
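Review bot: In the Device Guard row, "will lock a device down so that it can only run trusted applications. If the app isn't trusted it can't run, period" is stated as an absolute guarantee, yet the same cell then softens to "much less likely" for the kernel-compromise case. For a security control description, word both halves as risk reduction under a correctly configured policy. Also, "he or she" can be "they", and the front-matter description repeats the body sentence under the heading verbatim, so one of the two could say what the section actually covers.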
diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
similarity index 99%
rename from windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
rename to windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index ac0409286d..337320eccf 100644
--- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -262,7 +262,7 @@ There are three different parts that make up the Device Guard solution in Window
- After the hardware security feature, there is the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security.
- The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs).
-For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](device-guard-deployment-guide.md).
+For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
### Device Guard scenarios
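Review bot: The replacement link in the `+` line uses an extensionless, site-absolute path (`/windows/device-security/device-guard/device-guard-deployment-guide`), while other cross-folder links updated in this same commit use relative `.md` paths (for example `../auditing/basic-audit-object-access.md`). Consider settling on one convention for cross-folder links. A relative link to the `.md` file would match the auditing links and make the target easy to check against the renamed files in this change.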
@@ -365,7 +365,7 @@ The following table details the hardware requirements for both virtualization-ba
Trusted Platform Module (TPM)
-
Required to support health attestation and necessary for additional key protections for virtualization-based security.
+
Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported; TPM 1.2 is also supported beginnning with Windows 10, version 1703.
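Review bot: Typo in the added TPM requirement text: "beginnning" has three n's and should read "beginning" ("TPM 1.2 is also supported beginning with Windows 10, version 1703"). The rest of the added sentence reads fine.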
@@ -818,6 +818,6 @@ Health attestation is a key feature of Windows 10 that includes client and clou
## Related topics
-- [Protect derived domain credentials with Credential Guard](credential-guard.md)
-- [Device Guard deployment guide](device-guard-deployment-guide.md)
+- [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard)
+- [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide)
- [Trusted Platform Module technology overview](https://go.microsoft.com/fwlink/p/?LinkId=733957)
diff --git a/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md b/windows/device-security/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
similarity index 100%
rename from windows/keep-secure/access-credential-manager-as-a-trusted-caller.md
rename to windows/device-security/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
diff --git a/windows/keep-secure/access-this-computer-from-the-network.md b/windows/device-security/security-policy-settings/access-this-computer-from-the-network.md
similarity index 100%
rename from windows/keep-secure/access-this-computer-from-the-network.md
rename to windows/device-security/security-policy-settings/access-this-computer-from-the-network.md
diff --git a/windows/keep-secure/account-lockout-duration.md b/windows/device-security/security-policy-settings/account-lockout-duration.md
similarity index 100%
rename from windows/keep-secure/account-lockout-duration.md
rename to windows/device-security/security-policy-settings/account-lockout-duration.md
diff --git a/windows/keep-secure/account-lockout-policy.md b/windows/device-security/security-policy-settings/account-lockout-policy.md
similarity index 100%
rename from windows/keep-secure/account-lockout-policy.md
rename to windows/device-security/security-policy-settings/account-lockout-policy.md
diff --git a/windows/keep-secure/account-lockout-threshold.md b/windows/device-security/security-policy-settings/account-lockout-threshold.md
similarity index 100%
rename from windows/keep-secure/account-lockout-threshold.md
rename to windows/device-security/security-policy-settings/account-lockout-threshold.md
diff --git a/windows/keep-secure/account-policies.md b/windows/device-security/security-policy-settings/account-policies.md
similarity index 100%
rename from windows/keep-secure/account-policies.md
rename to windows/device-security/security-policy-settings/account-policies.md
diff --git a/windows/keep-secure/accounts-administrator-account-status.md b/windows/device-security/security-policy-settings/accounts-administrator-account-status.md
similarity index 100%
rename from windows/keep-secure/accounts-administrator-account-status.md
rename to windows/device-security/security-policy-settings/accounts-administrator-account-status.md
diff --git a/windows/keep-secure/accounts-block-microsoft-accounts.md b/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md
similarity index 100%
rename from windows/keep-secure/accounts-block-microsoft-accounts.md
rename to windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md
diff --git a/windows/keep-secure/accounts-guest-account-status.md b/windows/device-security/security-policy-settings/accounts-guest-account-status.md
similarity index 100%
rename from windows/keep-secure/accounts-guest-account-status.md
rename to windows/device-security/security-policy-settings/accounts-guest-account-status.md
diff --git a/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/device-security/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
similarity index 100%
rename from windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
rename to windows/device-security/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
diff --git a/windows/keep-secure/accounts-rename-administrator-account.md b/windows/device-security/security-policy-settings/accounts-rename-administrator-account.md
similarity index 100%
rename from windows/keep-secure/accounts-rename-administrator-account.md
rename to windows/device-security/security-policy-settings/accounts-rename-administrator-account.md
diff --git a/windows/keep-secure/accounts-rename-guest-account.md b/windows/device-security/security-policy-settings/accounts-rename-guest-account.md
similarity index 100%
rename from windows/keep-secure/accounts-rename-guest-account.md
rename to windows/device-security/security-policy-settings/accounts-rename-guest-account.md
diff --git a/windows/keep-secure/act-as-part-of-the-operating-system.md b/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system.md
similarity index 100%
rename from windows/keep-secure/act-as-part-of-the-operating-system.md
rename to windows/device-security/security-policy-settings/act-as-part-of-the-operating-system.md
diff --git a/windows/keep-secure/add-workstations-to-domain.md b/windows/device-security/security-policy-settings/add-workstations-to-domain.md
similarity index 100%
rename from windows/keep-secure/add-workstations-to-domain.md
rename to windows/device-security/security-policy-settings/add-workstations-to-domain.md
diff --git a/windows/keep-secure/adjust-memory-quotas-for-a-process.md b/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process.md
similarity index 100%
rename from windows/keep-secure/adjust-memory-quotas-for-a-process.md
rename to windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process.md
diff --git a/windows/keep-secure/administer-security-policy-settings.md b/windows/device-security/security-policy-settings/administer-security-policy-settings.md
similarity index 99%
rename from windows/keep-secure/administer-security-policy-settings.md
rename to windows/device-security/security-policy-settings/administer-security-policy-settings.md
index de0baa4b22..17efc2a182 100644
--- a/windows/keep-secure/administer-security-policy-settings.md
+++ b/windows/device-security/security-policy-settings/administer-security-policy-settings.md
@@ -85,7 +85,7 @@ Over time, new ways to manage security policy settings have been introduced, whi
AppLocker
-
See [Administer AppLocker](administer-applocker.md).
+
See [Administer AppLocker](/windows/device-security/applocker/administer-applocker).
Gpedit.msc
Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.
diff --git a/windows/keep-secure/allow-log-on-locally.md b/windows/device-security/security-policy-settings/allow-log-on-locally.md
similarity index 100%
rename from windows/keep-secure/allow-log-on-locally.md
rename to windows/device-security/security-policy-settings/allow-log-on-locally.md
diff --git a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md b/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services.md
similarity index 100%
rename from windows/keep-secure/allow-log-on-through-remote-desktop-services.md
rename to windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services.md
diff --git a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md b/windows/device-security/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
similarity index 89%
rename from windows/keep-secure/audit-audit-the-access-of-global-system-objects.md
rename to windows/device-security/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
index 9fcecc87b1..afb13502d6 100644
--- a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md
+++ b/windows/device-security/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
@@ -18,7 +18,7 @@ Describes the best practices, location, values, and security considerations for
## Reference
-If you enable this policy setting, a default system access control list (SACL) is applied when the device creates system objects such as mutexes, events, semaphores, and MS-DOS® devices. If you also enable the [Audit object access](basic-audit-object-access.md) audit setting, access to these system objects is audited.
+If you enable this policy setting, a default system access control list (SACL) is applied when the device creates system objects such as mutexes, events, semaphores, and MS-DOS® devices. If you also enable the [Audit object access](../auditing/basic-audit-object-access.md) audit setting, access to these system objects is audited.
Global system objects, also known as "base system objects" or "base named objects," are temporary kernel objects that have had names assigned to them by the application or system component that created them. These objects are most commonly used to synchronize multiple applications or multiple parts of a complex application. Because they have names, these objects are global in scope and, therefore, visible to all processes on the device. These objects all have a security descriptor; but typically, they do not have a NULL SACL. If you enable this policy setting and it takes effect at startup time, the kernel assigns a SACL to these objects when they are created.
@@ -34,7 +34,7 @@ Enabling this policy setting can generate a large number of security events, esp
### Best practices
-- Use the advanced security audit policy option, [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access, to reduce the number of unrelated audit events that you generate.
+- Use the advanced security audit policy option, [Audit Kernel Object](../auditing/audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access, to reduce the number of unrelated audit events that you generate.
### Location
@@ -69,12 +69,12 @@ All auditing capabilities are integrated in Group Policy. You can configure, dep
To audit attempts to access global system objects, you can use one of two security audit policy settings:
-- [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access
-- [Audit object access](basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy
+- [Audit Kernel Object](../auditing/audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access
+- [Audit object access](../auditing/basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy
If possible, use the Advanced Security Audit Policy option to reduce the number of unrelated audit events that you generate.
-If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated:
+If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is configured, the following events are generated:
| Event ID | Event message |
| - | - |
@@ -83,7 +83,7 @@ If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the
| 4661 | A handle to an object was requested. |
| 4663 | An attempt was made to access an object. |
-If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated:
+If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is configured, the following events are generated:
| Event ID | Event message |
| - | - |
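Review bot: The sentence changed in this hunk, "If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is configured, the following events are generated:", is word for word the same as the intro to the previous event table (changed in the hunk above), so both tables are now introduced as Audit Kernel Object. The list just before them names two settings, Audit Kernel Object and Audit object access, so the second intro looks like it was meant for Audit object access. Since the line is being touched anyway, please confirm which setting the second table belongs to and, if it is Audit object access, update both the link text and the target (`../auditing/basic-audit-object-access.md`) rather than only re-pointing the existing link.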
diff --git a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/device-security/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
similarity index 90%
rename from windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md
rename to windows/device-security/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
index d66a9e0a4e..1abeb256d4 100644
--- a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md
+++ b/windows/device-security/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
@@ -61,7 +61,7 @@ Enabling this policy setting in conjunction with the **Audit privilege use** pol
Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner.
-Alternately, you can use the advanced audit policy, [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md), which can help you manage the number of events generated.
+Alternately, you can use the advanced audit policy, [Audit Sensitive Privilege Use](../auditing/audit-sensitive-privilege-use.md), which can help you manage the number of events generated.
## Security considerations
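Review bot: Wording nit on the changed line: it opens with "Alternately", while the Countermeasure paragraph changed in the next hunk of this same file uses "Alternatively" for the same meaning. Since the line is already being edited for the link, consider changing it to "Alternatively" so the topic is consistent.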
@@ -73,7 +73,7 @@ When the backup and restore function is used, it creates a copy of the file syst
### Countermeasure
-Enable the **Audit: Audit the use of Backup and Restore privilege** setting. Alternatively, implement automatic log backup by configuring the **AutoBackupLogFiles** registry key. If you enable this option when the [Audit privilege use](basic-audit-privilege-use.md) setting is also enabled, an audit event is generated for every file that is backed up or restored. This information could help you to identify an account that was used to accidentally or maliciously restore data in an unauthorized manner.
+Enable the **Audit: Audit the use of Backup and Restore privilege** setting. Alternatively, implement automatic log backup by configuring the **AutoBackupLogFiles** registry key. If you enable this option when the [Audit privilege use](../auditing/basic-audit-privilege-use.md) setting is also enabled, an audit event is generated for every file that is backed up or restored. This information could help you to identify an account that was used to accidentally or maliciously restore data in an unauthorized manner.
For more information about configuring this key, see Microsoft Knowledge Base article [100879](https://go.microsoft.com/fwlink/p/?LinkId=100879).
### Potential impact
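Review bot: In the changed Countermeasure line, "If you enable this option" comes directly after the sentence about the **AutoBackupLogFiles** registry key, so "this option" reads as the registry key rather than the **Audit: Audit the use of Backup and Restore privilege** setting. The audit-event behavior described belongs to the policy setting. Since the line is being edited for the link anyway, consider naming it explicitly, for example "If you enable this policy setting when the Audit privilege use setting is also enabled, ...".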
diff --git a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/device-security/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
similarity index 97%
rename from windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md
rename to windows/device-security/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
index 50880766f6..2cd37d2f17 100644
--- a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md
+++ b/windows/device-security/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
@@ -20,7 +20,7 @@ Describes the best practices, location, values, and security considerations for
You can manage your audit policy in a more precise way by using audit policy subcategories.
-There are over 40 auditing subcategories that provide precise details about activities on a device. For info about these subcategories, see the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
+There are over 40 auditing subcategories that provide precise details about activities on a device. For info about these subcategories, see the [Advanced security audit policy settings](../auditing/advanced-security-audit-policy-settings.md).
### Possible values
diff --git a/windows/keep-secure/audit-policy.md b/windows/device-security/security-policy-settings/audit-policy.md
similarity index 56%
rename from windows/keep-secure/audit-policy.md
rename to windows/device-security/security-policy-settings/audit-policy.md
index 2cd2c8cd95..793d65adee 100644
--- a/windows/keep-secure/audit-policy.md
+++ b/windows/device-security/security-policy-settings/audit-policy.md
@@ -19,19 +19,19 @@ Provides information about basic audit policies that are available in Windows an
The security audit policy settings under **Security Settings\\Local Policies\\Audit Policy** provide broad security audit capabilities for client devices and servers that cannot use advanced security audit policy settings.
The basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** are:
-- [Audit account logon events](basic-audit-account-logon-events.md)
-- [Audit account management](basic-audit-account-management.md)
-- [Audit directory service access](basic-audit-directory-service-access.md)
-- [Audit logon events](basic-audit-logon-events.md)
-- [Audit object access](basic-audit-object-access.md)
-- [Audit policy change](basic-audit-policy-change.md)
-- [Audit privilege use](basic-audit-privilege-use.md)
-- [Audit process tracking](basic-audit-process-tracking.md)
-- [Audit system events](basic-audit-system-events.md)
+- [Audit account logon events](../auditing/basic-audit-account-logon-events.md)
+- [Audit account management](../auditing/basic-audit-account-management.md)
+- [Audit directory service access](../auditing/basic-audit-directory-service-access.md)
+- [Audit logon events](../auditing/basic-audit-logon-events.md)
+- [Audit object access](../auditing/basic-audit-object-access.md)
+- [Audit policy change](../auditing/basic-audit-policy-change.md)
+- [Audit privilege use](../auditing/basic-audit-privilege-use.md)
+- [Audit process tracking](../auditing/basic-audit-process-tracking.md)
+- [Audit system events](../auditing/basic-audit-system-events.md)
## Related topics
- [Configure security policy settings](how-to-configure-security-policy-settings.md)
-- [Security auditing](security-auditing-overview.md)
+- [Security auditing](../auditing/security-auditing-overview.md)
diff --git a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/device-security/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
similarity index 100%
rename from windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
rename to windows/device-security/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
diff --git a/windows/keep-secure/back-up-files-and-directories.md b/windows/device-security/security-policy-settings/back-up-files-and-directories.md
similarity index 100%
rename from windows/keep-secure/back-up-files-and-directories.md
rename to windows/device-security/security-policy-settings/back-up-files-and-directories.md
diff --git a/windows/keep-secure/bypass-traverse-checking.md b/windows/device-security/security-policy-settings/bypass-traverse-checking.md
similarity index 100%
rename from windows/keep-secure/bypass-traverse-checking.md
rename to windows/device-security/security-policy-settings/bypass-traverse-checking.md
diff --git a/windows/keep-secure/change-the-system-time.md b/windows/device-security/security-policy-settings/change-the-system-time.md
similarity index 100%
rename from windows/keep-secure/change-the-system-time.md
rename to windows/device-security/security-policy-settings/change-the-system-time.md
diff --git a/windows/keep-secure/change-the-time-zone.md b/windows/device-security/security-policy-settings/change-the-time-zone.md
similarity index 100%
rename from windows/keep-secure/change-the-time-zone.md
rename to windows/device-security/security-policy-settings/change-the-time-zone.md
diff --git a/windows/keep-secure/create-a-pagefile.md b/windows/device-security/security-policy-settings/create-a-pagefile.md
similarity index 100%
rename from windows/keep-secure/create-a-pagefile.md
rename to windows/device-security/security-policy-settings/create-a-pagefile.md
diff --git a/windows/keep-secure/create-a-token-object.md b/windows/device-security/security-policy-settings/create-a-token-object.md
similarity index 100%
rename from windows/keep-secure/create-a-token-object.md
rename to windows/device-security/security-policy-settings/create-a-token-object.md
diff --git a/windows/keep-secure/create-global-objects.md b/windows/device-security/security-policy-settings/create-global-objects.md
similarity index 100%
rename from windows/keep-secure/create-global-objects.md
rename to windows/device-security/security-policy-settings/create-global-objects.md
diff --git a/windows/keep-secure/create-permanent-shared-objects.md b/windows/device-security/security-policy-settings/create-permanent-shared-objects.md
similarity index 100%
rename from windows/keep-secure/create-permanent-shared-objects.md
rename to windows/device-security/security-policy-settings/create-permanent-shared-objects.md
diff --git a/windows/keep-secure/create-symbolic-links.md b/windows/device-security/security-policy-settings/create-symbolic-links.md
similarity index 100%
rename from windows/keep-secure/create-symbolic-links.md
rename to windows/device-security/security-policy-settings/create-symbolic-links.md
diff --git a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/device-security/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
similarity index 100%
rename from windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
rename to windows/device-security/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
diff --git a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/device-security/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
similarity index 100%
rename from windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
rename to windows/device-security/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
diff --git a/windows/keep-secure/debug-programs.md b/windows/device-security/security-policy-settings/debug-programs.md
similarity index 100%
rename from windows/keep-secure/debug-programs.md
rename to windows/device-security/security-policy-settings/debug-programs.md
diff --git a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md b/windows/device-security/security-policy-settings/deny-access-to-this-computer-from-the-network.md
similarity index 100%
rename from windows/keep-secure/deny-access-to-this-computer-from-the-network.md
rename to windows/device-security/security-policy-settings/deny-access-to-this-computer-from-the-network.md
diff --git a/windows/keep-secure/deny-log-on-as-a-batch-job.md b/windows/device-security/security-policy-settings/deny-log-on-as-a-batch-job.md
similarity index 100%
rename from windows/keep-secure/deny-log-on-as-a-batch-job.md
rename to windows/device-security/security-policy-settings/deny-log-on-as-a-batch-job.md
diff --git a/windows/keep-secure/deny-log-on-as-a-service.md b/windows/device-security/security-policy-settings/deny-log-on-as-a-service.md
similarity index 100%
rename from windows/keep-secure/deny-log-on-as-a-service.md
rename to windows/device-security/security-policy-settings/deny-log-on-as-a-service.md
diff --git a/windows/keep-secure/deny-log-on-locally.md b/windows/device-security/security-policy-settings/deny-log-on-locally.md
similarity index 100%
rename from windows/keep-secure/deny-log-on-locally.md
rename to windows/device-security/security-policy-settings/deny-log-on-locally.md
diff --git a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md b/windows/device-security/security-policy-settings/deny-log-on-through-remote-desktop-services.md
similarity index 100%
rename from windows/keep-secure/deny-log-on-through-remote-desktop-services.md
rename to windows/device-security/security-policy-settings/deny-log-on-through-remote-desktop-services.md
diff --git a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md b/windows/device-security/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
similarity index 100%
rename from windows/keep-secure/devices-allow-undock-without-having-to-log-on.md
rename to windows/device-security/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
diff --git a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md b/windows/device-security/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
similarity index 100%
rename from windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md
rename to windows/device-security/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
diff --git a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md b/windows/device-security/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
similarity index 100%
rename from windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md
rename to windows/device-security/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
diff --git a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/device-security/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
similarity index 100%
rename from windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
rename to windows/device-security/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
diff --git a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/device-security/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
similarity index 100%
rename from windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
rename to windows/device-security/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
diff --git a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/device-security/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
similarity index 100%
rename from windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md
rename to windows/device-security/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/device-security/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
similarity index 100%
rename from windows/keep-secure/domain-controller-ldap-server-signing-requirements.md
rename to windows/device-security/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
diff --git a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md b/windows/device-security/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
similarity index 100%
rename from windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md
rename to windows/device-security/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
diff --git a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/device-security/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
similarity index 100%
rename from windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
rename to windows/device-security/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
diff --git a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/device-security/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
similarity index 100%
rename from windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
rename to windows/device-security/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
diff --git a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/device-security/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
similarity index 100%
rename from windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md
rename to windows/device-security/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
diff --git a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md b/windows/device-security/security-policy-settings/domain-member-disable-machine-account-password-changes.md
similarity index 100%
rename from windows/keep-secure/domain-member-disable-machine-account-password-changes.md
rename to windows/device-security/security-policy-settings/domain-member-disable-machine-account-password-changes.md
diff --git a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md b/windows/device-security/security-policy-settings/domain-member-maximum-machine-account-password-age.md
similarity index 100%
rename from windows/keep-secure/domain-member-maximum-machine-account-password-age.md
rename to windows/device-security/security-policy-settings/domain-member-maximum-machine-account-password-age.md
diff --git a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/device-security/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
similarity index 100%
rename from windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md
rename to windows/device-security/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
diff --git a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
similarity index 100%
rename from windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
rename to windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
diff --git a/windows/keep-secure/enforce-password-history.md b/windows/device-security/security-policy-settings/enforce-password-history.md
similarity index 100%
rename from windows/keep-secure/enforce-password-history.md
rename to windows/device-security/security-policy-settings/enforce-password-history.md
diff --git a/windows/keep-secure/enforce-user-logon-restrictions.md b/windows/device-security/security-policy-settings/enforce-user-logon-restrictions.md
similarity index 100%
rename from windows/keep-secure/enforce-user-logon-restrictions.md
rename to windows/device-security/security-policy-settings/enforce-user-logon-restrictions.md
diff --git a/windows/keep-secure/force-shutdown-from-a-remote-system.md b/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system.md
similarity index 100%
rename from windows/keep-secure/force-shutdown-from-a-remote-system.md
rename to windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system.md
diff --git a/windows/keep-secure/generate-security-audits.md b/windows/device-security/security-policy-settings/generate-security-audits.md
similarity index 100%
rename from windows/keep-secure/generate-security-audits.md
rename to windows/device-security/security-policy-settings/generate-security-audits.md
diff --git a/windows/keep-secure/how-to-configure-security-policy-settings.md b/windows/device-security/security-policy-settings/how-to-configure-security-policy-settings.md
similarity index 100%
rename from windows/keep-secure/how-to-configure-security-policy-settings.md
rename to windows/device-security/security-policy-settings/how-to-configure-security-policy-settings.md
diff --git a/windows/keep-secure/images/privacy-setting-in-sign-in-options.png b/windows/device-security/security-policy-settings/images/privacy-setting-in-sign-in-options.png
similarity index 100%
rename from windows/keep-secure/images/privacy-setting-in-sign-in-options.png
rename to windows/device-security/security-policy-settings/images/privacy-setting-in-sign-in-options.png
diff --git a/windows/keep-secure/images/secpol-architecture.gif b/windows/device-security/security-policy-settings/images/secpol-architecture.gif
similarity index 100%
rename from windows/keep-secure/images/secpol-architecture.gif
rename to windows/device-security/security-policy-settings/images/secpol-architecture.gif
diff --git a/windows/keep-secure/images/secpol-components.gif b/windows/device-security/security-policy-settings/images/secpol-components.gif
similarity index 100%
rename from windows/keep-secure/images/secpol-components.gif
rename to windows/device-security/security-policy-settings/images/secpol-components.gif
diff --git a/windows/keep-secure/images/secpol-multigpomerge.gif b/windows/device-security/security-policy-settings/images/secpol-multigpomerge.gif
similarity index 100%
rename from windows/keep-secure/images/secpol-multigpomerge.gif
rename to windows/device-security/security-policy-settings/images/secpol-multigpomerge.gif
diff --git a/windows/keep-secure/images/secpol-processes.gif b/windows/device-security/security-policy-settings/images/secpol-processes.gif
similarity index 100%
rename from windows/keep-secure/images/secpol-processes.gif
rename to windows/device-security/security-policy-settings/images/secpol-processes.gif
diff --git a/windows/keep-secure/impersonate-a-client-after-authentication.md b/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication.md
similarity index 100%
rename from windows/keep-secure/impersonate-a-client-after-authentication.md
rename to windows/device-security/security-policy-settings/impersonate-a-client-after-authentication.md
diff --git a/windows/keep-secure/increase-a-process-working-set.md b/windows/device-security/security-policy-settings/increase-a-process-working-set.md
similarity index 100%
rename from windows/keep-secure/increase-a-process-working-set.md
rename to windows/device-security/security-policy-settings/increase-a-process-working-set.md
diff --git a/windows/keep-secure/increase-scheduling-priority.md b/windows/device-security/security-policy-settings/increase-scheduling-priority.md
similarity index 100%
rename from windows/keep-secure/increase-scheduling-priority.md
rename to windows/device-security/security-policy-settings/increase-scheduling-priority.md
diff --git a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
similarity index 100%
rename from windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
rename to windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/device-security/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
similarity index 98%
rename from windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
rename to windows/device-security/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
index 302baa44b9..79f14ac23c 100644
--- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
+++ b/windows/device-security/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
@@ -1,7 +1,6 @@
---
title: Interactive logon Don't display last signed-in (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting.
-ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
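Review bot: The removed `ms.assetid` line in the front matter is the only content change in this file, and nothing visible in the patch explains why this topic loses its asset id while the neighbouring files are renamed at 100% similarity. If the removal is intentional, state the reason in the commit message or move it to a separate commit so the rename stays a pure move; if it is accidental, restore the line. Separately, the unchanged `title:` ("Don't display last signed-in") and `description:` ("Do not display last user name") name the setting differently, which is worth aligning while the front matter is being edited.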
diff --git a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/device-security/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
similarity index 100%
rename from windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md
rename to windows/device-security/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
diff --git a/windows/keep-secure/interactive-logon-dont-display-username-at-sign-in.md b/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
similarity index 100%
rename from windows/keep-secure/interactive-logon-dont-display-username-at-sign-in.md
rename to windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
diff --git a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md b/windows/device-security/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
similarity index 100%
rename from windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md
rename to windows/device-security/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
diff --git a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md b/windows/device-security/security-policy-settings/interactive-logon-machine-inactivity-limit.md
similarity index 100%
rename from windows/keep-secure/interactive-logon-machine-inactivity-limit.md
rename to windows/device-security/security-policy-settings/interactive-logon-machine-inactivity-limit.md
diff --git a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/device-security/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
similarity index 100%
rename from windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md
rename to windows/device-security/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
diff --git a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/device-security/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
similarity index 100%
rename from windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md
rename to windows/device-security/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
diff --git a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/device-security/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
similarity index 100%
rename from windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
rename to windows/device-security/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
diff --git a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/device-security/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
similarity index 100%
rename from windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md
rename to windows/device-security/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
diff --git a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/device-security/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
similarity index 100%
rename from windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
rename to windows/device-security/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
diff --git a/windows/keep-secure/interactive-logon-require-smart-card.md b/windows/device-security/security-policy-settings/interactive-logon-require-smart-card.md
similarity index 100%
rename from windows/keep-secure/interactive-logon-require-smart-card.md
rename to windows/device-security/security-policy-settings/interactive-logon-require-smart-card.md
diff --git a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md b/windows/device-security/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
similarity index 100%
rename from windows/keep-secure/interactive-logon-smart-card-removal-behavior.md
rename to windows/device-security/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
diff --git a/windows/keep-secure/kerberos-policy.md b/windows/device-security/security-policy-settings/kerberos-policy.md
similarity index 100%
rename from windows/keep-secure/kerberos-policy.md
rename to windows/device-security/security-policy-settings/kerberos-policy.md
diff --git a/windows/keep-secure/load-and-unload-device-drivers.md b/windows/device-security/security-policy-settings/load-and-unload-device-drivers.md
similarity index 100%
rename from windows/keep-secure/load-and-unload-device-drivers.md
rename to windows/device-security/security-policy-settings/load-and-unload-device-drivers.md
diff --git a/windows/keep-secure/lock-pages-in-memory.md b/windows/device-security/security-policy-settings/lock-pages-in-memory.md
similarity index 100%
rename from windows/keep-secure/lock-pages-in-memory.md
rename to windows/device-security/security-policy-settings/lock-pages-in-memory.md
diff --git a/windows/keep-secure/log-on-as-a-batch-job.md b/windows/device-security/security-policy-settings/log-on-as-a-batch-job.md
similarity index 100%
rename from windows/keep-secure/log-on-as-a-batch-job.md
rename to windows/device-security/security-policy-settings/log-on-as-a-batch-job.md
diff --git a/windows/keep-secure/log-on-as-a-service.md b/windows/device-security/security-policy-settings/log-on-as-a-service.md
similarity index 100%
rename from windows/keep-secure/log-on-as-a-service.md
rename to windows/device-security/security-policy-settings/log-on-as-a-service.md
diff --git a/windows/keep-secure/manage-auditing-and-security-log.md b/windows/device-security/security-policy-settings/manage-auditing-and-security-log.md
similarity index 96%
rename from windows/keep-secure/manage-auditing-and-security-log.md
rename to windows/device-security/security-policy-settings/manage-auditing-and-security-log.md
index 7a6cfdc0ea..282e775032 100644
--- a/windows/keep-secure/manage-auditing-and-security-log.md
+++ b/windows/device-security/security-policy-settings/manage-auditing-and-security-log.md
@@ -19,7 +19,7 @@ Describes the best practices, location, values, policy management, and security
## Reference
This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user who is assigned this user right can also view and clear the
-Security log in Event Viewer. For more info about the Object Access audit policy, see [Audit object access](basic-audit-object-access.md).
+Security log in Event Viewer. For more info about the Object Access audit policy, see [Audit object access](../auditing/basic-audit-object-access.md).
Constant: SeSecurityPrivilege
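Review bot: The new link target `../auditing/basic-audit-object-access.md` resolves to windows/device-security/auditing/, but the rename of basic-audit-object-access.md into that folder is not among the moves shown in this part of the patch. Confirm the file lands at that path in the same commit, otherwise the link breaks. The same check applies to the files in this folder renamed at 100% similarity: any bare links they hold to auditing topics were valid under windows/keep-secure/ and are carried over unchanged, so a search for such links before merging would catch the ones this patch did not touch.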
@@ -62,7 +62,7 @@ Any change to the user rights assignment for an account becomes effective the ne
Audits for object access are not performed unless you enable them by using the Local Group Policy Editor, the Group Policy Management Console (GPMC), or the Auditpol command-line tool.
-For more information about the Object Access audit policy, see [Audit object access](basic-audit-object-access.md).
+For more information about the Object Access audit policy, see [Audit object access](../auditing/basic-audit-object-access.md).
### Group Policy
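Review bot: This changed line points to the same topic as the link in the Reference section but words the lead-in differently ("For more information about" here, "For more info about" there). Since both lines are being edited for the path anyway, use one wording in both places, or keep a single pointer to the Audit object access topic and drop the duplicate.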
diff --git a/windows/keep-secure/maximum-lifetime-for-service-ticket.md b/windows/device-security/security-policy-settings/maximum-lifetime-for-service-ticket.md
similarity index 100%
rename from windows/keep-secure/maximum-lifetime-for-service-ticket.md
rename to windows/device-security/security-policy-settings/maximum-lifetime-for-service-ticket.md
diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md b/windows/device-security/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
similarity index 100%
rename from windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md
rename to windows/device-security/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket.md b/windows/device-security/security-policy-settings/maximum-lifetime-for-user-ticket.md
similarity index 100%
rename from windows/keep-secure/maximum-lifetime-for-user-ticket.md
rename to windows/device-security/security-policy-settings/maximum-lifetime-for-user-ticket.md
diff --git a/windows/keep-secure/maximum-password-age.md b/windows/device-security/security-policy-settings/maximum-password-age.md
similarity index 100%
rename from windows/keep-secure/maximum-password-age.md
rename to windows/device-security/security-policy-settings/maximum-password-age.md
diff --git a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md b/windows/device-security/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
similarity index 100%
rename from windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md
rename to windows/device-security/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md b/windows/device-security/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
similarity index 100%
rename from windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md
rename to windows/device-security/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/device-security/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md
similarity index 100%
rename from windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md
rename to windows/device-security/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md
diff --git a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/device-security/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
similarity index 100%
rename from windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
rename to windows/device-security/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
diff --git a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/device-security/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
similarity index 100%
rename from windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
rename to windows/device-security/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
diff --git a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/device-security/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
similarity index 100%
rename from windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
rename to windows/device-security/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md b/windows/device-security/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
similarity index 100%
rename from windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md
rename to windows/device-security/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/device-security/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md
similarity index 100%
rename from windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md
rename to windows/device-security/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md
diff --git a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/device-security/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
similarity index 100%
rename from windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
rename to windows/device-security/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
diff --git a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/device-security/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
similarity index 100%
rename from windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md
rename to windows/device-security/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
diff --git a/windows/keep-secure/minimum-password-age.md b/windows/device-security/security-policy-settings/minimum-password-age.md
similarity index 100%
rename from windows/keep-secure/minimum-password-age.md
rename to windows/device-security/security-policy-settings/minimum-password-age.md
diff --git a/windows/keep-secure/minimum-password-length.md b/windows/device-security/security-policy-settings/minimum-password-length.md
similarity index 100%
rename from windows/keep-secure/minimum-password-length.md
rename to windows/device-security/security-policy-settings/minimum-password-length.md
diff --git a/windows/keep-secure/modify-an-object-label.md b/windows/device-security/security-policy-settings/modify-an-object-label.md
similarity index 100%
rename from windows/keep-secure/modify-an-object-label.md
rename to windows/device-security/security-policy-settings/modify-an-object-label.md
diff --git a/windows/keep-secure/modify-firmware-environment-values.md b/windows/device-security/security-policy-settings/modify-firmware-environment-values.md
similarity index 100%
rename from windows/keep-secure/modify-firmware-environment-values.md
rename to windows/device-security/security-policy-settings/modify-firmware-environment-values.md
diff --git a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md b/windows/device-security/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
similarity index 100%
rename from windows/keep-secure/network-access-allow-anonymous-sidname-translation.md
rename to windows/device-security/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/device-security/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
similarity index 100%
rename from windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
rename to windows/device-security/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/device-security/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
similarity index 100%
rename from windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
rename to windows/device-security/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
diff --git a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/device-security/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
similarity index 100%
rename from windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
rename to windows/device-security/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
diff --git a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/device-security/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
similarity index 100%
rename from windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md
rename to windows/device-security/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
diff --git a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/device-security/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
similarity index 100%
rename from windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md
rename to windows/device-security/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/device-security/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
similarity index 100%
rename from windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md
rename to windows/device-security/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md b/windows/device-security/security-policy-settings/network-access-remotely-accessible-registry-paths.md
similarity index 100%
rename from windows/keep-secure/network-access-remotely-accessible-registry-paths.md
rename to windows/device-security/security-policy-settings/network-access-remotely-accessible-registry-paths.md
diff --git a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/device-security/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
similarity index 100%
rename from windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
rename to windows/device-security/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
diff --git a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md b/windows/device-security/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
similarity index 100%
rename from windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md
rename to windows/device-security/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
diff --git a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md b/windows/device-security/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
similarity index 100%
rename from windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md
rename to windows/device-security/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
diff --git a/windows/keep-secure/network-list-manager-policies.md b/windows/device-security/security-policy-settings/network-list-manager-policies.md
similarity index 100%
rename from windows/keep-secure/network-list-manager-policies.md
rename to windows/device-security/security-policy-settings/network-list-manager-policies.md
diff --git a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/device-security/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
similarity index 100%
rename from windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
rename to windows/device-security/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
diff --git a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md b/windows/device-security/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
similarity index 100%
rename from windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md
rename to windows/device-security/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
diff --git a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/device-security/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
similarity index 100%
rename from windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
rename to windows/device-security/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
diff --git a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/device-security/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
similarity index 100%
rename from windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md
rename to windows/device-security/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
diff --git a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/device-security/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
similarity index 100%
rename from windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
rename to windows/device-security/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
diff --git a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md b/windows/device-security/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
similarity index 100%
rename from windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md
rename to windows/device-security/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
diff --git a/windows/keep-secure/network-security-lan-manager-authentication-level.md b/windows/device-security/security-policy-settings/network-security-lan-manager-authentication-level.md
similarity index 100%
rename from windows/keep-secure/network-security-lan-manager-authentication-level.md
rename to windows/device-security/security-policy-settings/network-security-lan-manager-authentication-level.md
diff --git a/windows/keep-secure/network-security-ldap-client-signing-requirements.md b/windows/device-security/security-policy-settings/network-security-ldap-client-signing-requirements.md
similarity index 100%
rename from windows/keep-secure/network-security-ldap-client-signing-requirements.md
rename to windows/device-security/security-policy-settings/network-security-ldap-client-signing-requirements.md
diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
similarity index 100%
rename from windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
rename to windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
similarity index 100%
rename from windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
rename to windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/device-security/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
similarity index 100%
rename from windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
rename to windows/device-security/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/device-security/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
similarity index 100%
rename from windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
rename to windows/device-security/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/device-security/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
similarity index 100%
rename from windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
rename to windows/device-security/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/device-security/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
similarity index 100%
rename from windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
rename to windows/device-security/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
diff --git a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/device-security/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
similarity index 100%
rename from windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md
rename to windows/device-security/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
diff --git a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/device-security/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
similarity index 100%
rename from windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
rename to windows/device-security/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
diff --git a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/device-security/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
similarity index 100%
rename from windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
rename to windows/device-security/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
diff --git a/windows/keep-secure/password-must-meet-complexity-requirements.md b/windows/device-security/security-policy-settings/password-must-meet-complexity-requirements.md
similarity index 100%
rename from windows/keep-secure/password-must-meet-complexity-requirements.md
rename to windows/device-security/security-policy-settings/password-must-meet-complexity-requirements.md
diff --git a/windows/keep-secure/password-policy.md b/windows/device-security/security-policy-settings/password-policy.md
similarity index 100%
rename from windows/keep-secure/password-policy.md
rename to windows/device-security/security-policy-settings/password-policy.md
diff --git a/windows/keep-secure/perform-volume-maintenance-tasks.md b/windows/device-security/security-policy-settings/perform-volume-maintenance-tasks.md
similarity index 100%
rename from windows/keep-secure/perform-volume-maintenance-tasks.md
rename to windows/device-security/security-policy-settings/perform-volume-maintenance-tasks.md
diff --git a/windows/keep-secure/profile-single-process.md b/windows/device-security/security-policy-settings/profile-single-process.md
similarity index 100%
rename from windows/keep-secure/profile-single-process.md
rename to windows/device-security/security-policy-settings/profile-single-process.md
diff --git a/windows/keep-secure/profile-system-performance.md b/windows/device-security/security-policy-settings/profile-system-performance.md
similarity index 100%
rename from windows/keep-secure/profile-system-performance.md
rename to windows/device-security/security-policy-settings/profile-system-performance.md
diff --git a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md b/windows/device-security/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
similarity index 100%
rename from windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md
rename to windows/device-security/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
diff --git a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/device-security/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
similarity index 100%
rename from windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
rename to windows/device-security/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
diff --git a/windows/keep-secure/remove-computer-from-docking-station.md b/windows/device-security/security-policy-settings/remove-computer-from-docking-station.md
similarity index 100%
rename from windows/keep-secure/remove-computer-from-docking-station.md
rename to windows/device-security/security-policy-settings/remove-computer-from-docking-station.md
diff --git a/windows/keep-secure/replace-a-process-level-token.md b/windows/device-security/security-policy-settings/replace-a-process-level-token.md
similarity index 100%
rename from windows/keep-secure/replace-a-process-level-token.md
rename to windows/device-security/security-policy-settings/replace-a-process-level-token.md
diff --git a/windows/keep-secure/reset-account-lockout-counter-after.md b/windows/device-security/security-policy-settings/reset-account-lockout-counter-after.md
similarity index 100%
rename from windows/keep-secure/reset-account-lockout-counter-after.md
rename to windows/device-security/security-policy-settings/reset-account-lockout-counter-after.md
diff --git a/windows/keep-secure/restore-files-and-directories.md b/windows/device-security/security-policy-settings/restore-files-and-directories.md
similarity index 100%
rename from windows/keep-secure/restore-files-and-directories.md
rename to windows/device-security/security-policy-settings/restore-files-and-directories.md
diff --git a/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md b/windows/device-security/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
similarity index 94%
rename from windows/keep-secure/secpol-advanced-security-audit-policy-settings.md
rename to windows/device-security/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
index e3f6f2ce53..dca87d3e20 100644
--- a/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md
+++ b/windows/device-security/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
@@ -26,4 +26,4 @@ You can access these audit policy settings through the Local Security Policy sna
These Advanced Audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
-For more info, see [Advanced security audit policies](advanced-security-auditing.md).
+For more info, see [Advanced security audit policies](../auditing/advanced-security-auditing.md).
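Review bot: The new link on the `+` line uses a relative path with the `.md` extension (`../auditing/advanced-security-auditing.md`), while the Related topics links changed in the user-account-control-* files of this same patch use absolute site paths with no extension (`/windows/device-security/security-policy-settings/security-options`). Pick one link convention for the move and apply it throughout. The target `windows/device-security/auditing/advanced-security-auditing.md` is also not among the renames visible in this part of the patch, so confirm the file lands at that path.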
diff --git a/windows/keep-secure/security-options.md b/windows/device-security/security-policy-settings/security-options.md
similarity index 100%
rename from windows/keep-secure/security-options.md
rename to windows/device-security/security-policy-settings/security-options.md
diff --git a/windows/keep-secure/security-policy-settings-reference.md b/windows/device-security/security-policy-settings/security-policy-settings-reference.md
similarity index 100%
rename from windows/keep-secure/security-policy-settings-reference.md
rename to windows/device-security/security-policy-settings/security-policy-settings-reference.md
diff --git a/windows/keep-secure/security-policy-settings.md b/windows/device-security/security-policy-settings/security-policy-settings.md
similarity index 100%
rename from windows/keep-secure/security-policy-settings.md
rename to windows/device-security/security-policy-settings/security-policy-settings.md
diff --git a/windows/keep-secure/shut-down-the-system.md b/windows/device-security/security-policy-settings/shut-down-the-system.md
similarity index 100%
rename from windows/keep-secure/shut-down-the-system.md
rename to windows/device-security/security-policy-settings/shut-down-the-system.md
diff --git a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/device-security/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
similarity index 100%
rename from windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
rename to windows/device-security/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
diff --git a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md b/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
similarity index 100%
rename from windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md
rename to windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
diff --git a/windows/keep-secure/store-passwords-using-reversible-encryption.md b/windows/device-security/security-policy-settings/store-passwords-using-reversible-encryption.md
similarity index 100%
rename from windows/keep-secure/store-passwords-using-reversible-encryption.md
rename to windows/device-security/security-policy-settings/store-passwords-using-reversible-encryption.md
diff --git a/windows/keep-secure/synchronize-directory-service-data.md b/windows/device-security/security-policy-settings/synchronize-directory-service-data.md
similarity index 100%
rename from windows/keep-secure/synchronize-directory-service-data.md
rename to windows/device-security/security-policy-settings/synchronize-directory-service-data.md
diff --git a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/device-security/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
similarity index 100%
rename from windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
rename to windows/device-security/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
diff --git a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/device-security/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
similarity index 100%
rename from windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
rename to windows/device-security/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
diff --git a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/device-security/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
similarity index 100%
rename from windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
rename to windows/device-security/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
diff --git a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/device-security/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
similarity index 100%
rename from windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md
rename to windows/device-security/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
diff --git a/windows/keep-secure/system-settings-optional-subsystems.md b/windows/device-security/security-policy-settings/system-settings-optional-subsystems.md
similarity index 100%
rename from windows/keep-secure/system-settings-optional-subsystems.md
rename to windows/device-security/security-policy-settings/system-settings-optional-subsystems.md
diff --git a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/device-security/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
similarity index 100%
rename from windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
rename to windows/device-security/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
diff --git a/windows/keep-secure/take-ownership-of-files-or-other-objects.md b/windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects.md
similarity index 100%
rename from windows/keep-secure/take-ownership-of-files-or-other-objects.md
rename to windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects.md
diff --git a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
similarity index 98%
rename from windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
rename to windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
index 7b203c0bcd..e0e41611ad 100644
--- a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
+++ b/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
@@ -81,4 +81,4 @@ Enable the **User Account Control: Admin Approval Mode for the Built-in Administ
Users who log on by using the local administrator account are prompted for consent whenever a program requests an elevation in privilege.
## Related topics
-- [Security Options](security-options.md)
+- [Security Options](/windows/device-security/security-policy-settings/security-options)
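Review bot: The Related topics link does not need to become an absolute path. `security-options.md` is renamed into the same `security-policy-settings` directory by this patch, so the original relative link `security-options.md` still resolves after the move. The absolute, extension-less form couples the page to the published URL layout and differs from the relative `.md` style used for the link in secpol-advanced-security-audit-policy-settings.md. Suggest keeping `[Security Options](security-options.md)` here and in the other user-account-control-* files that make the identical change.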
diff --git a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/device-security/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
similarity index 99%
rename from windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
rename to windows/device-security/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
index e80369cae9..ec501f6f2d 100644
--- a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
+++ b/windows/device-security/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
@@ -116,4 +116,4 @@ If a user requests remote assistance from an administrator and the remote assist
## Related topics
-- [Security Options](security-options.md)
+- [Security Options](/windows/device-security/security-policy-settings/security-options)
diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
similarity index 98%
rename from windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
rename to windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
index 97af8126a3..cbc598ba9f 100644
--- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
+++ b/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
@@ -97,4 +97,4 @@ Administrators should be made aware that they will be prompted for consent when
## Related topics
-- [Security Options](security-options.md)
+- [Security Options](/windows/device-security/security-policy-settings/security-options)
diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
similarity index 98%
rename from windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
rename to windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
index 7ca4ce4329..e2d5edf535 100644
--- a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
+++ b/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
@@ -86,4 +86,4 @@ Users must provide administrative passwords to run programs with elevated privil
## Related topics
-- [Security Options](security-options.md)
+- [Security Options](/windows/device-security/security-policy-settings/security-options)
diff --git a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/device-security/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
similarity index 97%
rename from windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md
rename to windows/device-security/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
index 0c372cd6ee..32708030df 100644
--- a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md
+++ b/windows/device-security/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
@@ -79,4 +79,4 @@ Users must provide administrative passwords to install programs.
## Related topics
-- [Security Options](security-options.md)
+- [Security Options](/windows/device-security/security-policy-settings/security-options)
diff --git a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/device-security/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
similarity index 98%
rename from windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
rename to windows/device-security/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
index 76edee3e01..a40147e7fc 100644
--- a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
+++ b/windows/device-security/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
@@ -87,4 +87,4 @@ Control over the applications that are installed on the desktops and the hardwar
## Related topics
-- [Security Options](security-options.md)
+- [Security Options](/windows/device-security/security-policy-settings/security-options)
diff --git a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/device-security/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
similarity index 98%
rename from windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
rename to windows/device-security/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
index be21f041f5..bfa1ed931c 100644
--- a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
+++ b/windows/device-security/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
@@ -109,4 +109,4 @@ If the application that requests UIAccess meets the UIAccess setting requirement
## Related topics
-- [Security Options](security-options.md)
+- [Security Options](/windows/device-security/security-policy-settings/security-options)
diff --git a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
similarity index 97%
rename from windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md
rename to windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
index 61664f5a6e..566bd4d85a 100644
--- a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md
+++ b/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
@@ -83,4 +83,4 @@ Users and administrators must learn to work with UAC prompts and adjust their wo
## Related topics
-- [Security Options](security-options.md)
+- [Security Options](/windows/device-security/security-policy-settings/security-options)
diff --git a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/device-security/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
similarity index 97%
rename from windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
rename to windows/device-security/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
index 85c36101a5..4946bf5cee 100644
--- a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
+++ b/windows/device-security/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
@@ -86,4 +86,4 @@ None. This is the default configuration.
## Related topics
-- [Security Options](security-options.md)
+- [Security Options](/windows/device-security/security-policy-settings/security-options)
diff --git a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/device-security/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
similarity index 97%
rename from windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
rename to windows/device-security/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
index 8501495c6b..8308a25a5d 100644
--- a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
+++ b/windows/device-security/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
@@ -84,4 +84,4 @@ None. This is the default configuration.
## Related topics
-- [Security Options](security-options.md)
+- [Security Options](/windows/device-security/security-policy-settings/security-options)
diff --git a/windows/keep-secure/user-rights-assignment.md b/windows/device-security/security-policy-settings/user-rights-assignment.md
similarity index 100%
rename from windows/keep-secure/user-rights-assignment.md
rename to windows/device-security/security-policy-settings/user-rights-assignment.md
diff --git a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md b/windows/device-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
similarity index 100%
rename from windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
rename to windows/device-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/device-security/tpm/change-the-tpm-owner-password.md
similarity index 100%
rename from windows/keep-secure/change-the-tpm-owner-password.md
rename to windows/device-security/tpm/change-the-tpm-owner-password.md
diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/device-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
similarity index 100%
rename from windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
rename to windows/device-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
diff --git a/windows/keep-secure/manage-tpm-commands.md b/windows/device-security/tpm/manage-tpm-commands.md
similarity index 100%
rename from windows/keep-secure/manage-tpm-commands.md
rename to windows/device-security/tpm/manage-tpm-commands.md
diff --git a/windows/keep-secure/manage-tpm-lockout.md b/windows/device-security/tpm/manage-tpm-lockout.md
similarity index 100%
rename from windows/keep-secure/manage-tpm-lockout.md
rename to windows/device-security/tpm/manage-tpm-lockout.md
diff --git a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/device-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
similarity index 100%
rename from windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md
rename to windows/device-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
diff --git a/windows/keep-secure/tpm-fundamentals.md b/windows/device-security/tpm/tpm-fundamentals.md
similarity index 100%
rename from windows/keep-secure/tpm-fundamentals.md
rename to windows/device-security/tpm/tpm-fundamentals.md
diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md
similarity index 100%
rename from windows/keep-secure/tpm-recommendations.md
rename to windows/device-security/tpm/tpm-recommendations.md
diff --git a/windows/keep-secure/trusted-platform-module-overview.md b/windows/device-security/tpm/trusted-platform-module-overview.md
similarity index 100%
rename from windows/keep-secure/trusted-platform-module-overview.md
rename to windows/device-security/tpm/trusted-platform-module-overview.md
diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
similarity index 100%
rename from windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
rename to windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
diff --git a/windows/keep-secure/trusted-platform-module-top-node.md b/windows/device-security/tpm/trusted-platform-module-top-node.md
similarity index 100%
rename from windows/keep-secure/trusted-platform-module-top-node.md
rename to windows/device-security/tpm/trusted-platform-module-top-node.md
diff --git a/windows/keep-secure/windows-10-mobile-security-guide.md b/windows/device-security/windows-10-mobile-security-guide.md
similarity index 100%
rename from windows/keep-secure/windows-10-mobile-security-guide.md
rename to windows/device-security/windows-10-mobile-security-guide.md
diff --git a/windows/keep-secure/windows-security-baselines.md b/windows/device-security/windows-security-baselines.md
similarity index 100%
rename from windows/keep-secure/windows-security-baselines.md
rename to windows/device-security/windows-security-baselines.md
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
new file mode 100644
index 0000000000..8ed1a52f71
--- /dev/null
+++ b/windows/hub/TOC.md
@@ -0,0 +1,9 @@
+# [Windows 10 and Windows 10 Mobile](index.md)
+## [What's new](/windows/whats-new)
+## [Deployment](/windows/deployment)
+## [Configuration](/windows/configuration)
+## [Client management](/windows/client-management)
+## [Application management](/windows/application-management)
+## [Access protection](/windows/access-protection)
+## [Device security](/windows/device-security)
+## [Threat protection](/windows/threat-protection)
\ No newline at end of file
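Review bot: The last entry, `## [Threat protection](/windows/threat-protection)`, is added without a trailing newline; end the file with one. The entry order here (What's new, Deployment, Configuration, Client management, Application management) also differs from the order in `windows/hub/breadcrumb/toc.yml` added by this patch (What's new, Configuration, Deployment, Application management, Client management). Align the two if they are meant to present the same navigation order.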
diff --git a/windows/hub/WaaS-infographic.pdf b/windows/hub/WaaS-infographic.pdf
new file mode 100644
index 0000000000..cb1ef988a1
Binary files /dev/null and b/windows/hub/WaaS-infographic.pdf differ
diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml
new file mode 100644
index 0000000000..c435a3c156
--- /dev/null
+++ b/windows/hub/breadcrumb/toc.yml
@@ -0,0 +1,32 @@
+- name: Docs
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Windows
+ tocHref: /windows
+ topicHref: /windows/windows-10
+ items:
+ - name: What's new
+ tocHref: /windows/whats-new/
+ topicHref: /windows/whats-new/index
+ - name: Configuration
+ tocHref: /windows/configuration/
+ topicHref: /windows/configuration/index
+ - name: Deployment
+ tocHref: /windows/deployment/
+ topicHref: /windows/deployment/index
+ - name: Application management
+ tocHref: /windows/application-management/
+ topicHref: /windows/application-management/index
+ - name: Client management
+ tocHref: /windows/client-management/
+ topicHref: /windows/client-management/index
+ - name: Access protection
+ tocHref: /windows/access-protection/
+ topicHref: /windows/access-protection/index
+ - name: Device security
+ tocHref: /windows/device-security/
+ topicHref: /windows/device-security/index
+ - name: Threat protection
+ tocHref: /windows/threat-protection/
+ topicHref: /windows/threat-protection/index
\ No newline at end of file
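Review bot: The `Windows` item sets `topicHref: /windows/windows-10`, while the hub `docfx.json` added in this patch builds to `dest: windows-hub` and `TOC.md` roots the hub at `index.md`. Confirm that `/windows/windows-10` is the URL the hub index is actually served from, otherwise the breadcrumb root points somewhere other than the hub page. The file also ends without a trailing newline.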
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
new file mode 100644
index 0000000000..863fc12d71
--- /dev/null
+++ b/windows/hub/docfx.json
@@ -0,0 +1,43 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md",
+ "**/*.yml"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg",
+ "**/*.gif",
+ "**/*.pdf"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ },
+ "fileMetadata": {},
+ "template": [],
+ "dest": "windows-hub"
+ }
+}
\ No newline at end of file
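Review bot: `breadcrumb_path` in `globalMetadata` points at `/windows/windows-10/breadcrumb/toc.json`, but this docset adds its breadcrumb file at `windows/hub/breadcrumb/toc.yml` and sets `dest` to `windows-hub`. Confirm the hub is actually published under `/windows/windows-10/`, otherwise the breadcrumb will not resolve. Separately, the `resource` globs list only lowercase `**/*.png`, while this commit places `W10-WaaS-poster.PNG` and `front-page-video.PNG` under `windows/hub/images/`. If glob matching is case-sensitive in the build, those two files will not be copied, so rename them or add an uppercase pattern. The file also lacks a trailing newline.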
diff --git a/windows/hub/images/W10-WaaS-poster.PNG b/windows/hub/images/W10-WaaS-poster.PNG
new file mode 100644
index 0000000000..d3887faf89
Binary files /dev/null and b/windows/hub/images/W10-WaaS-poster.PNG differ
diff --git a/windows/hub/images/access-protection.png b/windows/hub/images/access-protection.png
new file mode 100644
index 0000000000..0da647699b
Binary files /dev/null and b/windows/hub/images/access-protection.png differ
diff --git a/windows/hub/images/application-management.png b/windows/hub/images/application-management.png
new file mode 100644
index 0000000000..078094818e
Binary files /dev/null and b/windows/hub/images/application-management.png differ
diff --git a/windows/hub/images/client-management.png b/windows/hub/images/client-management.png
new file mode 100644
index 0000000000..3b6e6f95e5
Binary files /dev/null and b/windows/hub/images/client-management.png differ
diff --git a/windows/hub/images/configuration.png b/windows/hub/images/configuration.png
new file mode 100644
index 0000000000..de9f183599
Binary files /dev/null and b/windows/hub/images/configuration.png differ
diff --git a/windows/hub/images/deployment.png b/windows/hub/images/deployment.png
new file mode 100644
index 0000000000..b87cebc6fc
Binary files /dev/null and b/windows/hub/images/deployment.png differ
diff --git a/windows/hub/images/device-security.png b/windows/hub/images/device-security.png
new file mode 100644
index 0000000000..348d0e1719
Binary files /dev/null and b/windows/hub/images/device-security.png differ
diff --git a/windows/images/front-page-video.PNG b/windows/hub/images/front-page-video.PNG
similarity index 100%
rename from windows/images/front-page-video.PNG
rename to windows/hub/images/front-page-video.PNG
diff --git a/windows/hub/images/remote.png b/windows/hub/images/remote.png
new file mode 100644
index 0000000000..3be3f8e27e
Binary files /dev/null and b/windows/hub/images/remote.png differ
diff --git a/windows/hub/images/threat-protection.png b/windows/hub/images/threat-protection.png
new file mode 100644
index 0000000000..a9d411cfa3
Binary files /dev/null and b/windows/hub/images/threat-protection.png differ
diff --git a/windows/hub/images/virtualization.png b/windows/hub/images/virtualization.png
new file mode 100644
index 0000000000..7e65511dfe
Binary files /dev/null and b/windows/hub/images/virtualization.png differ
diff --git a/windows/hub/images/whats-new-highlight.png b/windows/hub/images/whats-new-highlight.png
new file mode 100644
index 0000000000..679573dd94
Binary files /dev/null and b/windows/hub/images/whats-new-highlight.png differ
diff --git a/windows/hub/images/whats-new.png b/windows/hub/images/whats-new.png
new file mode 100644
index 0000000000..de0c3fa545
Binary files /dev/null and b/windows/hub/images/whats-new.png differ
diff --git a/windows/hub/index.md b/windows/hub/index.md
new file mode 100644
index 0000000000..7ebbf52bf3
--- /dev/null
+++ b/windows/hub/index.md
@@ -0,0 +1,95 @@
+---
+title: Windows 10 and Windows 10 Mobile (Windows 10)
+description: Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile.
+ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
+ms.prod: w10
+localizationpriority: high
+author: brianlic-msft
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Windows 10 and Windows 10 Mobile
+
+Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile.
+
+
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
+
+ These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
+
+ - Read more about Windows as a Service
+
+
+
+
+
+## Related topics
+[Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009)
+
+
+
+
+
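Review bot: The front matter adds `ms.pagetype: security` to the hub landing page, whose own description covers evaluate, plan, deploy and manage as well as secure. Confirm that value is intended for the whole hub and was not carried over from the security content. In the lines visible here, the "Download the WaaS infographic" item from the old `windows/index.md` has no counterpart, even though `windows/hub/WaaS-infographic.pdf` is added in this same commit; either restore the link or drop the PDF. Minor: "how to" in the description and intro sentence should be "how-to".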
diff --git a/windows/images/W10-WaaS-poster.PNG b/windows/images/W10-WaaS-poster.PNG
deleted file mode 100644
index 76f843c1b8..0000000000
Binary files a/windows/images/W10-WaaS-poster.PNG and /dev/null differ
diff --git a/windows/images/w10-configure.png b/windows/images/w10-configure.png
deleted file mode 100644
index ebfef8d97b..0000000000
Binary files a/windows/images/w10-configure.png and /dev/null differ
diff --git a/windows/images/w10-deploy.png b/windows/images/w10-deploy.png
deleted file mode 100644
index d567f44f1d..0000000000
Binary files a/windows/images/w10-deploy.png and /dev/null differ
diff --git a/windows/images/w10-evaluation.png b/windows/images/w10-evaluation.png
deleted file mode 100644
index 19d690b694..0000000000
Binary files a/windows/images/w10-evaluation.png and /dev/null differ
diff --git a/windows/images/w10-manage.png b/windows/images/w10-manage.png
deleted file mode 100644
index 9ace55b79b..0000000000
Binary files a/windows/images/w10-manage.png and /dev/null differ
diff --git a/windows/images/w10-plan.png b/windows/images/w10-plan.png
deleted file mode 100644
index 045f85e914..0000000000
Binary files a/windows/images/w10-plan.png and /dev/null differ
diff --git a/windows/images/w10-secure.png b/windows/images/w10-secure.png
deleted file mode 100644
index 7799e94849..0000000000
Binary files a/windows/images/w10-secure.png and /dev/null differ
diff --git a/windows/images/w10-update.png b/windows/images/w10-update.png
deleted file mode 100644
index 876374904b..0000000000
Binary files a/windows/images/w10-update.png and /dev/null differ
diff --git a/windows/images/w10-whatsnew-highlight.png b/windows/images/w10-whatsnew-highlight.png
deleted file mode 100644
index b8534ef41d..0000000000
Binary files a/windows/images/w10-whatsnew-highlight.png and /dev/null differ
diff --git a/windows/images/w10-whatsnew.png b/windows/images/w10-whatsnew.png
deleted file mode 100644
index cc040c45aa..0000000000
Binary files a/windows/images/w10-whatsnew.png and /dev/null differ
diff --git a/windows/index.md b/windows/index.md
deleted file mode 100644
index dad59e644a..0000000000
--- a/windows/index.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Windows 10 and Windows 10 Mobile (Windows 10)
-description: This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile.
-ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
-ms.prod: w10
-localizationpriority: high
-author: brianlic-msft
----
-
-# Windows 10 and Windows 10 Mobile
-
-This library provides the core content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile.
-
-
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
-
- These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
- - Read more about Windows as a Service
-
- - Download the WaaS infographic
-
-
-
-
-
-
-## Related topics
-[Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009)
-
-
-
-
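Review bot: Deleting `windows/index.md` moves the landing page to `windows/hub/index.md` (same `ms.assetid`), and nothing in this part of the diff adds a redirect for the old path. Add a redirection entry in the same change so existing links and bookmarks to the old landing page keep resolving.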
diff --git a/windows/keep-secure/.vscode/settings.json b/windows/keep-secure/.vscode/settings.json
deleted file mode 100644
index 96b19b0418..0000000000
--- a/windows/keep-secure/.vscode/settings.json
+++ /dev/null
@@ -1,4 +0,0 @@
-// Place your settings in this file to overwrite default and user settings.
-{
- "update.channel": "none",
-}
\ No newline at end of file
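Review bot: Removing the editor-local `.vscode/settings.json` is fine, but nothing visible here prevents it from being committed again. Add `.vscode/` to `.gitignore` in the same change so per-user editor settings stay out of the docs repo.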
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
deleted file mode 100644
index bc1d1edae3..0000000000
--- a/windows/keep-secure/TOC.md
+++ /dev/null
@@ -1,974 +0,0 @@
-# [Keep Windows 10 secure](index.md)
-## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
-## [Windows Hello for Business](hello-identity-verification.md)
-### [How Windows Hello for Business works](hello-how-it-works.md)
-### [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-### [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-### [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-### [Windows Hello and password changes](hello-and-password-changes.md)
-### [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-### [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-### [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
-## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
-## [Device Guard deployment guide](device-guard-deployment-guide.md)
-### [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
-### [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md)
-### [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
-### [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
-#### [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
-#### [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
-#### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
-#### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md)
-### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md)
-## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
-## [Protect derived domain credentials with Credential Guard](credential-guard.md)
-### [How Credential Guard works](credential-guard-how-it-works.md)
-### [Credential Guard Requirements](credential-guard-requirements.md)
-### [Manage Credential Guard](credential-guard-manage.md)
-### [Scenarios not protected by Credential Guard](credential-guard-not-protected-scenarios.md)
-### [Considerations when using Credential Guard](credential-guard-considerations.md)
-### [Scripts for Certificate Authority Issuance Policies](credential-guard-scripts.md)
-## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
-## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md)
-### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
-#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
-##### [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
-##### [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
-##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
-#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
-#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
-#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md)
-### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
-### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
-### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
-### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
-#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
-#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md)
-#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md)
-#### [Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md)
-## [Windows Defender SmartScreen](windows-defender-smartscreen-overview.md)
-### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)
-### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen-set-individual-device.md)
-## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
-## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
-## [VPN technical guide](vpn-guide.md)
-### [VPN connection types](vpn-connection-type.md)
-### [VPN routing decisions](vpn-routing.md)
-### [VPN authentication options](vpn-authentication.md)
-### [VPN and conditional access](vpn-conditional-access.md)
-### [VPN name resolution](vpn-name-resolution.md)
-### [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
-### [VPN security features](vpn-security-features.md)
-### [VPN profile options](vpn-profile-options.md)
-## [Windows security baselines](windows-security-baselines.md)
-## [Security technologies](security-technologies.md)
-### [Access Control Overview](access-control.md)
-#### [Dynamic Access Control Overview](dynamic-access-control.md)
-#### [Security identifiers](security-identifiers.md)
-#### [Security Principals](security-principals.md)
-#### [Local Accounts](local-accounts.md)
-#### [Active Directory Accounts](active-directory-accounts.md)
-#### [Microsoft Accounts](microsoft-accounts.md)
-#### [Service Accounts](service-accounts.md)
-#### [Active Directory Security Groups](active-directory-security-groups.md)
-#### [Special Identities](special-identities.md)
-### [AppLocker](applocker-overview.md)
-#### [Administer AppLocker](administer-applocker.md)
-##### [Maintain AppLocker policies](maintain-applocker-policies.md)
-##### [Edit an AppLocker policy](edit-an-applocker-policy.md)
-##### [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
-##### [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
-##### [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md)
-##### [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md)
-##### [Optimize AppLocker performance](optimize-applocker-performance.md)
-##### [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
-##### [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md)
-##### [Working with AppLocker rules](working-with-applocker-rules.md)
-###### [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
-###### [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
-###### [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
-###### [Create AppLocker default rules](create-applocker-default-rules.md)
-###### [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
-###### [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md)
-###### [Delete an AppLocker rule](delete-an-applocker-rule.md)
-###### [Edit AppLocker rules](edit-applocker-rules.md)
-###### [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
-###### [Enforce AppLocker rules](enforce-applocker-rules.md)
-###### [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
-##### [Working with AppLocker policies](working-with-applocker-policies.md)
-###### [Configure the Application Identity service](configure-the-application-identity-service.md)
-###### [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
-###### [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)
-###### [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md)
-###### [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md)
-###### [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)
-###### [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)
-###### [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)
-###### [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md)
-###### [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md)
-###### [Merge AppLocker policies manually](merge-applocker-policies-manually.md)
-###### [Refresh an AppLocker policy](refresh-an-applocker-policy.md)
-###### [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md)
-#### [AppLocker design guide](applocker-policies-design-guide.md)
-##### [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
-##### [Determine your application control objectives](determine-your-application-control-objectives.md)
-##### [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
-###### [Document your app list](document-your-application-list.md)
-##### [Select the types of rules to create](select-types-of-rules-to-create.md)
-###### [Document your AppLocker rules](document-your-applocker-rules.md)
-##### [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
-###### [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
-###### [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
-###### [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md)
-##### [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
-###### [Document your application control management processes](document-your-application-control-management-processes.md)
-##### [Create your AppLocker planning document](create-your-applocker-planning-document.md)
-#### [AppLocker deployment guide](applocker-policies-deployment-guide.md)
-##### [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
-##### [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md)
-##### [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md)
-##### [Create Your AppLocker policies](create-your-applocker-policies.md)
-###### [Create Your AppLocker rules](create-your-applocker-rules.md)
-##### [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
-###### [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
-####### [Determine which apps are digitally signed on a reference device](determine-which-applications-are-digitally-signed-on-a-reference-computer.md)
-####### [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md)
-#### [AppLocker technical reference](applocker-technical-reference.md)
-##### [What Is AppLocker?](what-is-applocker.md)
-##### [Requirements to use AppLocker](requirements-to-use-applocker.md)
-##### [AppLocker policy use scenarios](applocker-policy-use-scenarios.md)
-##### [How AppLocker works](how-applocker-works-techref.md)
-###### [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
-###### [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
-###### [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
-###### [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
-###### [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
-####### [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
-####### [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
-####### [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
-###### [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
-####### [Executable rules in AppLocker](executable-rules-in-applocker.md)
-####### [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
-####### [Script rules in AppLocker](script-rules-in-applocker.md)
-####### [DLL rules in AppLocker](dll-rules-in-applocker.md)
-####### [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
-##### [AppLocker architecture and components](applocker-architecture-and-components.md)
-##### [AppLocker processes and interactions](applocker-processes-and-interactions.md)
-##### [AppLocker functions](applocker-functions.md)
-##### [Security considerations for AppLocker](security-considerations-for-applocker.md)
-##### [Tools to Use with AppLocker](tools-to-use-with-applocker.md)
-###### [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md)
-##### [AppLocker Settings](applocker-settings.md)
-### [BitLocker](bitlocker-overview.md)
-#### [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md)
-#### [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
-#### [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
-#### [BitLocker basic deployment](bitlocker-basic-deployment.md)
-#### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md)
-#### [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
-#### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
-#### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
-#### [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
-#### [BCD settings and BitLocker](bcd-settings-and-bitlocker.md)
-#### [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)
-#### [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)
-##### [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md)
-##### [BitLocker Countermeasures](bitlocker-countermeasures.md)
-##### [Choose the Right BitLocker Countermeasure](choose-the-right-bitlocker-countermeasure.md)
-#### [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
-### [Encrypted Hard Drive](encrypted-hard-drive.md)
-### [Enterprise Certificate Pinning](enterprise-certificate-pinning.md)
-### [Security auditing](security-auditing-overview.md)
-#### [Basic security audit policies](basic-security-audit-policies.md)
-##### [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md)
-##### [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md)
-##### [View the security event log](view-the-security-event-log.md)
-##### [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-###### [Audit account logon events](basic-audit-account-logon-events.md)
-###### [Audit account management](basic-audit-account-management.md)
-###### [Audit directory service access](basic-audit-directory-service-access.md)
-###### [Audit logon events](basic-audit-logon-events.md)
-###### [Audit object access](basic-audit-object-access.md)
-###### [Audit policy change](basic-audit-policy-change.md)
-###### [Audit privilege use](basic-audit-privilege-use.md)
-###### [Audit process tracking](basic-audit-process-tracking.md)
-###### [Audit system events](basic-audit-system-events.md)
-#### [Advanced security audit policies](advanced-security-auditing.md)
-##### [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
-##### [Advanced security auditing FAQ](advanced-security-auditing-faq.md)
-###### [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md)
-##### [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
-###### [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md)
-###### [Monitor the use of removable storage devices](monitor-the-use-of-removable-storage-devices.md)
-###### [Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)
-###### [Monitor central access policy and rule definitions](monitor-central-access-policy-and-rule-definitions.md)
-###### [Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md)
-###### [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)
-###### [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)
-###### [Monitor claim types](monitor-claim-types.md)
-##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
-###### [Audit Credential Validation](audit-credential-validation.md)
-####### [Event 4774 S, F: An account was mapped for logon.](event-4774.md)
-####### [Event 4775 F: An account could not be mapped for logon.](event-4775.md)
-####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](event-4776.md)
-####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](event-4777.md)
-###### [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
-####### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](event-4768.md)
-####### [Event 4771 F: Kerberos pre-authentication failed.](event-4771.md)
-####### [Event 4772 F: A Kerberos authentication ticket request failed.](event-4772.md)
-###### [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
-####### [Event 4769 S, F: A Kerberos service ticket was requested.](event-4769.md)
-####### [Event 4770 S: A Kerberos service ticket was renewed.](event-4770.md)
-####### [Event 4773 F: A Kerberos service ticket request failed.](event-4773.md)
-###### [Audit Other Account Logon Events](audit-other-account-logon-events.md)
-###### [Audit Application Group Management](audit-application-group-management.md)
-###### [Audit Computer Account Management](audit-computer-account-management.md)
-####### [Event 4741 S: A computer account was created.](event-4741.md)
-####### [Event 4742 S: A computer account was changed.](event-4742.md)
-####### [Event 4743 S: A computer account was deleted.](event-4743.md)
-###### [Audit Distribution Group Management](audit-distribution-group-management.md)
-####### [Event 4749 S: A security-disabled global group was created.](event-4749.md)
-####### [Event 4750 S: A security-disabled global group was changed.](event-4750.md)
-####### [Event 4751 S: A member was added to a security-disabled global group.](event-4751.md)
-####### [Event 4752 S: A member was removed from a security-disabled global group.](event-4752.md)
-####### [Event 4753 S: A security-disabled global group was deleted.](event-4753.md)
-###### [Audit Other Account Management Events](audit-other-account-management-events.md)
-####### [Event 4782 S: The password hash an account was accessed.](event-4782.md)
-####### [Event 4793 S: The Password Policy Checking API was called.](event-4793.md)
-###### [Audit Security Group Management](audit-security-group-management.md)
-####### [Event 4731 S: A security-enabled local group was created.](event-4731.md)
-####### [Event 4732 S: A member was added to a security-enabled local group.](event-4732.md)
-####### [Event 4733 S: A member was removed from a security-enabled local group.](event-4733.md)
-####### [Event 4734 S: A security-enabled local group was deleted.](event-4734.md)
-####### [Event 4735 S: A security-enabled local group was changed.](event-4735.md)
-####### [Event 4764 S: A group’s type was changed.](event-4764.md)
-####### [Event 4799 S: A security-enabled local group membership was enumerated.](event-4799.md)
-###### [Audit User Account Management](audit-user-account-management.md)
-####### [Event 4720 S: A user account was created.](event-4720.md)
-####### [Event 4722 S: A user account was enabled.](event-4722.md)
-####### [Event 4723 S, F: An attempt was made to change an account's password.](event-4723.md)
-####### [Event 4724 S, F: An attempt was made to reset an account's password.](event-4724.md)
-####### [Event 4725 S: A user account was disabled.](event-4725.md)
-####### [Event 4726 S: A user account was deleted.](event-4726.md)
-####### [Event 4738 S: A user account was changed.](event-4738.md)
-####### [Event 4740 S: A user account was locked out.](event-4740.md)
-####### [Event 4765 S: SID History was added to an account.](event-4765.md)
-####### [Event 4766 F: An attempt to add SID History to an account failed.](event-4766.md)
-####### [Event 4767 S: A user account was unlocked.](event-4767.md)
-####### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](event-4780.md)
-####### [Event 4781 S: The name of an account was changed.](event-4781.md)
-####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](event-4794.md)
-####### [Event 4798 S: A user's local group membership was enumerated.](event-4798.md)
-####### [Event 5376 S: Credential Manager credentials were backed up.](event-5376.md)
-####### [Event 5377 S: Credential Manager credentials were restored from a backup.](event-5377.md)
-###### [Audit DPAPI Activity](audit-dpapi-activity.md)
-####### [Event 4692 S, F: Backup of data protection master key was attempted.](event-4692.md)
-####### [Event 4693 S, F: Recovery of data protection master key was attempted.](event-4693.md)
-####### [Event 4694 S, F: Protection of auditable protected data was attempted.](event-4694.md)
-####### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](event-4695.md)
-###### [Audit PNP Activity](audit-pnp-activity.md)
-####### [Event 6416 S: A new external device was recognized by the System.](event-6416.md)
-####### [Event 6419 S: A request was made to disable a device.](event-6419.md)
-####### [Event 6420 S: A device was disabled.](event-6420.md)
-####### [Event 6421 S: A request was made to enable a device.](event-6421.md)
-####### [Event 6422 S: A device was enabled.](event-6422.md)
-####### [Event 6423 S: The installation of this device is forbidden by system policy.](event-6423.md)
-####### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](event-6424.md)
-###### [Audit Process Creation](audit-process-creation.md)
-####### [Event 4688 S: A new process has been created.](event-4688.md)
-####### [Event 4696 S: A primary token was assigned to process.](event-4696.md)
-###### [Audit Process Termination](audit-process-termination.md)
-####### [Event 4689 S: A process has exited.](event-4689.md)
-###### [Audit RPC Events](audit-rpc-events.md)
-####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](event-5712.md)
-###### [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
-####### [Event 4928 S, F: An Active Directory replica source naming context was established.](event-4928.md)
-####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](event-4929.md)
-####### [Event 4930 S, F: An Active Directory replica source naming context was modified.](event-4930.md)
-####### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](event-4931.md)
-####### [Event 4934 S: Attributes of an Active Directory object were replicated.](event-4934.md)
-####### [Event 4935 F: Replication failure begins.](event-4935.md)
-####### [Event 4936 S: Replication failure ends.](event-4936.md)
-####### [Event 4937 S: A lingering object was removed from a replica.](event-4937.md)
-###### [Audit Directory Service Access](audit-directory-service-access.md)
-####### [Event 4662 S, F: An operation was performed on an object.](event-4662.md)
-####### [Event 4661 S, F: A handle to an object was requested.](event-4661.md)
-###### [Audit Directory Service Changes](audit-directory-service-changes.md)
-####### [Event 5136 S: A directory service object was modified.](event-5136.md)
-####### [Event 5137 S: A directory service object was created.](event-5137.md)
-####### [Event 5138 S: A directory service object was undeleted.](event-5138.md)
-####### [Event 5139 S: A directory service object was moved.](event-5139.md)
-####### [Event 5141 S: A directory service object was deleted.](event-5141.md)
-###### [Audit Directory Service Replication](audit-directory-service-replication.md)
-####### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](event-4932.md)
-####### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](event-4933.md)
-###### [Audit Account Lockout](audit-account-lockout.md)
-####### [Event 4625 F: An account failed to log on.](event-4625.md)
-###### [Audit User/Device Claims](audit-user-device-claims.md)
-####### [Event 4626 S: User/Device claims information.](event-4626.md)
-###### [Audit Group Membership](audit-group-membership.md)
-####### [Event 4627 S: Group membership information.](event-4627.md)
-###### [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
-###### [Audit IPsec Main Mode](audit-ipsec-main-mode.md)
-###### [Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)
-###### [Audit Logoff](audit-logoff.md)
-####### [Event 4634 S: An account was logged off.](event-4634.md)
-####### [Event 4647 S: User initiated logoff.](event-4647.md)
-###### [Audit Logon](audit-logon.md)
-####### [Event 4624 S: An account was successfully logged on.](event-4624.md)
-####### [Event 4625 F: An account failed to log on.](event-4625.md)
-####### [Event 4648 S: A logon was attempted using explicit credentials.](event-4648.md)
-####### [Event 4675 S: SIDs were filtered.](event-4675.md)
-###### [Audit Network Policy Server](audit-network-policy-server.md)
-###### [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-####### [Event 4649 S: A replay attack was detected.](event-4649.md)
-####### [Event 4778 S: A session was reconnected to a Window Station.](event-4778.md)
-####### [Event 4779 S: A session was disconnected from a Window Station.](event-4779.md)
-####### [Event 4800 S: The workstation was locked.](event-4800.md)
-####### [Event 4801 S: The workstation was unlocked.](event-4801.md)
-####### [Event 4802 S: The screen saver was invoked.](event-4802.md)
-####### [Event 4803 S: The screen saver was dismissed.](event-4803.md)
-####### [Event 5378 F: The requested credentials delegation was disallowed by policy.](event-5378.md)
-####### [Event 5632 S, F: A request was made to authenticate to a wireless network.](event-5632.md)
-####### [Event 5633 S, F: A request was made to authenticate to a wired network.](event-5633.md)
-###### [Audit Special Logon](audit-special-logon.md)
-####### [Event 4964 S: Special groups have been assigned to a new logon.](event-4964.md)
-####### [Event 4672 S: Special privileges assigned to new logon.](event-4672.md)
-###### [Audit Application Generated](audit-application-generated.md)
-###### [Audit Certification Services](audit-certification-services.md)
-###### [Audit Detailed File Share](audit-detailed-file-share.md)
-####### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](event-5145.md)
-###### [Audit File Share](audit-file-share.md)
-####### [Event 5140 S, F: A network share object was accessed.](event-5140.md)
-####### [Event 5142 S: A network share object was added.](event-5142.md)
-####### [Event 5143 S: A network share object was modified.](event-5143.md)
-####### [Event 5144 S: A network share object was deleted.](event-5144.md)
-####### [Event 5168 F: SPN check for SMB/SMB2 failed.](event-5168.md)
-###### [Audit File System](audit-file-system.md)
-####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md)
-####### [Event 4658 S: The handle to an object was closed.](event-4658.md)
-####### [Event 4660 S: An object was deleted.](event-4660.md)
-####### [Event 4663 S: An attempt was made to access an object.](event-4663.md)
-####### [Event 4664 S: An attempt was made to create a hard link.](event-4664.md)
-####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
-####### [Event 5051: A file was virtualized.](event-5051.md)
-####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
-###### [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-####### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](event-5031.md)
-####### [Event 5150: The Windows Filtering Platform blocked a packet.](event-5150.md)
-####### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](event-5151.md)
-####### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](event-5154.md)
-####### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](event-5155.md)
-####### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](event-5156.md)
-####### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](event-5157.md)
-####### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](event-5158.md)
-####### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](event-5159.md)
-###### [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
-####### [Event 5152 F: The Windows Filtering Platform blocked a packet.](event-5152.md)
-####### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](event-5153.md)
-###### [Audit Handle Manipulation](audit-handle-manipulation.md)
-####### [Event 4690 S: An attempt was made to duplicate a handle to an object.](event-4690.md)
-###### [Audit Kernel Object](audit-kernel-object.md)
-####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md)
-####### [Event 4658 S: The handle to an object was closed.](event-4658.md)
-####### [Event 4660 S: An object was deleted.](event-4660.md)
-####### [Event 4663 S: An attempt was made to access an object.](event-4663.md)
-###### [Audit Other Object Access Events](audit-other-object-access-events.md)
-####### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](event-4671.md)
-####### [Event 4691 S: Indirect access to an object was requested.](event-4691.md)
-####### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](event-5148.md)
-####### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](event-5149.md)
-####### [Event 4698 S: A scheduled task was created.](event-4698.md)
-####### [Event 4699 S: A scheduled task was deleted.](event-4699.md)
-####### [Event 4700 S: A scheduled task was enabled.](event-4700.md)
-####### [Event 4701 S: A scheduled task was disabled.](event-4701.md)
-####### [Event 4702 S: A scheduled task was updated.](event-4702.md)
-####### [Event 5888 S: An object in the COM+ Catalog was modified.](event-5888.md)
-####### [Event 5889 S: An object was deleted from the COM+ Catalog.](event-5889.md)
-####### [Event 5890 S: An object was added to the COM+ Catalog.](event-5890.md)
-###### [Audit Registry](audit-registry.md)
-####### [Event 4663 S: An attempt was made to access an object.](event-4663.md)
-####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md)
-####### [Event 4658 S: The handle to an object was closed.](event-4658.md)
-####### [Event 4660 S: An object was deleted.](event-4660.md)
-####### [Event 4657 S: A registry value was modified.](event-4657.md)
-####### [Event 5039: A registry key was virtualized.](event-5039.md)
-####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
-###### [Audit Removable Storage](audit-removable-storage.md)
-###### [Audit SAM](audit-sam.md)
-####### [Event 4661 S, F: A handle to an object was requested.](event-4661.md)
-###### [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
-####### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](event-4818.md)
-###### [Audit Audit Policy Change](audit-audit-policy-change.md)
-####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
-####### [Event 4715 S: The audit policy, SACL, on an object was changed.](event-4715.md)
-####### [Event 4719 S: System audit policy was changed.](event-4719.md)
-####### [Event 4817 S: Auditing settings on object were changed.](event-4817.md)
-####### [Event 4902 S: The Per-user audit policy table was created.](event-4902.md)
-####### [Event 4906 S: The CrashOnAuditFail value has changed.](event-4906.md)
-####### [Event 4907 S: Auditing settings on object were changed.](event-4907.md)
-####### [Event 4908 S: Special Groups Logon table modified.](event-4908.md)
-####### [Event 4912 S: Per User Audit Policy was changed.](event-4912.md)
-####### [Event 4904 S: An attempt was made to register a security event source.](event-4904.md)
-####### [Event 4905 S: An attempt was made to unregister a security event source.](event-4905.md)
-###### [Audit Authentication Policy Change](audit-authentication-policy-change.md)
-####### [Event 4706 S: A new trust was created to a domain.](event-4706.md)
-####### [Event 4707 S: A trust to a domain was removed.](event-4707.md)
-####### [Event 4716 S: Trusted domain information was modified.](event-4716.md)
-####### [Event 4713 S: Kerberos policy was changed.](event-4713.md)
-####### [Event 4717 S: System security access was granted to an account.](event-4717.md)
-####### [Event 4718 S: System security access was removed from an account.](event-4718.md)
-####### [Event 4739 S: Domain Policy was changed.](event-4739.md)
-####### [Event 4864 S: A namespace collision was detected.](event-4864.md)
-####### [Event 4865 S: A trusted forest information entry was added.](event-4865.md)
-####### [Event 4866 S: A trusted forest information entry was removed.](event-4866.md)
-####### [Event 4867 S: A trusted forest information entry was modified.](event-4867.md)
-###### [Audit Authorization Policy Change](audit-authorization-policy-change.md)
-####### [Event 4703 S: A user right was adjusted.](event-4703.md)
-####### [Event 4704 S: A user right was assigned.](event-4704.md)
-####### [Event 4705 S: A user right was removed.](event-4705.md)
-####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
-####### [Event 4911 S: Resource attributes of the object were changed.](event-4911.md)
-####### [Event 4913 S: Central Access Policy on the object was changed.](event-4913.md)
-###### [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
-###### [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-####### [Event 4944 S: The following policy was active when the Windows Firewall started.](event-4944.md)
-####### [Event 4945 S: A rule was listed when the Windows Firewall started.](event-4945.md)
-####### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](event-4946.md)
-####### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](event-4947.md)
-####### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](event-4948.md)
-####### [Event 4949 S: Windows Firewall settings were restored to the default values.](event-4949.md)
-####### [Event 4950 S: A Windows Firewall setting has changed.](event-4950.md)
-####### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](event-4951.md)
-####### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](event-4952.md)
-####### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](event-4953.md)
-####### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](event-4954.md)
-####### [Event 4956 S: Windows Firewall has changed the active profile.](event-4956.md)
-####### [Event 4957 F: Windows Firewall did not apply the following rule.](event-4957.md)
-####### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](event-4958.md)
-###### [Audit Other Policy Change Events](audit-other-policy-change-events.md)
-####### [Event 4714 S: Encrypted data recovery policy was changed.](event-4714.md)
-####### [Event 4819 S: Central Access Policies on the machine have been changed.](event-4819.md)
-####### [Event 4826 S: Boot Configuration Data loaded.](event-4826.md)
-####### [Event 4909: The local policy settings for the TBS were changed.](event-4909.md)
-####### [Event 4910: The group policy settings for the TBS were changed.](event-4910.md)
-####### [Event 5063 S, F: A cryptographic provider operation was attempted.](event-5063.md)
-####### [Event 5064 S, F: A cryptographic context operation was attempted.](event-5064.md)
-####### [Event 5065 S, F: A cryptographic context modification was attempted.](event-5065.md)
-####### [Event 5066 S, F: A cryptographic function operation was attempted.](event-5066.md)
-####### [Event 5067 S, F: A cryptographic function modification was attempted.](event-5067.md)
-####### [Event 5068 S, F: A cryptographic function provider operation was attempted.](event-5068.md)
-####### [Event 5069 S, F: A cryptographic function property operation was attempted.](event-5069.md)
-####### [Event 5070 S, F: A cryptographic function property modification was attempted.](event-5070.md)
-####### [Event 5447 S: A Windows Filtering Platform filter has been changed.](event-5447.md)
-####### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](event-6144.md)
-####### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](event-6145.md)
-###### [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
-####### [Event 4673 S, F: A privileged service was called.](event-4673.md)
-####### [Event 4674 S, F: An operation was attempted on a privileged object.](event-4674.md)
-####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
-###### [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
-####### [Event 4673 S, F: A privileged service was called.](event-4673.md)
-####### [Event 4674 S, F: An operation was attempted on a privileged object.](event-4674.md)
-####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
-###### [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
-####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
-###### [Audit IPsec Driver](audit-ipsec-driver.md)
-###### [Audit Other System Events](audit-other-system-events.md)
-####### [Event 5024 S: The Windows Firewall Service has started successfully.](event-5024.md)
-####### [Event 5025 S: The Windows Firewall Service has been stopped.](event-5025.md)
-####### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](event-5027.md)
-####### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](event-5028.md)
-####### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](event-5029.md)
-####### [Event 5030 F: The Windows Firewall Service failed to start.](event-5030.md)
-####### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](event-5032.md)
-####### [Event 5033 S: The Windows Firewall Driver has started successfully.](event-5033.md)
-####### [Event 5034 S: The Windows Firewall Driver was stopped.](event-5034.md)
-####### [Event 5035 F: The Windows Firewall Driver failed to start.](event-5035.md)
-####### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](event-5037.md)
-####### [Event 5058 S, F: Key file operation.](event-5058.md)
-####### [Event 5059 S, F: Key migration operation.](event-5059.md)
-####### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](event-6400.md)
-####### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](event-6401.md)
-####### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](event-6402.md)
-####### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](event-6403.md)
-####### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](event-6404.md)
-####### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](event-6405.md)
-####### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](event-6406.md)
-####### [Event 6407: 1%.](event-6407.md)
-####### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](event-6408.md)
-####### [Event 6409: BranchCache: A service connection point object could not be parsed.](event-6409.md)
-###### [Audit Security State Change](audit-security-state-change.md)
-####### [Event 4608 S: Windows is starting up.](event-4608.md)
-####### [Event 4616 S: The system time was changed.](event-4616.md)
-####### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](event-4621.md)
-###### [Audit Security System Extension](audit-security-system-extension.md)
-####### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](event-4610.md)
-####### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](event-4611.md)
-####### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](event-4614.md)
-####### [Event 4622 S: A security package has been loaded by the Local Security Authority.](event-4622.md)
-####### [Event 4697 S: A service was installed in the system.](event-4697.md)
-###### [Audit System Integrity](audit-system-integrity.md)
-####### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](event-4612.md)
-####### [Event 4615 S: Invalid use of LPC port.](event-4615.md)
-####### [Event 4618 S: A monitored security event pattern has occurred.](event-4618.md)
-####### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](event-4816.md)
-####### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](event-5038.md)
-####### [Event 5056 S: A cryptographic self-test was performed.](event-5056.md)
-####### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](event-5062.md)
-####### [Event 5057 F: A cryptographic primitive operation failed.](event-5057.md)
-####### [Event 5060 F: Verification operation failed.](event-5060.md)
-####### [Event 5061 S, F: Cryptographic operation.](event-5061.md)
-####### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](event-6281.md)
-####### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](event-6410.md)
-###### [Other Events](other-events.md)
-####### [Event 1100 S: The event logging service has shut down.](event-1100.md)
-####### [Event 1102 S: The audit log was cleared.](event-1102.md)
-####### [Event 1104 S: The security log is now full.](event-1104.md)
-####### [Event 1105 S: Event log automatic backup.](event-1105.md)
-####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](event-1108.md)
-###### [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
-###### [Registry (Global Object Access Auditing) ](registry-global-object-access-auditing.md)
-###### [File System (Global Object Access Auditing) ](file-system-global-object-access-auditing.md)
-### [Security policy settings](security-policy-settings.md)
-#### [Administer security policy settings](administer-security-policy-settings.md)
-##### [Network List Manager policies](network-list-manager-policies.md)
-#### [Configure security policy settings](how-to-configure-security-policy-settings.md)
-#### [Security policy settings reference](security-policy-settings-reference.md)
-##### [Account Policies](account-policies.md)
-###### [Password Policy](password-policy.md)
-####### [Enforce password history](enforce-password-history.md)
-####### [Maximum password age](maximum-password-age.md)
-####### [Minimum password age](minimum-password-age.md)
-####### [Minimum password length](minimum-password-length.md)
-####### [Password must meet complexity requirements](password-must-meet-complexity-requirements.md)
-####### [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md)
-###### [Account Lockout Policy](account-lockout-policy.md)
-####### [Account lockout duration](account-lockout-duration.md)
-####### [Account lockout threshold](account-lockout-threshold.md)
-####### [Reset account lockout counter after](reset-account-lockout-counter-after.md)
-###### [Kerberos Policy](kerberos-policy.md)
-####### [Enforce user logon restrictions](enforce-user-logon-restrictions.md)
-####### [Maximum lifetime for service ticket](maximum-lifetime-for-service-ticket.md)
-####### [Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md)
-####### [Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md)
-####### [Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md)
-##### [Audit Policy](audit-policy.md)
-##### [Security Options](security-options.md)
-###### [Accounts: Administrator account status](accounts-administrator-account-status.md)
-###### [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md)
-###### [Accounts: Guest account status](accounts-guest-account-status.md)
-###### [Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)
-###### [Accounts: Rename administrator account](accounts-rename-administrator-account.md)
-###### [Accounts: Rename guest account](accounts-rename-guest-account.md)
-###### [Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md)
-###### [Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md)
-###### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](audit-force-audit-policy-subcategory-settings-to-override.md)
-###### [Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)
-###### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
-###### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
-###### [Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md)
-###### [Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md)
-###### [Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md)
-###### [Devices: Restrict CD-ROM access to locally logged-on user only](devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)
-###### [Devices: Restrict floppy access to locally logged-on user only](devices-restrict-floppy-access-to-locally-logged-on-user-only.md)
-###### [Domain controller: Allow server operators to schedule tasks](domain-controller-allow-server-operators-to-schedule-tasks.md)
-###### [Domain controller: LDAP server signing requirements](domain-controller-ldap-server-signing-requirements.md)
-###### [Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md)
-###### [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
-###### [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
-###### [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
-###### [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md)
-###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)
-###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
-###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
-###### [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)
-###### [Interactive logon: Don't display username at sign-in](interactive-logon-dont-display-username-at-sign-in.md)
-###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
-###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
-###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)
-###### [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md)
-###### [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)
-###### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)
-###### [Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)
-###### [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)
-###### [Interactive logon: Require smart card](interactive-logon-require-smart-card.md)
-###### [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md)
-###### [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md)
-###### [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
-###### [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)
-###### [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)
-###### [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)
-###### [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)
-###### [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
-###### [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)
-###### [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)
-###### [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)
-###### [Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)
-###### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)
-###### [Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)
-###### [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)
-###### [Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)
-###### [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)
-###### [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)
-###### [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
-###### [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)
-###### [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)
-###### [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
-###### [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md)
-###### [Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)
-###### [Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)
-###### [Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)
-###### [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)
-###### [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)
-###### [Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md)
-###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)
-###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)
-###### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)
-###### [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)
-###### [Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)
-###### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)
-###### [Network security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md)
-###### [Network security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)
-###### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)
-###### [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)
-###### [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)
-###### [Shutdown: Allow system to be shut down without having to log on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)
-###### [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)
-###### [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
-###### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
-###### [System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
-###### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)
-###### [System settings: Optional subsystems](system-settings-optional-subsystems.md)
-###### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
-###### [User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)
-###### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)
-###### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)
-###### [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)
-###### [User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md)
-###### [User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md)
-###### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)
-###### [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)
-###### [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)
-###### [User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)
-##### [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md)
-##### [User Rights Assignment](user-rights-assignment.md)
-###### [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md)
-###### [Access this computer from the network](access-this-computer-from-the-network.md)
-###### [Act as part of the operating system](act-as-part-of-the-operating-system.md)
-###### [Add workstations to domain](add-workstations-to-domain.md)
-###### [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md)
-###### [Allow log on locally](allow-log-on-locally.md)
-###### [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md)
-###### [Back up files and directories](back-up-files-and-directories.md)
-###### [Bypass traverse checking](bypass-traverse-checking.md)
-###### [Change the system time](change-the-system-time.md)
-###### [Change the time zone](change-the-time-zone.md)
-###### [Create a pagefile](create-a-pagefile.md)
-###### [Create a token object](create-a-token-object.md)
-###### [Create global objects](create-global-objects.md)
-###### [Create permanent shared objects](create-permanent-shared-objects.md)
-###### [Create symbolic links](create-symbolic-links.md)
-###### [Debug programs](debug-programs.md)
-###### [Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)
-###### [Deny log on as a batch job](deny-log-on-as-a-batch-job.md)
-###### [Deny log on as a service](deny-log-on-as-a-service.md)
-###### [Deny log on locally](deny-log-on-locally.md)
-###### [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)
-###### [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)
-###### [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md)
-###### [Generate security audits](generate-security-audits.md)
-###### [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)
-###### [Increase a process working set](increase-a-process-working-set.md)
-###### [Increase scheduling priority](increase-scheduling-priority.md)
-###### [Load and unload device drivers](load-and-unload-device-drivers.md)
-###### [Lock pages in memory](lock-pages-in-memory.md)
-###### [Log on as a batch job](log-on-as-a-batch-job.md)
-###### [Log on as a service](log-on-as-a-service.md)
-###### [Manage auditing and security log](manage-auditing-and-security-log.md)
-###### [Modify an object label](modify-an-object-label.md)
-###### [Modify firmware environment values](modify-firmware-environment-values.md)
-###### [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md)
-###### [Profile single process](profile-single-process.md)
-###### [Profile system performance](profile-system-performance.md)
-###### [Remove computer from docking station](remove-computer-from-docking-station.md)
-###### [Replace a process level token](replace-a-process-level-token.md)
-###### [Restore files and directories](restore-files-and-directories.md)
-###### [Shut down the system](shut-down-the-system.md)
-###### [Synchronize directory service data](synchronize-directory-service-data.md)
-###### [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md)
-### [Smart Cards](smart-card-windows-smart-card-technical-reference.md)
-#### [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
-##### [Smart Card Architecture](smart-card-architecture.md)
-##### [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md)
-##### [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md)
-##### [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md)
-##### [Certificate Propagation Service](smart-card-certificate-propagation-service.md)
-##### [Smart Card Removal Policy Service](smart-card-removal-policy-service.md)
-#### [Smart Card Tools and Settings](smart-card-tools-and-settings.md)
-##### [Smart Cards Debugging Information](smart-card-debugging-information.md)
-##### [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md)
-##### [Smart Card Events](smart-card-events.md)
-### [Trusted Platform Module](trusted-platform-module-top-node.md)
-#### [Trusted Platform Module Overview](trusted-platform-module-overview.md)
-#### [TPM fundamentals](tpm-fundamentals.md)
-#### [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
-#### [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md)
-#### [Manage TPM commands](manage-tpm-commands.md)
-#### [Manage TPM lockout](manage-tpm-lockout.md)
-#### [Change the TPM owner password](change-the-tpm-owner-password.md)
-#### [View status, clear, or troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md)
-#### [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md)
-#### [TPM recommendations](tpm-recommendations.md)
-### [User Account Control](user-account-control-overview.md)
-#### [How User Account Control works](how-user-account-control-works.md)
-#### [User Account Control security policy settings](user-account-control-security-policy-settings.md)
-#### [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md)
-### [Virtual Smart Cards](virtual-smart-card-overview.md)
-#### [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
-##### [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
-##### [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
-##### [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
-##### [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
-#### [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
-### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
-#### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
-#### [Preview features](preview-windows-defender-advanced-threat-protection.md)
-#### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
-#### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
-#### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
-##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
-###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
-###### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-#### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
-#### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
-##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
-##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-###### [Alert process tree](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree)
-###### [Incident graph](investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph)
-###### [Alert timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline)
-##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
-##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
-##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
-##### [View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
-##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
-###### [Search for specific alerts](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts)
-###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
-###### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
-###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
-##### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
-##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-##### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)
-###### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
-####### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
-####### [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
-####### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
-####### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-###### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
-####### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
-####### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
-####### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
-####### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-####### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
-######## [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
-######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
-######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
-#### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
-##### [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-##### [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-##### [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
-##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
-##### [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
-#### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
-##### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
-##### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
-##### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
-##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
-###### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
-###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-#### [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md)
-##### [Update general settings](general-settings-windows-defender-advanced-threat-protection.md)
-##### [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
-##### [Turn on preview experience](preview-settings-windows-defender-advanced-threat-protection.md)
-##### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
-#### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender Antivirus compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
-
-
-### [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-#### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
-#### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus-on-windows-server-2016.md)
-#### [Windows Defender Antivirus and Advanced Threat Protection: Better together](windows-defender-antivirus-compatibility.md)
-#### [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
-#### [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-##### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)
-###### [Deployment guide for VDI environments](deployment-vdi-windows-defender-antivirus.md)
-##### [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
-##### [Manage updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-###### [Manage protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
-###### [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-###### [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-###### [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-###### [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-#### [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md)
-##### [Utilize Microsoft cloud-provided protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-###### [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
-###### [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
-###### [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md)
-###### [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
-###### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-##### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
-###### [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-###### [Enable and configure always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-##### [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
-###### [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-###### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
-###### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-#### [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-##### [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-###### [Configure exclusions in Windows Defender AV on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md)
-##### [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
-##### [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
-##### [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-##### [Configure and run scans](run-scan-windows-defender-antivirus.md)
-##### [Review scan results](review-scan-results-windows-defender-antivirus.md)
-##### [Run and review the results of a Windows Defender Offline scan](windows-defender-offline.md)
-#### [Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)
-#### [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
-##### [Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)
-##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)
-##### [Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)
-##### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)
-##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](command-line-arguments-windows-defender-antivirus.md)
-### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
-#### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md)
-#### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md)
-#### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
-#### [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md)
-##### [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
-##### [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
-###### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
-###### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
-###### [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
-###### [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-devices.md)
-##### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
-###### [Basic Firewall Policy Design](basic-firewall-policy-design.md)
-###### [Domain Isolation Policy Design](domain-isolation-policy-design.md)
-###### [Server Isolation Policy Design](server-isolation-policy-design.md)
-###### [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
-##### [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
-###### [Firewall Policy Design Example](firewall-policy-design-example.md)
-###### [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
-###### [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
-###### [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
-##### [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
-###### [Gathering the Information You Need](gathering-the-information-you-need.md)
-####### [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md)
-####### [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
-####### [Gathering Information about Your Computers](gathering-information-about-your-devices.md)
-####### [Gathering Other Relevant Information](gathering-other-relevant-information.md)
-###### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md)
-##### [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
-###### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
-###### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
-####### [Exemption List](exemption-list.md)
-####### [Isolated Domain](isolated-domain.md)
-####### [Boundary Zone](boundary-zone.md)
-####### [Encryption Zone](encryption-zone.md)
-###### [Planning Server Isolation Zones](planning-server-isolation-zones.md)
-###### [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
-###### [Documenting the Zones](documenting-the-zones.md)
-###### [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
-####### [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
-####### [Planning Network Access Groups](planning-network-access-groups.md)
-####### [Planning the GPOs](planning-the-gpos.md)
-######## [Firewall GPOs](firewall-gpos.md)
-######### [GPO_DOMISO_Firewall](gpo-domiso-firewall.md)
-######## [Isolated Domain GPOs](isolated-domain-gpos.md)
-######### [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md)
-######### [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md)
-######## [Boundary Zone GPOs](boundary-zone-gpos.md)
-######### [GPO_DOMISO_Boundary](gpo-domiso-boundary.md)
-######## [Encryption Zone GPOs](encryption-zone-gpos.md)
-######### [GPO_DOMISO_Encryption](gpo-domiso-encryption.md)
-######## [Server Isolation GPOs](server-isolation-gpos.md)
-####### [Planning GPO Deployment](planning-gpo-deployment.md)
-##### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
-#### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md)
-##### [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md)
-##### [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md)
-##### [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
-##### [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md)
-###### [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)
-###### [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)
-###### [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)
-##### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
-###### [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)
-###### [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)
-###### [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)
-###### [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)
-##### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md)
-###### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
-###### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
-##### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
-##### [Procedures Used in This Guide](procedures-used-in-this-guide.md)
-###### [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)
-###### [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)
-###### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
-###### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
-###### [Configure Authentication Methods](configure-authentication-methods.md)
-###### [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)
-###### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
-###### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)
-###### [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
-###### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)
-###### [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)
-###### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
-###### [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
-###### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
-###### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
-###### [Create a Group Policy Object](create-a-group-policy-object.md)
-###### [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
-###### [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
-###### [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
-###### [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
-###### [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
-###### [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
-###### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
-###### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
-###### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
-###### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
-###### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
-###### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
-###### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
-###### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
-###### [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
-###### [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md)
-###### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
-###### [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
-###### [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
-###### [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
-###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
-## [Enterprise security guides](windows-10-enterprise-security-guides.md)
-### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
-### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
-### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
-### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
-## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md)
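Review bot: several removed entries have link text that disagrees with the target file name, for example "Gathering Information about Your Computers" pointing at gathering-information-about-your-devices.md and "Determining the Trusted State of Your Computers" pointing at determining-the-trusted-state-of-your-devices.md. If these entries are re-created in another TOC, the titles should be aligned with the "devices" wording the file names use. The nesting also reaches nine `#` characters on the GPO_DOMISO_* entries, past the six heading levels Markdown defines, so the firewall design guide subtree is worth flattening when it moves. Nothing in the visible lines shows a redirect for the removed paths; please confirm that inbound links to these topics still resolve.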
diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
deleted file mode 100644
index ca83fa4210..0000000000
--- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
+++ /dev/null
@@ -1,137 +0,0 @@
----
-title: Add apps to your Windows Information Protection (WIP) policy by using Microsoft Intune custom URI functionality (Windows 10)
-description: Add apps to your Windows Information Protection (WIP) allowed app list, by using the Microsoft Intune custom URI functionality and AppLocker.
-ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880
-keywords: WIP, Enterprise Data Protection, protected apps, protected app list
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.pagetype: security
-ms.sitesec: library
-author: eross-msft
-localizationpriority: high
----
-
-# Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality
-**Applies to:**
-
-- Windows 10, version 1607 and later
-- Windows 10 Mobile
-
-You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=691330).
-
->[!IMPORTANT]
->Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
-
-## Add Store apps
-1. Go to the AppLocker UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**.
-
-2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**.
-
- The **Automatically Generate Packaged app Rules** wizard opens, letting you create WIP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder.
-
-3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
-
- You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
-
-4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
-
- This name should be easily recognizable, such as *WIP_StoreApps_Rules*.
-
-5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
-
-
- >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
-
-6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
-
-7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
-
- >**Important** Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
-
-8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
-
-9. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-
-10. In the **Add one or more OMA-URI settings that control functionality on Windows devices** box, click **Add**.
-
-11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**.
-
-12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection//StoreApp EXE`
-
-13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
-
-14. Copy the text that has a **Type** of `Appx`, within the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
-
- ```
-
- ```
-
-15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
-After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
-
-## Add Desktop apps
-1. Open the Local Security Policy snap-in (SecPol.msc).
-
-2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.
-
- The **Automatically Generate Executable Rules** wizard opens, letting you create WIP-protected app polices by analyzing the files within a specific folder.
-
-3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
-
- You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
-
-4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
-
- This name should be easily recognizable, such as *WIP_DesktopApps_Rules*.
-
-5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
-
- >**Important** You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
-
- >**Note** We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
-
-6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
-
-7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
-
- >**Important** Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
-
-8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
-
-9. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-
-10. In the **Add one or more OMA-URI settings that control functionality on Windows devices** box, click **Add**.
-
-11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**.
-
-12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection//EXE`
-
-13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
-
-14. Copy the text that has a **Type** of `EXE`, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
-
- ```
-
- ```
-
-15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
-
- After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
-## Related topics
-- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
-- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
-- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
-
-
-
-
-
-
-
-
-
-
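Review bot: in the Add Desktop apps section being removed, the Important callout under step 5 suggests Path rules as an alternative to File hash, while the Note directly below it says Path rules let a renamed and relocated binary match an allowed path and bypass WIP. If this procedure is being moved rather than retired, the destination should keep the Publisher, then File hash, then Path ordering and drop or qualify that Important callout. Two other defects should not be carried over unchanged: the OMA-URI values in step 12 of both sections contain an empty path segment (`EnterpriseDataProtection//StoreApp EXE` and `EnterpriseDataProtection//EXE`), and the example fences under step 14 are empty, so a reader cannot tell what the pasted RuleCollection value should look like. Step 7's requirement to delete the generated AppLocker rules from the local policy before applying the WIP policy should also survive any rewrite.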
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
deleted file mode 100644
index 18f2048095..0000000000
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ /dev/null
@@ -1,198 +0,0 @@
----
-title: Change history for Keep Windows 10 secure (Windows 10)
-description: This topic lists new and updated topics in the Keep Windows 10 secure documentation for Windows 10 and Windows 10 Mobile.
-ms.assetid: E50EC5E6-71AA-4FF1-8356-574CFDB8079B
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
----
-
-# Change history for Keep Windows 10 secure
-This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
-
-
-## March 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
-|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. |
-|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. |
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)|Added content about recovering data from a cloud environment.|
-|[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
-|[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
-|[Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)|New |
-|[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)|New |
-|[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen-set-individual-device.md)|New |
-
-
-## February 2017
-
-|New or changed topic |Description |
-|---------------------|------------|
-|[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Added information that maps the Enhanced Mitigation Experience Toolkit (EMET) to Windows 10 features. |
-
-
-## January 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |New |
-|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Updated to include info about USB drives and Azure RMS (Windows Insider Program only) and to add more info about Work Folders and Offline files. |
-|[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New |
-|[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New |
-| Microsoft Passport guide | Content merged into [Windows Hello for Business](hello-identity-verification.md) topics |
-
-## December 2016
-|New or changed topic |Description |
-|---------------------|------------|
-|[Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) |Added filter examples for Windows 10 and Windows Server 2016. |
-
-
-
-## November 2016
-| New or changed topic | Description |
-| --- | --- |
-|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md), [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md), and [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Added additional details about what happens when you turn off WIP. |
-|[Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) |Changed WIPModeID to EDPModeID, to match the CSP. |
-
-
-
-## October 2016
-
-| New or changed topic | Description |
-| --- | --- |
-|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Added Microsoft Remote Desktop information. |
-|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about where the optioanl icon overlay appears.|
-|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added content about using ActiveX controls.|
-|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |New |
-|[VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
-|[Windows security baselines](windows-security-baselines.md) | Added Windows 10, version 1607 and Windows Server 2016 baseline |
-
-
-## September 2016
-
-| New or changed topic | Description |
-| --- | --- |
-|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) | New |
-|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
-|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
-| [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs |
-| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq example and added a new Windows PowerShell example for creating a self-signed certificate |
-
-## August 2016
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |New |
-|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |Updated and added additional scenarios for testing |
-|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated to include info from the original What's New and Overview topics |
-
-## RELEASE: Windows 10, version 1607
-
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
-
-- [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
-- [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
-- [Windows Defender Offline in Windows 10](windows-defender-offline.md)
-- [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)
-- [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)
-- [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)
-- [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)
-- [Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md)
-- [Assign user access to the Windows Defender ATP portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
-- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
-- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-- [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
-
-
-## July 2016
-
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New |
-|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New |
-|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |New |
-|[Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |New |
-|[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (multiple topics) | Updated |
-|[Device Guard deployment guide](device-guard-deployment-guide.md) (multiple topics) | Updated |
-
-
-## June 2016
-
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. |
-| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New |
-| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics |
-| [Windows security baselines](windows-security-baselines.md) | New |
-
-## May 2016
-
-|New or changed topic | Description |
-|----------------------|-------------|
-| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Changed Internet Explorer to Microsoft Edge |
-| [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. |
-| [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content |
-|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated info based on changes to the features and functionality.|
-| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 |
-|[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (mutiple topics) | New |
-
-## April 2016
-
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Protect derived domain credentials with Credential Guard](credential-guard.md) |Clarified Credential Guard protections |
-
-## March 2016
-
-|New or changed topic | Description |
-|----------------------|-------------|
-|[Requirements to use AppLocker](requirements-to-use-applocker.md) |Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 is required to manage AppLocker by using Group Policy.|
-|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Added pre-release content about how to set up and deploy Windows Information Protection (WIP) in an enterprise environment.|
-
-## February 2016
-
-| New or changed topic | Description |
-|----------------------|-------------|
-|[Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) |New |
-|[Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) |New |
-|[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) |New |
-|[Encrypted Hard Drive](encrypted-hard-drive.md) |New |
-
-## January 2016
-
-|New or changed topic |Description |
-|---------------------|------------|
-|[Device Guard deployment guide](device-guard-deployment-guide.md) |Updated recommendations in Bring Your Own Device section |
-|[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) |Updated the prerequisites for an Azure Active Directory/Active Directory hybrid environment |
-|[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) |Updated to clarify that this procedure is not needed for Passport for Work |
-|[Microsoft Passport guide](microsoft-passport-guide.md) |Updated the prerequisites for an Azure Active Directory/Active Directory hybrid environment |
-|[Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) |New |
-
-## December 2015
-
-|New or changed topic |Description |
-|---------------------|------------|
-|[Device Guard certification and compliance](device-guard-certification-and-compliance.md) |Updated |
-|[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) |Updated |
-|[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated |
-|[Security policy settings](security-policy-settings.md) (multiple topics) |Updated |
-
-## November 2015
-
-|New or changed topic |Description |
-|---------------------|-------------|
-|[Windows Defender in Windows 10](windows-defender-in-windows-10.md) |New |
-|[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)|New |
-|[AppLocker](applocker-overview.md) (multiple topics) |Updated |
-|[Device Guard certification and compliance](device-guard-certification-and-compliance.md) |Updated |
-|[Device Guard deployment guide](device-guard-deployment-guide.md) |Updated |
-|[Security auditing](security-auditing-overview.md) (multiple topics) |Updated |
-|[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) |Updated |
-
-## Related topics
-- [Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md)
-- [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
-- [Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md)
-- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
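Review bot: The Windows Defender Advanced Threat Protection row in the removed history reads "(mutiple topics)", and the Event Forwarding row links to `use-windows-event-forwarding-to-assist-in-instrusion-detection.md`. If this change history is being carried over to a new location rather than dropped, fix the "mutiple" typo there, and confirm the "instrusion" spelling matches the real target file name before reusing the link.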
diff --git a/windows/keep-secure/code/example-script.ps1 b/windows/keep-secure/code/example-script.ps1
deleted file mode 100644
index e6563c2378..0000000000
--- a/windows/keep-secure/code/example-script.ps1
+++ /dev/null
@@ -1,60 +0,0 @@
-$authUrl = 'Your Authorization URL'
-$clientId = 'Your Client ID'
-$clientSecret = 'Your Client Secret'
-
-
-Try
-{
- $tokenPayload = @{
- "resource" = 'https://graph.windows.net'
- "client_id" = $clientId
- "client_secret" = $clientSecret
- "grant_type"='client_credentials'}
-
- "Fetching an access token"
- $response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
- $token = $response.access_token
- "Token fetched successfully"
-
- $headers = @{
- "Content-Type" = "application/json"
- "Accept" = "application/json"
- "Authorization" = "Bearer {0}" -f $token }
-
- $apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
-
- $alertDefinitionPayload = @{
- "Name" = "Test Alert"
- "Severity" = "Medium"
- "InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature"
- "Title" = "Test alert."
- "UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled."
- "RecommendedAction" = "No recommended action for this test alert."
- "Category" = "SuspiciousNetworkTraffic"
- "Enabled" = "true"}
- "Creating an Alert Definition"
- $alertDefinition =
- Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
- -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
- "Alert Definition created successfully"
- $alertDefinitionId = $alertDefinition.Id
-
- $iocPayload = @{
- "Type"="IpAddress"
- "Value"="52.184.197.12"
- "DetectionFunction"="Equals"
- "Enabled"="true"
- "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
-
- "Creating an Indicator of Compromise"
- $ioc =
- Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
- -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
- "Indicator of Compromise created successfully"
-
- "All done!"
-}
-Catch
-{
- 'Something went wrong! Got the following exception message: {0}' -f $_.Exception.Message
-}
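Review bot: The sample assigns `$clientSecret = 'Your Client Secret'` as a plaintext literal at the top of the script, so anyone filling in the placeholder ends up with a live credential in a file that is easy to commit or share. If this script is being relocated rather than retired, have it read the secret from an environment variable or a prompt instead. Two smaller points for the same move: the `Catch` block only prints `$_.Exception.Message`, so a caller cannot tell failure from success by exit status, and `"Enabled" = "true"` in both payloads is serialized as a JSON string rather than a boolean.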
diff --git a/windows/keep-secure/code/example.ps1 b/windows/keep-secure/code/example.ps1
deleted file mode 100644
index 6941c80627..0000000000
--- a/windows/keep-secure/code/example.ps1
+++ /dev/null
@@ -1,50 +0,0 @@
-$authUrl = 'Your Authorization URL'
-$clientId = 'Your Client ID'
-$clientSecret = 'Your Client Secret'
-
-$tokenPayload = @{
- "resource"='https://graph.windows.net'
- "client_id" = $clientId
- "client_secret" = $clientSecret
- "grant_type"='client_credentials'}
-
-$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
-$token = $response.access_token
-
-$headers = @{
- "Content-Type"="application/json"
- "Accept"="application/json"
- "Authorization"="Bearer {0}" -f $token }
-
-$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
-
-$alertDefinitions =
- (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
-
-$alertDefinitionPayload = @{
- "Name"= "The alert's name"
- "Severity"= "Low"
- "InternalDescription"= "An internal description of the Alert"
- "Title"= "The Title"
- "UxDescription"= "Description of the alerts"
- "RecommendedAction"= "The alert's recommended action"
- "Category"= "Trojan"
- "Enabled"= "true"}
-
-$alertDefinition =
- Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
- -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
-
-$alertDefinitionId = $alertDefinition.Id
-
-$iocPayload = @{
- "Type"="Sha1"
- "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
- "DetectionFunction"="Equals"
- "Enabled"="true"
- "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
-
-
-$ioc =
- Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
- -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
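Review bot: Nothing between the token request and the API calls checks that `$response.access_token` was actually returned, and unlike example-script.ps1 there is no Try/Catch, so a failed authentication surfaces later as an unrelated error from the AlertDefinitions call. If the sample lives on elsewhere, wrap the calls or test `$token` before building `$headers`. `$alertDefinitions` is also fetched with a GET and never used, so either show the result or drop the call. The `$clientSecret` literal carries the same plaintext-secret concern as in the other script.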
diff --git a/windows/keep-secure/code/example.py b/windows/keep-secure/code/example.py
deleted file mode 100644
index 6203b5230b..0000000000
--- a/windows/keep-secure/code/example.py
+++ /dev/null
@@ -1,51 +0,0 @@
-import json
-import requests
-from pprint import pprint
-
-auth_url="Your Authorization URL"
-client_id="Your Client ID"
-client_secret="Your Client Secret"
-
-payload = {"resource": "https://graph.windows.net",
- "client_id": client_id,
- "client_secret": client_secret,
- "grant_type": "client_credentials"}
-
-response = requests.post(auth_url, payload)
-token = json.loads(response.text)["access_token"]
-
-with requests.Session() as session:
- session.headers = {
- 'Authorization': 'Bearer {}'.format(token),
- 'Content-Type': 'application/json',
- 'Accept': 'application/json'}
-
- response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
- pprint(json.loads(response.text))
-
- alert_definition = {"Name": "The alert's name",
- "Severity": "Low",
- "InternalDescription": "An internal description of the alert",
- "Title": "The Title",
- "UxDescription": "Description of the alerts",
- "RecommendedAction": "The alert's recommended action",
- "Category": "Trojan",
- "Enabled": True}
-
- response = session.post(
- "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
- json=alert_definition)
-
- alert_definition_id = json.loads(response.text)["Id"]
-
- ioc = {'Type': "Sha1",
- 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
- 'DetectionFunction': "Equals",
- 'Enabled': True,
- "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
-
- response = session.post(
- "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
- json=ioc)
-
- pprint(json.loads(response.text))
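Review bot: `token = json.loads(response.text)["access_token"]` runs with no status check, so a rejected client secret shows up as a `KeyError` instead of the authorization error the service returned; the same applies to `json.loads(response.text)["Id"]` after the AlertDefinitions POST. If this sample is kept anywhere, call `response.raise_for_status()` after each request and use `response.json()`. Assigning a plain dict to `session.headers` also replaces the session's default headers; `session.headers.update({...})` keeps them. `client_secret` as a module-level literal has the same plaintext-secret problem as the PowerShell samples.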
diff --git a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md
deleted file mode 100644
index 64602d97ae..0000000000
--- a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md
+++ /dev/null
@@ -1,120 +0,0 @@
----
-title: Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune (Windows 10)
-description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
-ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b
-keywords: WIP, Enterprise Data Protection
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
-localizationpriority: high
----
-
-# Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune
-**Applies to:**
-
-- Windows 10, version 1607
-- Windows 10 Mobile
-
-After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
-
-## Create your VPN policy using Microsoft Intune
-Follow these steps to create the VPN policy you want to use with WIP.
-
-**To create your VPN policy**
-
-1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
-
-2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
-
- 
-
-3. Type *Contoso_VPN_Win10* into the **Name** box, along with an optional description for your policy into the **Description** box.
-
- 
-
-4. In the **VPN Settings** area, type the following info:
-
- - **VPN connection name.** This name is also what appears to your employees, so it's important that it be clear and understandable.
-
- - **Connection type.** Pick the connection type that matches your infrastructure. The options are **Pulse Secure**, **F5 Edge Client**, **Dell SonicWALL Mobile Connect**, or **Check Point Capsule VPN**.
-
- - **VPN server description.** A descriptive name for this connection. Only you will see it, but it should be unique and readable.
-
- - **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN).
-
- 
-
-5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.
-It's your choice whether you check the box to **Remember the user credentials at each logon**.
-
- 
-
-6. You can leave the rest of the default or blank settings, and then click **Save Policy**.
-
-## Deploy your VPN policy using Microsoft Intune
-After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
-
-**To deploy your VPN policy**
-
-1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
-
-2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
-The added people move to the **Selected Groups** list on the right-hand pane.
-
- 
-
-3. After you've picked all of the employees and groups that should get the policy, click **OK**.
-The policy is deployed to the selected users' devices.
-
-## Link your WIP and VPN policies and deploy the custom configuration policy
-The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EDPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies
-
-**To link your VPN policy**
-
-1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
-
-2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
-
- 
-
-3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-
- 
-
-4. In the **OMA-URI Settings** area, click **Add** to add your **EDPModeID** info.
-
-5. In the **OMA-URI Settings** area, type the following info:
-
- - **Setting name.** Type **EDPModeID** as the name.
-
- - **Data type.** Pick the **String** data type.
-
- - **OMA-URI.** Type `./Vendor/MSFT/VPNv2//EDPModeId`, replacing <*VPNProfileName*> with the name you gave to your VPN policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EDPModeId`.
-
- - **Value.** Your fully-qualified domain that should be used by the OMA-URI setting.
-
- 
-
-6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.**
-
-
- **To deploy your linked policy**
-
-1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
-
-2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. The added people move to the **Selected Groups** list on the right-hand pane.
-
- 
-
-3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices.
-
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
-
-
-
-
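Review bot: In the **OMA-URI** bullet of the "To link your VPN policy" steps, the path is written as `./Vendor/MSFT/VPNv2//EDPModeId` with an empty segment, while the same sentence tells the reader to replace <*VPNProfileName*>; the placeholder was evidently lost from the code span, and only the following example (`./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EDPModeId`) shows where the profile name goes. Wherever this content now lives, make sure the placeholder appears inside the path. The intro sentence of that section ("...the same group you deployed your WIP and VPN policies") is also missing its closing period.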
diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md
deleted file mode 100644
index 76ded492c6..0000000000
--- a/windows/keep-secure/create-wip-policy-using-intune.md
+++ /dev/null
@@ -1,480 +0,0 @@
----
-title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
-description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
-ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
-localizationpriority: high
----
-
-# Create a Windows Information Protection (WIP) policy using Microsoft Intune
-
-**Applies to:**
-
-- Windows 10, version 1703
-- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop)
-
-Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
-
-## Add a WIP policy
-After you’ve set up Intune for your organization, you must create a WIP-specific policy.
-
-**To add a WIP policy**
-1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area.
-
-2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
-
- 
-
-3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-
- 
-
-### Add app rules to your policy
-During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
-
-The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
-
->[!Important]
->WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
-
-
->[!Note]
->If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
-
-#### Add a store app rule to your policy
-For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
-
-**To add a store app**
-1. From the **App Rules** area, click **Add**.
-
- The **Add App Rule** box appears.
-
- 
-
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
-
-3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
-
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic.
-
-4. Pick **Store App** from the **Rule template** drop-down list.
-
- The box changes to show the store app rule options.
-
-5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
-
-If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
-
-**To find the Publisher and Product Name values for Store apps without installing them**
-1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
-
- >**Note** If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
-
-2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
-
-3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
-
- The API runs and opens a text editor with the app details.
-
- ```json
- {
- "packageIdentityName": "Microsoft.Office.OneNote",
- "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
- }
- ```
-
-4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
-
- >[!Important]
- >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
For example:
- ```json
- {
- "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- }
- ```
-
-**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
-1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
-
- >**Note** Your PC and phone must be on the same wireless network.
-
-2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
-
-3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
-
-4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
-
-5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
-
-6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
-
-7. Start the app for which you're looking for the publisher and product name values.
-
-8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
-
- >[!Important]
- >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
For example:
- ```json
- {
- "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- }
- ```
-
-#### Add a desktop app rule to your policy
-For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list.
-
-**To add a desktop app**
-1. From the **App Rules** area, click **Add**.
-
- The **Add App Rule** box appears.
-
- 
-
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
-
-3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
-
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic.
-
-4. Pick **Desktop App** from the **Rule template** drop-down list.
-
- The box changes to show the store app rule options.
-
-5. Pick the options you want to include for the app rule (see table), and then click **OK**.
-
-
-
-
Option
-
Manages
-
-
-
All fields left as “*”
-
All files signed by any publisher. (Not recommended)
-
-
-
Publisher selected
-
All files signed by the named publisher.
This might be useful if your company is the publisher and signer of internal line-of-business apps.
-
-
-
Publisher and Product Name selected
-
All files for the specified product, signed by the named publisher.
-
-
-
Publisher, Product Name, and Binary name selected
-
Any version of the named file or package for the specified product, signed by the named publisher.
-
-
-
Publisher, Product Name, Binary name, and File Version, and above, selected
-
Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.
This option is recommended for enlightened apps that weren't previously enlightened.
-
-
-
Publisher, Product Name, Binary name, and File Version, And below selected
-
Specified version or older releases of the named file or package for the specified product, signed by the named publisher.
-
-
-
Publisher, Product Name, Binary name, and File Version, Exactly selected
-
Specified version of the named file or package for the specified product, signed by the named publisher.
-
-
-
-If you’re unsure about what to include for the publisher, you can run this PowerShell command:
-
-```ps1
- Get-AppLockerFileInformation -Path ""
-```
-Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
-
-In this example, you'd get the following info:
-
-``` json
- Path Publisher
- ---- ---------
- %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
-```
-Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
-
-#### Add an AppLocker policy file
-For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
-
-**To create an app rule and xml file using the AppLocker tool**
-1. Open the Local Security Policy snap-in (SecPol.msc).
-
-2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
-
- 
-
-3. Right-click in the right-hand pane, and then click **Create New Rule**.
-
- The **Create Packaged app Rules** wizard appears.
-
-4. On the **Before You Begin** page, click **Next**.
-
- 
-
-5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
-
- 
-
-6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
-
- 
-
-7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos.
-
- 
-
-8. On the updated **Publisher** page, click **Create**.
-
- 
-
-9. Review the Local Security Policy snap-in to make sure your rule is correct.
-
- 
-
-10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
-
- The **Export policy** box opens, letting you export and save your new policy as XML.
-
- 
-
-11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
-
- The policy is saved and you’ll see a message that says 1 rule was exported from the policy.
-
- **Example XML file**
- This is the XML file that AppLocker creates for Microsoft Photos.
-
- ```xml
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ```
-12. After you’ve created your XML file, you need to import it by using Microsoft Intune.
-
-**To import your Applocker policy file app rule using Microsoft Intune**
-1. From the **App Rules** area, click **Add**.
-
- The **Add App Rule** box appears.
-
- 
-
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*.
-
-3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
-
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic.
-
-4. Pick **AppLocker policy file** from the **Rule template** drop-down list.
-
- The box changes to let you import your AppLocker XML policy file.
-
-5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box.
-
- The file is imported and the apps are added to your **App Rules** list.
-
-#### Exempt apps from WIP restrictions
-If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
-
-**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
-1. From the **App Rules** area, click **Add**.
-
- The **Add App Rule** box appears.
-
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*.
-
-3. Click **Exempt** from the **Windows Information Protection mode** drop-down list.
-
- Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
-
-4. Fill out the rest of the app rule info, based on the type of rule you’re adding:
-
- - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic.
-
- - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic.
-
- - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps.
-
-5. Click **OK**.
-
-### Manage the WIP protection mode for your enterprise data
-After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
-
-We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
-
-|Mode |Description |
-|-----|------------|
-|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
-|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
-|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
-|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
-
-
-
-### Define your enterprise-managed corporate identity
-Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
-
-You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
-
-**To add your corporate identity**
-- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
-
- 
-
-### Choose where apps can access enterprise data
-After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
-
-There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
-
->[!IMPORTANT]
->Every WIP policy should include policy that defines your enterprise network locations.
->Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
-
-**To define where your protected apps can find and send enterprise data on you network**
-
-1. Add additional network locations your apps can access by clicking **Add**.
-
- The **Add or edit corporate network definition** box appears.
-
-2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
-
- 
-
-
-
-
Network location type
-
Format
-
Description
-
-
-
Enterprise Cloud Resources
-
With proxy: contoso.sharepoint.com,contoso.internalproxy1.com| contoso.visualstudio.com,contoso.internalproxy2.com
Without proxy: contoso.sharepoint.com|contoso.visualstudio.com
-
Specify the cloud resources to be treated as corporate and protected by WIP.
For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.
If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.
Important In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.
When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
-
-
-
Enterprise Network Domain Names (Required)
-
corp.contoso.com,region.contoso.com
-
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.
If you have multiple resources, you must separate them using the "," delimiter.
-
-
-
Enterprise Proxy Servers
-
proxy.contoso.com:80;proxy2.contoso.com:443
-
Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.
This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.
This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.
If you have multiple resources, you must separate them using the ";" delimiter.
Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
If you have multiple ranges, you must separate them using the "," delimiter.
-
-
-
Enterprise IPv6 Range (Required, if not using IPv4)
Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
If you have multiple ranges, you must separate them using the "," delimiter.
-
-
-
Neutral Resources
-
sts.contoso.com,sts.contoso2.com
-
Specify your authentication redirection endpoints for your company.
These locations are considered enterprise or personal, based on the context of the connection before the redirection.
If you have multiple resources, you must separate them using the "," delimiter.
-
-
-
-3. Add as many locations as you need, and then click **OK**.
-
- The **Add corporate network definition** box closes.
-
-4. Decide if you want to Windows to look for additional network settings:
-
- 
-
- - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
-
- - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
-
-5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
-
- 
-
- After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
-
- For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
-
-### Choose to set up Azure Rights Management with WIP
-WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
-
-To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
-
-Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option.
-
->[!NOTE]
->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
-
-### Choose your optional WIP-related settings
-After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings.
-
-
-
-**To set your optional settings**
-1. Choose to set any or all of the optional settings:
-
- - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
-
- - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box.
-
- - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
-
- - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
-
- - **Yes (recommended).** Turns on the feature and provides the additional protection.
-
- - **No, or not configured.** Doesn't enable this feature.
-
- - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
-
- - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
-
- - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions.
-
- - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
-
- - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
-
- - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
-
- - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
-
- - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu.
-
- - **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option.
-
-2. Click **Save Policy**.
-
-## Related topics
-- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
-- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
-- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
-- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
-- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
-- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
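Review bot: In the Enterprise Cloud Resources row of the removed table, the delimiter rule contradicts its own example: the text says that without proxy servers you must still put the "," just before the "|", but the "Without proxy" sample reads `contoso.sharepoint.com|contoso.visualstudio.com` with no comma. If this topic is being relocated rather than retired, settle which form is correct in the destination copy. The same pass should restore the Enterprise IPv4 Range row heading, whose description currently runs straight on from the Enterprise Proxy Servers text, and fix "on you network" and "if you want to Windows to look".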
diff --git a/windows/keep-secure/credential-guard-not-protected-scenarios.md b/windows/keep-secure/credential-guard-not-protected-scenarios.md
deleted file mode 100644
index 6206dbe532..0000000000
--- a/windows/keep-secure/credential-guard-not-protected-scenarios.md
+++ /dev/null
@@ -1,159 +0,0 @@
----
-title: Scenarios not protected by Credential Guard (Windows 10)
-description: Scenarios not protected by Credential Guard in Windows 10.
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: high
-author: brianlic-msft
----
-
-# Scenarios not protected by Credential Guard
-
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
-Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
-in the Deep Dive into Credential Guard video series.
-
-Some ways to store credentials are not protected by Credential Guard, including:
-
-- Software that manages credentials outside of Windows feature protection
-- Local accounts and Microsoft Accounts
-- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
-- Key loggers
-- Physical attacks
-- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
-- Third-party security packages
-- Digest and CredSSP credentials
- - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
-- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.
-
-For further information, see video: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
-
-## Additional mitigations
-
-Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
-
-### Restricting domain users to specific domain-joined devices
-
-Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
-
-### Kerberos armoring
-
-Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
-
-**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
-
-- Users need to be in domains that are running Windows Server 2012 R2 or higher
-- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
-- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
-
-### Protecting domain-joined device secrets
-
-Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
-
-Domain-joined device certificate authentication has the following requirements:
-- Devices' accounts are in Windows Server 2012 domain functional level or higher.
-- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
- - KDC EKU present
- - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
-- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
-- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
-
-#### Deploying domain-joined device certificates
-
-To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
-
-For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
-
-**Creating a new certificate template**
-
-1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
-2. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
-3. Right-click the new template, and then click **Properties**.
-4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
-5. Click **Client Authentication**, and then click **Remove**.
-6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
- - Name: Kerberos Client Auth
- - Object Identifier: 1.3.6.1.5.2.3.4
-7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
-8. Under **Issuance Policies**, click**High Assurance**.
-9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
-
-Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
-
-**Enrolling devices in a certificate**
-
-Run the following command:
-``` syntax
-CertReq -EnrollCredGuardCert MachineAuthentication
-```
-
-> [!NOTE]
-> You must restart the device after enrolling the machine authentication certificate.
-
-#### How a certificate issuance policy can be used for access control
-
-Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
-
-**To see the issuance policies available**
-
-- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
- From a Windows PowerShell command prompt, run the following command:
-
- ``` syntax
- .\get-IssuancePolicy.ps1 –LinkedToGroup:All
- ```
-
-**To link an issuance policy to a universal security group**
-
-- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
- From a Windows PowerShell command prompt, run the following command:
-
- ``` syntax
- .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
- ```
-
-### Restricting user sign on
-
-So we now have completed the following:
-
-- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
-- Mapped that policy to a universal security group or claim
-- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
-
-Authentication policies have the following requirements:
-- User accounts are in a Windows Server 2012 domain functional level or higher domain.
-
-**Creating an authentication policy restricting users to the specific universal security group**
-
-1. Open Active Directory Administrative Center.
-2. Click **Authentication**, click **New**, and then click **Authentication Policy**.
-3. In the **Display name** box, enter a name for this authentication policy.
-4. Under the **Accounts** heading, click **Add**.
-5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
-6. Under the **User Sign On** heading, click the **Edit** button.
-7. Click **Add a condition**.
-8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**.
-9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
-10. Click **OK** to close the **Edit Access Control Conditions** box.
-11. Click **OK** to create the authentication policy.
-12. Close Active Directory Administrative Center.
-
-> [!NOTE]
-> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
-
-#### Discovering authentication failures due to authentication policies
-
-To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
-
-To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
-
-## See also
-
-**Deep Dive into Credential Guard: Related videos**
-
-[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
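Review bot: The two script links under "How a certificate issuance policy can be used for access control" point at `#bkmk-getscript` and `#bkmk-setscript`, but none of the 159 removed lines defines either anchor, so the steps reference scripts this page never carried. If the topic is being moved, link to the topic that actually holds the scripts, and replace the empty `–IssuancePolicyName:"" –groupOU:"" –groupName:”"` arguments with named placeholders so it is clear what each one takes. In the "Discovering authentication failures" step, the bold span also starts at the log path and ends after the log name, swallowing the words "right-click", and step 8 of the template procedure is missing a space in "click**High Assurance**".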
diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json
new file mode 100644
index 0000000000..8d60cf1552
--- /dev/null
+++ b/windows/keep-secure/docfx.json
@@ -0,0 +1,37 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {},
+ "fileMetadata": {},
+ "template": [],
+ "dest": "keep-secure"
+ }
+}
\ No newline at end of file
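Review bot: The `resource` block matches only `**/*.png` and `**/*.jpg`, while this same change set still lists `.gif` files under `windows/keep-secure/images` (deleted here). Confirm that no topic built from this docset still references a `.gif` or any other image type, or add the pattern to the `resource` `files` list, since unmatched images would not be picked up as resources for the `keep-secure` output. The file also ends without a trailing newline.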
diff --git a/windows/keep-secure/images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif b/windows/keep-secure/images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif
deleted file mode 100644
index 374b1fe60e..0000000000
Binary files a/windows/keep-secure/images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif and /dev/null differ
diff --git a/windows/keep-secure/images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif b/windows/keep-secure/images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif
deleted file mode 100644
index 60246363c0..0000000000
Binary files a/windows/keep-secure/images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif and /dev/null differ
diff --git a/windows/keep-secure/images/add-user.png b/windows/keep-secure/images/add-user.png
deleted file mode 100644
index 45b52bbc4d..0000000000
Binary files a/windows/keep-secure/images/add-user.png and /dev/null differ
diff --git a/windows/keep-secure/images/adsi-edit.png b/windows/keep-secure/images/adsi-edit.png
deleted file mode 100644
index 2d0c4d0af7..0000000000
Binary files a/windows/keep-secure/images/adsi-edit.png and /dev/null differ
diff --git a/windows/keep-secure/images/alertsq.png b/windows/keep-secure/images/alertsq.png
deleted file mode 100644
index b89dab8196..0000000000
Binary files a/windows/keep-secure/images/alertsq.png and /dev/null differ
diff --git a/windows/keep-secure/images/alertsq2.png b/windows/keep-secure/images/alertsq2.png
deleted file mode 100644
index 8e823cd9c7..0000000000
Binary files a/windows/keep-secure/images/alertsq2.png and /dev/null differ
diff --git a/windows/keep-secure/images/assign-users.png b/windows/keep-secure/images/assign-users.png
deleted file mode 100644
index 87c529be50..0000000000
Binary files a/windows/keep-secure/images/assign-users.png and /dev/null differ
diff --git a/windows/keep-secure/images/auditpol-guid-list.png b/windows/keep-secure/images/auditpol-guid-list.png
deleted file mode 100644
index d69583ad89..0000000000
Binary files a/windows/keep-secure/images/auditpol-guid-list.png and /dev/null differ
diff --git a/windows/keep-secure/images/auditpol.png b/windows/keep-secure/images/auditpol.png
deleted file mode 100644
index cabf86563d..0000000000
Binary files a/windows/keep-secure/images/auditpol.png and /dev/null differ
diff --git a/windows/keep-secure/images/azure-active-directory-list.png b/windows/keep-secure/images/azure-active-directory-list.png
deleted file mode 100644
index 1a126b049d..0000000000
Binary files a/windows/keep-secure/images/azure-active-directory-list.png and /dev/null differ
diff --git a/windows/keep-secure/images/azure-active-directory.png b/windows/keep-secure/images/azure-active-directory.png
deleted file mode 100644
index b6e3efec10..0000000000
Binary files a/windows/keep-secure/images/azure-active-directory.png and /dev/null differ
diff --git a/windows/keep-secure/images/azure-browse.png b/windows/keep-secure/images/azure-browse.png
deleted file mode 100644
index 929c6050b4..0000000000
Binary files a/windows/keep-secure/images/azure-browse.png and /dev/null differ
diff --git a/windows/keep-secure/images/azure-org-directory.png b/windows/keep-secure/images/azure-org-directory.png
deleted file mode 100644
index dbb20d17eb..0000000000
Binary files a/windows/keep-secure/images/azure-org-directory.png and /dev/null differ
diff --git a/windows/keep-secure/images/azure-signout.png b/windows/keep-secure/images/azure-signout.png
deleted file mode 100644
index 29dd863029..0000000000
Binary files a/windows/keep-secure/images/azure-signout.png and /dev/null differ
diff --git a/windows/keep-secure/images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif b/windows/keep-secure/images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif
deleted file mode 100644
index 2d1bf229c3..0000000000
Binary files a/windows/keep-secure/images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif and /dev/null differ
diff --git a/windows/keep-secure/images/bt-passcode.png b/windows/keep-secure/images/bt-passcode.png
deleted file mode 100644
index 4941075883..0000000000
Binary files a/windows/keep-secure/images/bt-passcode.png and /dev/null differ
diff --git a/windows/keep-secure/images/btpair.png b/windows/keep-secure/images/btpair.png
deleted file mode 100644
index 16c087111d..0000000000
Binary files a/windows/keep-secure/images/btpair.png and /dev/null differ
diff --git a/windows/keep-secure/images/changes-icon.png b/windows/keep-secure/images/changes-icon.png
deleted file mode 100644
index 6cf9d4eb8c..0000000000
Binary files a/windows/keep-secure/images/changes-icon.png and /dev/null differ
diff --git a/windows/keep-secure/images/check-icon.png b/windows/keep-secure/images/check-icon.png
deleted file mode 100644
index 20d181d703..0000000000
Binary files a/windows/keep-secure/images/check-icon.png and /dev/null differ
diff --git a/windows/keep-secure/images/comments-icon.png b/windows/keep-secure/images/comments-icon.png
deleted file mode 100644
index bf54738910..0000000000
Binary files a/windows/keep-secure/images/comments-icon.png and /dev/null differ
diff --git a/windows/keep-secure/images/comments.png b/windows/keep-secure/images/comments.png
deleted file mode 100644
index 360aa79d2d..0000000000
Binary files a/windows/keep-secure/images/comments.png and /dev/null differ
diff --git a/windows/keep-secure/images/confirm-user-access.png b/windows/keep-secure/images/confirm-user-access.png
deleted file mode 100644
index 6199186405..0000000000
Binary files a/windows/keep-secure/images/confirm-user-access.png and /dev/null differ
diff --git a/windows/keep-secure/images/contoso-active-directory.png b/windows/keep-secure/images/contoso-active-directory.png
deleted file mode 100644
index 1a126b049d..0000000000
Binary files a/windows/keep-secure/images/contoso-active-directory.png and /dev/null differ
diff --git a/windows/keep-secure/images/contoso-application.png b/windows/keep-secure/images/contoso-application.png
deleted file mode 100644
index 66cd9ac852..0000000000
Binary files a/windows/keep-secure/images/contoso-application.png and /dev/null differ
diff --git a/windows/keep-secure/images/contoso-users.png b/windows/keep-secure/images/contoso-users.png
deleted file mode 100644
index 39a6d1a7eb..0000000000
Binary files a/windows/keep-secure/images/contoso-users.png and /dev/null differ
diff --git a/windows/keep-secure/images/contoso.png b/windows/keep-secure/images/contoso.png
deleted file mode 100644
index 8c72d9ac32..0000000000
Binary files a/windows/keep-secure/images/contoso.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender-gp-defsharesfield.png b/windows/keep-secure/images/defender-gp-defsharesfield.png
deleted file mode 100644
index bd40c53930..0000000000
Binary files a/windows/keep-secure/images/defender-gp-defsharesfield.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender-gp-defsourcefield.png b/windows/keep-secure/images/defender-gp-defsourcefield.png
deleted file mode 100644
index 9ce64c0b3c..0000000000
Binary files a/windows/keep-secure/images/defender-gp-defsourcefield.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender-scanarchivecpu.png b/windows/keep-secure/images/defender-scanarchivecpu.png
deleted file mode 100644
index 03f469da10..0000000000
Binary files a/windows/keep-secure/images/defender-scanarchivecpu.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender-scanarchivedepth.png b/windows/keep-secure/images/defender-scanarchivedepth.png
deleted file mode 100644
index 051b12d342..0000000000
Binary files a/windows/keep-secure/images/defender-scanarchivedepth.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender-scanarchivefiles.png b/windows/keep-secure/images/defender-scanarchivefiles.png
deleted file mode 100644
index 64b8a47f65..0000000000
Binary files a/windows/keep-secure/images/defender-scanarchivefiles.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender-scanarchivesize.png b/windows/keep-secure/images/defender-scanarchivesize.png
deleted file mode 100644
index 3c2d70974c..0000000000
Binary files a/windows/keep-secure/images/defender-scanarchivesize.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender-scanemailfiles.png b/windows/keep-secure/images/defender-scanemailfiles.png
deleted file mode 100644
index 8d03c9c1c2..0000000000
Binary files a/windows/keep-secure/images/defender-scanemailfiles.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender/detection-source.png b/windows/keep-secure/images/defender/detection-source.png
deleted file mode 100644
index 7d471dc22d..0000000000
Binary files a/windows/keep-secure/images/defender/detection-source.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender/download-wdo.png b/windows/keep-secure/images/defender/download-wdo.png
deleted file mode 100644
index 50d2fc3152..0000000000
Binary files a/windows/keep-secure/images/defender/download-wdo.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender/enhanced-notifications.png b/windows/keep-secure/images/defender/enhanced-notifications.png
deleted file mode 100644
index 8317458416..0000000000
Binary files a/windows/keep-secure/images/defender/enhanced-notifications.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender/gp.png b/windows/keep-secure/images/defender/gp.png
deleted file mode 100644
index 8b57c7b45c..0000000000
Binary files a/windows/keep-secure/images/defender/gp.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender/malware-detected.png b/windows/keep-secure/images/defender/malware-detected.png
deleted file mode 100644
index 91fce5a44b..0000000000
Binary files a/windows/keep-secure/images/defender/malware-detected.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender/order-update-sources-wdav.png b/windows/keep-secure/images/defender/order-update-sources-wdav.png
deleted file mode 100644
index 904f314699..0000000000
Binary files a/windows/keep-secure/images/defender/order-update-sources-wdav.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender/quarantine.png b/windows/keep-secure/images/defender/quarantine.png
deleted file mode 100644
index 6a908aedec..0000000000
Binary files a/windows/keep-secure/images/defender/quarantine.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender/settings-wdo.png b/windows/keep-secure/images/defender/settings-wdo.png
deleted file mode 100644
index 23412856b0..0000000000
Binary files a/windows/keep-secure/images/defender/settings-wdo.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender/ux-config-key.png b/windows/keep-secure/images/defender/ux-config-key.png
deleted file mode 100644
index 3e2d966342..0000000000
Binary files a/windows/keep-secure/images/defender/ux-config-key.png and /dev/null differ
diff --git a/windows/keep-secure/images/defender/ux-uilockdown-key.png b/windows/keep-secure/images/defender/ux-uilockdown-key.png
deleted file mode 100644
index 86d1b4b249..0000000000
Binary files a/windows/keep-secure/images/defender/ux-uilockdown-key.png and /dev/null differ
diff --git a/windows/keep-secure/images/detection-source.png b/windows/keep-secure/images/detection-source.png
deleted file mode 100644
index 7d471dc22d..0000000000
Binary files a/windows/keep-secure/images/detection-source.png and /dev/null differ
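Review bot: This file has the same blob id (`7d471dc22d`) as `windows/keep-secure/images/defender/detection-source.png`, deleted earlier in this patch, so the two were byte-identical copies. If the images are being relocated rather than dropped, carry over a single copy and point both referencing topics at it.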
diff --git a/windows/keep-secure/images/expand.png b/windows/keep-secure/images/expand.png
deleted file mode 100644
index aba33dc51f..0000000000
Binary files a/windows/keep-secure/images/expand.png and /dev/null differ
diff --git a/windows/keep-secure/images/export-sccm.png b/windows/keep-secure/images/export-sccm.png
deleted file mode 100644
index 62ed43e9e7..0000000000
Binary files a/windows/keep-secure/images/export-sccm.png and /dev/null differ
diff --git a/windows/keep-secure/images/faa393df-4856-4431-9eda-4f4e5be72a90.gif b/windows/keep-secure/images/faa393df-4856-4431-9eda-4f4e5be72a90.gif
deleted file mode 100644
index d3c8021646..0000000000
Binary files a/windows/keep-secure/images/faa393df-4856-4431-9eda-4f4e5be72a90.gif and /dev/null differ
diff --git a/windows/keep-secure/images/machine-investigation.png b/windows/keep-secure/images/machine-investigation.png
deleted file mode 100644
index d9ef2ad4a2..0000000000
Binary files a/windows/keep-secure/images/machine-investigation.png and /dev/null differ
diff --git a/windows/keep-secure/images/machines-view.png b/windows/keep-secure/images/machines-view.png
deleted file mode 100644
index f1d00f4035..0000000000
Binary files a/windows/keep-secure/images/machines-view.png and /dev/null differ
diff --git a/windows/keep-secure/images/manage-alert-menu.png b/windows/keep-secure/images/manage-alert-menu.png
deleted file mode 100644
index 27f2129dbf..0000000000
Binary files a/windows/keep-secure/images/manage-alert-menu.png and /dev/null differ
diff --git a/windows/keep-secure/images/mva_videos.png b/windows/keep-secure/images/mva_videos.png
deleted file mode 100644
index 2a785874bd..0000000000
Binary files a/windows/keep-secure/images/mva_videos.png and /dev/null differ
diff --git a/windows/keep-secure/images/net-helpmsg-58.png b/windows/keep-secure/images/net-helpmsg-58.png
deleted file mode 100644
index 53f96107ea..0000000000
Binary files a/windows/keep-secure/images/net-helpmsg-58.png and /dev/null differ
diff --git a/windows/keep-secure/images/oma-uri.png b/windows/keep-secure/images/oma-uri.png
deleted file mode 100644
index 00cfe55d01..0000000000
Binary files a/windows/keep-secure/images/oma-uri.png and /dev/null differ
diff --git a/windows/keep-secure/images/onboardingstate.png b/windows/keep-secure/images/onboardingstate.png
deleted file mode 100644
index ab49c49e17..0000000000
Binary files a/windows/keep-secure/images/onboardingstate.png and /dev/null differ
diff --git a/windows/keep-secure/images/passport-fig1.png b/windows/keep-secure/images/passport-fig1.png
deleted file mode 100644
index 3144e48b59..0000000000
Binary files a/windows/keep-secure/images/passport-fig1.png and /dev/null differ
diff --git a/windows/keep-secure/images/passport-fig2-pinimmeduse.png b/windows/keep-secure/images/passport-fig2-pinimmeduse.png
deleted file mode 100644
index d52ab7168e..0000000000
Binary files a/windows/keep-secure/images/passport-fig2-pinimmeduse.png and /dev/null differ
diff --git a/windows/keep-secure/images/passport-fig4-join.png b/windows/keep-secure/images/passport-fig4-join.png
deleted file mode 100644
index 367d78a5aa..0000000000
Binary files a/windows/keep-secure/images/passport-fig4-join.png and /dev/null differ
diff --git a/windows/keep-secure/images/phone-signin-device-select.png b/windows/keep-secure/images/phone-signin-device-select.png
deleted file mode 100644
index a002efa427..0000000000
Binary files a/windows/keep-secure/images/phone-signin-device-select.png and /dev/null differ
diff --git a/windows/keep-secure/images/phone-signin-menu.png b/windows/keep-secure/images/phone-signin-menu.png
deleted file mode 100644
index 4672433344..0000000000
Binary files a/windows/keep-secure/images/phone-signin-menu.png and /dev/null differ
diff --git a/windows/keep-secure/images/phone-signin-settings.png b/windows/keep-secure/images/phone-signin-settings.png
deleted file mode 100644
index e0ae827426..0000000000
Binary files a/windows/keep-secure/images/phone-signin-settings.png and /dev/null differ
diff --git a/windows/keep-secure/images/portal-image.png b/windows/keep-secure/images/portal-image.png
deleted file mode 100644
index c038da30de..0000000000
Binary files a/windows/keep-secure/images/portal-image.png and /dev/null differ
diff --git a/windows/keep-secure/images/portal.png b/windows/keep-secure/images/portal.png
deleted file mode 100644
index 7bc1d56ed3..0000000000
Binary files a/windows/keep-secure/images/portal.png and /dev/null differ
diff --git a/windows/keep-secure/images/portqry.png b/windows/keep-secure/images/portqry.png
deleted file mode 100644
index e14de2dc2d..0000000000
Binary files a/windows/keep-secure/images/portqry.png and /dev/null differ
diff --git a/windows/keep-secure/images/proxy-settings.png b/windows/keep-secure/images/proxy-settings.png
deleted file mode 100644
index 717e483a89..0000000000
Binary files a/windows/keep-secure/images/proxy-settings.png and /dev/null differ
diff --git a/windows/keep-secure/images/psexec-cmd.png b/windows/keep-secure/images/psexec-cmd.png
deleted file mode 100644
index dd35045531..0000000000
Binary files a/windows/keep-secure/images/psexec-cmd.png and /dev/null differ
diff --git a/windows/keep-secure/images/pua1.png b/windows/keep-secure/images/pua1.png
deleted file mode 100644
index f3d96a245a..0000000000
Binary files a/windows/keep-secure/images/pua1.png and /dev/null differ
diff --git a/windows/keep-secure/images/pua2.png b/windows/keep-secure/images/pua2.png
deleted file mode 100644
index 72ffa10aa5..0000000000
Binary files a/windows/keep-secure/images/pua2.png and /dev/null differ
diff --git a/windows/keep-secure/images/registry-editor.png b/windows/keep-secure/images/registry-editor.png
deleted file mode 100644
index 5b3c291a9a..0000000000
Binary files a/windows/keep-secure/images/registry-editor.png and /dev/null differ
diff --git a/windows/keep-secure/images/remove-menu.png b/windows/keep-secure/images/remove-menu.png
deleted file mode 100644
index 04c622a051..0000000000
Binary files a/windows/keep-secure/images/remove-menu.png and /dev/null differ
diff --git a/windows/keep-secure/images/resolve-alert.png b/windows/keep-secure/images/resolve-alert.png
deleted file mode 100644
index ffd43633fd..0000000000
Binary files a/windows/keep-secure/images/resolve-alert.png and /dev/null differ
diff --git a/windows/keep-secure/images/sc-query-diagtrack.png b/windows/keep-secure/images/sc-query-diagtrack.png
deleted file mode 100644
index 1fd1031ae8..0000000000
Binary files a/windows/keep-secure/images/sc-query-diagtrack.png and /dev/null differ
diff --git a/windows/keep-secure/images/sc-query-sense-autostart.png b/windows/keep-secure/images/sc-query-sense-autostart.png
deleted file mode 100644
index 814513a98c..0000000000
Binary files a/windows/keep-secure/images/sc-query-sense-autostart.png and /dev/null differ
diff --git a/windows/keep-secure/images/sc-query-sense-running.png b/windows/keep-secure/images/sc-query-sense-running.png
deleted file mode 100644
index 0e537a3e96..0000000000
Binary files a/windows/keep-secure/images/sc-query-sense-running.png and /dev/null differ
diff --git a/windows/keep-secure/images/sc-query-sense.png b/windows/keep-secure/images/sc-query-sense.png
deleted file mode 100644
index 0e537a3e96..0000000000
Binary files a/windows/keep-secure/images/sc-query-sense.png and /dev/null differ
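Review bot: `sc-query-sense.png` and `sc-query-sense-running.png` are deleted with the same blob id (`0e537a3e96`), so they were duplicates of one screenshot. If these assets reappear under a new path in this change, keep one file and update the image references rather than moving both.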
diff --git a/windows/keep-secure/images/sccm-primary-domain.png b/windows/keep-secure/images/sccm-primary-domain.png
deleted file mode 100644
index ca2c5a0b78..0000000000
Binary files a/windows/keep-secure/images/sccm-primary-domain.png and /dev/null differ
diff --git a/windows/keep-secure/images/security-fig1-invalidaccess.png b/windows/keep-secure/images/security-fig1-invalidaccess.png
deleted file mode 100644
index 8aa3535761..0000000000
Binary files a/windows/keep-secure/images/security-fig1-invalidaccess.png and /dev/null differ
diff --git a/windows/keep-secure/images/security-fig10-optinsettings.png b/windows/keep-secure/images/security-fig10-optinsettings.png
deleted file mode 100644
index 6754e27e0c..0000000000
Binary files a/windows/keep-secure/images/security-fig10-optinsettings.png and /dev/null differ
diff --git a/windows/keep-secure/images/security-fig11-defendersettings.png b/windows/keep-secure/images/security-fig11-defendersettings.png
deleted file mode 100644
index bba84ac28f..0000000000
Binary files a/windows/keep-secure/images/security-fig11-defendersettings.png and /dev/null differ
diff --git a/windows/keep-secure/images/security-fig2-vbsarchitecture-redo.png b/windows/keep-secure/images/security-fig2-vbsarchitecture-redo.png
deleted file mode 100644
index 6bcddd364a..0000000000
Binary files a/windows/keep-secure/images/security-fig2-vbsarchitecture-redo.png and /dev/null differ
diff --git a/windows/keep-secure/images/security-fig2-vbsarchitecture.png b/windows/keep-secure/images/security-fig2-vbsarchitecture.png
deleted file mode 100644
index 55301bf8c2..0000000000
Binary files a/windows/keep-secure/images/security-fig2-vbsarchitecture.png and /dev/null differ
diff --git a/windows/keep-secure/images/security-fig3-healthattestation.png b/windows/keep-secure/images/security-fig3-healthattestation.png
deleted file mode 100644
index 8cc8003555..0000000000
Binary files a/windows/keep-secure/images/security-fig3-healthattestation.png and /dev/null differ
diff --git a/windows/keep-secure/images/security-fig6-edge2.png b/windows/keep-secure/images/security-fig6-edge2.png
deleted file mode 100644
index d3d2d9c2e5..0000000000
Binary files a/windows/keep-secure/images/security-fig6-edge2.png and /dev/null differ
diff --git a/windows/keep-secure/images/security-fig7-smartscreenfilter.png b/windows/keep-secure/images/security-fig7-smartscreenfilter.png
deleted file mode 100644
index dba19d0f08..0000000000
Binary files a/windows/keep-secure/images/security-fig7-smartscreenfilter.png and /dev/null differ
diff --git a/windows/keep-secure/images/security-fig8-smartscreenconfig.png b/windows/keep-secure/images/security-fig8-smartscreenconfig.png
deleted file mode 100644
index 1377b79de8..0000000000
Binary files a/windows/keep-secure/images/security-fig8-smartscreenconfig.png and /dev/null differ
diff --git a/windows/keep-secure/images/security-fig9-windows7allow.png b/windows/keep-secure/images/security-fig9-windows7allow.png
deleted file mode 100644
index cc2bc0e16b..0000000000
Binary files a/windows/keep-secure/images/security-fig9-windows7allow.png and /dev/null differ
diff --git a/windows/keep-secure/images/service-components.png b/windows/keep-secure/images/service-components.png
deleted file mode 100644
index 1dd6cd48ba..0000000000
Binary files a/windows/keep-secure/images/service-components.png and /dev/null differ
diff --git a/windows/keep-secure/images/settings-icon.png b/windows/keep-secure/images/settings-icon.png
deleted file mode 100644
index 697ba3b0c3..0000000000
Binary files a/windows/keep-secure/images/settings-icon.png and /dev/null differ
diff --git a/windows/keep-secure/images/sort-order-icon.png b/windows/keep-secure/images/sort-order-icon.png
deleted file mode 100644
index c3cda66580..0000000000
Binary files a/windows/keep-secure/images/sort-order-icon.png and /dev/null differ
diff --git a/windows/keep-secure/images/suppression-rules.png b/windows/keep-secure/images/suppression-rules.png
deleted file mode 100644
index cd78d0a860..0000000000
Binary files a/windows/keep-secure/images/suppression-rules.png and /dev/null differ
diff --git a/windows/keep-secure/images/timeline.png b/windows/keep-secure/images/timeline.png
deleted file mode 100644
index ac657b2a12..0000000000
Binary files a/windows/keep-secure/images/timeline.png and /dev/null differ
diff --git a/windows/keep-secure/images/value-prop.png b/windows/keep-secure/images/value-prop.png
deleted file mode 100644
index 75291f8d96..0000000000
Binary files a/windows/keep-secure/images/value-prop.png and /dev/null differ
diff --git a/windows/keep-secure/images/windef-utc-console-start.png b/windows/keep-secure/images/windef-utc-console-start.png
deleted file mode 100644
index 57c2020b04..0000000000
Binary files a/windows/keep-secure/images/windef-utc-console-start.png and /dev/null differ
diff --git a/windows/keep-secure/images/windows-atp-service-users.png b/windows/keep-secure/images/windows-atp-service-users.png
deleted file mode 100644
index 87c529be50..0000000000
Binary files a/windows/keep-secure/images/windows-atp-service-users.png and /dev/null differ
diff --git a/windows/keep-secure/images/windows-atp-service.png b/windows/keep-secure/images/windows-atp-service.png
deleted file mode 100644
index e2175190f4..0000000000
Binary files a/windows/keep-secure/images/windows-atp-service.png and /dev/null differ
diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md
deleted file mode 100644
index db8b674702..0000000000
--- a/windows/keep-secure/index.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Keep Windows 10 secure (Windows 10)
-description: Learn about keeping Windows 10 and Windows 10 Mobile secure.
-ms.assetid: EA559BA8-734F-41DB-A74A-D8DBF36BE920
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: high
-author: brianlic-msft
----
-# Keep Windows 10 secure
-
-Learn about keeping Windows 10 and Windows 10 Mobile secure.
-
-## In this section
-
-| Topic | Description |
-| --- | --- |
-| [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. |
-| [Windows Hello for Business](hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
-| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
-| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
-| [Device Guard deployment guide](device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
-| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
-| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
-| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. |
-| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
-|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. |
-| [VPN technical guide](vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
-| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
-| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. For example, learn about AppLocker, BitLocker, and Security auditing. |
-| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Review technology overviews that help you understand Windows 10 security technologies in the context of the enterprise. |
-| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
-
-## Related topics
-
-[Windows 10 and Windows 10 Mobile](../index.md)
-
-
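Review bot: Nothing in this hunk shows a redirect for `windows/keep-secure/index.md`, and this file is the landing page that indexes all fifteen topics in the table, so any page that still links to it will break once it is gone. Please confirm a redirect entry ships in the same change. Also note that the Windows Event Forwarding row links to `use-windows-event-forwarding-to-assist-in-instrusion-detection.md` ("instrusion"); if the topics are being relocated, decide at the destination whether to keep the misspelled file name or rename it with a redirect, so the link is not silently carried over.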
diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md
deleted file mode 100644
index 856216aac1..0000000000
--- a/windows/keep-secure/mandatory-settings-for-wip.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10)
-description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) in your enterprise.
-keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Allowed apps list
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
-localizationpriority: high
----
-
-# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
-**Applies to:**
-
-- Windows 10, version 1607 and later
-- Windows 10 Mobile
-
-This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
-
->[!IMPORTANT]
->All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your organization.
-
-
-|Task |Description |
-|------------------------------------|--------------------------|
-|Add at least one app rule in the **App Rules** area in your WIP policy. |You must have at least one app rule specified in the **App Rules** area of your WIP policy. For more info about where this area is and how to add an app rule, see the **Add individual apps to your Protected App list** section of the policy creation topics.|
-|Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection level for your enterprise data** section of the policy creation topics.|
-|Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
-|Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. |
-|Specify your Enterprise IPv4 or IPv6 Ranges. |Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
-|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate** section of the policy creation topics. |
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
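Review bot: In the task table, the "Specify your Enterprise IPv4 or IPv6 Ranges" row refers readers to the **Define your enterprise-managed corporate identity** section, the same target as the "Specify your corporate identity" row, while the neighbouring network domain names row points to **Choose where apps can access enterprise data**. That looks like a copy-paste error, and if this topic is being moved rather than retired the cross-reference should be corrected in the new copy. Two smaller items to fix at the same time: "the level of protection level" in the protection-level row, and the missing newline at end of file.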
diff --git a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index b41b8bdaae..0000000000
--- a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: PowerShell code examples for the custom threat intelligence API
-description: Use PowerShell code to create custom threat intelligence using REST API.
-keywords: powershell, code examples, threat intelligence, custom threat intelligence, rest api, api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-localizationpriority: high
----
-
-# PowerShell code examples for the custom threat intelligence API
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-This article provides PowerShell code examples for using the custom threat intelligence API.
-
-These code examples demonstrate the following tasks:
-- [Obtain an Azure AD access token](#token)
-- [Create headers](#headers)
-- [Create calls to the custom threat intelligence API](#calls)
-- [Create a new alert definition](#alert-definition)
-- [Create a new indicator of compromise](#ioc)
-
-
-## Step 1: Obtain an Azure AD access token
-The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
-
-Replace the *authUrl*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal:
-
-[!code[CustomTIAPI](./code/example.ps1#L1-L14)]
-
-
-## Step 2: Create headers used for the requests with the API
-Use the following code to create the headers used for the requests with the API:
-
-[!code[CustomTIAPI](./code/example.ps1#L16-L19)]
-
-
-## Step 3: Create calls to the custom threat intelligence API
-After creating the headers, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
-
-[!code[CustomTIAPI](./code/example.ps1#L21-L24)]
-
-The response is empty on initial use of the API.
-
-
-## Step 4: Create a new alert definition
-The following example demonstrates how you to create a new alert definition.
-
-[!code[CustomTIAPI](./code/example.ps1#L26-L39)]
-
-
-## Step 5: Create a new indicator of compromise
-You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
-
-[!code[CustomTIAPI](./code/example.ps1#L43-L53)]
-
-## Complete code
-You can use the complete code to create calls to the API.
-
-[!code[CustomTIAPI](./code/example.ps1#L1-L53)]
-
-## Related topics
-- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
-- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
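Review bot: every sample in the removed steps is included by reference from ./code/example.ps1 (for instance `[!code[CustomTIAPI](./code/example.ps1#L1-L14)]`), so deleting this page on its own leaves that script orphaned. Confirm that code/example.ps1 is deleted or moved in the same change. If the script is kept anywhere, check that the *authUrl*, *clientid* and *clientSecret* values in it are still placeholders, since the text tells readers to paste their own values into it.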
diff --git a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index 0306678e79..0000000000
--- a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Windows Defender ATP preview features
-description: Learn how to access Windows Defender Advanced Threat Protection preview features.
-keywords: preview, preview experience, Windows Defender Advanced Threat Protection, features, updates
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-localizationpriority: high
----
-
-# Windows Defender ATP preview features
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
-The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
-
-Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
-
-You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
-
-For more information, see [Turn on the preview experience](preview-settings-windows-defender-advanced-threat-protection.md).
-
-## Preview features
-The following features are included in the preview release:
-
-- [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
- - [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
- - [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
- - [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
-
-- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
- - [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
- - [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
- - [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
-
-- [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
- - [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
-
-- [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) - Create custom threat intelligence alerts using the threat intelligence API to generate alerts that are applicable to your organization.
-
->[!NOTE]
-> All response actions require machines to be on the latest Windows 10 Insider Preview build.
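Review bot: the "Fix unhealthy sensors" entry in the Preview features list links to fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md, with "unhealhty" misspelled in the file name. If this page is being relocated rather than dropped, carry the link over with the target's actual file name, or rename the target and update the link in the same change, so the relocated copy does not ship with a broken link.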
diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index a67b250923..0000000000
--- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: Python code examples for the custom threat intelligence API
-description: Use Python code to create custom threat intelligence using REST API.
-keywords: python, code examples, threat intelligence, custom threat intelligence, rest api, api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-localizationpriority: high
----
-
-# Python code examples for the custom threat intelligence API
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
-## Before you begin
-You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library.
-
-These code examples demonstrate the following tasks:
-- [Obtain an Azure AD access token](#token)
-- [Create request session object](#session-object)
-- [Create calls to the custom threat intelligence API](#calls)
-- [Create a new alert definition](#alert-definition)
-- [Create a new indicator of compromise](#ioc)
-
-
-## Step 1: Obtain an Azure AD access token
-The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
-
-Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
-
-[!code[CustomTIAPI](./code/example.py#L1-L17)]
-
-
-
-## Step 2: Create request session object
-Add HTTP headers to the session object, including the Authorization header with the token that was obtained.
-
-[!code[CustomTIAPI](./code/example.py#L19-L23)]
-
-
-## Step 3: Create calls to the custom threat intelligence API
-After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
-
-[!code[CustomTIAPI](./code/example.py#L25-L26)]
-
-The response is empty on initial use of the API.
-
-
-## Step 4: Create a new alert definition
-The following example demonstrates how you to create a new alert definition.
-
-[!code[CustomTIAPI](./code/example.py#L28-L39)]
-
-
-## Step 5: Create a new indicator of compromise
-You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
-
-[!code[CustomTIAPI](./code/example.py#L41-L51)]
-
-## Complete code
-You can use the complete code to create calls to the API.
-
-[!code[CustomTIAPI](./code/example.py#L1-L53)]
-
-## Related topics
-- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
-- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
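Review bot: the task list under "Before you begin" links to #token, #session-object, #calls, #alert-definition and #ioc, but no heading in this file defines those anchors; the headings are "Step 1: Obtain an Azure AD access token" and so on, so the in-page links resolve nowhere. If this content is carried over to a new location, fix the anchors there. The two requests library links in the same section use http:// and should be switched to https:// in any copy that survives.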
diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md
deleted file mode 100644
index 6b82a956c7..0000000000
--- a/windows/keep-secure/security-technologies.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Security technologies (Windows 10)
-description: Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile.
-ms.assetid: BFE2DE22-B0CE-465B-8CF6-28F64464DF08
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
----
-
-# Security technologies
-
-As an IT professional, you can use these topics to learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile.
-
-| Section | Description |
-|-|-|
-| [Access control](access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
-| [AppLocker](applocker-overview.md)| Describes AppLocker, and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.|
-| [BitLocker](bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
-| [Encrypted Hard Drive](encrypted-hard-drive.md) | Provides information about Encrypted Hard Drive, which uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
-| [Security auditing](security-auditing-overview.md)| Describes how the IT professional can use the security auditing features in Windows, and how organizations can benefit from using these technologies, to enhance the security and manageability of networks.|
-| [Security policy settings](security-policy-settings.md)| Provides a collection of reference topics that describe the common scenarios, architecture, and processes for security settings.|
-| [Smart Cards](smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
-| [Trusted Platform Module](trusted-platform-module-top-node.md)| Provides links to information about the Trusted Platform Module (TPM), which is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |
-| [User Account Control](user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
-| [Virtual Smart Cards](virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
-| [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Provides information about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
-| [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| Provides information about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
-| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) | Provides information about Windows Firewall with Advanced Security, which is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. |
-
-
-
diff --git a/windows/keep-secure/using-owa-with-wip.md b/windows/keep-secure/using-owa-with-wip.md
deleted file mode 100644
index daa6be5167..0000000000
--- a/windows/keep-secure/using-owa-with-wip.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: Using Outlook Web Access with Windows Information Protection (WIP) (Windows 10)
-description: Options for using Outlook Web Access (OWA) with Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
-localizationpriority: high
----
-
-# Using Outlook Web Access with Windows Information Protection (WIP)
-**Applies to:**
-
-- Windows 10, version 1607 and later
-- Windows 10 Mobile
-
->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
-
-Because Outlook Web Access (OWA) can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP):
-
-|Option |OWA behavior |
-|-------|-------------|
-|Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app. | Disabled. |
-|Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data. |
-|Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. |
-
->[!NOTE]
->These limitations don’t apply to Outlook 2016 or to the Office 365 Mail and Calendar apps. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings.
-
-
-
-
-
diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md
deleted file mode 100644
index 496bb6addb..0000000000
--- a/windows/keep-secure/windows-10-enterprise-security-guides.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: Enterprise security guides (Windows 10)
-description: Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides.
-ms.assetid: 57134f84-bd4b-4b1d-b663-4a2d36f5a7f8
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, devices
-author: challum
-
----
-
-# Enterprise security guides
-
-## Purpose
-
-This section offers overviews to help you understand selected enterprise-level security technologies, such as technologies to control the health of Windows 10-based devices.
-
-## In this section
-
-
-
-
-
-
-
-
-
Topic
-
Description
-
-
-
-
-
[Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
-
This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices.
-
-
-
[Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
-
This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.
This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the Microsoft Download Center.
-
-
-
[How to use single sign on (SSO) over VPN and Wi-Fi connections](how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
-
This topic explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
-
-
-
-
-
-
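Review bot: the front-matter description promises guidance on Credential Guard, Microsoft Passport and Windows Hello, but the "In this section" table lists only device health, the Windows 10 Mobile security guide and SSO over VPN and Wi-Fi. In addition, the sentence "This topic provides a summary of the Windows 10 credential theft mitigation guide" sits under the Mobile security guide entry with no topic link of its own. If this landing page is moved rather than retired, align the description with the listed topics and restore or drop the orphaned row.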
diff --git a/windows/manage/.vscode/settings.json b/windows/manage/.vscode/settings.json
deleted file mode 100644
index 20af2f68a6..0000000000
--- a/windows/manage/.vscode/settings.json
+++ /dev/null
@@ -1,3 +0,0 @@
-// Place your settings in this file to overwrite default and user settings.
-{
-}
\ No newline at end of file
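Review bot: nothing in this change prevents windows/manage/.vscode/settings.json from being committed again after the deletion. The file holds only the editor's placeholder comment and an empty object, so it is per-user editor state; add .vscode/ to .gitignore in the same change.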
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
deleted file mode 100644
index 148d75201f..0000000000
--- a/windows/manage/TOC.md
+++ /dev/null
@@ -1,166 +0,0 @@
-# [Manage Windows 10](index.md)
-## [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
-## [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
-## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
-## [Windows Store for Business](windows-store-for-business.md)
-### [Sign up and get started](sign-up-windows-store-for-business-overview.md)
-####[Windows Store for Business overview](windows-store-for-business-overview.md)
-#### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
-#### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
-#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
-#### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)
-### [Find and acquire apps](find-and-acquire-apps-overview.md)
-#### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md)
-#### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md)
-#### [Working with line-of-business apps](working-with-line-of-business-apps.md)
-### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
-#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
-#### [Assign apps to employees](assign-apps-to-employees.md)
-#### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
-#### [Distribute offline apps](distribute-offline-apps.md)
-### [Manage apps](manage-apps-windows-store-for-business-overview.md)
-#### [App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md)
-#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md)
-#### [Manage access to private store](manage-access-to-private-store.md)
-#### [Manage private store settings](manage-private-store-settings.md)
-#### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
-### [Device Guard signing portal](device-guard-signing-portal.md)
-#### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
-#### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
-### [Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md)
-#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
-#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
-### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
-## [Create mandatory user profiles](mandatory-user-profile.md)
-## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
-## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
-## [New policies for Windows 10](new-policies-for-windows-10.md)
-## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
-## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
-## [Application Virtualization (App-V) for Windows](appv-for-windows.md)
-### [Getting Started with App-V](appv-getting-started.md)
-#### [What's new in App-V for Windows 10, version 1703 and earlier](appv-about-appv.md)
-##### [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows.md)
-##### [Release Notes for App-V for Windows 10, version 1703](appv-release-notes-for-appv-for-windows-1703.md)
-#### [Evaluating App-V](appv-evaluating-appv.md)
-#### [High Level Architecture for App-V](appv-high-level-architecture.md)
-### [Planning for App-V](appv-planning-for-appv.md)
-#### [Preparing Your Environment for App-V](appv-preparing-your-environment.md)
-##### [App-V Prerequisites](appv-prerequisites.md)
-##### [App-V Security Considerations](appv-security-considerations.md)
-#### [Planning to Deploy App-V](appv-planning-to-deploy-appv.md)
-##### [App-V Supported Configurations](appv-supported-configurations.md)
-##### [App-V Capacity Planning](appv-capacity-planning.md)
-##### [Planning for High Availability with App-V](appv-planning-for-high-availability-with-appv.md)
-##### [Planning to Deploy App-V with an Electronic Software Distribution System](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md)
-##### [Planning for the App-V Server Deployment](appv-planning-for-appv-server-deployment.md)
-##### [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md)
-##### [Planning for Using App-V with Office](appv-planning-for-using-appv-with-office.md)
-##### [Planning to Use Folder Redirection with App-V](appv-planning-folder-redirection-with-appv.md)
-#### [App-V Planning Checklist](appv-planning-checklist.md)
-### [Deploying App-V](appv-deploying-appv.md)
-#### [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md)
-##### [About Client Configuration Settings](appv-client-configuration-settings.md)
-##### [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
-##### [How to Install the Sequencer](appv-install-the-sequencer.md)
-#### [Deploying the App-V Server](appv-deploying-the-appv-server.md)
-##### [How to Deploy the App-V Server](appv-deploy-the-appv-server.md)
-##### [How to Deploy the App-V Server Using a Script](appv-deploy-the-appv-server-with-a-script.md)
-##### [How to Deploy the App-V Databases by Using SQL Scripts](appv-deploy-appv-databases-with-sql-scripts.md)
-##### [How to Install the Publishing Server on a Remote Computer](appv-install-the-publishing-server-on-a-remote-computer.md)
-##### [How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](appv-install-the-management-and-reporting-databases-on-separate-computers.md)
-##### [How to install the Management Server on a Standalone Computer and Connect it to the Database ](appv-install-the-management-server-on-a-standalone-computer.md)
-##### [About App-V Reporting](appv-reporting.md)
-##### [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](appv-install-the-reporting-server-on-a-standalone-computer.md)
-#### [App-V Deployment Checklist](appv-deployment-checklist.md)
-#### [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
-#### [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
-#### [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
-### [Operations for App-V](appv-operations.md)
-#### [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md)
-##### [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md)
-##### [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md)
-##### [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md)
-##### [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md)
-##### [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md)
-##### [How to Create and Use a Project Template](appv-create-and-use-a-project-template.md)
-##### [How to Create a Package Accelerator](appv-create-a-package-accelerator.md)
-##### [How to Create a Virtual Application Package Using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md)
-#### [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md)
-##### [About App-V Dynamic Configuration](appv-dynamic-configuration.md)
-##### [How to Connect to the Management Console ](appv-connect-to-the-management-console.md)
-##### [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md)
-##### [How to Configure Access to Packages by Using the Management Console ](appv-configure-access-to-packages-with-the-management-console.md)
-##### [How to Publish a Package by Using the Management Console ](appv-publish-a-packages-with-the-management-console.md)
-##### [How to Delete a Package in the Management Console ](appv-delete-a-package-with-the-management-console.md)
-##### [How to Add or Remove an Administrator by Using the Management Console](appv-add-or-remove-an-administrator-with-the-management-console.md)
-##### [How to Register and Unregister a Publishing Server by Using the Management Console](appv-register-and-unregister-a-publishing-server-with-the-management-console.md)
-##### [How to Create a Custom Configuration File by Using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md)
-##### [How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console](appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md)
-##### [How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console](appv-customize-virtual-application-extensions-with-the-management-console.md)
-##### [How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console ](appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md)
-#### [Managing Connection Groups](appv-managing-connection-groups.md)
-##### [About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)
-##### [About the Connection Group File](appv-connection-group-file.md)
-##### [How to Create a Connection Group](appv-create-a-connection-group.md)
-##### [How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)
-##### [How to Delete a Connection Group](appv-delete-a-connection-group.md)
-##### [How to Publish a Connection Group](appv-publish-a-connection-group.md)
-##### [How to Make a Connection Group Ignore the Package Version](appv-configure-connection-groups-to-ignore-the-package-version.md)
-##### [How to Allow Only Administrators to Enable Connection Groups](appv-allow-administrators-to-enable-connection-groups.md)
-#### [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md)
-##### [How to deploy App-V Packages Using Electronic Software Distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md)
-##### [How to Enable Only Administrators to Publish Packages by Using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md)
-#### [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
-##### [Automatically clean-up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md)
-#### [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md)
-##### [How to Convert a Package Created in a Previous Version of App-V](appv-convert-a-package-created-in-a-previous-version-of-appv.md)
-#### [Maintaining App-V](appv-maintaining-appv.md)
-##### [How to Move the App-V Server to Another Computer](appv-move-the-appv-server-to-another-computer.md)
-#### [Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md)
-##### [How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help ](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md)
-##### [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md)
-##### [How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)
-##### [How to Modify Client Configuration by Using Windows PowerShell](appv-modify-client-configuration-with-powershell.md)
-##### [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
-##### [How to Apply the User Configuration File by Using Windows PowerShell](appv-apply-the-user-configuration-file-with-powershell.md)
-##### [How to Apply the Deployment Configuration File by Using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md)
-##### [How to Sequence a Package by Using Windows PowerShell ](appv-sequence-a-package-with-powershell.md)
-##### [How to Create a Package Accelerator by Using Windows PowerShell](appv-create-a-package-accelerator-with-powershell.md)
-##### [How to Enable Reporting on the App-V Client by Using Windows PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md)
-##### [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md)
-### [Troubleshooting App-V](appv-troubleshooting.md)
-### [Technical Reference for App-V](appv-technical-reference.md)
-#### [Available Mobile Data Management (MDM) settings for App-V](appv-available-mdm-settings.md)
-#### [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
-#### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
-#### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
-#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md)
-## [User Experience Virtualization (UE-V) for Windows](uev-for-windows.md)
-### [Get Started with UE-V](uev-getting-started.md)
-#### [What's New in UE-V for Windows 10, version 1607](uev-whats-new-in-uev-for-windows.md)
-#### [User Experience Virtualization Release Notes](uev-release-notes-1607.md)
-#### [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md)
-### [Prepare a UE-V Deployment](uev-prepare-for-deployment.md)
-#### [Deploy Required UE-V Features](uev-deploy-required-features.md)
-#### [Deploy UE-V for use with Custom Applications](uev-deploy-uev-for-custom-applications.md)
-### [Administering UE-V](uev-administering-uev.md)
-#### [Manage Configurations for UE-V](uev-manage-configurations.md)
-##### [Configuring UE-V with Group Policy Objects](uev-configuring-uev-with-group-policy-objects.md)
-##### [Configuring UE-V with System Center Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md)
-##### [Administering UE-V with Windows PowerShell and WMI](uev-administering-uev-with-windows-powershell-and-wmi.md)
-###### [Managing the UE-V Service and Packages with Windows PowerShell and WMI](uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md)
-###### [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md)
-#### [Working with Custom UE-V Templates and the UE-V Template Generator](uev-working-with-custom-templates-and-the-uev-generator.md)
-#### [Manage Administrative Backup and Restore in UE-V](uev-manage-administrative-backup-and-restore.md)
-#### [Changing the Frequency of UE-V Scheduled Tasks](uev-changing-the-frequency-of-scheduled-tasks.md)
-#### [Migrating UE-V Settings Packages](uev-migrating-settings-packages.md)
-#### [Using UE-V with Application Virtualization Applications](uev-using-uev-with-application-virtualization-applications.md)
-### [Troubleshooting UE-V](uev-troubleshooting.md)
-### [Technical Reference for UE-V](uev-technical-reference.md)
-#### [Sync Methods for UE-V](uev-sync-methods.md)
-#### [Sync Trigger Events for UE-V](uev-sync-trigger-events.md)
-#### [Synchronizing Microsoft Office with UE-V](uev-synchronizing-microsoft-office-with-uev.md)
-#### [Application Template Schema Reference for UE-V](uev-application-template-schema-reference.md)
-#### [Security Considerations for UE-V](uev-security-considerations.md)
-## [Change history for Manage Windows 10](change-history-for-manage-and-update-windows-10.md)
diff --git a/windows/manage/application-development-for-windows-as-a-service.zip b/windows/manage/application-development-for-windows-as-a-service.zip
deleted file mode 100644
index 7ae85a8f22..0000000000
Binary files a/windows/manage/application-development-for-windows-as-a-service.zip and /dev/null differ
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
deleted file mode 100644
index d6a3868254..0000000000
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ /dev/null
@@ -1,203 +0,0 @@
----
-title: Change history for Manage Windows 10 (Windows 10)
-description: This topic lists new and updated topics in the Manage Windows 10 documentation for Windows 10 and Windows 10 Mobile.
-ms.assetid: 29144AFA-1DA9-4532-B07D-1EBE34B7E1E0
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-author: jdeckerMS
----
-
-# Change history for Manage Windows 10
-
-This topic lists new and updated topics in the [Manage Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
-
->If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
-
-## RELEASE: Windows 10, version 1703
-
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). Some topics have been moved to [Update Windows 10](../update/index.md) or to [Configure Windows 10](../configure/index.md).
-
-## March 2017
-| New or changed topic | Description |
-| --- | --- |
-|[Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md) |New |
-|[What's new in App-V for Windows 10, version 1703 and earlier](appv-about-appv.md)|Updated to include new features in App-V for Windows 10, version 1703. |
-|[Release Notes for App-V for Windows 10, version 1703](appv-release-notes-for-appv-for-windows-1703.md)|New |
-|[Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) |New |
-|[Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) |New |
-|[Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) |New |
-|[Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) |New |
-|[Available Mobile Data Management (MDM) settings for App-V](appv-available-mdm-settings.md) |New |
-
-## February 2017
-| New or changed topic | Description |
-| --- | --- |
-| [Windows Libraries](windows-libraries.md) | New |
-| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New |
-| [Get started with Update Compliance](update-compliance-get-started.md) | New |
-| [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New |
-|[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Added Group Policy setting that blocks user access to Windows Update. |
-|[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |Added Express updates. |
-| [Distribute offline apps](distribute-offline-apps.md) | General updates to topic. Added links to supporting content for System Center Configuration Manager and Microsoft Intune. |
-
-
-## January 2017
-
-| New or changed topic | Description |
-| --- | --- |
-| [Cortana at work topics](../configure/cortana-at-work-overview.md)]|New |
-| [Start layout XML for desktop editions of Windows 10](start-layout-xml-desktop.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Start layout XML for mobile editions of Windows 10](start-layout-xml-mobile.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. |
-| [Manage device restarts after updates](waas-restart.md) | Added Registry keys for controlling restarts. |
-
-## December 2016
-
-| New or changed topic | Description |
-| --- | --- |
-| [Quick guide to Windows as a service](waas-quick-start.md) | New |
-| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Added video demonstration of the latest in modern management for Windows 10 |
-| [Windows Store for Business overview](windows-store-for-business-overview.md) | Updated list of supported markets. |
-
-## November 2016
-
-| New or changed topic | Description |
-| --- | --- |
-| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Added guidance for switching devices between servicing branches |
-| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Windows 10 IoT Mobile |
-
-## October 2016
-
-| New or changed topic | Description |
-| --- | --- |
-| [Manage device restarts after updates](waas-restart.md) | New |
-| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New |
-| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) |Added an important note about Cortana and Office 365 integration. |
-| [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. |
-| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. |
-| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile. |
-
-
-## September 2016
-
-| New or changed topic | Description |
-| --- | --- |
-| [Update Windows 10 in the enterprise](waas-update-windows-10.md), replaces **Windows 10 servicing options** | New |
-| [Lockdown features from Windows Embedded 8.1 Industry](../configure/lockdown-features-windows-10.md) | Added Group Policy setting to replace Gesture Filter |
-| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added content for Windows Server 2016 |
-| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the script for setting a custom shell using Shell Launcher. |
-
-## August 2016
-
-| New or changed topic | Description |
-| --- | --- |
-| [Create mandatory user profiles](mandatory-user-profile.md) | New |
-| [Update Windows 10 in the enterprise](waas-update-windows-10.md) | New section |
-| [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) | Updated sample XML for combined Start and taskbar layout; added note to explain the difference between applying taskbar configuration by Group Policy and by provisioning package |
-| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated instructions for exiting assigned access mode. |
-| Application development for Windows as a service | Topic moved to MSDN: [Application development for Windows as a service](https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service)
-| Windows 10 servicing options | New content replaced this topic; see [Overview of Windows as a service](waas-overview.md) |
-
-## RELEASE: Windows 10, version 1607
-
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
-
-- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
-- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-- [Set up a shared or guest PC with Windows 10](../configure/set-up-shared-or-guest-pc.md)
-- [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
-- [Application Virtualization (App-V) for Windows 10](appv-for-windows.md)
-- [User Experience Virtualization (UE-V) for Windows 10](uev-for-windows.md)
-
-## July 2016
-
-| New or changed topic | Description |
-| ---|---|
-| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | New |
-| [Windows 10 servicing options](introduction-to-windows-10-servicing.md) | Added detailed content on servicing branches, moved from [Windows 10 servicing overview](../plan/windows-10-servicing-options.md). |
-
-
-## June 2016
-
-| New or changed topic | Description |
-| ---|---|
-| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the sample script for Shell Launcher. |
-
-## May 2016
-
-| New or changed topic | Description |
-| ---|---|
-| [Group Policies that apply only to Windows 10 Enterprise and Education Editions](group-policies-for-enterprise-and-education-editions.md) | New |
-| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added section on how to turn off Live Tiles |
-| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content |
-| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |Removed info about sharing wi-fi network access with contacts, since it's been deprecated. |
-| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
-| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Removed Windows 10 Mobile from **Applies to** |
-
-
-
-## April 2016
-
-| New or changed topic | Description |
-| ---|---|
-| [Administrative tools in Windows 10](administrative-tools-in-windows-10.md) | Added screenshots of Control Panel and the administrative tools folder. |
-| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added the font streaming section. |
-| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Made corrections to script and instructions for Shell Launcher. |
-
-## March 2016
-
-| New or changed topic | Description |
-| ---|---|
-| [Application development for Windows as a service](application-development-for-windows-as-a-service.md) | New |
-| [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | New |
-| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. |
-
-## February 2016
-
-| New or changed topic | Description |
-| ---|---|
-| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added call history and email to the Settings > Privacy section. Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. |
-| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
-| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Added instructions for replacing markup characters with escape characters in Start layout XML |
-| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | New |
-| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | New |
-| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
-
-
-## December 2015
-
-| New or changed topic | Description |
-| ---|---|
-| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) | New |
-| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | New |
-| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New |
-
-## November 2015
-
-| New or changed topic | Description |
-|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) | New |
-| [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) | New |
-| [Customize and export Start layout](customize-and-export-start-layout.md) | New |
-| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New |
-| [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) | New |
-| [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) | New |
-| [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) | New |
-| [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) | New |
-| [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) | New |
-| [Windows Hello biometrics in the enterprise](../keep-secure/windows-hello-in-enterprise.md) | New |
-| [Windows Store for Business](windows-store-for-business.md) (multiple topics) | New |
-| [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) | Updated |
-| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Updated |
-| [New policies for Windows 10](new-policies-for-windows-10.md) | Updated |
-
-## Related topics
-
-[Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md)
-
-[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
-
-[Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md)
-
-[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
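Review bot: Two table rows in this removed file are malformed and should be fixed if the change history is carried over to the Update or Configure libraries that the version 1703 paragraph says topics were moved to. The January 2017 row `| [Cortana at work topics](../configure/cortana-at-work-overview.md)]|New |` has a stray `]` after the link, and the August 2016 row for "Application development for Windows as a service" is missing its closing `|`. The March 2017 and February 2017 tables also start directly under their headings with no blank line, unlike every other month in the file. If the content is not being carried over, please say in the commit message where readers of the old URL should land, since no redirect for this path appears in this part of the patch.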
diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json
new file mode 100644
index 0000000000..628f06503d
--- /dev/null
+++ b/windows/manage/docfx.json
@@ -0,0 +1,37 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {},
+ "fileMetadata": {},
+ "template": [],
+ "dest": "windows-manage"
+ }
+}
\ No newline at end of file
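Review bot: This build config is added to windows/manage while the same patch deletes index.md, change-history-for-manage-and-update-windows-10.md and new-policies-for-windows-10.md from that folder, so please confirm that the `"**/*.md"` content glob still matches something and that a docset with `"dest": "windows-manage"` is still intended. Separately, the `resource` section only matches `**/*.png` and `**/*.jpg`; any page that references another asset type (a .gif, or a download such as the .zip removed earlier in this patch) would build without it, so either widen the globs or state that only these two types are allowed. The file also ends without a trailing newline.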
diff --git a/windows/manage/images/aadj1.jpg b/windows/manage/images/aadj1.jpg
deleted file mode 100644
index 2348fc4c84..0000000000
Binary files a/windows/manage/images/aadj1.jpg and /dev/null differ
diff --git a/windows/manage/images/aadj2.jpg b/windows/manage/images/aadj2.jpg
deleted file mode 100644
index 39486bfc66..0000000000
Binary files a/windows/manage/images/aadj2.jpg and /dev/null differ
diff --git a/windows/manage/images/aadj3.jpg b/windows/manage/images/aadj3.jpg
deleted file mode 100644
index 80e1f5762f..0000000000
Binary files a/windows/manage/images/aadj3.jpg and /dev/null differ
diff --git a/windows/manage/images/aadj4.jpg b/windows/manage/images/aadj4.jpg
deleted file mode 100644
index 0db2910012..0000000000
Binary files a/windows/manage/images/aadj4.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjbrowser.jpg b/windows/manage/images/aadjbrowser.jpg
deleted file mode 100644
index c8d909688e..0000000000
Binary files a/windows/manage/images/aadjbrowser.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjcal.jpg b/windows/manage/images/aadjcal.jpg
deleted file mode 100644
index 1858886f5f..0000000000
Binary files a/windows/manage/images/aadjcal.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjcalmail.jpg b/windows/manage/images/aadjcalmail.jpg
deleted file mode 100644
index 5a5661259a..0000000000
Binary files a/windows/manage/images/aadjcalmail.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjmail1.jpg b/windows/manage/images/aadjmail1.jpg
deleted file mode 100644
index 89b1fcc3b7..0000000000
Binary files a/windows/manage/images/aadjmail1.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjmail2.jpg b/windows/manage/images/aadjmail2.jpg
deleted file mode 100644
index 0608010c6a..0000000000
Binary files a/windows/manage/images/aadjmail2.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjmail3.jpg b/windows/manage/images/aadjmail3.jpg
deleted file mode 100644
index d7154a7e0e..0000000000
Binary files a/windows/manage/images/aadjmail3.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjonedrive.jpg b/windows/manage/images/aadjonedrive.jpg
deleted file mode 100644
index 6fb1196d5f..0000000000
Binary files a/windows/manage/images/aadjonedrive.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjonenote.jpg b/windows/manage/images/aadjonenote.jpg
deleted file mode 100644
index 4ccd207f9f..0000000000
Binary files a/windows/manage/images/aadjonenote.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjonenote2.jpg b/windows/manage/images/aadjonenote2.jpg
deleted file mode 100644
index 1b6941e638..0000000000
Binary files a/windows/manage/images/aadjonenote2.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjonenote3.jpg b/windows/manage/images/aadjonenote3.jpg
deleted file mode 100644
index 3ac6911046..0000000000
Binary files a/windows/manage/images/aadjonenote3.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjpin.jpg b/windows/manage/images/aadjpin.jpg
deleted file mode 100644
index dac6cfec30..0000000000
Binary files a/windows/manage/images/aadjpin.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjppt.jpg b/windows/manage/images/aadjppt.jpg
deleted file mode 100644
index 268d5fe662..0000000000
Binary files a/windows/manage/images/aadjppt.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjverify.jpg b/windows/manage/images/aadjverify.jpg
deleted file mode 100644
index 7b30210f39..0000000000
Binary files a/windows/manage/images/aadjverify.jpg and /dev/null differ
diff --git a/windows/manage/images/aadjword.jpg b/windows/manage/images/aadjword.jpg
deleted file mode 100644
index db2a58406e..0000000000
Binary files a/windows/manage/images/aadjword.jpg and /dev/null differ
diff --git a/windows/manage/images/button.png b/windows/manage/images/button.png
deleted file mode 100644
index 1ba7590f76..0000000000
Binary files a/windows/manage/images/button.png and /dev/null differ
diff --git a/windows/manage/images/oobe.jpg b/windows/manage/images/oobe.jpg
deleted file mode 100644
index 53a5dab6bf..0000000000
Binary files a/windows/manage/images/oobe.jpg and /dev/null differ
diff --git a/windows/manage/images/setupmsg.jpg b/windows/manage/images/setupmsg.jpg
deleted file mode 100644
index 12935483c5..0000000000
Binary files a/windows/manage/images/setupmsg.jpg and /dev/null differ
diff --git a/windows/manage/index.md b/windows/manage/index.md
deleted file mode 100644
index 3446fc1a1b..0000000000
--- a/windows/manage/index.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Manage Windows 10 (Windows 10)
-description: Learn about managing and updating Windows 10.
-ms.assetid: E5716355-02AB-4B75-A962-14B1A7F7BDA0
-keywords: Windows 10, MDM, WSUS, Windows update
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: high
-author: jdeckerMS
----
-
-# Manage Windows 10
-
-Learn about managing Windows 10.
-
->[!NOTE]
->Information for Windows 10 Enterprise also applies to Windows 10 IoT Enterprise, and information for Windows 10 Mobile Enterprise also applies to Windows 10 IoT Mobile. For information about managing devices running Windows 10 IoT Core, see [Windows 10 IoT Core Commercialization](https://www.windowsforiotdevices.com/).
-
-## In this section
-
-
-
-| Topic | Description |
-| --- | --- |
-| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. |
-| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | How to plan for and deploy Windows 10 Mobile devices. |
-| [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) | Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. |
-| [Windows Store for Business](windows-store-for-business.md) | Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. |
-| [Create mandatory user profiles](mandatory-user-profile.md) | Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. |
-| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC. |
-| [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). |
-| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10. |
-| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education. |
-| [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) | There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset. |
-| [Application Virtualization (App-V) for Windows](appv-for-windows.md) | When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. |
-| [User Experience Virtualization for Windows (UE-V)](uev-for-windows.md) | When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. |
-| [Change history for Manage Windows 10](change-history-for-manage-and-update-windows-10.md) | This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
-
-
-
-
-
-
-## Related topics
-[Windows 10 and Windows 10 Mobile](../index.md)
-
-
-[Learn how Microsoft does IT at the IT Showcase](https://www.microsoft.com/itshowcase)
diff --git a/windows/manage/new-policies-for-windows-10.md b/windows/manage/new-policies-for-windows-10.md
deleted file mode 100644
index 311f3f125f..0000000000
--- a/windows/manage/new-policies-for-windows-10.md
+++ /dev/null
@@ -1,99 +0,0 @@
----
-title: New policies for Windows 10 (Windows 10)
-description: Windows 10 includes the following new policies for management, in addition to policies that were available for Windows 8.1 and Windows Phone 8.1.
-ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D
-keywords: ["MDM", "Group Policy"]
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: high
----
-
-# New policies for Windows 10
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-Windows 10 includes the following new policies for management, in addition to policies that were available for Windows 8.1 and Windows Phone 8.1. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://go.microsoft.com/fwlink/p/?LinkID=625081).
-
-## New Group Policy settings in Windows 10
-
-
-There are some new policy settings in Group Policy for devices running Windows 10 , such as:
-
-- Microsoft Edge browser settings
-
-- Universal Windows app settings, such as:
-
- - Disable deployment of Windows Store apps to non-system volumes
-
- - Restrict users' application data to always stay on the system volume
-
- - Allow applications to share app data between users
-
-- [Start screen and Start menu layout](customize-windows-10-start-screens-by-using-group-policy.md)
-
-- Windows Tips
-
-- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu
-
-- [Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=623294)
-
-- Windows Updates for Business
-
-For a spreadsheet of Group Policy settings included in Windows, see [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=613627).
-
-## New MDM policies
-
-
-Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile includes settings from Windows Phone 8.1, plus new or enhanced settings for Windows 10, such as:
-
-- Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only)
-
-- Enhanced Bluetooth policies
-
-- Passport and Hello
-
-- Device update
-
-- Hardware-based device health attestation
-
-- [Kiosk mode](set-up-a-device-for-anyone-to-use.md), start screen, start menu layout
-
-- Security
-
-- [VPN](https://go.microsoft.com/fwlink/p/?LinkId=623295) and enterprise Wi-Fi management
-
-- Certificate management
-
-- Windows Tips
-
-- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu
-
-Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
-
-If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317).
-
-No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=613264). For more information, see the [ActiveSync configuration service provider](https://go.microsoft.com/fwlink/p/?LinkId=618944) technical reference.
-
-## Related topics
-
-
-[Manage corporate devices](manage-corporate-devices.md)
-
-[Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md)
-
-[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json
new file mode 100644
index 0000000000..289552ee34
--- /dev/null
+++ b/windows/plan/docfx.json
@@ -0,0 +1,37 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {},
+ "fileMetadata": {},
+ "template": [],
+ "dest": "windows-plan"
+ }
+}
\ No newline at end of file
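Review bot: The `resource.files` list in this new windows/plan/docfx.json matches only `**/*.png` and `**/*.jpg`, while the windows/threat-protection/docfx.json added later in this same patch also lists `**/*.gif`. If the plan content includes GIF images they will not be picked up as resources, so add the pattern or confirm none exist. `globalMetadata` is also empty here, although the sibling file sets `uhfHeaderId` and `breadcrumb_path`; confirm that difference is intended. The file ends without a trailing newline; add one.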
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
new file mode 100644
index 0000000000..a166cca5f1
--- /dev/null
+++ b/windows/threat-protection/TOC.md
@@ -0,0 +1,159 @@
+# [Threat protection](index.md)
+
+## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md)
+### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
+### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
+### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
+### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
+### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+#### [Configure endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
+##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+##### [Configure endpoints using System Security Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
+##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+#### [Configure proxy and Internet settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
+### [Use the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
+#### [View the Dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
+#### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md)
+#### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md)
+##### [Alert process tree](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree)
+##### [Incident graph](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph)
+##### [Alert timeline](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline)
+#### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md)
+#### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md)
+#### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
+#### [View and organize the Machines view](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
+#### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
+##### [Search for specific alerts](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts)
+##### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+##### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+##### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+#### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
+#### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
+#### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
+##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+###### [Undo machine isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
+###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
+###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+###### [Remove file from quarantine](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+###### [Block files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+###### [Check activity details in Action center](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+###### [Deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+####### [Submit files for analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+####### [View deep analysis reports](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+####### [Troubleshoot deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
+#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+#### [Configure Splunk to pull alerts](windows-defender-atp\configure-splunk-windows-defender-advanced-threat-protection.md)
+#### [Configure HP ArcSight to pull alerts](windows-defender-atp\configure-arcsight-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender ATP alert API fields](windows-defender-atp\api-portal-mapping-windows-defender-advanced-threat-protection.md)
+#### [Pull alerts using REST API](windows-defender-atp\pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot SIEM tool integration issues](windows-defender-atp\troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+### [Use the threat intelligence API to create custom alerts](windows-defender-atp\use-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Understand threat intelligence concepts](windows-defender-atp\threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+#### [Enable the custom threat intelligence application](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Create custom threat intelligence alerts](windows-defender-atp\custom-ti-api-windows-defender-advanced-threat-protection.md)
+#### [PowerShell code examples](windows-defender-atp\powershell-example-code-windows-defender-advanced-threat-protection.md)
+#### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
+#### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
+#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+### [Configure Windows Defender ATP preferences settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
+#### [Update general settings](windows-defender-atp\general-settings-windows-defender-advanced-threat-protection.md)
+#### [Turn on advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
+#### [Turn on preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md)
+#### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
+### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
+### [Windows Defender ATP service status](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
+### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
+### [Windows Defender Antivirus compatibility](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
+
+## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
+### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+### [Windows Defender Antivirus and Advanced Threat Protection: Better together](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
+#### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
+##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
+#### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
+#### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
+##### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
+##### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
+##### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
+##### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
+##### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
+#### [Utilize Microsoft cloud-provided protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
+##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
+##### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
+##### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
+##### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+#### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
+##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
+#### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md)
+##### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
+##### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
+##### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
+### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
+#### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
+##### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
+##### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+##### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
+#### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
+#### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
+#### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
+#### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
+#### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
+#### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
+### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
+### [Reference topics for management and configuration tools](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
+#### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
+#### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
+#### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
+#### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
+#### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
+
+## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)
+### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
+### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)
+
+## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
+### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md)
+#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
+##### [Deploy your Windows Information Protection (WIP) policy](windows-information-protection\deploy-wip-policy-using-intune.md)
+##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
+#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
+#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
+#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md)
+### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md)
+### [Testing scenarios for Windows Information Protection (WIP)](windows-information-protection\testing-scenarios-for-wip.md)
+### [Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md)
+### [How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md)
+### [General guidance and best practices for Windows Information Protection (WIP)](windows-information-protection\guidance-and-best-practices-wip.md)
+#### [Enlightened apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)
+#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md)
+#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md)
+#### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
+
+## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
+
+## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
+
+## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
+
+## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
+
+## [Change history for Threat Protection](change-history-for-threat-protection.md)
\ No newline at end of file
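Review bot: The link targets throughout this TOC use a backslash as the path separator (for example `windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md`), whereas index.md in this same patch links into the same folders with forward slashes. Use `/` so the targets resolve as relative URLs and the two files stay consistent. Three smaller points: the entry "Configure endpoints using System Security Configuration Manager" points at a `-sccm-` file and the Antivirus section names the product "System Center Configuration Manager", so the title looks wrong; the three entries under "Deep analysis" use seven `#` characters, one more than the six heading levels Markdown defines; and the file ends without a trailing newline.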
diff --git a/windows/keep-secure/block-untrusted-fonts-in-enterprise.md b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md
similarity index 100%
rename from windows/keep-secure/block-untrusted-fonts-in-enterprise.md
rename to windows/threat-protection/block-untrusted-fonts-in-enterprise.md
diff --git a/windows/threat-protection/change-history-for-threat-protection.md b/windows/threat-protection/change-history-for-threat-protection.md
new file mode 100644
index 0000000000..94f62ff897
--- /dev/null
+++ b/windows/threat-protection/change-history-for-threat-protection.md
@@ -0,0 +1,26 @@
+---
+title: Change history for threat protection (Windows 10)
+description: This topic lists new and updated topics in the Windows 10 threat protection documentation for Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Change history for threat protection
+This topic lists new and updated topics in the [Threat protection](index.md) documentation.
+
+## March 2017
+|New or changed topic |Description |
+|---------------------|------------|
+|[Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)|Updated based on Windows 10, version 1703.|
+|[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New |
+|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
+|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) |Updated based on Windows 10, version 1703. |
+|[Deploy your Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md) |Updated based on Windows 10, version 1703.
+|[Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703.|
+|[Windows Defender SmartScreen overview](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)|New |
+|[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)|New |
+|[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)|New |
+|[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Explains how mitigations in the Enhanced Mitigation Experience Toolkit (EMET) relate to those in Windows 10. |
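Review bot: The row for "Deploy your Windows Information Protection (WIP) policy using Microsoft Intune" ends at `Updated based on Windows 10, version 1703.` with no closing `|`, unlike every other row in the table; add the trailing pipe so the row is well-formed. The table header also starts on the line immediately after `## March 2017`; put a blank line between the heading and the table, since some Markdown renderers need one. The link targets use backslashes (`windows-information-protection\...`) and should use `/`. The first row titles create-vpn-and-wip-policy-using-intune.md as "Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune", which does not match the title TOC.md gives the same file in this patch; pick one.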
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
new file mode 100644
index 0000000000..5614b0a94c
--- /dev/null
+++ b/windows/threat-protection/docfx.json
@@ -0,0 +1,41 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg",
+ "**/*.gif"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ },
+ "fileMetadata": {},
+ "template": [],
+ "dest": "win-threat-protection"
+ }
+}
\ No newline at end of file
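Review bot: `dest` is set to `win-threat-protection`, while the windows/plan/docfx.json added in this same patch uses the full prefix (`windows-plan`). Confirm the abbreviated name is what the publishing configuration expects, or rename it for consistency, because a mismatch here changes the output location. `breadcrumb_path` is hard-coded to `/windows/windows-10/breadcrumb/toc.json`; confirm that path exists for the new threat-protection docset. The file also ends without a trailing newline.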
diff --git a/windows/keep-secure/images/capi-gpo.png b/windows/threat-protection/images/capi-gpo.png
similarity index 100%
rename from windows/keep-secure/images/capi-gpo.png
rename to windows/threat-protection/images/capi-gpo.png
diff --git a/windows/keep-secure/images/gp-process-mitigation-options-bit-flag-image.png b/windows/threat-protection/images/gp-process-mitigation-options-bit-flag-image.png
similarity index 100%
rename from windows/keep-secure/images/gp-process-mitigation-options-bit-flag-image.png
rename to windows/threat-protection/images/gp-process-mitigation-options-bit-flag-image.png
diff --git a/windows/keep-secure/images/gp-process-mitigation-options-show.png b/windows/threat-protection/images/gp-process-mitigation-options-show.png
similarity index 100%
rename from windows/keep-secure/images/gp-process-mitigation-options-show.png
rename to windows/threat-protection/images/gp-process-mitigation-options-show.png
diff --git a/windows/keep-secure/images/gp-process-mitigation-options.png b/windows/threat-protection/images/gp-process-mitigation-options.png
similarity index 100%
rename from windows/keep-secure/images/gp-process-mitigation-options.png
rename to windows/threat-protection/images/gp-process-mitigation-options.png
diff --git a/windows/keep-secure/images/runkey.png b/windows/threat-protection/images/runkey.png
similarity index 100%
rename from windows/keep-secure/images/runkey.png
rename to windows/threat-protection/images/runkey.png
diff --git a/windows/keep-secure/images/runoncekey.png b/windows/threat-protection/images/runoncekey.png
similarity index 100%
rename from windows/keep-secure/images/runoncekey.png
rename to windows/threat-protection/images/runoncekey.png
diff --git a/windows/keep-secure/images/security-fig4-aslr.png b/windows/threat-protection/images/security-fig4-aslr.png
similarity index 100%
rename from windows/keep-secure/images/security-fig4-aslr.png
rename to windows/threat-protection/images/security-fig4-aslr.png
diff --git a/windows/keep-secure/images/security-fig5-dep.png b/windows/threat-protection/images/security-fig5-dep.png
similarity index 100%
rename from windows/keep-secure/images/security-fig5-dep.png
rename to windows/threat-protection/images/security-fig5-dep.png
diff --git a/windows/keep-secure/images/threat-mitigations-pre-breach-post-breach-conceptual.png b/windows/threat-protection/images/threat-mitigations-pre-breach-post-breach-conceptual.png
similarity index 100%
rename from windows/keep-secure/images/threat-mitigations-pre-breach-post-breach-conceptual.png
rename to windows/threat-protection/images/threat-mitigations-pre-breach-post-breach-conceptual.png
diff --git a/windows/keep-secure/images/wef-client-config.png b/windows/threat-protection/images/wef-client-config.png
similarity index 100%
rename from windows/keep-secure/images/wef-client-config.png
rename to windows/threat-protection/images/wef-client-config.png
diff --git a/windows/threat-protection/index.md b/windows/threat-protection/index.md
new file mode 100644
index 0000000000..77a4201aad
--- /dev/null
+++ b/windows/threat-protection/index.md
@@ -0,0 +1,24 @@
+---
+title: Threat Protection (Windows 10)
+description: Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Threat Protection
+
+Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
+
+| Section | Description |
+|-|-|
+| [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) | Learn more about mitigating threats in Windows 10. |
+| [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. |
+| [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)| Provides information about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
+| [Windows Defender Antivirus](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)| Provides information about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
+|[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Learn more about how to help protect against potential corporate data leakage. |
+| [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) | Learn more about Windows Defender SmartScreen. |
+| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
+| [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. |
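Review bot: In the "Block untrusted fonts in an enterprise" row, "EOP" appears without being expanded, "attacker controlled" is missing its hyphen, and the Windows path is written `%windir%/Fonts` with a forward slash. Spell out elevation of privilege (EOP) on first use, write "attacker-controlled", and use `%windir%\Fonts`. In the Windows Defender Antivirus row the description calls the product "Windows Defender" while the link text says "Windows Defender Antivirus"; use the same name in both. The row order also differs from the section order in TOC.md, which is worth aligning.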
diff --git a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md b/windows/threat-protection/override-mitigation-options-for-app-related-security-policies.md
similarity index 99%
rename from windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
rename to windows/threat-protection/override-mitigation-options-for-app-related-security-policies.md
index 1412786961..e207ba506e 100644
--- a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/threat-protection/override-mitigation-options-for-app-related-security-policies.md
@@ -28,8 +28,7 @@ The Group Policy settings in this topic are related to three types of process mi
- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection).
-- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization).
-
+- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization).
To find additional ASLR protections in the table below, look for `IMAGES` or `ASLR`.
The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings.
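Review bot: Removing the blank line after the ASLR bullet means that, unless it is indented, "To find additional ASLR protections in the table below..." becomes a lazy continuation of that list item in Markdown and renders inside the bullet instead of as its own paragraph. If the nesting is intended, indent the sentence to make it explicit; otherwise keep the blank line. The removed and added ASLR bullet lines read identically here, so the rest of the change looks like whitespace only; worth confirming nothing else was meant.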
diff --git a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
similarity index 50%
rename from windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
rename to windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 718ca488fb..a23616e9a6 100644
--- a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -14,32 +14,32 @@ author: justinha
**Applies to:**
- Windows 10
-This topic provides an overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related types of protection offered by Windows and Office, see [Related topics](#related-topics).
+This topic provides an overview of some of the software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related types of protection offered by Microsoft, see [Related topics](#related-topics).
| **Section** | **Contents** |
|--------------|-------------------------|
-| [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines the basic ways that Windows 10 is designed to mitigate software exploits and similar threats. |
+| [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats. |
| [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). |
-| [Windows 10 mitigations that need no configuration](#windows-10-mitigations-that-need-no-configuration) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. |
-| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | For IT professionals who are familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/en-us/kb/2458544), describes how the mitigations in EMET correspond to features built into Windows 10. It also describes how to convert an XML settings file created in EMET into mitigation policies for Windows 10. |
+| [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. |
+| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. |
This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration:
-**Figure 1. Device protection and threat resistance as part of the Windows 10 security defenses**
+*Figure 1. Device protection and threat resistance as part of the Windows 10 security defenses*
## The security threat landscape
-Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks and the personal enjoyment of temporarily taking a system offline. Since then, attacker’s motives have shifted toward monetizing their attacks, which includes holding machines and data hostage until the owners pay the demanded ransom, and exploiting the valuable information the attackers discover for monetary gain. Unlike these examples, modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that results in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets, seemingly unlimited human resources, and unknown motives. Threats like these require a different approach and mitigations that can meet the challenge.
+Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of of temporarily taking a system offline. Since then, attacker’s motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge.
-In recognition of this landscape, Windows 10, version 1703 includes multiple security features that were created to make it difficult (and costly) to find and exploit software vulnerabilities. These features are designed to:
+In recognition of this landscape, Windows 10 Creator's Update (Windows 10, version 1703) includes multiple security features that were created to make it difficult (and costly) to find and exploit many software vulnerabilities. These features are designed to:
- Eliminate entire classes of vulnerabilities
- Break exploitation techniques
-- Contain damage and prevent persistence
+- Contain the damage and prevent persistence
- Limit the window of opportunity to exploit
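Review bot: The rewritten threat landscape paragraph has a doubled word, "the thrill of of temporarily taking a system offline", and "attacker’s motives" should be the plural possessive "attackers’ motives" (carried over from the old text). In the next added line the product name is "Windows 10 Creators Update", without an apostrophe. The contents table now links to `#mitigations-that-are-built-in-to-windows-10`; check that the section heading itself is renamed in the same change so the anchor resolves.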
@@ -47,48 +47,46 @@ The following sections provide more detail about security mitigations in Windows
## Windows 10 mitigations that you can configure
-Windows 10 mitigations that you can configure are listed in the following two tables. The first table focuses on features such as Device Guard, and the second table describes memory protection options such as Data Execution Prevention. Memory protection options provide specific mitigations against malware that attempts to manipulate memory to gain control of a system.
+Windows 10 mitigations that you can configure are listed in the following two tables. The first table covers a wide array of protections for devices and users across the enterprise and the second table drills down into specific memory protections such as Data Execution Prevention. Memory protection options provide specific mitigations against malware that attempts to manipulate memory in order to gain control of a system.
**Table 1 Windows 10 mitigations that you can configure**
| Mitigation and corresponding threat | Description and links |
|---|---|
-| **Windows Defender SmartScreen**, which helps prevent malicious applications from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.
**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
-| **Credential Guard**, which helps keep attackers from gaining access through Pass-the-Hash or Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them. Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Protect derived domain credentials with Credential Guard](credential-guard.md) |
-| **Enterprise certificate pinning**, which helps keep users from being deceived by man-in-the-middle attacks that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its legitimate Certification Authority, either root or leaf.
**More information**: [Enterprise Certificate Pinning](enterprise-certificate-pinning.md) |
-| **Device Guard**, which helps keep a device from running malware or other untrusted apps | Device Guard includes Code Integrity policies, a whitelist you create of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain entrance to the kernel. Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) |
-| **Windows Defender Antivirus**, which helps keep devices free of viruses and other known software threats | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.
**More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic |
-| **Blocking of untrusted fonts**, which helps prevent fonts from being used in elevation-of-privilege attacks | The Block Untrusted Fonts setting allows you to prevent users from loading untrusted fonts onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).
**More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |
-| **Memory protections** listed in [Table 2](#table-2), which help prevent malware from using memory manipulation techniques such as buffer overruns | This set of mitigations helps to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system. For example, malware might use buffer overruns to inject malicious executable code into memory. A minority of trusted apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing needed apps to run correctly.
**More information**: [Table 2](#table-2), later in this topic |
-| **UEFI Secure Boot**, which helps protect the platform from bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot helps to protect the boot process and firmware from tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.
**More information**: [UEFI and Secure Boot](bitlocker-countermeasures.md#uefi-and-secure-boot) |
-| **Early Launch Antimalware (ELAM)**, which helps protect the platform from rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.
**More information**: [Early Launch Antimalware](bitlocker-countermeasures.md#protection-during-startup) |
-| **Device Health Attestation**, which helps prevent compromised devices from accessing an organization’s assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.
**More information**: [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) and [Device Health Attestation](https://technet.microsoft.com/windows-server-docs/security/device-health-attestation) |
+| **Windows Defender SmartScreen** helps prevent malicious applications from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.
**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
+| **Credential Guard** helps keep attackers from gaining access through Pass-the-Hash or Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them. Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) |
+| **Enterprise certificate pinning** helps prevent man-in-the-middle attacks that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.
**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
+| **Device Guard** helps keep a device from running malware or other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel. Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
+| **Windows Defender Antivirus**, which helps keep devices free of viruses and other malware | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.
**More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic |
+| **Blocking of untrusted fonts** helps prevent fonts from being used in elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).
**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) |
+| **Memory protections** help prevent malware from using memory manipulation techniques such as buffer overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note: A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.
**More information**: [Table 2](#table-2), later in this topic |
+| **UEFI Secure Boot** helps protect the platform from bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.
**More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot) |
+| **Early Launch Antimalware (ELAM)** helps protect the platform from rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.
**More information**: [Early Launch Antimalware](/windows/device-security/bitlocker/bitlocker-countermeasures#protection-during-startup) |
+| **Device Health Attestation** helps prevent compromised devices from accessing an organization’s assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.
**More information**: [Control the health of Windows 10-based devices](/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices) and [Device Health Attestation](https://technet.microsoft.com/windows-server-docs/security/device-health-attestation) |
-Configurable Windows 10 mitigations oriented specifically toward memory manipulation are listed in the following table. Detailed understanding of these threats and mitigations requires knowledge of how the operating system and applications handle memory—knowledge used by developers but not necessarily by IT professionals. However, from an IT professional’s perspective, the basic process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any needed applications. Then you can deploy settings that maximize protection while still allowing needed apps to run correctly.
+Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth understanding of these threats and mitigations and knowledge about how the operating system and applications handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any applications that you use so that you can deploy settings that maximize protection while still allowing apps to run correctly.
-Also, as an IT professional, you can ask application developers and software vendors to deliver applications compiled with an additional protection called Control Flow Guard (CFG). No configuration is needed in the operating system—the protection is compiled into applications, as described in [Control Flow Guard](#control-flow-guard), later in this topic.
+As an IT professional, you can ask application developers and software vendors to deliver applications that include an additional protection called Control Flow Guard (CFG). No configuration is needed in the operating system—the protection is compiled into applications. More information can be found in [Control Flow Guard](#control-flow-guard).
-### Table 2 Configurable Windows 10 mitigations designed to protect against memory exploits
+### Table 2 Configurable Windows 10 mitigations designed to help protect against memory exploits
| Mitigation and corresponding threat | Description |
|---|---|
-| **Data Execution Prevention (DEP),** which helps prevent exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature that has been available in Windows operating systems for over a decade. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, the vast majority of applications do not. For more information, see [Data Execution Prevention](#data-execution-prevention), later in this topic.
**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure additional DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
-| **SEHOP**, which helps prevent overwrites of the Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. Although some applications have compatibility problems with SEHOP, the vast majority of applications do not. For more information, see [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.
**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure additional SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
-| **ASLR**, which mitigates malware attacks based on expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This mitigates malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.
**Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure additional ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
+| **Data Execution Prevention (DEP)** helps prevent exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, the vast majority of applications do not. **More information**: [Data Execution Prevention](#data-execution-prevention), later in this topic.
**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure additional DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
+| **SEHOP** helps prevent overwrites of the Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to help block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. A few applications have compatibility problems with SEHOP, so be sure to test for your environment. **More information**: [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.
**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure additional SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
+| **ASLR** helps mitigate malware attacks based on expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This helps mitigate malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded. **More information**: [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.
**Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure additional ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
### Windows Defender SmartScreen
Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps protect them against unsafe downloads or make informed decisions about downloads.
-Starting with Windows Internet Explorer 8, the SmartScreen Filter has helped protect users from both malicious applications and nefarious websites by using the SmartScreen Filter’s application and URL reputation services. The SmartScreen Filter in Internet Explorer would check URLs and newly downloaded apps against an online reputation service that Microsoft maintained. If the app or URL were not known to be safe, SmartScreen Filter would warn the user or even prevent the app or URL from loading, depending on how systems administrators had configured Group Policy settings.
+For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
-For Windows 10, Microsoft further developed SmartScreen, now called Windows Defender SmartScreen, by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
-
-For more information, see [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md).
+For more information, see [Windows Defender SmartScreen overview](windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
### Windows Defender Antivirus
-Windows included Windows Defender Antivirus, a robust inbox antimalware solution, starting with Windows 8, when it was called Windows Defender. With Windows 10, Microsoft significantly improved Windows Defender Antivirus. Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware:
+Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware:
- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates.
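Review bot: The blank line that separated the SmartScreen paragraph from "For more information, see ..." is removed together with the old link and is not added back, so in rendered Markdown the link sentence will join the end of the preceding paragraph; re-add an empty line before the new "For more information" line. In the Windows Defender Antivirus intro, removing the history leaves "uses a multi-pronged approach to improve antimalware" with nothing to improve on; consider "to improve antimalware protection" or simply "to protect against malware".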
@@ -102,19 +100,17 @@ Windows included Windows Defender Antivirus, a robust inbox antimalware solution
-For more information, see [Windows Defender in Windows 10](windows-defender-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
+For more information, see [Windows Defender in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
For information about Windows Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Windows Defender Advanced Threat Protection (ATP)](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-advanced-threat-protection) (documentation).
### Data Execution Prevention
-Malware depends on its ability to put a malicious payload into memory with the hope that it will be executed later. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information?
+Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information?
-Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted within through a vulnerability exploit.
+Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted by means of a vulnerability exploit.
-Because of the importance of DEP, users cannot install Windows 10 on a computer that does not have DEP capability. Fortunately, most processors released since the mid-2000s support DEP.
-
-**To use Task Manager to see which apps use DEP**
+**To use Task Manager to see apps that use DEP**
1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen.
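Review bot: The reworded DEP sentence still says the No eXecute bit is used to "mark blocks of memory as read-only", but the NX bit marks memory as non-executable, which is a different property from read-only; since this line is being edited anyway, suggest "mark blocks of memory as non-executable so that those blocks can't be used to execute malicious code". Also in this hunk, the link target now points to windows-defender-antivirus-in-windows-10.md while the link text still reads "Windows Defender in Windows 10", and the deleted sentence about DEP capability being required to install Windows 10 was the only place this section stated that requirement; confirm the removal is intentional.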
@@ -126,13 +122,13 @@ Because of the importance of DEP, users cannot install Windows 10 on a computer
5. Click **OK**.
-You can now see which processes have DEP enabled. Figure 2 shows the processes running on a Windows 10 PC with a single process that does not support DEP.
+You can now see which processes have DEP enabled.

-**Figure 2. Processes on which DEP has been enabled in Windows 10**
+*Figure 2. Processes on which DEP has been enabled in Windows 10*
You can use Control Panel to view or change DEP settings.
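Review bot: The Figure 2 caption changes from bold to italic here, but the Figure 3 caption later in the same topic ("**Figure 3. ASLR at work**") is left bold, so the two captions will render differently; pick one style and apply it to both. The removed sentence was also the only text that referred to Figure 2 and said what to look for in it (a single process that does not support DEP), so the figure now appears with no reference from the body text.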
@@ -154,17 +150,17 @@ You can use Control Panel to view or change DEP settings.
#### To use Group Policy to control DEP settings
-You can use the Group Policy setting called **Process Mitigation Options** to control DEP settings. Although some applications have compatibility problems with DEP, the vast majority of applications do not. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
+You can use the Group Policy setting called **Process Mitigation Options** to control DEP settings. A few applications have compatibility problems with DEP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
### Structured Exception Handling Overwrite Protection
Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handler](https://msdn.microsoft.com/library/windows/desktop/ms680657(v=vs.85).aspx) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements.
-You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. Although some applications have compatibility problems with SEHOP, the vast majority of applications do not. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
+You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. A few applications have compatibility problems with SEHOP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
### Address Space Layout Randomization
-One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations.
+One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. Any malware that could write directly to the system memory could simply overwrite it in well-known and predictable locations.
Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts.
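Review bot: In the ASLR introduction, dropping "In the early days of operating systems" leaves "Any malware that could write directly to the system memory could simply overwrite it in well-known and predictable locations" with no time frame or condition, so it reads as a description of current Windows rather than of the situation ASLR addresses. Suggest tying it to the condition explicitly, for example "Without ASLR, malware that can write directly to system memory can overwrite it at well-known, predictable locations." For the DEP and SEHOP paragraphs, "be sure to test for your environment" would be more useful with a pointer to how to test, if the linked Process Mitigation Options topic covers that.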
@@ -172,29 +168,27 @@ Address Space Layout Randomization (ASLR) makes that type of attack much more di
**Figure 3. ASLR at work**
-Although the ASLR implementation in Windows 7 was effective, it wasn’t applied holistically across the operating system, and the level of entropy (cryptographic randomization) wasn’t always at the highest possible level. To decrease the likelihood that sophisticated attacks such as heap spraying could succeed, starting with Windows 8, Microsoft applied ASLR holistically across the system and increased the level of entropy many times.
-
-The ASLR implementation in Windows 10 is greatly improved over Windows 7, especially with 64-bit system and application processes that can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another.
+Windows 10 applies ASLR holistically across the system and increases the level of entropy many times compared with previous versions of Windows to combat sophisticated attacks such as heap spraying. 64-bit system and application processes can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another.
You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings (“Force ASLR” and “Bottom-up ASLR”), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
-## Windows 10 mitigations that need no configuration
+## Mitigations that are built in to Windows 10
-Windows 10 provides many threat mitigations that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations.
+Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations.
-One of the mitigations, Control Flow Guard (CFG), needs no configuration within the operating system, but does require that the application developer configure the mitigation into the application when it’s compiled. CFG is built into Microsoft Edge, IE11, and other features in Windows 10, and can be built into many other applications when they are compiled.
+Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require that an application developer configure the mitigation into the application when it’s compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled.
### Table 3 Windows 10 mitigations to protect against memory exploits – no configuration needed
| Mitigation and corresponding threat | Description |
|---|---|
-| **SMB hardening for SYSVOL and NETLOGON shares**, which mitigates man-in-the-middle attacks | Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).
**More information**: [SMB hardening improvements for SYSVOL and NETLOGON shares](#smb-hardening-improvements-for-sysvol-and-netlogon-shares), later in this topic. |
-| **Protected Processes**, which help prevent one process from tampering with another process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed.
**More information**: [Protected Processes](#protected-processes), later in this topic. |
-| **Universal Windows apps protections**, which screen downloadable apps and run them in an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.
**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. |
-| **Heap protections**, which help prevent exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.
**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. |
-| **Kernel pool protections**, which help prevent exploitation of pool memory used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations to create an attack.
**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. |
-| **Control Flow Guard**, which mitigates exploits that are based on flow between code locations in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead can be built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other features in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015. For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. Administrators can request software vendors to deliver Windows applications compiled with CFG enabled.
**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
-| **Protections built into Microsoft Edge** (the browser), which mitigate multiple threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.
**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. |
+| **SMB hardening for SYSVOL and NETLOGON shares** helps mitigate man-in-the-middle attacks | Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).
**More information**: [SMB hardening improvements for SYSVOL and NETLOGON shares](#smb-hardening-improvements-for-sysvol-and-netlogon-shares), later in this topic. |
+| **Protected Processes** help prevent one process from tampering with another process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed.
**More information**: [Protected Processes](#protected-processes), later in this topic. |
+| **Universal Windows apps protections** screen downloadable apps and run them in an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.
**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. |
+| **Heap protections** help prevent exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.
**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. |
+| **Kernel pool protections** help prevent exploitation of pool memory used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.
**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. |
+| **Control Flow Guard** helps mitigate exploits that are based on flow between code locations in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015. For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.
**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
+| **Protections built into Microsoft Edge** (the browser) helps mitigate multiple threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.
**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. |
### SMB hardening improvements for SYSVOL and NETLOGON shares
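Review bot: In the new section intro, "threat mitigations to protect against exploits that are built into the operating system" attaches "built into the operating system" to the exploits rather than to the mitigations; suggest "Windows 10 provides many built-in threat mitigations that protect against exploits and need no configuration". In the last table row, "**Protections built into Microsoft Edge** (the browser) helps mitigate" needs "help" to agree with "Protections". The new heading uses "built in to" while the body text uses "built into", and the Table 3 title still says "no configuration needed" although the section heading no longer does.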
@@ -205,15 +199,15 @@ In Windows 10 and Windows Server 2016, client connections to the Active Director
### Protected Processes
-Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on any malware that might be running. Protected Processes creates limits of this type.
+Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on malware that gets on the device. Protected Processes creates limits of this type.
With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://msdn.microsoft.com/library/windows/desktop/dn313124(v=vs.85).aspx). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system.
### Universal Windows apps protections
-When users download Universal Windows apps or even Windows Classic applications (Win32) from the Windows Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
+When users download Universal Windows apps from the Windows Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
-Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Unlike Windows Classic applications, which can run with elevated privileges and have potentially sweeping access to the system and data, Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission.
+Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission.
In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher.
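Review bot: In the Universal Windows apps paragraph, removing the comparison with Windows Classic applications leaves "they can use them with increased confidence" with nothing to compare against; either drop "increased" or say briefly what the AppContainer sandbox is being contrasted with. In the Protected Processes paragraph, the new wording "malware that gets on the device" sits next to the unchanged "malware that does manage to get on the system" in the following paragraph; use one term.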
@@ -221,7 +215,7 @@ In addition, all Universal Windows apps follow the security principle of least p
The *heap* is a location in memory that Windows uses to store dynamic application data. Windows 10 continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part of an attack.
-Windows 10 has several important improvements to the security of the heap over Windows 7:
+Windows 10 has several important improvements to the security of the heap:
- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption.
@@ -241,9 +235,9 @@ In addition to pool hardening, Windows 10 includes other kernel hardening featur
- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.)
-- **Supervisor Mode Execution Prevention (SMEP)**: Prevents the kernel (the “supervisor”) from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support.
+- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the “supervisor”) from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support.
-- **Safe unlinking:** Protects against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process termination.
+- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process termination.
- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as “NULL dereference” to overwrite critical system data structures in memory.
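Review bot: The SMEP and Safe unlinking bullets are softened to "Helps prevent" and "Helps protect", but the NTVDM bullet in the same list still states that disabling NTVDM "neutralizes the associated vulnerabilities"; if the intent is to avoid absolute claims, that bullet should be reworded as well. The Safe unlinking line is also the only bullet with the colon inside the bold markup ("**Safe unlinking:**"), and since the line is being changed it can be aligned with the others ("**Safe unlinking**:").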
@@ -253,13 +247,13 @@ When applications are loaded into memory, they are allocated space based on the
This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk.
-An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Administrators should consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://msdn.microsoft.com/library/windows/desktop/mt637065(v=vs.85).aspx).
+An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://msdn.microsoft.com/library/windows/desktop/mt637065(v=vs.85).aspx).
Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG.
### Microsoft Edge and Internet Explorer 11
-Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks.
+Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks.
All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority.
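Review bot: In the browser paragraph, replacing "number one" with "common" leaves the definite article behind, so "the common pathway from which malicious hackers initiate their attacks" reads as if there were only one; suggest "a common pathway". In the CFG paragraph, after the rewrite to "Consider asking application developers and software vendors ...", the following "For example, it can be enabled" has no clear antecedent in the sentence before it; "For example, CFG can be enabled" would be unambiguous.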
@@ -277,7 +271,7 @@ Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is m
In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security.
-For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when users use Microsoft Edge and it identifies a site that requires IE11, they will automatically be switched to IE11.
+For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11.
### Functions that software vendors can use to build mitigations into apps
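Review bot: The rewritten sentence is clearer, but the line it belongs to still has "enable Enterprise mode" next to "Enterprise Mode Site List", and "plug ins" without a hyphen; since the paragraph is being touched, use "Enterprise Mode" consistently and "plug-ins".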
@@ -302,9 +296,9 @@ Some of the protections available in Windows 10 are provided through functions t
## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit
-You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. If you are familiar with EMET, you can use this section to understand how those mitigations map to Windows 10. Many of EMET’s mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, are not considered durable, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10.
+You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET’s mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10.
-EMET has benefited many enterprise IT admins and other security enthusiasts and early adopters, yet has also fallen behind the pace of security innovation in Windows. For this reason and because many of EMET’s mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://technet.microsoft.com/security/jj653751)).
+Because many of EMET’s mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://technet.microsoft.com/security/jj653751)).
The following table lists EMET features in relation to Windows 10 features.
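Review bot: Removing "are not considered durable" from the list of reasons leaves a stray comma in "carry high performance cost, or appear to be relatively ineffective against modern threats"; with two items the comma before "or" should go. The phrase "which has since 2009 offered" in the same paragraph is unchanged and would read better as "which has offered a variety of exploit mitigations since 2009".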
@@ -325,21 +319,21 @@ to Windows 10 features
SEHOP
ASLR (Force ASLR, Bottom-up ASLR)
-
Included in Windows 10 as configurable features. See Table 2, earlier in this topic.
-
Also see the section that follows for steps you can take to convert your EMET settings for these features into policies that you can apply to Windows 10.
+
DEP, SEHOP and ASLR are included in Windows 10 as configurable features. See Table 2, earlier in this topic.
+
You can install the ProcessMitigations PowerShell module to convert your EMET settings for these features into policies that you can apply to Windows 10.
Load Library Check (LoadLib)
Memory Protection Check (MemProt)
-
Supported in Windows 10, for all applications that are written to use these functions. See Table 4, earlier in this topic.
+
LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See Table 4, earlier in this topic.
Null Page
-
No action needed; mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in Kernel pool protections, earlier in this topic.
+
Mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in Kernel pool protections, earlier in this topic.
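Review bot: The new DEP/SEHOP/ASLR cell tells readers they "can install the ProcessMitigations PowerShell module to convert your EMET settings" but drops the old pointer to "the section that follows", so the table no longer says where the conversion steps are; keep a cross-reference to that section. The same cell writes "DEP, SEHOP and ASLR" without the serial comma that the rest of the topic uses. In the Null Page cell, removing "No action needed;" is fine, but the LoadLib/MemProt and Null Page cells could state in the same way what, if anything, an administrator has to do.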
@@ -347,7 +341,7 @@ to Windows 10 features
EAF
EAF+
-
Windows 10 does not include mitigations that map specifically to these EMET features, because they are seen as low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.
+
Windows 10 does not include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.
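Review bot: Changing "because they are seen as low impact" to "because they have low impact" turns an assessment into a statement of fact about EAF and EAF+; if that is the intended position, fine, otherwise keep the attribution (for example "because Microsoft assesses them as low impact"). The comma before "and do not significantly increase" separates two verbs with the same subject and can be removed.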
@@ -371,12 +365,64 @@ One of EMET’s strengths is that it allows you to import and export configurati
Install-Module -Name ProcessMitigations
```
-The ConvertTo-ProcessMitigationPolicy cmdlet can:
+The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process, or it can save all settings to an XML file.
-- **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate an output file of Windows 10 mitigation settings. For example:
+To get the current settings on all running instances of notepad.exe:
+
+```powershell
+Get-ProcessMitigation -Name notepad.exe -RunningProcess
+```
+
+To get the current settings in the registry for notepad.exe:
+
+```powershell
+Get-ProcessMitigation -Name notepad.exe
+```
+
+To get the current settings for the running process with pid 1304:
+
+```powershell
+Get-ProcessMitigation -Id 1304
+```
+
+To get the all process mitigation settings from the registry and save them to the xml file settings.xml:
+
+```powershell
+Get-ProcessMitigation -RegistryConfigFilePath settings.xml
+```
+
+The Set-ProcessMitigation cmdlet can enable and disable process mitigations or set them in bulk from an XML file.
+
+To get the current process mitigation for "notepad.exe" from the registry and then enable MicrosoftSignedOnly and disable MandatoryASLR:
+
+```powershell
+Set-ProcessMitigation -Name Notepad.exe -Enable MicrosoftSignedOnly -Disable MandatoryASLR
+```
+
+To set the process mitigations from an XML file (which can be generated from get-ProcessMitigation -RegistryConfigFilePath settings.xml):
+
+```powershell
+Set-ProcessMitigation -PolicyFilePath settings.xml
+```
+
+To set the system default to be MicrosoftSignedOnly:
+
+```powershell
+Set-ProcessMitigation -System -Enable MicrosoftSignedOnly
+```
+
+The ConvertTo-ProcessMitigationPolicy cmdlet converts mitigation policy file formats. The syntax is:
+
+```powershell
+ConvertTo-ProcessMitigationPolicy -EMETFilePath -OutputFilePath []
+```
+
+Examples:
+
+- **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate a result file of Windows 10 mitigation settings. For example:
```powershell
- ConvertTo-ProcessMitigationPolicy -EMETfile emetpolicy.xml -output newconfiguration.xml
+ ConvertTo-ProcessMitigationPolicy -EMETFilePath policy.xml -OutputFilePath result.xml
```
- **Audit and modify the converted settings (the output file)**: Additional cmdlets let you apply, enumerate, enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables MandatoryASLR and DEPATL registry settings for Notepad:
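Review bot: The added syntax line `ConvertTo-ProcessMitigationPolicy -EMETFilePath -OutputFilePath []` has no value placeholders and ends in an empty pair of brackets, so both parameters read as switches; please restore the placeholders or drop the line in favour of the examples. The lead-in "To get the current process mitigation for "notepad.exe" from the registry and then enable MicrosoftSignedOnly and disable MandatoryASLR" describes a Set-ProcessMitigation call as a get, and the example turns MandatoryASLR off without saying it is illustrative only; a sentence noting that disabling a mitigation weakens that process would stop it being copied as a recommended setting. Smaller points: "To get the all process mitigation settings" has a stray "the", and `get-ProcessMitigation` in the Set-ProcessMitigation -PolicyFilePath lead-in should match the `Get-ProcessMitigation` casing used elsewhere in the hunk.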
@@ -385,25 +431,23 @@ The ConvertTo-ProcessMitigationPolicy cmdlet can:
Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL
```
-- **Convert Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections.
+- **Convert Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies). This will enable protections on Windows 10 equivalent to EMET’s ASR protections.
-- **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md). For example:
+- **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning). For example:
```powershell
- ConvertTo-ProcessMitigationPolicy -EMETfile certtrustrules.xml -output enterprisecertpinningrules.xml
+ ConvertTo-ProcessMitigationPolicy -EMETfilePath certtrustrules.xml -OutputFilePath enterprisecertpinningrules.xml
```
#### EMET-related products
-Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer enterprise deliveries for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (ATP).
+Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md) (ATP).
## Related topics
-- [Keep Windows 10 secure](index.md)
-- [Security technologies in Windows 10](security-technologies.md)
- [Security and Assurance in Windows Server 2016](https://technet.microsoft.com/windows-server-docs/security/security-and-assurance)
- [Windows Defender Advanced Threat Protection (ATP) - resources](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp)
-- [Windows Defender Advanced Threat Protection (ATP) - documentation](windows-defender-advanced-threat-protection.md)
+- [Windows Defender Advanced Threat Protection (ATP) - documentation](windows-defender-atp/windows-defender-advanced-threat-protection.md)
- [Exchange Online Advanced Threat Protection Service Description](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx)
- [Office 365 Advanced Threat Protection](https://products.office.com/en-us/exchange/online-email-threat-protection)
- [Microsoft Malware Protection Center](https://www.microsoft.com/en-us/security/portal/mmpc/default.aspx)
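Review bot: The certificate pinning example uses `-EMETfilePath` while the earlier example in the same topic uses `-EMETFilePath`; PowerShell accepts either, but the documentation should use one casing so readers can search for it. The link updates here are also mixed: the Device Guard and Enterprise Certificate Pinning links become site-absolute paths without the .md extension, while the Windows Defender ATP links stay relative with .md, so it is worth confirming that both forms resolve from the new windows/threat-protection location.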
diff --git a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md b/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md
similarity index 100%
rename from windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md
rename to windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md
diff --git a/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
similarity index 100%
rename from windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
diff --git a/windows/keep-secure/configuration-management-reference-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
similarity index 100%
rename from windows/keep-secure/configuration-management-reference-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
diff --git a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
similarity index 84%
rename from windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
index 1f2fa78b86..18065e7b67 100644
--- a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -50,15 +50,15 @@ For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.
Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
---|---|---|---
See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
-Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | `-DisableRestorePoint`
+Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
- Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precendence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
+ Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
Scan packed executables | Scan > Scan packed executables | Enabled | Not available
Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
- Specify the maximum CPU load (as a percentage) during a scan. This a theoretical maximum - scans will not always use the maximum load defined here, but they will never exceed it | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor`
- Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies not limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
+ Specify the maximum CPU load (as a percentage) during a scan. This is a maximum - scans will not always use the maximum load defined here, but they will never exceed it | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor`
+ Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
**Use Configuration Manager to configure scanning options:**
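Review bot: The first table row, kept as context here, still reads "See [Email scanning limitations](#ref1)) below" with an unbalanced closing parenthesis and no description of the setting itself; since this hunk is already a typo pass over the same table, fix it in the same change and give the cell a description such as the email scanning it controls. Replacing `-DisableRestorePoint` with "Not available" in the reparse point row is right, because that parameter name does not describe reparse point scanning.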
@@ -77,16 +77,16 @@ See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Scan
### Email scanning limitations
We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
-Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended method for scanning emails.
+Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails.
You can use this Group Policy to also enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
- DBX
- MBX
- MIME
-PST files used by Outlook 2003 or older (where the archive type is set to non-uni-code) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
+PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
-If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
+If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
- Email subject
- Attachment name
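Review bot: The last changed sentence now says "Windows Defender Antivirus detects a threat", but the PST paragraph changed two lines above it still says "Windows Defender cannot remediate threats detected inside PST files"; use the same product name in both so the remediation limitation is clearly attributed to the antivirus engine. The PST paragraph is already touched for the "non-unicode" fix, so the rename fits in this hunk.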
diff --git a/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
similarity index 100%
rename from windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
diff --git a/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
similarity index 97%
rename from windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
index ab5f73d845..09874321a0 100644
--- a/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
@@ -41,7 +41,7 @@ The default period that the file will be [blocked](configure-block-at-first-sigh
## Prerequisites to use the extended cloud block timeout
-The [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature and its prerequisites must be enabled before you can specifiy an extended timeout period.
+The [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature and its prerequisites must be enabled before you can specify an extended timeout period.
## Specify the extended timeout period
diff --git a/windows/keep-secure/configure-end-user-interaction-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
similarity index 100%
rename from windows/keep-secure/configure-end-user-interaction-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
diff --git a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
similarity index 96%
rename from windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
index 874d94951f..db1498b7bd 100644
--- a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
@@ -35,7 +35,7 @@ author: iaanw
You can exclude certain files, folders, processes, and process-opened files from being scanned by Windows Defender Antivirus.
-The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only aply to real-time protection.
+The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization.
diff --git a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
similarity index 100%
rename from windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
diff --git a/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
similarity index 98%
rename from windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
index 58d8075e0c..728b747ccb 100644
--- a/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -78,7 +78,7 @@ Scan | Configure local setting override for the scan type to use for a scheduled
You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md).
-By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate GPO that you have deployed on your network. Where there are conflicts, the globally defined list takes precendence.
+By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate GPO that you have deployed on your network. Where there are conflicts, the globally defined list takes precedence.
You can disable this setting to ensure that only globally defined lists (such as those from any deployed GPOs) are used.
diff --git a/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
similarity index 96%
rename from windows/keep-secure/configure-network-connections-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index 21303b1d7c..8abb221880 100644
--- a/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -26,7 +26,7 @@ author: iaanw
To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
-This topic lists the connections that must be allowed, including firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services.
+This topic lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services.
See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity.
@@ -167,7 +167,7 @@ If you are using Microsoft Edge, you'll also see a notification message:

-A similar message occurs if you are uding Internet Explorer:
+A similar message occurs if you are using Internet Explorer:

diff --git a/windows/keep-secure/configure-notifications-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
similarity index 98%
rename from windows/keep-secure/configure-notifications-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index 2244318943..a692199439 100644
--- a/windows/keep-secure/configure-notifications-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -31,7 +31,7 @@ In Windows 10, application notifications about malware detection and remediation
Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals.
-You can also configure how standard notifications appear on endpoints, such as notfications for reboot or when a threat has been detected and remediated.
+You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated.
## Configure the additional notifications that appear on endpoints
diff --git a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
similarity index 99%
rename from windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index e1043e17fc..50dbbe12a6 100644
--- a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -89,7 +89,7 @@ You can [configure how locally and globally defined exclusions lists are merged]
**Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:**
-Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess' parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
+Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
The format for the cmdlets is:
diff --git a/windows/keep-secure/configure-protection-features-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
similarity index 100%
rename from windows/keep-secure/configure-protection-features-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
diff --git a/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
similarity index 92%
rename from windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
index 6b0d0a8a25..677e0883be 100644
--- a/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
@@ -37,7 +37,7 @@ author: iaanw
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
-These activities include events such as processes making unusual changes to existing files, modifiying or creating automatic startup registry keys and startup locations (also known as auto-start extensibilty points, or ASEPs), and other changes to the file system or file structure.
+These activities include events such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.
## Configure and enable always-on protection
@@ -65,10 +65,10 @@ Real-time protection | Monitor file and program activity on your computer | The
Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to Windows Defender SmartScreen filter, which scans files before and during downloading | Enabled
Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the AV engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled
Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
-Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analysed by behavior monitoring | Enabled
+Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled
-Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes.
-Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled (both directions)
+Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions)
+Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled
Root | Allow antimalware service to startup with normal priority | You can lower the priority of the AV engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender AV to still run. This lowers the protection on the endpoint. | Disabled
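Review bot: Moving "Enabled (both directions)" onto the "Configure monitoring for incoming and outgoing file and program activity" row fixes the shifted default column, but the neighbouring row "Define the maximum size of downloaded files and attachments to be scanned" still lists its default as "Enabled" for a setting whose description says the value is a size in kilobytes. While correcting the defaults in this table, state the actual default size or say that no limit applies, so readers can tell whether large downloads are scanned.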
@@ -81,7 +81,7 @@ Root | Allow antimalware service to remain running always | If protection update
The main real-time protection capability is enabled by default, but you can disable it with Group Policy:
-**Use Group Policy to diasble real-time protection:**
+**Use Group Policy to disable real-time protection:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
diff --git a/windows/keep-secure/configure-remediation-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
similarity index 97%
rename from windows/keep-secure/configure-remediation-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
index ea6dd93746..b664d78cdf 100644
--- a/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
@@ -39,7 +39,7 @@ You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.micr
## Configure remediation options
-You can configure how remediation with the Group Policy settings described in this section.
+You can configure how remediation works with the Group Policy settings described in this section.
To configure these settings:
diff --git a/windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
similarity index 100%
rename from windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
diff --git a/windows/keep-secure/configure-windows-defender-antivirus-features.md b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
similarity index 100%
rename from windows/keep-secure/configure-windows-defender-antivirus-features.md
rename to windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
diff --git a/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
similarity index 70%
rename from windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index ac57f3e615..fb622e18eb 100644
--- a/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -31,9 +31,9 @@ You can use Group Policy, PowerShell, and Windows Management Instrumentation (WM
Topic | Description
---|---
-[Exclude files and processes from scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
-[Configure email, removable storage, network, reparse point, and archive scanning](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender AV to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
-[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quaratine folder
+[Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
+[Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender AV to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
+[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
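Review bot: The first two rows now use the full target-topic titles as link text ("Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans", "Configure scanning options in Windows Defender AV"), while the remaining rows keep short task names such as "Configure scheduled scans" and "Review scan results". Pick one convention for the Topic column so the table reads consistently; if full titles are the goal, the other four rows need the same treatment in this change.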
diff --git a/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
similarity index 94%
rename from windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index 56578ebbbb..3a1c5ca1c6 100644
--- a/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -36,22 +36,20 @@ You'll also see additional links for:
> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-part antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
-Tool|Deployment options (1)|Management options (network-wide configuration and policy or baseline deployment) ([2](#fn2))|Reporting options
+Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
---|---|---|---
-System Center Configuration Manager ([3](#fn3))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
+System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
Microsoft Intune|[Deploy the Microsoft Intune client to endpoints][]|Use and deploy a [custom Intune policy][] and use the Intune console to [manage tasks][]|[Monitor endpoint protection in the Microsoft Intune administration console][]
Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][]
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
-1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager, current branch (for example, System Center Configuration Manager 2016) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager, current branch (2016). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for a table that describes the major differences. [(Return to table)](#ref1)
-
-1. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
+1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager, current branch (for example, System Center Configuration Manager 2016) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager, current branch (2016). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for a table that describes the major differences. [(Return to table)](#ref2)
-1. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref3)
-
+2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
+3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
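Review bot: All three renumbered footnotes now end with [(Return to table)](#ref2), where the removed lines used #ref1, #ref2 and #ref3. Confirm the table carries a single ref2 anchor; if it does not, keep one return anchor per footnote. In the header row, "Deployment options (2)" is still plain text while the other two markers are links ([3](#fn3) and [1](#fn1)), so make it [2](#fn2) to match. Two leftovers in the unchanged context are worth fixing in the same pass: the PowerShell row has `[Update-MpSignature] []` with a space between the brackets, which may keep the reference link from resolving, and the note above the table still reads "third-part antivirus products".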
diff --git a/windows/keep-secure/deploy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
similarity index 76%
rename from windows/keep-secure/deploy-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
index f81ce50c65..0f51f5cf85 100644
--- a/windows/keep-secure/deploy-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
@@ -27,7 +27,7 @@ author: iaanw
Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender AV protection.
-See the [(Deployment, managament, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref1) for instructions on how to enable protection with System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, Microsoft Intune, PowerShell cmdlets, and Windows Management Instruction (WMI).
+See the table in the [Deploy, manage, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md#ref2) topic for instructions on how to enable protection with System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, Microsoft Intune, PowerShell cmdlets, and Windows Management Instruction (WMI).
Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender AV protection, such as Virtual Desktop Infrastructure (VDI) environments.
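Review bot: The rewritten sentence still expands WMI as "Windows Management Instruction (WMI)"; the name is Windows Management Instrumentation, which is how the table this sentence links to spells it in its own row. Correct it here while the line is being replaced. The link now points at #ref2 in deploy-manage-report-windows-defender-antivirus.md, so check that the anchor exists on the table in that topic.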
@@ -37,4 +37,4 @@ The remaining topic in this section provides end-to-end advice and best practice
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
-- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrasructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
\ No newline at end of file
+- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
similarity index 96%
rename from windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index 6c2984299b..29c80abf0c 100644
--- a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -53,12 +53,12 @@ For Azure-based virtual machines, you can also review the [Install Endpoint Prot
There are three main steps in this guide to help roll out Windows Defender AV protection across your VDI:
1. [Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines (VMs) will use](#create-and-deploy-the-base-image)
-2. [Manage the base image and updates for your VMs](#manage-vms-and-base-image)
+2. [Manage the base image and updates for your VMs](#manage-your-vms-and-base-image)
3. [Configure the VMs for optimal protection and performance](#configure-endpoints-for-optimal-performance), including:
- [Randomize scheduled scans](#randomize-scheduled-scans)
- [Use quick scans](#use-quick-scans)
- [Prevent notifications](#prevent-notifications)
- - [Disable scans from occuring after every update](#disable-scans-after-an-update)
+ - [Disable scans from occurring after every update](#disable-scans-after-an-update)
- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
>[!IMPORTANT]
@@ -147,7 +147,7 @@ There are a number of settings that can help ensure optimal performance on your
- [Randomize scheduled scans](#randomize-scheduled-scans)
- [Use quick scans](#use-quick-scans)
- [Prevent notifications](#prevent-notifications)
- - [Disable scans from occuring after every update](#disable-scans-after-an-update)
+ - [Disable scans from occurring after every update](#disable-scans-after-an-update)
- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
These settings can be configured as part of creating your base image, or as a day-to-day management function of your VDI infrastructure or network.
@@ -157,7 +157,7 @@ These settings can be configured as part of creating your base image, or as a da
### Randomize scheduled scans
-Windows Defender AV supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjuction with [Disable scans from occuring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline).
+Windows Defender AV supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline).
Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md).
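Review bot: The replacement line fixes "conjuction" and "occuring" but leaves the parenthesis opened at "(especially when used in conjunction with" unclosed; the sentence ends with "(#scan-vms-that-have-been-offline)." where the only closing bracket belongs to the link. Add a closing parenthesis before the final period, as was done for the fallback source order sentence elsewhere in this patch.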
@@ -175,7 +175,7 @@ The start time of the scan itself is still based on the scheduled scan policy
5. Expand the tree to **Windows components > Windows Defender** and configure the following setting:
- 1. Double-click the **Randomize scheduled task times** setting and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the sechedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm.
+ 1. Double-click the **Randomize scheduled task times** setting and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm.
**Use Configuration Manager to randomize schedule scans:**
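Review bot: The bold heading in the trailing context, "Use Configuration Manager to randomize schedule scans:", still says "schedule scans" where the rest of the topic says "scheduled scans"; fix it alongside the "sechedule" correction on the changed line. On the changed line itself, "2.30pm", "2.33pm" and "2.14pm" would read more clearly as "2:30 PM" and so on.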
diff --git a/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
similarity index 100%
rename from windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
diff --git a/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
similarity index 97%
rename from windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index abdb360aef..98c5ae9865 100644
--- a/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -113,7 +113,7 @@ See the following for more information and allowed parameters:
> [!WARNING]
> Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
-5. Scoll down to the **Microsoft Active Protection Service** section and set the following settings:
+5. Scroll down to the **Microsoft Active Protection Service** section and set the following settings:
Setting | Set to
--|--
@@ -139,7 +139,7 @@ See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](http
3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
>[!NOTE]
->If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailble.
+>If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
## Related topics
@@ -150,4 +150,4 @@ See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](http
- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx)
- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
-- - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
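Review bot: The last line of this file is rewritten to drop the doubled list marker, but both the old and new versions carry "\ No newline at end of file". Since the line is being touched anyway, end the file with a newline so later appends do not show up as a change to this line.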
diff --git a/windows/keep-secure/evaluate-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
similarity index 100%
rename from windows/keep-secure/evaluate-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
diff --git a/windows/keep-secure/images/defender-updatedefs2.png b/windows/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png
similarity index 100%
rename from windows/keep-secure/images/defender-updatedefs2.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender-updatedefs2.png
diff --git a/windows/keep-secure/images/defender/client.png b/windows/threat-protection/windows-defender-antivirus/images/defender/client.png
similarity index 100%
rename from windows/keep-secure/images/defender/client.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/client.png
diff --git a/windows/keep-secure/images/defender/notification.png b/windows/threat-protection/windows-defender-antivirus/images/defender/notification.png
similarity index 100%
rename from windows/keep-secure/images/defender/notification.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/notification.png
diff --git a/windows/keep-secure/images/defender/sccm-wdo.png b/windows/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png
similarity index 100%
rename from windows/keep-secure/images/defender/sccm-wdo.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/sccm-wdo.png
diff --git a/windows/keep-secure/images/defender/wdav-bafs-edge.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-bafs-edge.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-edge.png
diff --git a/windows/keep-secure/images/defender/wdav-bafs-ie.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-bafs-ie.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-bafs-ie.png
diff --git a/windows/keep-secure/images/defender/wdav-extension-exclusions.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-extension-exclusions.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-extension-exclusions.png
diff --git a/windows/keep-secure/images/defender/wdav-get-mpthreat.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-get-mpthreat.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreat.png
diff --git a/windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-get-mpthreatdetection.png
diff --git a/windows/keep-secure/images/defender/wdav-headless-mode-1607.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-headless-mode-1607.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1607.png
diff --git a/windows/keep-secure/images/defender/wdav-headless-mode-1703.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-headless-mode-1703.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-1703.png
diff --git a/windows/keep-secure/images/defender/wdav-headless-mode-off-1703.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-headless-mode-off-1703.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-headless-mode-off-1703.png
diff --git a/windows/keep-secure/images/defender/wdav-history-wdsc.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-history-wdsc.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-history-wdsc.png
diff --git a/windows/keep-secure/images/defender/wdav-malware-detected.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-malware-detected.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-malware-detected.png
diff --git a/windows/keep-secure/images/defender/wdav-order-update-sources.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-order-update-sources.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-order-update-sources.png
diff --git a/windows/keep-secure/images/defender/wdav-path-exclusions.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-path-exclusions.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-path-exclusions.png
diff --git a/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-all.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-powershell-get-exclusions-all.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-all.png
diff --git a/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-powershell-get-exclusions-variable.png
diff --git a/windows/keep-secure/images/defender/wdav-process-exclusions.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-process-exclusions.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-process-exclusions.png
diff --git a/windows/keep-secure/images/defender/wdav-protection-settings-wdsc.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-protection-settings-wdsc.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png
diff --git a/windows/keep-secure/images/defender/wdav-quarantined-history-wdsc.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-quarantined-history-wdsc.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-quarantined-history-wdsc.png
diff --git a/windows/keep-secure/images/defender/wdav-settings-old.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-settings-old.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-settings-old.png
diff --git a/windows/keep-secure/images/defender/wdav-wdsc.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-wdsc.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc.png
diff --git a/windows/keep-secure/images/defender/wdav-windows-defender-app-old.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png
similarity index 100%
rename from windows/keep-secure/images/defender/wdav-windows-defender-app-old.png
rename to windows/threat-protection/windows-defender-antivirus/images/defender/wdav-windows-defender-app-old.png
diff --git a/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
similarity index 97%
rename from windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
index e1142eb8e3..9726dfceba 100644
--- a/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
@@ -61,7 +61,7 @@ You can use Group Policy, Configuration Manager, PowerShell cmdlets, and WMI to
4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
-**Use PowerShell cmdlets to to check for protection updates before running a scan:**
+**Use PowerShell cmdlets to check for protection updates before running a scan:**
Use the following cmdlets:
@@ -72,7 +72,7 @@ Set-MpPreference -CheckForSignaturesBeforeRunningScan
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
-**Use Windows Management Instruction (WMI) to to check for protection updates before running a scan**
+**Use Windows Management Instruction (WMI) to check for protection updates before running a scan**
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
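Review bot: the heading on the `+` line still expands WMI as "Windows Management Instruction"; the technology is named Windows Management Instrumentation. The line is already being touched to remove the doubled "to", so correct the expansion in the same change. The heading also lacks the trailing colon that the PowerShell heading in the previous hunk has (`...before running a scan:**`), which is worth aligning.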
diff --git a/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
similarity index 99%
rename from windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
index 7228604795..32920b478d 100644
--- a/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -92,7 +92,7 @@ See the following for more information and allowed parameters:
## Set the number of days before protection is reported as out-of-date
-You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
+You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)).
**Use Group Policy to specify the number of days before protection is considered out-of-date:**
diff --git a/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
similarity index 99%
rename from windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
index 28197fc0c6..feffc5c8b6 100644
--- a/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
@@ -52,7 +52,7 @@ You can also randomize the times when each endpoint checks and downloads protect
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
- 1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the nuber of hours between updates. Click **OK**.
+ 1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
diff --git a/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
similarity index 100%
rename from windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
diff --git a/windows/keep-secure/manage-updates-baselines-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
similarity index 100%
rename from windows/keep-secure/manage-updates-baselines-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
diff --git a/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
similarity index 96%
rename from windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
index 660d4049a7..b54cfd7521 100644
--- a/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
@@ -35,7 +35,7 @@ There are two settings that are particularly useful for these devices:
- Opt-in to Microsoft Update on mobile computers without a WSUS connection
- Prevent definition updates when running on battery power
-The following topics may also be useful in this situations:
+The following topics may also be useful in these situations:
- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
@@ -101,4 +101,4 @@ You can configure Windows Defender AV to only download protection updates when t
## Related topics
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
+- [Update and manage Windows Defender in Windows 10](deploy-manage-report-windows-defender-antivirus.md)
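Review bot: in the Related topics list, the link target changes to `deploy-manage-report-windows-defender-antivirus.md` but the link text is still "Update and manage Windows Defender in Windows 10", which was the title of the old `get-started-with-windows-defender-for-windows-10.md` topic. Update the text to the title of the topic it now points to, so readers are not sent to a deployment and reporting page from a link that promises an update guide.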
diff --git a/windows/keep-secure/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
similarity index 100%
rename from windows/keep-secure/prevent-end-user-interaction-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
diff --git a/windows/keep-secure/report-monitor-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
similarity index 55%
rename from windows/keep-secure/report-monitor-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
index c2a5ab14a1..2ace158d7c 100644
--- a/windows/keep-secure/report-monitor-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
@@ -26,11 +26,17 @@ There are a number of ways you can review protection status and alerts, dependin
-You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](ttps://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
+You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
-If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
+If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964766(v=vs.85).aspx).
-For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, managament, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref1).
+Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md).
+
+These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/en-us/library/windows/desktop/bb427443(v=vs.85).aspx). It is common practice for SIEMs to have connectors for Windows events. This technique allows for correlation of all security events from the machine in the SIEM.
+
+You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-malware).
+
+For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref2).
## Related topics
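Review bot: the added Windows events paragraph misspells the link text as "Security audting"; it should read "Security auditing". The rewritten SIEM sentence also drops the link to `troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids` in favour of a general MSDN page while keeping the text "Windows Defender client events", so someone building SIEM parsing rules no longer lands on the event ID table. The new paragraph links the troubleshooting topic only at its top level; consider restoring the anchor there. Please also confirm that the `#ref2` anchor exists in `deploy-manage-report-windows-defender-antivirus.md`, since the previous revision pointed at `#ref1`.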
diff --git a/windows/keep-secure/review-scan-results-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
similarity index 95%
rename from windows/keep-secure/review-scan-results-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
index aa7ec15eef..63d6ce419e 100644
--- a/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
@@ -32,7 +32,7 @@ author: iaanw
- Windows Defender Security Center app
-After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. You can also define
+After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results.
**Use Configuration Manager to review Windows Defender AV scan results:**
@@ -54,7 +54,7 @@ See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us
**Use PowerShell cmdlets to review Windows Defender AV scan results:**
-The following cmdlet will return each detection on the endpoint. If there are multiple detection of the same threat, each detection will be listed separately, based on the time of each detection:
+The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection:
```PowerShell
Get-MpThreatDetection
diff --git a/windows/keep-secure/run-scan-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
similarity index 92%
rename from windows/keep-secure/run-scan-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
index f494c10f93..4e29084ea1 100644
--- a/windows/keep-secure/run-scan-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
@@ -65,7 +65,7 @@ See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defen
**Use Configuration Manager to run a scan:**
-See [Antimalware and firewall tasks: How to perform an on-demance scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
+See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
diff --git a/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
similarity index 99%
rename from windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
index 50ca1d5359..a4826a52ae 100644
--- a/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -33,7 +33,7 @@ author: iaanw
-> [!IMPORTANT]
+> [!NOTE]
> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default.
@@ -201,7 +201,7 @@ Scan | Specify the time for a daily quick scan | Specify the number of minutes a
Use the following cmdlets:
```PowerShell
-Set-MpPreference Set-MpPreference -ScanScheduleQuickTime
+Set-MpPreference -ScanScheduleQuickTime
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
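Review bot: the corrected example `Set-MpPreference -ScanScheduleQuickTime` still passes no value, and the parameter requires one, so the line fails with a missing-argument error when copied as written. Add a placeholder for the time value after the parameter name, in the placeholder style used elsewhere in the topic, so the snippet shows what an administrator actually has to supply.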
diff --git a/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
similarity index 100%
rename from windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
diff --git a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
similarity index 98%
rename from windows/keep-secure/troubleshoot-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
index ebca8b01c8..4e7c275117 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
@@ -91,7 +91,7 @@ The table in this section lists the main Windows Defender Antivirus client event
Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
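Review bot: the doubled backslash in `User: <Domain>\\<User>` renders as a single backslash only where Markdown escaping is applied; if this row sits in raw HTML inside the event table, readers will see two backslashes in the field format. The same substitution is repeated for every event entry in this file, so check one rendered row before merging. The field is what analysts match against when parsing these events, so the documented format should show exactly one separator.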
@@ -133,7 +133,7 @@ The table in this section lists the main Windows Defender Antivirus client event
Customer scan
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Scan Time: <The duration of a scan.>
@@ -223,7 +223,7 @@ The table in this section lists the main Windows Defender Antivirus client event
Customer scan
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
@@ -267,7 +267,7 @@ The table in this section lists the main Windows Defender Antivirus client event
Customer scan
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
@@ -311,7 +311,7 @@ The table in this section lists the main Windows Defender Antivirus client event
Customer scan
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
@@ -403,7 +403,7 @@ Description of the error.
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
UAC
Status: <Status>
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Process Name: <Process in the PID>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
@@ -438,7 +438,7 @@ UAC
Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:
@@ -491,7 +491,7 @@ UAC
Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:
@@ -562,7 +562,7 @@ Description of the error.
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
@@ -607,7 +607,7 @@ Description of the error.
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
@@ -656,7 +656,7 @@ For more information please see the following:
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
@@ -701,7 +701,7 @@ For more information please see the following:
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
@@ -739,7 +739,7 @@ Description of the error.
Windows Defender has removed history of malware and other potentially unwanted software.
Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
@@ -771,7 +771,7 @@ Description of the error.
Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.
Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
@@ -847,7 +847,7 @@ For more information please see the following:
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
UAC
Status: <Status>
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Process Name: <Process in the PID>
Signature ID: Enumeration matching severity.
Signature Version: <Definition version>
@@ -925,7 +925,7 @@ For more information please see the following:
Remote attestation
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
UAC
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Process Name: <Process in the PID>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
@@ -1008,7 +1008,7 @@ For more information please see the following:
Remote attestation
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
UAC
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Process Name: <Process in the PID>
Action: <Action>, for example:
Clean: The resource was cleaned
@@ -1029,7 +1029,7 @@ Description of the error.
Engine Version: <Antimalware Engine version>
NOTE:
Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
-
Default Internet Explorer or Edge setting
+
Default Internet Explorer or Microsoft Edge setting
User Access Control settings
Chrome settings
Boot Control Data
@@ -1137,7 +1137,7 @@ For more information please see the following:
Remote attestation
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
UAC
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Process Name: <Process in the PID>
Action: <Action>, for example:
Clean: The resource was cleaned
@@ -1234,7 +1234,7 @@ For more information please see the following:
Remote attestation
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
UAC
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Process Name: <Process in the PID>
Action: <Action>, for example:
Clean: The resource was cleaned
@@ -1388,7 +1388,7 @@ Description of the error.
User action:
-
No action is necessary. The Windows Defenderclient is in a healthy state. This event is reported on an hourly basis.
+
No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.
Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
-
User: <Domain>\<User>
+
User: <Domain>\\<User>
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
@@ -2717,6 +2717,7 @@ This section provides the following information about Windows Defender Antivirus
- The error code
- The possible reason for the error
- Advice on what to do now
+
Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes.
diff --git a/windows/keep-secure/use-group-policy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
similarity index 89%
rename from windows/keep-secure/use-group-policy-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
index b9a28ec92a..661ce72277 100644
--- a/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
@@ -40,13 +40,13 @@ The following table in this topic lists the Group Policy settings available in W
Location | Setting | Documented in topic
---|---|---
Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
-Client interface | Display additional text to clients when they need to perform an action | [Configurethenotificationsthatappearonendpoints](configure-notifications-windows-defender-antivirus.md)
-Client interface | Suppress all notifications | [Configurethenotificationsthatappearonendpoints](configure-notifications-windows-defender-antivirus.md)
-Client interface | Suppresses reboot notifications | [Configurethenotificationsthatappearonendpoints](configure-notifications-windows-defender-antivirus.md)
-Exclusions | Extension Exclusions | [ConfigureandvalidateexclusionsinWindowsDefenderAVscans](configure-exclusions-windows-defender-antivirus.md)
-Exclusions | Path Exclusions | [ConfigureandvalidateexclusionsinWindowsDefenderAVscans](configure-exclusions-windows-defender-antivirus.md)
-Exclusions | Process Exclusions | [ConfigureandvalidateexclusionsinWindowsDefenderAVscans](configure-exclusions-windows-defender-antivirus.md)
-Exclusions | Turn off Auto Exclusions | [ConfigureandvalidateexclusionsinWindowsDefenderAVscans](configure-exclusions-windows-defender-antivirus.md)
+Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+Client interface | Suppress all notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+Client interface | Suppresses reboot notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+Exclusions | Extension Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Path Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Process Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
MAPS | Configure the 'Block at First Sight' feature | [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
@@ -63,14 +63,14 @@ Real-time protection | Configure local setting override for monitoring for incom
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Monitor file and program activity on your computer | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Scan all downloaded files and attachments | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn off real-time protection | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn on behavior monitoring | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn on process scanning whenever real-time protection is enabled | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn on raw volume write notifications | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Monitor file and program activity on your computer | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Scan all downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn off real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on behavior monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on raw volume write notifications | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
@@ -81,7 +81,7 @@ Reporting | Configure time out for detections in critically failed state | Not u
Reporting | Configure time out for detections in non-critical failed state | Not used
Reporting | Configure time out for detections in recently remediated state | Not used
Reporting | Configure time out for detections requiring additional action | Not used
-Reporting | Turn off enhanced notifications | [Configurethenotificationsthatappearonendpoints](configure-notifications-windows-defender-antivirus.md)
+Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
Root | Turn off Windows Defender Antivirus | Not used
Root | Define addresses to bypass proxy server | Not used
Root | Define proxy auto-config (.pac) for connecting to the network | Not used
@@ -103,7 +103,7 @@ Scan | Configure local setting override for scheduled scan time | [Prevent or al
Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
Scan | Create a system restore point | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
Scan | Turn on removal of items from scan history folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
-Scan | Turn on heuristics | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Scan | Turn on heuristics | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
Scan | Turn on e-mail scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Turn on reparse point scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
Scan | Run full scan on mapped network drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
diff --git a/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
similarity index 89%
rename from windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
index 2cf071feeb..d7904ec127 100644
--- a/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
@@ -16,7 +16,7 @@ author: iaanw
If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender AV.
-In both cases, the protection will be labelled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV.
+In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV.
See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
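Review bot: "In some cases" on the changed line leaves the reader unable to tell when the Endpoint Protection label applies. The preceding sentence names exactly two tools, System Center Configuration Manager and Microsoft Intune, so state which of them uses the label (or under what condition) rather than swapping "both" for "some".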
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
similarity index 82%
rename from windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
index d3d65aa3ad..ae1135c98c 100644
--- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -27,9 +27,9 @@ PowerShell cmdlets are most useful in Windows Server environments that don't rel
> [!NOTE]
> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
-Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that dployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
+Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
-You can [configure which settings can be overriden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
+You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
@@ -38,10 +38,11 @@ PowerShell is typically installed under the folder _%SystemRoot%\system32\Window
1. Click **Start**, type **powershell**, and press **Enter**.
2. Click **Windows PowerShell** to open the interface.
- > [!NOTE]
- > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
3. Enter the command and parameters.
+> [!NOTE]
+> You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+
To open online help for any of the cmdlets type the following:
```PowerShell
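Review bot: The administrator note now follows step 3, so a reader learns that an elevated session may be needed only after being told to enter the command. The note concerns how PowerShell is opened, which is steps 1 and 2; place it before step 1, or keep it under step 2 with indentation that does not break the numbered list.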
diff --git a/windows/keep-secure/use-wmi-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
similarity index 72%
rename from windows/keep-secure/use-wmi-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
index cc74e07307..39b5a2ad99 100644
--- a/windows/keep-secure/use-wmi-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
@@ -20,15 +20,15 @@ author: iaanw
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
-Read more about WMI at the [Microsoft Develop Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx).
+Read more about WMI at the [Microsoft Developer Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx).
Windows Defender AV has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md).
The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts.
-Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that dployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI.
+Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI.
-You can [configure which settings can be overriden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
+You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
## Related topics
diff --git a/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
similarity index 95%
rename from windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index 708740d908..bd45aa1d5f 100644
--- a/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -31,7 +31,7 @@ Cloud-delivered protection for Windows Defender Antivirus, also referred to as M
Enabling cloud-delivered protection helps detect and block new malware - even if the malware has never been seen before - without needing to wait for a traditionally delivered definition update to block it. Definition updates can take hours to prepare and deliver, while our cloud service can deliver updated protection in seconds.
-Cloud-delivered protecton is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies.
+Cloud-delivered protection is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies.
The following table describes the differences in cloud-based protection between recent versions of Windows and System Center Configuration Manager.
diff --git a/windows/keep-secure/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
similarity index 88%
rename from windows/keep-secure/windows-defender-antivirus-compatibility.md
rename to windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 23e1a82978..7fa6451710 100644
--- a/windows/keep-secure/windows-defender-antivirus-compatibility.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -27,9 +27,9 @@ author: iaanw
Windows Defender Advanced Threat Protection (ATP) is an additional service beyond Windows Defender Antivirus that helps enterprises detect, investigate, and respond to advanced persistent threats on their network.
-See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
+See the [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) topics for more information about the service.
-If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongisde your other antivirus product.
+If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongside your other antivirus product.
In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender will not provide real-time protection from malware.
diff --git a/windows/keep-secure/windows-defender-antivirus-in-windows-10.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
similarity index 99%
rename from windows/keep-secure/windows-defender-antivirus-in-windows-10.md
rename to windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index a9cdcf6735..bcce59abef 100644
--- a/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -66,7 +66,6 @@ Some features require a certain version of Windows 10 - the minimum version requ
Functionality, configuration, and management is largely the same when using Windows Defender Antivirus on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).
-#
@@ -74,7 +73,7 @@ Functionality, configuration, and management is largely the same when using Wind
Topic | Description
:---|:---
-[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and powershell script
+[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script
[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools
[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings
[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected
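Review bot: The row directly below the corrected one still reads "manage how protection and product updates are applies". Since this hunk is already fixing wording in the table, change "applies" to "applied" in the same commit.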
diff --git a/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
similarity index 94%
rename from windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md
rename to windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index 3510bcb390..b350ed550f 100644
--- a/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -41,7 +41,7 @@ See [Windows Defender Overview for Windows Server](https://technet.microsoft.com
While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
- In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
-- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md#sysreq).
+- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md).
## Related topics
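Review bot: With `#sysreq` dropped, the second bullet links to windows-defender-antivirus-on-windows-server-2016.md from inside that same file, so the link only reloads the page the reader is already on. Point it at a heading anchor that exists in this topic, or at windows-defender-antivirus-compatibility.md, which this patch also edits and which states that on Windows Server 2016 Windows Defender AV runs alongside another antivirus product.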
diff --git a/windows/keep-secure/windows-defender-offline.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md
similarity index 97%
rename from windows/keep-secure/windows-defender-offline.md
rename to windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md
index c3e4825764..af07823d3a 100644
--- a/windows/keep-secure/windows-defender-offline.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md
@@ -31,6 +31,8 @@ author: iaanw
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
+You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak.
+
In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
## Pre-requisites and requirements
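Review bot: "confirm a thorough clean of the endpoint" in the added sentence reads awkwardly because "clean" is used as a noun. Consider "or you want to confirm that the endpoint is thoroughly cleaned after a malware outbreak".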
diff --git a/windows/keep-secure/windows-defender-security-center-antivirus.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
similarity index 98%
rename from windows/keep-secure/windows-defender-security-center-antivirus.md
rename to windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index dec5bc9ff3..1def305540 100644
--- a/windows/keep-secure/windows-defender-security-center-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -43,7 +43,7 @@ The app also includes the settings and status of:
- Parental and Family Controls
>[!NOTE]
->The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Advanced Security Center, which is the web portal used to review and manage [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md).
+>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Advanced Security Center, which is the web portal used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
**Review virus and threat protection settings in the Windows Defender Security Center app:**
diff --git a/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
similarity index 97%
rename from windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
index 580f3684c9..f0976431f1 100644
--- a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -78,3 +78,4 @@ Portal label | SIEM field name | Description
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
similarity index 98%
rename from windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
index 636c697802..385a17c7b8 100644
--- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -182,3 +182,4 @@ Windows Defender ATP alerts will appear as discrete events, with "Microsoft” a
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
similarity index 93%
rename from windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
index c4a85d0274..8084bd32aa 100644
--- a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -41,11 +41,16 @@ The email notifications feature is turned off by default. Turn it on to start re
- **High** – Select this level to send notifications for high-severity alerts.
- **Medium** – Select this level to send notifications for medium-severity alerts.
- **Low** - Select this level to send notifications for low-severity alerts.
+ - **Informational** - Select this level to send notification for alerts that might not be considered harmful but good to keep track of.
4. In **Email recipients to notify on new alerts**, type the email address then select the + sign.
5. Click **Save preferences** when you’ve completed adding all the recipients.
Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email.
+Here's an example email notification:
+
+
+
## Remove email recipients
1. Select the trash bin icon beside the email address you’d like to remove.
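Review bot: The added **Informational** bullet does not match its siblings: it says "send notification" where High, Medium and Low say "send notifications", and "alerts that might not be considered harmful but good to keep track of" is missing a verb. Suggest "Select this level to send notifications for alerts that might not be considered harmful but are worth tracking."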
diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
similarity index 72%
rename from windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index 058966943e..d714ae09df 100644
--- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -29,7 +29,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
-### Onboard and monitor endpoints
+### Onboard and monitor endpoints using the classic Intune console
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
@@ -46,13 +46,15 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
a. Select **Policy** > **Configuration Policies** > **Add**.

- b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
+ b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.

- c. Type a name and description for the policy.
+ c. Type a name and description for the policy.
+

- d. Under OMA-URI settings, select **Add...**.
+ d. Under OMA-URI settings, select **Add...**.
+

e. Type the following values then select **OK**:
@@ -92,10 +94,58 @@ Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/Wi
Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 Default value: 1 | Windows Defender ATP Sample sharing is enabled
-
+Configuration for onboarded machines: telemetry reporting frequency | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/TelemetryReportingFrequency | Integer | 1 or 2 1: Normal (default)
2: Expedite | Windows Defender ATP telemetry reporting
> [!NOTE]
-> The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
+> - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
+> - Configuration of telemetry reporting frequency is only available for machines on Windows 10, version 1703.
+
+### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
+
+1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. Select **Endpoint Management** on the **Navigation pane**.
+
+ b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
+
+ 
+
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
+
+3. Login to the [Microsoft Azure portal](https://portal.azure.com).
+
+4. From the Intune blade, choose **Device configuration**.
+
+ 
+
+5. Under **Manage**, choose **Profiles** and click **Create Profile**.
+
+ 
+
+4. Type a name, description and choose **Windows 10 and later** as the Platform and **Windows Defender ATP (Windows 10 Desktop)** as the Profile type.
+
+ 
+
+7. Click **Settings** > **Configure**.
+
+ 
+
+8. Click the folder icon and select the WindowsDefenderATP.onboarding file you extracted earlier. Configure whether you want to allow sample collection from endpoints for [Deep Analysis](investigate-files-windows-defender-advanced-threat-protection.md) by choosing **All**, or disable this feature by choosing **None**. When complete, click **OK**.
+
+ 
+
+9. Click **Create**.
+
+ 
+
+10. Search for and select the Group you want to apply the Configuration Policy to, then click **Select**.
+
+ 
+
+11. Click **Save** to finish deploying the Configuration Policy.
+
+ 
+
### Offboard and monitor endpoints
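Review bot: The numbered steps in the new Azure portal section run 3, 4, 5, 4, 7: the step beginning "Type a name, description and choose **Windows 10 and later**" is numbered 4 and should be 6. In the same section, "Login to the Microsoft Azure portal" should use the verb form "Log in to" (or "Sign in to"), and the new heading "Using the Azure Intune Portal to deploy ..." should follow the imperative pattern of the renamed "Onboard and monitor endpoints using the classic Intune console" heading.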
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
similarity index 99%
rename from windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 8ef29a6be5..2f6d228d47 100644
--- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -45,7 +45,7 @@ Configure a registry-based static proxy to allow only Windows Defender ATP senso
The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**.
-The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy`.
+The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy\DataCollection`.
The registry value `TelemetryProxyServer` takes the following string format:
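Review bot: the corrected key path on the `+` line still carries the value name as a path component (`...\Microsoft\Windows\DisableEnterpriseAuthProxy\DataCollection`). The same sentence describes `DisableEnterpriseAuthProxy` as a REG_DWORD value, not a key, so the intended path is most likely `HKLM\Software\Policies\Microsoft\Windows\DataCollection`, with both values set under it. Please confirm against a machine that has the policy applied before merging, since admins will copy this path into scripts and audits.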
@@ -111,7 +111,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
HardDrivePath\WDATPConnectivityAnalyzer.cmd
```
Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example
- ```text
+ ```
C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd
```
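Review bot: the replacement opening fence for the example path drops the `text` info string, so the Windows path is now in an untyped block. If this was done to work around a rendering problem, say so in the commit message. Otherwise keep `text`. Note also that the custom TI topic in this same patch switches its fences to `~~~~`, so the doc set now mixes three fence styles.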
diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
similarity index 74%
rename from windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
index 011897e94c..5bd33553ac 100644
--- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
@@ -34,8 +34,8 @@ To use either of these supported SIEM tools you'll need to:
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- Configure the supported SIEM tool:
- - [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- - [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+ - [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+ - [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
For more information on the list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md).
@@ -51,7 +51,8 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull
Topic | Description
:---|:---
[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
-[Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
-[Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
+[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
+[Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
+[Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature.
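Review bot: the ArcSight link title added to the table, `Configure ArcSight to pull Windows Defender ATP alerts`, does not match the title used for the same target in the bullet list changed in the previous hunk of this file, `Configure HP ArcSight to pull Windows Defender ATP alerts`. Use one title in both places, ideally the heading of the target topic.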
diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
similarity index 97%
rename from windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
index 708ddc8854..24412f45b9 100644
--- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -138,3 +138,4 @@ Use the solution explorer to view alerts in Splunk.
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
similarity index 92%
rename from windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
index 314ccc9c79..a10edb15c5 100644
--- a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -30,4 +30,4 @@ Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe
The Windows Defender Antivirus interface will be disabled, and users on the endpoint will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
-For more information, see the [Windows Defender Antivirus and Windows Defender ATP compatibility topic](windows-defender-antivirus-compatibility.md).
+For more information, see the [Windows Defender Antivirus and Windows Defender ATP compatibility topic](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
diff --git a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
similarity index 96%
rename from windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
index 9c83ea0f99..e995968888 100644
--- a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -53,3 +53,4 @@ You can now proceed with configuring your SIEM solution or connecting to the ale
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
similarity index 63%
rename from windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index b7f9bce85f..073acf1b34 100644
--- a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -42,10 +42,72 @@ This step will guide you in creating an alert definition and an IOC for a malici
2. Copy and paste the following PowerShell script. This script will upload a sample alert definition and IOC to Windows Defender ATP which you can use to generate an alert.
- NOTE:
- Make sure you replace the `authUrl`, `clientId`, and `clientSecret` values with your details which you saved in when you enabled the threat intelligence application.
+ NOTE:
+ Make sure you replace the authUrl, clientId, and clientSecret values with your details which you saved in when you enabled the threat intelligence application.
- [!code[ExampleScript](./code/example-script.ps1#L1-L60)]
+ ~~~~
+ $authUrl = 'Your Authorization URL'
+ $clientId = 'Your Client ID'
+ $clientSecret = 'Your Client Secret'
+
+ Try
+ {
+ $tokenPayload = @{
+ "resource" = 'https://graph.windows.net'
+ "client_id" = $clientId
+ "client_secret" = $clientSecret
+ "grant_type"='client_credentials'}
+
+ "Fetching an access token"
+ $response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
+ $token = $response.access_token
+ "Token fetched successfully"
+
+ $headers = @{
+ "Content-Type" = "application/json"
+ "Accept" = "application/json"
+ "Authorization" = "Bearer {0}" -f $token }
+
+ $apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
+
+ $alertDefinitionPayload = @{
+ "Name" = "Test Alert"
+ "Severity" = "Medium"
+ "InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature"
+ "Title" = "Test alert."
+ "UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled."
+ "RecommendedAction" = "No recommended action for this test alert."
+ "Category" = "SuspiciousNetworkTraffic"
+ "Enabled" = "true"}
+
+ "Creating an Alert Definition"
+ $alertDefinition =
+ Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
+
+ "Alert Definition created successfully"
+ $alertDefinitionId = $alertDefinition.Id
+
+ $iocPayload = @{
+ "Type"="IpAddress"
+ "Value"="52.184.197.12"
+ "DetectionFunction"="Equals"
+ "Enabled"="true"
+ "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
+
+ "Creating an Indicator of Compromise"
+ $ioc =
+ Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
+ "Indicator of Compromise created successfully"
+
+ "All done!"
+ }
+ Catch
+ {
+ "Something went wrong! Got the following exception message: {0}" -f $_.Exception.Message
+ }
+ ~~~~
3. Run the script and verify that the operation succeeded in the results the window. Wait up to 20 minutes until the new or updated alert definition propagates to the detection engines.
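Review bot: the inlined script has readers paste `$clientSecret` into the file as a plain-text literal, and the NOTE above it says only to replace the values. Add a sentence telling readers not to save or share the edited script with the secret filled in, or change the sample to prompt for the secret at run time. Second, the `Catch` block prints only `$_.Exception.Message`, so when one of the three `Invoke-RestMethod` calls fails the reader cannot tell whether it was the token request, the alert definition or the IOC. Include the step name in the message. Third, the NOTE lost the code formatting on `authUrl`, `clientId` and `clientSecret`. Keep the backticks so the names read as identifiers. Finally, replacing the `[!code[ExampleScript](./code/example-script.ps1#L1-L60)]` include with a pasted copy means the topic and `example-script.ps1` can drift apart. If the include was removed because it did not render, note that in the commit message.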
@@ -54,11 +116,11 @@ This step will guide you in creating an alert definition and an IOC for a malici
NOTE:
If you get the exception “The remote server returned an error: (407) Proxy Authentication Required", you need to add the proxy configuration by adding the following code to the PowerShell script:
- ```syntax
+ ~~~~
$webclient=New-Object System.Net.WebClient
$creds=Get-Credential
$webclient.Proxy.Credentials=$creds
- ```
+ ~~~~
## Step 3: Simulate a custom TI alert
This step will guide you in simulating an event in connection to a malicious IP that will trigger the Windows Defender ATP custom TI alert.
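Review bot: the 407 note kept as context at the top of this hunk says to add the proxy lines "to the PowerShell script" but not where. Since the script's first network call is the token request, state that the three lines go at the top of the script, before the first `Invoke-RestMethod`. The quoted exception text in that note also opens with a curly quote and closes with a straight one. The fence change itself replaces a backtick fence tagged `syntax` with `~~~~`, which matches the script block added above in this file but not the backtick fences used in the other topics touched by this patch.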
diff --git a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/images/active-threat-icon.png b/windows/threat-protection/windows-defender-atp/images/active-threat-icon.png
similarity index 100%
rename from windows/keep-secure/images/active-threat-icon.png
rename to windows/threat-protection/windows-defender-atp/images/active-threat-icon.png
diff --git a/windows/keep-secure/images/alert-details.png b/windows/threat-protection/windows-defender-atp/images/alert-details.png
similarity index 100%
rename from windows/keep-secure/images/alert-details.png
rename to windows/threat-protection/windows-defender-atp/images/alert-details.png
diff --git a/windows/keep-secure/images/alert-icon.png b/windows/threat-protection/windows-defender-atp/images/alert-icon.png
similarity index 100%
rename from windows/keep-secure/images/alert-icon.png
rename to windows/threat-protection/windows-defender-atp/images/alert-icon.png
diff --git a/windows/keep-secure/images/alerts-q-bulk.png b/windows/threat-protection/windows-defender-atp/images/alerts-q-bulk.png
similarity index 100%
rename from windows/keep-secure/images/alerts-q-bulk.png
rename to windows/threat-protection/windows-defender-atp/images/alerts-q-bulk.png
diff --git a/windows/keep-secure/images/alerts-queue-numbered.png b/windows/threat-protection/windows-defender-atp/images/alerts-queue-numbered.png
similarity index 100%
rename from windows/keep-secure/images/alerts-queue-numbered.png
rename to windows/threat-protection/windows-defender-atp/images/alerts-queue-numbered.png
diff --git a/windows/keep-secure/images/analysis-results.png b/windows/threat-protection/windows-defender-atp/images/analysis-results.png
similarity index 100%
rename from windows/keep-secure/images/analysis-results.png
rename to windows/threat-protection/windows-defender-atp/images/analysis-results.png
diff --git a/windows/keep-secure/images/atp-action-center-with-info.png b/windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png
similarity index 100%
rename from windows/keep-secure/images/atp-action-center-with-info.png
rename to windows/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png
diff --git a/windows/keep-secure/images/atp-actor-report.png b/windows/threat-protection/windows-defender-atp/images/atp-actor-report.png
similarity index 100%
rename from windows/keep-secure/images/atp-actor-report.png
rename to windows/threat-protection/windows-defender-atp/images/atp-actor-report.png
diff --git a/windows/keep-secure/images/atp-actor.png b/windows/threat-protection/windows-defender-atp/images/atp-actor.png
similarity index 100%
rename from windows/keep-secure/images/atp-actor.png
rename to windows/threat-protection/windows-defender-atp/images/atp-actor.png
diff --git a/windows/keep-secure/images/atp-add-intune-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-add-intune-policy.png
similarity index 100%
rename from windows/keep-secure/images/atp-add-intune-policy.png
rename to windows/threat-protection/windows-defender-atp/images/atp-add-intune-policy.png
diff --git a/windows/keep-secure/images/atp-alert-process-tree.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png
similarity index 100%
rename from windows/keep-secure/images/atp-alert-process-tree.png
rename to windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png
diff --git a/windows/keep-secure/images/atp-alert-source.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-source.png
similarity index 100%
rename from windows/keep-secure/images/atp-alert-source.png
rename to windows/threat-protection/windows-defender-atp/images/atp-alert-source.png
diff --git a/windows/keep-secure/images/atp-alert-status.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png
similarity index 100%
rename from windows/keep-secure/images/atp-alert-status.png
rename to windows/threat-protection/windows-defender-atp/images/atp-alert-status.png
diff --git a/windows/keep-secure/images/atp-alert-timeline-numbered.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline-numbered.png
similarity index 100%
rename from windows/keep-secure/images/atp-alert-timeline-numbered.png
rename to windows/threat-protection/windows-defender-atp/images/atp-alert-timeline-numbered.png
diff --git a/windows/keep-secure/images/atp-alert-timeline.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png
similarity index 100%
rename from windows/keep-secure/images/atp-alert-timeline.png
rename to windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png
diff --git a/windows/keep-secure/images/atp-alerts-group.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-group.png
similarity index 100%
rename from windows/keep-secure/images/atp-alerts-group.png
rename to windows/threat-protection/windows-defender-atp/images/atp-alerts-group.png
diff --git a/windows/keep-secure/images/atp-alerts-q.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-q.png
similarity index 100%
rename from windows/keep-secure/images/atp-alerts-q.png
rename to windows/threat-protection/windows-defender-atp/images/atp-alerts-q.png
diff --git a/windows/keep-secure/images/atp-alerts-related-to-file.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-related-to-file.png
similarity index 100%
rename from windows/keep-secure/images/atp-alerts-related-to-file.png
rename to windows/threat-protection/windows-defender-atp/images/atp-alerts-related-to-file.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-category.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-category.png
new file mode 100644
index 0000000000..3691b59d4c
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-category.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-configure.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-configure.png
new file mode 100644
index 0000000000..63f79cbca8
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-configure.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-configure.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-configure.png
new file mode 100644
index 0000000000..c10925962a
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-configure.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-name.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-name.png
new file mode 100644
index 0000000000..193d2c09e5
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-name.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy.png
new file mode 100644
index 0000000000..f095a6489e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png
new file mode 100644
index 0000000000..9c41b16d73
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create.png
new file mode 100644
index 0000000000..ccfb5a2155
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png
new file mode 100644
index 0000000000..4d1885054b
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-save-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-save-policy.png
new file mode 100644
index 0000000000..e22db5b21e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-save-policy.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-save.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-save.png
new file mode 100644
index 0000000000..3d28d1d2d8
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-save.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-select-group.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-select-group.png
new file mode 100644
index 0000000000..d81a7b351e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-select-group.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-settings-configure.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-settings-configure.png
new file mode 100644
index 0000000000..92dde3043d
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-settings-configure.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune.png
new file mode 100644
index 0000000000..63cf2d1ddf
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune.png differ
diff --git a/windows/keep-secure/images/atp-azure-ui-user-access.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png
similarity index 100%
rename from windows/keep-secure/images/atp-azure-ui-user-access.png
rename to windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png
diff --git a/windows/keep-secure/images/atp-blockfile.png b/windows/threat-protection/windows-defender-atp/images/atp-blockfile.png
similarity index 100%
rename from windows/keep-secure/images/atp-blockfile.png
rename to windows/threat-protection/windows-defender-atp/images/atp-blockfile.png
diff --git a/windows/keep-secure/images/atp-custom-ti-mapping.png b/windows/threat-protection/windows-defender-atp/images/atp-custom-ti-mapping.png
similarity index 100%
rename from windows/keep-secure/images/atp-custom-ti-mapping.png
rename to windows/threat-protection/windows-defender-atp/images/atp-custom-ti-mapping.png
diff --git a/windows/keep-secure/images/atp-disableantispyware-regkey.png b/windows/threat-protection/windows-defender-atp/images/atp-disableantispyware-regkey.png
similarity index 100%
rename from windows/keep-secure/images/atp-disableantispyware-regkey.png
rename to windows/threat-protection/windows-defender-atp/images/atp-disableantispyware-regkey.png
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-example-email-notification.png b/windows/threat-protection/windows-defender-atp/images/atp-example-email-notification.png
new file mode 100644
index 0000000000..c46cc214d7
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-example-email-notification.png differ
diff --git a/windows/keep-secure/images/atp-export-machine-timeline-events.png b/windows/threat-protection/windows-defender-atp/images/atp-export-machine-timeline-events.png
similarity index 100%
rename from windows/keep-secure/images/atp-export-machine-timeline-events.png
rename to windows/threat-protection/windows-defender-atp/images/atp-export-machine-timeline-events.png
diff --git a/windows/keep-secure/images/atp-file-action.png b/windows/threat-protection/windows-defender-atp/images/atp-file-action.png
similarity index 100%
rename from windows/keep-secure/images/atp-file-action.png
rename to windows/threat-protection/windows-defender-atp/images/atp-file-action.png
diff --git a/windows/keep-secure/images/atp-file-details.png b/windows/threat-protection/windows-defender-atp/images/atp-file-details.png
similarity index 100%
rename from windows/keep-secure/images/atp-file-details.png
rename to windows/threat-protection/windows-defender-atp/images/atp-file-details.png
diff --git a/windows/keep-secure/images/atp-file-in-org.png b/windows/threat-protection/windows-defender-atp/images/atp-file-in-org.png
similarity index 100%
rename from windows/keep-secure/images/atp-file-in-org.png
rename to windows/threat-protection/windows-defender-atp/images/atp-file-in-org.png
diff --git a/windows/keep-secure/images/atp-file-information.png b/windows/threat-protection/windows-defender-atp/images/atp-file-information.png
similarity index 100%
rename from windows/keep-secure/images/atp-file-information.png
rename to windows/threat-protection/windows-defender-atp/images/atp-file-information.png
diff --git a/windows/keep-secure/images/atp-incident-graph.png b/windows/threat-protection/windows-defender-atp/images/atp-incident-graph.png
similarity index 100%
rename from windows/keep-secure/images/atp-incident-graph.png
rename to windows/threat-protection/windows-defender-atp/images/atp-incident-graph.png
diff --git a/windows/keep-secure/images/atp-intune-add-oma.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-add-oma.png
similarity index 100%
rename from windows/keep-secure/images/atp-intune-add-oma.png
rename to windows/threat-protection/windows-defender-atp/images/atp-intune-add-oma.png
diff --git a/windows/keep-secure/images/atp-intune-add-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-add-policy.png
similarity index 100%
rename from windows/keep-secure/images/atp-intune-add-policy.png
rename to windows/threat-protection/windows-defender-atp/images/atp-intune-add-policy.png
diff --git a/windows/keep-secure/images/atp-intune-deploy-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-deploy-policy.png
similarity index 100%
rename from windows/keep-secure/images/atp-intune-deploy-policy.png
rename to windows/threat-protection/windows-defender-atp/images/atp-intune-deploy-policy.png
diff --git a/windows/keep-secure/images/atp-intune-manage-deployment.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-manage-deployment.png
similarity index 100%
rename from windows/keep-secure/images/atp-intune-manage-deployment.png
rename to windows/threat-protection/windows-defender-atp/images/atp-intune-manage-deployment.png
diff --git a/windows/keep-secure/images/atp-intune-new-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-new-policy.png
similarity index 100%
rename from windows/keep-secure/images/atp-intune-new-policy.png
rename to windows/threat-protection/windows-defender-atp/images/atp-intune-new-policy.png
diff --git a/windows/keep-secure/images/atp-intune-oma-uri-setting.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-oma-uri-setting.png
similarity index 100%
rename from windows/keep-secure/images/atp-intune-oma-uri-setting.png
rename to windows/threat-protection/windows-defender-atp/images/atp-intune-oma-uri-setting.png
diff --git a/windows/keep-secure/images/atp-intune-policy-name.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-policy-name.png
similarity index 100%
rename from windows/keep-secure/images/atp-intune-policy-name.png
rename to windows/threat-protection/windows-defender-atp/images/atp-intune-policy-name.png
diff --git a/windows/keep-secure/images/atp-intune-save-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-save-policy.png
similarity index 100%
rename from windows/keep-secure/images/atp-intune-save-policy.png
rename to windows/threat-protection/windows-defender-atp/images/atp-intune-save-policy.png
diff --git a/windows/keep-secure/images/atp-investigation-package-action-center.png b/windows/threat-protection/windows-defender-atp/images/atp-investigation-package-action-center.png
similarity index 100%
rename from windows/keep-secure/images/atp-investigation-package-action-center.png
rename to windows/threat-protection/windows-defender-atp/images/atp-investigation-package-action-center.png
diff --git a/windows/keep-secure/images/atp-isolate-machine.png b/windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png
similarity index 100%
rename from windows/keep-secure/images/atp-isolate-machine.png
rename to windows/threat-protection/windows-defender-atp/images/atp-isolate-machine.png
diff --git a/windows/keep-secure/images/atp-machine-details-view.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png
similarity index 100%
rename from windows/keep-secure/images/atp-machine-details-view.png
rename to windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png
diff --git a/windows/keep-secure/images/atp-machine-health-details.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-health-details.png
similarity index 100%
rename from windows/keep-secure/images/atp-machine-health-details.png
rename to windows/threat-protection/windows-defender-atp/images/atp-machine-health-details.png
diff --git a/windows/keep-secure/images/atp-machine-health.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-health.png
similarity index 100%
rename from windows/keep-secure/images/atp-machine-health.png
rename to windows/threat-protection/windows-defender-atp/images/atp-machine-health.png
diff --git a/windows/keep-secure/images/atp-machine-investigation-package.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png
similarity index 100%
rename from windows/keep-secure/images/atp-machine-investigation-package.png
rename to windows/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png
diff --git a/windows/keep-secure/images/atp-machine-isolation.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png
similarity index 100%
rename from windows/keep-secure/images/atp-machine-isolation.png
rename to windows/threat-protection/windows-defender-atp/images/atp-machine-isolation.png
diff --git a/windows/keep-secure/images/atp-machine-timeline-details-panel.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
similarity index 100%
rename from windows/keep-secure/images/atp-machine-timeline-details-panel.png
rename to windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
diff --git a/windows/keep-secure/images/atp-machine-timeline.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline.png
similarity index 100%
rename from windows/keep-secure/images/atp-machine-timeline.png
rename to windows/threat-protection/windows-defender-atp/images/atp-machine-timeline.png
diff --git a/windows/keep-secure/images/atp-machines-at-risk.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png
similarity index 100%
rename from windows/keep-secure/images/atp-machines-at-risk.png
rename to windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png
diff --git a/windows/keep-secure/images/atp-machines-view-list.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-view-list.png
similarity index 100%
rename from windows/keep-secure/images/atp-machines-view-list.png
rename to windows/threat-protection/windows-defender-atp/images/atp-machines-view-list.png
diff --git a/windows/keep-secure/images/atp-main-portal.png b/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png
similarity index 100%
rename from windows/keep-secure/images/atp-main-portal.png
rename to windows/threat-protection/windows-defender-atp/images/atp-main-portal.png
diff --git a/windows/keep-secure/images/atp-mdm-onboarding-package.png b/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png
similarity index 100%
rename from windows/keep-secure/images/atp-mdm-onboarding-package.png
rename to windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png
diff --git a/windows/keep-secure/images/atp-no-network-connection.png b/windows/threat-protection/windows-defender-atp/images/atp-no-network-connection.png
similarity index 100%
rename from windows/keep-secure/images/atp-no-network-connection.png
rename to windows/threat-protection/windows-defender-atp/images/atp-no-network-connection.png
diff --git a/windows/keep-secure/images/atp-notification-file.png b/windows/threat-protection/windows-defender-atp/images/atp-notification-file.png
similarity index 100%
rename from windows/keep-secure/images/atp-notification-file.png
rename to windows/threat-protection/windows-defender-atp/images/atp-notification-file.png
diff --git a/windows/keep-secure/images/atp-notification-isolate.png b/windows/threat-protection/windows-defender-atp/images/atp-notification-isolate.png
similarity index 100%
rename from windows/keep-secure/images/atp-notification-isolate.png
rename to windows/threat-protection/windows-defender-atp/images/atp-notification-isolate.png
diff --git a/windows/keep-secure/images/atp-observed-in-organization.png b/windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png
similarity index 100%
rename from windows/keep-secure/images/atp-observed-in-organization.png
rename to windows/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png
diff --git a/windows/keep-secure/images/atp-observed-machines.png b/windows/threat-protection/windows-defender-atp/images/atp-observed-machines.png
similarity index 100%
rename from windows/keep-secure/images/atp-observed-machines.png
rename to windows/threat-protection/windows-defender-atp/images/atp-observed-machines.png
diff --git a/windows/keep-secure/images/atp-onboard-mdm.png b/windows/threat-protection/windows-defender-atp/images/atp-onboard-mdm.png
similarity index 100%
rename from windows/keep-secure/images/atp-onboard-mdm.png
rename to windows/threat-protection/windows-defender-atp/images/atp-onboard-mdm.png
diff --git a/windows/keep-secure/images/atp-preferences-setup.png b/windows/threat-protection/windows-defender-atp/images/atp-preferences-setup.png
similarity index 100%
rename from windows/keep-secure/images/atp-preferences-setup.png
rename to windows/threat-protection/windows-defender-atp/images/atp-preferences-setup.png
diff --git a/windows/keep-secure/images/atp-refresh-token.png b/windows/threat-protection/windows-defender-atp/images/atp-refresh-token.png
similarity index 100%
rename from windows/keep-secure/images/atp-refresh-token.png
rename to windows/threat-protection/windows-defender-atp/images/atp-refresh-token.png
diff --git a/windows/keep-secure/images/atp-remediated-alert.png b/windows/threat-protection/windows-defender-atp/images/atp-remediated-alert.png
similarity index 100%
rename from windows/keep-secure/images/atp-remediated-alert.png
rename to windows/threat-protection/windows-defender-atp/images/atp-remediated-alert.png
diff --git a/windows/keep-secure/images/atp-remove-blocked-file.png b/windows/threat-protection/windows-defender-atp/images/atp-remove-blocked-file.png
similarity index 100%
rename from windows/keep-secure/images/atp-remove-blocked-file.png
rename to windows/threat-protection/windows-defender-atp/images/atp-remove-blocked-file.png
diff --git a/windows/keep-secure/images/atp-running-script.png b/windows/threat-protection/windows-defender-atp/images/atp-running-script.png
similarity index 100%
rename from windows/keep-secure/images/atp-running-script.png
rename to windows/threat-protection/windows-defender-atp/images/atp-running-script.png
diff --git a/windows/keep-secure/images/atp-sample-custom-ti-alert.png b/windows/threat-protection/windows-defender-atp/images/atp-sample-custom-ti-alert.png
similarity index 100%
rename from windows/keep-secure/images/atp-sample-custom-ti-alert.png
rename to windows/threat-protection/windows-defender-atp/images/atp-sample-custom-ti-alert.png
diff --git a/windows/keep-secure/images/atp-sensor-filter.png b/windows/threat-protection/windows-defender-atp/images/atp-sensor-filter.png
similarity index 100%
rename from windows/keep-secure/images/atp-sensor-filter.png
rename to windows/threat-protection/windows-defender-atp/images/atp-sensor-filter.png
diff --git a/windows/keep-secure/images/atp-sensor-health-filter-resized.png b/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-resized.png
similarity index 100%
rename from windows/keep-secure/images/atp-sensor-health-filter-resized.png
rename to windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-resized.png
diff --git a/windows/keep-secure/images/atp-sensor-health-filter-tile.png b/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-tile.png
similarity index 100%
rename from windows/keep-secure/images/atp-sensor-health-filter-tile.png
rename to windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-tile.png
diff --git a/windows/keep-secure/images/atp-sensor-health-filter.png b/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png
similarity index 100%
rename from windows/keep-secure/images/atp-sensor-health-filter.png
rename to windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png
diff --git a/windows/keep-secure/images/atp-sensor-health-nonav.png b/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-nonav.png
similarity index 100%
rename from windows/keep-secure/images/atp-sensor-health-nonav.png
rename to windows/threat-protection/windows-defender-atp/images/atp-sensor-health-nonav.png
diff --git a/windows/keep-secure/images/atp-sensor-health-tile.png b/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-tile.png
similarity index 100%
rename from windows/keep-secure/images/atp-sensor-health-tile.png
rename to windows/threat-protection/windows-defender-atp/images/atp-sensor-health-tile.png
diff --git a/windows/keep-secure/images/atp-siem-integration.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-integration.png
similarity index 100%
rename from windows/keep-secure/images/atp-siem-integration.png
rename to windows/threat-protection/windows-defender-atp/images/atp-siem-integration.png
diff --git a/windows/keep-secure/images/atp-simulate-custom-ti.png b/windows/threat-protection/windows-defender-atp/images/atp-simulate-custom-ti.png
similarity index 100%
rename from windows/keep-secure/images/atp-simulate-custom-ti.png
rename to windows/threat-protection/windows-defender-atp/images/atp-simulate-custom-ti.png
diff --git a/windows/keep-secure/images/atp-stop-quarantine-file.png b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png
similarity index 100%
rename from windows/keep-secure/images/atp-stop-quarantine-file.png
rename to windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png
diff --git a/windows/keep-secure/images/atp-stopnquarantine-file.png b/windows/threat-protection/windows-defender-atp/images/atp-stopnquarantine-file.png
similarity index 100%
rename from windows/keep-secure/images/atp-stopnquarantine-file.png
rename to windows/threat-protection/windows-defender-atp/images/atp-stopnquarantine-file.png
diff --git a/windows/keep-secure/images/atp-suppression-rules.png b/windows/threat-protection/windows-defender-atp/images/atp-suppression-rules.png
similarity index 100%
rename from windows/keep-secure/images/atp-suppression-rules.png
rename to windows/threat-protection/windows-defender-atp/images/atp-suppression-rules.png
diff --git a/windows/keep-secure/images/atp-threat-intel-api.png b/windows/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png
similarity index 100%
rename from windows/keep-secure/images/atp-threat-intel-api.png
rename to windows/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png
diff --git a/windows/keep-secure/images/atp-thunderbolt-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-thunderbolt-icon.png
similarity index 100%
rename from windows/keep-secure/images/atp-thunderbolt-icon.png
rename to windows/threat-protection/windows-defender-atp/images/atp-thunderbolt-icon.png
diff --git a/windows/keep-secure/images/atp-tile-sensor-health.png b/windows/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png
similarity index 100%
rename from windows/keep-secure/images/atp-tile-sensor-health.png
rename to windows/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png
diff --git a/windows/keep-secure/images/atp-undo-isolation.png b/windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png
similarity index 100%
rename from windows/keep-secure/images/atp-undo-isolation.png
rename to windows/threat-protection/windows-defender-atp/images/atp-undo-isolation.png
diff --git a/windows/keep-secure/images/atp-user-details-pane.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png
similarity index 100%
rename from windows/keep-secure/images/atp-user-details-pane.png
rename to windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png
diff --git a/windows/keep-secure/images/atp-user-details-view.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details-view.png
similarity index 100%
rename from windows/keep-secure/images/atp-user-details-view.png
rename to windows/threat-protection/windows-defender-atp/images/atp-user-details-view.png
diff --git a/windows/keep-secure/images/atp-users-at-risk.png b/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png
similarity index 100%
rename from windows/keep-secure/images/atp-users-at-risk.png
rename to windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png
diff --git a/windows/keep-secure/images/atp.png b/windows/threat-protection/windows-defender-atp/images/atp.png
similarity index 100%
rename from windows/keep-secure/images/atp.png
rename to windows/threat-protection/windows-defender-atp/images/atp.png
diff --git a/windows/keep-secure/images/components.png b/windows/threat-protection/windows-defender-atp/images/components.png
similarity index 100%
rename from windows/keep-secure/images/components.png
rename to windows/threat-protection/windows-defender-atp/images/components.png
diff --git a/windows/keep-secure/images/detection-icon.png b/windows/threat-protection/windows-defender-atp/images/detection-icon.png
similarity index 100%
rename from windows/keep-secure/images/detection-icon.png
rename to windows/threat-protection/windows-defender-atp/images/detection-icon.png
diff --git a/windows/keep-secure/images/filter-log.png b/windows/threat-protection/windows-defender-atp/images/filter-log.png
similarity index 100%
rename from windows/keep-secure/images/filter-log.png
rename to windows/threat-protection/windows-defender-atp/images/filter-log.png
diff --git a/windows/keep-secure/images/machines-active-threats-tile.png b/windows/threat-protection/windows-defender-atp/images/machines-active-threats-tile.png
similarity index 100%
rename from windows/keep-secure/images/machines-active-threats-tile.png
rename to windows/threat-protection/windows-defender-atp/images/machines-active-threats-tile.png
diff --git a/windows/keep-secure/images/machines-at-risk.png b/windows/threat-protection/windows-defender-atp/images/machines-at-risk.png
similarity index 100%
rename from windows/keep-secure/images/machines-at-risk.png
rename to windows/threat-protection/windows-defender-atp/images/machines-at-risk.png
diff --git a/windows/keep-secure/images/machines-reporting-tile.png b/windows/threat-protection/windows-defender-atp/images/machines-reporting-tile.png
similarity index 100%
rename from windows/keep-secure/images/machines-reporting-tile.png
rename to windows/threat-protection/windows-defender-atp/images/machines-reporting-tile.png
diff --git a/windows/keep-secure/images/menu-icon.png b/windows/threat-protection/windows-defender-atp/images/menu-icon.png
similarity index 100%
rename from windows/keep-secure/images/menu-icon.png
rename to windows/threat-protection/windows-defender-atp/images/menu-icon.png
diff --git a/windows/keep-secure/images/not-remediated-icon.png b/windows/threat-protection/windows-defender-atp/images/not-remediated-icon.png
similarity index 100%
rename from windows/keep-secure/images/not-remediated-icon.png
rename to windows/threat-protection/windows-defender-atp/images/not-remediated-icon.png
diff --git a/windows/keep-secure/images/overview.png b/windows/threat-protection/windows-defender-atp/images/overview.png
similarity index 100%
rename from windows/keep-secure/images/overview.png
rename to windows/threat-protection/windows-defender-atp/images/overview.png
diff --git a/windows/keep-secure/images/remediated-icon.png b/windows/threat-protection/windows-defender-atp/images/remediated-icon.png
similarity index 100%
rename from windows/keep-secure/images/remediated-icon.png
rename to windows/threat-protection/windows-defender-atp/images/remediated-icon.png
diff --git a/windows/keep-secure/images/rules-legend.png b/windows/threat-protection/windows-defender-atp/images/rules-legend.png
similarity index 100%
rename from windows/keep-secure/images/rules-legend.png
rename to windows/threat-protection/windows-defender-atp/images/rules-legend.png
diff --git a/windows/keep-secure/images/run-as-admin.png b/windows/threat-protection/windows-defender-atp/images/run-as-admin.png
similarity index 100%
rename from windows/keep-secure/images/run-as-admin.png
rename to windows/threat-protection/windows-defender-atp/images/run-as-admin.png
diff --git a/windows/keep-secure/images/sccm-deployment.png b/windows/threat-protection/windows-defender-atp/images/sccm-deployment.png
similarity index 100%
rename from windows/keep-secure/images/sccm-deployment.png
rename to windows/threat-protection/windows-defender-atp/images/sccm-deployment.png
diff --git a/windows/keep-secure/images/settings.png b/windows/threat-protection/windows-defender-atp/images/settings.png
similarity index 100%
rename from windows/keep-secure/images/settings.png
rename to windows/threat-protection/windows-defender-atp/images/settings.png
diff --git a/windows/keep-secure/images/status-tile.png b/windows/threat-protection/windows-defender-atp/images/status-tile.png
similarity index 100%
rename from windows/keep-secure/images/status-tile.png
rename to windows/threat-protection/windows-defender-atp/images/status-tile.png
diff --git a/windows/keep-secure/images/submit-file.png b/windows/threat-protection/windows-defender-atp/images/submit-file.png
similarity index 100%
rename from windows/keep-secure/images/submit-file.png
rename to windows/threat-protection/windows-defender-atp/images/submit-file.png
diff --git a/windows/keep-secure/images/windefatp-sc-qc-diagtrack.png b/windows/threat-protection/windows-defender-atp/images/windefatp-sc-qc-diagtrack.png
similarity index 100%
rename from windows/keep-secure/images/windefatp-sc-qc-diagtrack.png
rename to windows/threat-protection/windows-defender-atp/images/windefatp-sc-qc-diagtrack.png
diff --git a/windows/keep-secure/images/windefatp-sc-query-diagtrack.png b/windows/threat-protection/windows-defender-atp/images/windefatp-sc-query-diagtrack.png
similarity index 100%
rename from windows/keep-secure/images/windefatp-sc-query-diagtrack.png
rename to windows/threat-protection/windows-defender-atp/images/windefatp-sc-query-diagtrack.png
diff --git a/windows/keep-secure/images/windefatp-sc-query.png b/windows/threat-protection/windows-defender-atp/images/windefatp-sc-query.png
similarity index 100%
rename from windows/keep-secure/images/windefatp-sc-query.png
rename to windows/threat-protection/windows-defender-atp/images/windefatp-sc-query.png
diff --git a/windows/keep-secure/images/windefatp-utc-console-autostart.png b/windows/threat-protection/windows-defender-atp/images/windefatp-utc-console-autostart.png
similarity index 100%
rename from windows/keep-secure/images/windefatp-utc-console-autostart.png
rename to windows/threat-protection/windows-defender-atp/images/windefatp-utc-console-autostart.png
diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
similarity index 97%
rename from windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index 4537784b7b..44a32cf414 100644
--- a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -81,7 +81,7 @@ You can sort the **Machines list** by the following columns:
- **Active malware detections** - Number of active malware detections reported by the machine
> [!NOTE]
-> The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](windows-defender-in-windows-10.md) as the active real-time protection antimalware product.
+> The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) as the active real-time protection antimalware product.
## Related topics
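Review bot: In the NOTE line, the link text still reads "Windows Defender" while the new target is `../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md`. If the target topic was retitled along with its file name, update the link text to match. Also confirm the relative path resolves from the new `windows/threat-protection/windows-defender-atp/` location, since the target file does not appear in the visible lines of this patch.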
diff --git a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
similarity index 91%
rename from windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 5498802fbb..a0815dd8f5 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -23,6 +23,8 @@ localizationpriority: high
There are some minimum requirements for onboarding your network and endpoints.
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1)
+
## Minimum requirements
You must be on Windows 10, version 1607 at a minimum.
For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy).
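Review bot: The added trial link uses `ocid=technet-wd-atp-abovefoldlink1`, which has no page token, while the below-the-fold link added to this same file uses `ocid=technet-wd-atp-minreq-belowfoldlink1`. If the ids are meant to attribute clicks per page, this one should probably be `technet-wd-atp-minreq-abovefoldlink1`. As a style point, the quote is written `>Want` with no space after `>`, unlike the `> [!NOTE]` form used in the machines-view-overview file in this patch.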
@@ -106,11 +108,13 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
```
## Windows Defender signature updates are configured
-The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](windows-defender-in-windows-10.md).
+The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
-When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md).
+When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy).
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-minreq-belowfoldlink1)
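Review bot: The passive mode paragraph tells the reader to see the **Compatibility** section, but the updated link points at the top of `../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md` with no fragment. If the target has a heading for that section, link to it directly, as the ELAM paragraph does with `#ensure-that-windows-defender-is-not-disabled-by-a-policy`. Both updated link texts still say "Windows Defender in Windows 10", so check them against the target's current title.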
diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..c34193f76e
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,180 @@
+---
+title: PowerShell code examples for the custom threat intelligence API
+description: Use PowerShell code to create custom threat intelligence using REST API.
+keywords: powershell, code examples, threat intelligence, custom threat intelligence, rest api, api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# PowerShell code examples for the custom threat intelligence API
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+This article provides PowerShell code examples for using the custom threat intelligence API.
+
+These code examples demonstrate the following tasks:
+- [Obtain an Azure AD access token](#token)
+- [Create headers](#headers)
+- [Create calls to the custom threat intelligence API](#calls)
+- [Create a new alert definition](#alert-definition)
+- [Create a new indicator of compromise](#ioc)
+
+
+## Step 1: Obtain an Azure AD access token
+The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
+
+Replace the *authUrl*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal:
+
+```powershell
+$authUrl = 'Your Authorization URL'
+$clientId = 'Your Client ID'
+$clientSecret = 'Your Client Secret'
+
+$tokenPayload = @{
+ "resource"='https://graph.windows.net'
+ "client_id" = $clientId
+ "client_secret" = $clientSecret
+ "grant_type"='client_credentials'}
+
+$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
+$token = $response.access_token
+
+```
+
+
+## Step 2: Create headers used for the requests with the API
+Use the following code to create the headers used for the requests with the API:
+
+```powershell
+$headers = @{
+ "Content-Type"="application/json"
+ "Accept"="application/json"
+ "Authorization"="Bearer {0}" -f $token }
+
+$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
+```
+
+
+## Step 3: Create calls to the custom threat intelligence API
+After creating the headers, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
+
+```powershell
+$alertDefinitions =
+ (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
+```
+
+The response is empty on initial use of the API.
+
+
+## Step 4: Create a new alert definition
+The following example demonstrates how you to create a new alert definition.
+
+```powershell
+$alertDefinitionPayload = @{
+ "Name"= "The alert's name"
+ "Severity"= "Low"
+ "InternalDescription"= "An internal description of the Alert"
+ "Title"= "The Title"
+ "UxDescription"= "Description of the alerts"
+ "RecommendedAction"= "The alert's recommended action"
+ "Category"= "Trojan"
+ "Enabled"= "true"}
+
+$alertDefinition =
+ Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
+```
+
+
+## Step 5: Create a new indicator of compromise
+You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
+
+```powershell
+$iocPayload = @{
+ "Type"="Sha1"
+ "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
+ "DetectionFunction"="Equals"
+ "Enabled"="true"
+ "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
+
+
+$ioc =
+ Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
+```
+
+## Complete code
+You can use the complete code to create calls to the API.
+
+```powershell
+$authUrl = 'Your Authorization URL'
+$clientId = 'Your Client ID'
+$clientSecret = 'Your Client Secret'
+
+$tokenPayload = @{
+ "resource"='https://graph.windows.net'
+ "client_id" = $clientId
+ "client_secret" = $clientSecret
+ "grant_type"='client_credentials'}
+
+$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
+$token = $response.access_token
+
+$headers = @{
+ "Content-Type"="application/json"
+ "Accept"="application/json"
+ "Authorization"="Bearer {0}" -f $token }
+
+$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
+
+$alertDefinitions =
+ (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
+
+$alertDefinitionPayload = @{
+ "Name"= "The alert's name"
+ "Severity"= "Low"
+ "InternalDescription"= "An internal description of the Alert"
+ "Title"= "The Title"
+ "UxDescription"= "Description of the alerts"
+ "RecommendedAction"= "The alert's recommended action"
+ "Category"= "Trojan"
+ "Enabled"= "true"}
+
+$alertDefinition =
+ Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
+
+$alertDefinitionId = $alertDefinition.Id
+
+$iocPayload = @{
+ "Type"="Sha1"
+ "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
+ "DetectionFunction"="Equals"
+ "Enabled"="true"
+ "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
+
+
+$ioc =
+ Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
+
+```
+
+## Related topics
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
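Review bot: The Step 5 snippet reads `$alertDefinitionId` in the `AlertDefinition@odata.bind` value, but neither the Step 4 nor the Step 5 snippet assigns it; only the Complete code block has `$alertDefinitionId = $alertDefinition.Id`. Add that line to Step 5 so a reader following the steps does not post `AlertDefinitions()` with an empty ID. Smaller points in the same file: the task list links to `#token`, `#headers`, `#calls`, `#alert-definition` and `#ioc`, but no matching anchors are visible on the "Step N: ..." headings; `"Enabled"= "true"` serializes as a JSON string where the Python article in this change sends a boolean, so `$true` would keep the two consistent; "demonstrates how you to create" in Step 4 has a stray "you"; and because the sample assigns `$clientSecret` as a literal, a sentence telling readers to keep the real value out of saved scripts and source control would be worth adding next to the 60-minute token note.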
diff --git a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..311ebea501
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,34 @@
+---
+title: Windows Defender ATP preview features
+description: Learn how to access Windows Defender Advanced Threat Protection preview features.
+keywords: preview, preview experience, Windows Defender Advanced Threat Protection, features, updates
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Windows Defender ATP preview features
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
+
+Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
+
+You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
+
+Turn on the preview experience setting to be among the first to try upcoming features.
+
+1. In the navigation pane, select **Preferences setup** > **Preview experience**.
+2. Toggle the setting between **On** and **Off** and select **Save preferences**.
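Review bot: Step 2 says to toggle the setting "between **On** and **Off**", which does not tell the reader which state turns the preview experience on; say to set it to **On**. Step 1 names the page **Preferences setup**, while the PowerShell and Python articles added in this same change call it the **Preferences settings** page, so pick one name. The sentence just before the steps also repeats "be among the first to try upcoming features" from two paragraphs earlier; one of the two can go.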
diff --git a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
similarity index 98%
rename from windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index 5e04c5302d..2c68f00d27 100644
--- a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -193,3 +193,4 @@ HTTP error code | Description
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..dc44b7cbea
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,183 @@
+---
+title: Python code examples for the custom threat intelligence API
+description: Use Python code to create custom threat intelligence using REST API.
+keywords: python, code examples, threat intelligence, custom threat intelligence, rest api, api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Python code examples for the custom threat intelligence API
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+## Before you begin
+You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library.
+
+These code examples demonstrate the following tasks:
+- [Obtain an Azure AD access token](#token)
+- [Create request session object](#session-object)
+- [Create calls to the custom threat intelligence API](#calls)
+- [Create a new alert definition](#alert-definition)
+- [Create a new indicator of compromise](#ioc)
+
+
+## Step 1: Obtain an Azure AD access token
+The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
+
+Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
+
+```
+import json
+import requests
+from pprint import pprint
+
+auth_url="Your Authorization URL"
+client_id="Your Client ID"
+client_secret="Your Client Secret"
+
+payload = {"resource": "https://graph.windows.net",
+ "client_id": client_id,
+ "client_secret": client_secret,
+ "grant_type": "client_credentials"}
+
+response = requests.post(auth_url, payload)
+token = json.loads(response.text)["access_token"]
+```
+
+
+
+## Step 2: Create request session object
+Add HTTP headers to the session object, including the Authorization header with the token that was obtained.
+
+```
+with requests.Session() as session:
+ session.headers = {
+ 'Authorization': 'Bearer {}'.format(token),
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json'}
+```
+
+
+## Step 3: Create calls to the custom threat intelligence API
+After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
+
+```
+ response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
+ pprint(json.loads(response.text))
+```
+
+The response is empty on initial use of the API.
+
+
+## Step 4: Create a new alert definition
+The following example demonstrates how you to create a new alert definition.
+
+```
+ alert_definition = {"Name": "The alert's name",
+ "Severity": "Low",
+ "InternalDescription": "An internal description of the alert",
+ "Title": "The Title",
+ "UxDescription": "Description of the alerts",
+ "RecommendedAction": "The alert's recommended action",
+ "Category": "Trojan",
+ "Enabled": True}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
+ json=alert_definition)
+```
+
+
+## Step 5: Create a new indicator of compromise
+You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
+
+```
+ alert_definition_id = json.loads(response.text)["Id"]
+
+ ioc = {'Type': "Sha1",
+ 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
+ 'DetectionFunction': "Equals",
+ 'Enabled': True,
+ "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
+ json=ioc)
+```
+
+## Complete code
+You can use the complete code to create calls to the API.
+
+```syntax
+import json
+import requests
+from pprint import pprint
+
+auth_url="Your Authorization URL"
+client_id="Your Client ID"
+client_secret="Your Client Secret"
+
+payload = {"resource": "https://graph.windows.net",
+ "client_id": client_id,
+ "client_secret": client_secret,
+ "grant_type": "client_credentials"}
+
+response = requests.post(auth_url, payload)
+token = json.loads(response.text)["access_token"]
+
+with requests.Session() as session:
+ session.headers = {
+ 'Authorization': 'Bearer {}'.format(token),
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json'}
+
+ response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
+ pprint(json.loads(response.text))
+
+ alert_definition = {"Name": "The alert's name",
+ "Severity": "Low",
+ "InternalDescription": "An internal description of the alert",
+ "Title": "The Title",
+ "UxDescription": "Description of the alerts",
+ "RecommendedAction": "The alert's recommended action",
+ "Category": "Trojan",
+ "Enabled": True}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
+ json=alert_definition)
+
+ alert_definition_id = json.loads(response.text)["Id"]
+
+ ioc = {'Type': "Sha1",
+ 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
+ 'DetectionFunction': "Equals",
+ 'Enabled': True,
+ "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
+ json=ioc)
+
+ pprint(json.loads(response.text))
+```
+
+## Related topics
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
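Review bot: The fences in Steps 1 to 5 carry no language tag and the Complete code fence is tagged `syntax`, while the PowerShell article in this change tags its fences `powershell`; tag these `python` so they highlight consistently. Step 1 reads `json.loads(response.text)["access_token"]` without checking the response, so a rejected client ID or secret surfaces as a `KeyError` or a JSON decode error rather than the HTTP status; a `response.raise_for_status()` before it (and after the two `session.post` calls) would make failures readable. `session.headers = {...}` in Step 2 replaces the session's default headers instead of adding to them; `session.headers.update({...})` is the safer form. As in the PowerShell article, the task list links (`#token`, `#session-object`, `#calls`, `#alert-definition`, `#ioc`) have no visible matching anchors on the headings, "demonstrates how you to create" in Step 4 has a stray "you", and `client_secret` is shown as a literal with no advice on keeping the real value out of source control. The two python-requests links use `http://`; prefer `https://` if the site serves it.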
diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
similarity index 85%
rename from windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index e9d223c9d6..220ed86e05 100644
--- a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -34,13 +34,13 @@ You can contain an attack in your organization by stopping the malicious process
The **Stop & Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
-The action takes effect on machines with the latest Windows 10 Insider Preview build where the file was observed in the last 30 days.
+The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days.
### Stop and quarantine files
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
- – **Alerts** - click the corresponding links from the Description or Details in the Alert timeline
- – **Search box** - select File from the drop–down menu and enter the file name
+ - **Alerts** - click the corresponding links from the Description or Details in the Alert timeline
+ - **Search box** - select File from the drop–down menu and enter the file name
2. Open the **Actions menu** and select **Stop & Quarantine File**.

@@ -50,11 +50,11 @@ The action takes effect on machines with the latest Windows 10 Insider Preview b
The Action center shows the submission information:

- – **Submission time** - Shows when the action was submitted.
- – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- – **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
- – **Success** - Shows the number of machines where the file has been stopped and quarantined.
- – **Failed** - Shows the number of machines where the action failed and details about the failure.
+ - **Submission time** - Shows when the action was submitted.
+ - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
+ - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
+ - **Success** - Shows the number of machines where the file has been stopped and quarantined.
+ - **Failed** - Shows the number of machines where the action failed and details about the failure.
4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
@@ -93,7 +93,7 @@ You can roll back and remove a file from quarantine if you’ve determined that
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
>[!NOTE]
->This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](configure-windows-defender-in-windows-10.md).
+>This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. The coverage will be extended over time. The action takes effect on machines with the latest Windows 10 Insider Preview build.
### Enable the block file feature
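Review bot: The unchanged sentence just above the "Enable the block file feature" heading still says the action takes effect on "the latest Windows 10 Insider Preview build", while the Stop & Quarantine paragraph earlier in this file was updated to "Windows 10, version 1703" in the same change; check whether the block file requirement should be updated to match. On the changed note line, "Cloud–based" and "cloud–based" still use en dashes, and the link text "Manage cloud–based protection" now points at deploy-manage-report-windows-defender-antivirus.md, so confirm that the target page actually covers cloud-based protection or adjust the link text.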
@@ -108,9 +108,9 @@ The Action center shows the submission information:

- – **Submission time** - Shows when the action was submitted.
- – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- – **Status** - Indicates whether the file was added to or removed from the blacklist.
+ - **Submission time** - Shows when the action was submitted.
+ - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
+ - **Status** - Indicates whether the file was added to or removed from the blacklist.
When the file is blocked, there will be a new event in the machine timeline.
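Review bot: The rewritten Status bullet keeps the word "blacklist", while the rest of the article uses "blocked list" (for example the "Remove file from blocked list" heading and menu item further down); since the line is being touched anyway, change it to "added to or removed from the blocked list".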
@@ -129,9 +129,9 @@ For prevalent files in the organization, a warning is shown before an action is
### Remove file from blocked list
1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
- – **Alerts** - Click the file links from the Description or Details in the Alert timeline
- – **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
- – **Search box** - Select File from the drop–down menu and enter the file name
+ - **Alerts** - Click the file links from the Description or Details in the Alert timeline
+ - **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
+ - **Search box** - Select File from the drop–down menu and enter the file name
2. Open the **Actions** menu and select **Remove file from blocked list**.
@@ -173,10 +173,10 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
**Submit files for deep analysis:**
-1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
- – Alerts - click the file links from the **Description** or **Details** in the Alert timeline
- – **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
- – Search box - select **File** from the drop–down menu and enter the file name
+1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
+ - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
+ - **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
+ - Search box - select **File** from the drop–down menu and enter the file name
2. In the **Deep analysis** section of the file view, click **Submit**.

diff --git a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/service-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/service-status-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
similarity index 82%
rename from windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index f05e878db5..6025221e43 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -90,9 +90,9 @@ Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause a
:---|:---|:---|:---|:---
0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:** Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | Onboarding Offboarding SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
If it doesn't exist, open an elevated command and add the key.
- | | | SenseIsRunning OnboardingState OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
- | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional. Server is not supported.
- 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
+ | | | SenseIsRunning OnboardingState OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+ | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional. Server is not supported.
+ 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
**Known issues with non-compliance**
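Review bot: The removed and added table rows look textually identical in the visible lines, so this appears to be a whitespace-only change; while the rows are being touched, fix the wording they carry. "Currently is supported platforms:" should read "Currently supported platforms:" in both the "All" row and the 0x87D101A9 row, and the 0x87D101A9 row omits the "Server is not supported." sentence that the row above includes, so confirm whether that difference is intentional.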
@@ -151,8 +151,21 @@ Event ID | Message | Resolution steps
5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).
7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
+9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).
If the event happened during offboarding, contact support.
+10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).
If the problem persists, contact support.
15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). If the problem persists, contact support.
25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
+27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support.
+29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the endpoint has Internet access, then run the entire offboarding process again.
+30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support.
+32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine.
+55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine.
+63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
+64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing.
+68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type.
+69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
+
There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
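Review bot: the placeholder notation in the added event rows is inconsistent with the existing rows and with itself. Rows 9, 10, 17 and 27 write "Failure code: variable" in plain text, where the surrounding rows 5, 6, 7, 15 and 25 use the italic _variable_; rows 29 to 69 switch to raw %1/%2/%3 format specifiers; and rows 30 and 32 ship an unexpanded `$(build.sense.productDisplayName)` build token. Pick one notation and replace the token with the product name. Row 30 also reads "Failed to disable ... mode in Windows Defender Advanced Threat Protection", which looks inverted relative to row 27 ("Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender"). Row 29's "Ensure the endpoint has Internet access" is missing the anchor link that rows 5, 7 and 15 use for the same instruction.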
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..c782fef5df
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,52 @@
+---
+title: Troubleshoot SIEM tool integration issues in Windows Defender ATP
+description: Troubleshoot issues that might arise when using SIEM tools with Windows Defender ATP.
+keywords: troubleshoot, siem, client secret, secret
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Troubleshoot SIEM tool integration issues
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+You might need to troubleshoot issues while pulling alerts in your SIEM tools.
+
+This page provides detailed steps to troubleshoot issues you might encounter.
+
+
+## Learn how to get a new client secret
+If your client secret expires or if you've misplaced the copy provided when you were enabling the SIEM tool application, you'll need to get a new secret.
+
+1. Login to the [Azure management portal](https://ms.portal.azure.com).
+
+2. Select **Active Directory**.
+
+3. Select your tenant.
+
+4. Click **Application**, then select your SIEM tool application. The application name is `https://windowsdefenderatpsiemconnector`.
+
+5. Select **Keys** section, then provide a key description and specify the key validity duration.
+
+6. Click **Save**. The key value is displayed.
+
+7. Copy the value and save it in a safe place.
+
+
+## Related topics
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
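Review bot: the "Learn how to get a new client secret" procedure ends at step 7 ("Copy the value and save it in a safe place") without telling the reader to enter the new secret in the SIEM tool. Add a closing step that points to the Splunk and ArcSight configuration topics already listed under Related topics. Step 5 asks for a "key validity duration" with no guidance on what to choose, although expiry is the first reason the section gives for needing a new secret; a sentence on that would help. Smaller points: the intro promises "detailed steps to troubleshoot issues" but the page has a single section, "Login to" should be "Log in to" or "Sign in to", and "Select **Keys** section" is missing "the".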
diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
similarity index 100%
rename from windows/keep-secure/use-windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
similarity index 96%
rename from windows/keep-secure/windows-defender-advanced-threat-protection.md
rename to windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index 0a9feddff7..0963cb7037 100644
--- a/windows/keep-secure/windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -27,6 +27,8 @@ localizationpriority: high
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
+Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787].
+
Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
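Review bot: the link in the added line has its Markdown delimiters reversed, `(Windows Defender ATP for Windows 10 Creators Update)[https://...]`, so it will render as literal text rather than a link; it should be `[text](url)`. The sentence also runs on at "version 1703 see"; split it or add a comma and move "see" before the link. The URL hard-codes the `en-au` locale, which the other links in this change set do not do.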
diff --git a/windows/keep-secure/images/windows-defender-security-center.png b/windows/threat-protection/windows-defender-smartscreen/images/windows-defender-security-center.png
similarity index 100%
rename from windows/keep-secure/images/windows-defender-security-center.png
rename to windows/threat-protection/windows-defender-smartscreen/images/windows-defender-security-center.png
diff --git a/windows/keep-secure/images/windows-defender-smartscreen-control.png b/windows/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png
similarity index 100%
rename from windows/keep-secure/images/windows-defender-smartscreen-control.png
rename to windows/threat-protection/windows-defender-smartscreen/images/windows-defender-smartscreen-control.png
diff --git a/windows/keep-secure/windows-defender-smartscreen-available-settings.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
similarity index 96%
rename from windows/keep-secure/windows-defender-smartscreen-available-settings.md
rename to windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 936751e349..506e512699 100644
--- a/windows/keep-secure/windows-defender-smartscreen-available-settings.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -205,11 +205,11 @@ To better help you protect your organization, we recommend turning on and using
## Related topics
-- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index)
+- [Threat protection](../index.md)
-- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies)
+- [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)
-- [Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge](https://technet.microsoft.com/itpro/microsoft-edge/available-policies)
+- [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-smartscreen-overview.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
similarity index 90%
rename from windows/keep-secure/windows-defender-smartscreen-overview.md
rename to windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index 4df34ae566..9b1db90c72 100644
--- a/windows/keep-secure/windows-defender-smartscreen-overview.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -18,9 +18,6 @@ localizationpriority: high
Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.
->[!NOTE]
->SmartScreen completely blocks apps from the Internet from running on Windows 10 Mobile.
-
**SmartScreen determines whether a site is potentially malicious by:**
- Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution.
@@ -53,14 +50,11 @@ Windows Defender SmartScreen helps to provide an early warning system against we
When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/en-us/scriptcenter/dd565657(v=msdn.10).aspx).
## Related topics
-- [SmartScreen Frequently Asked Questions (FAQ)](https://support.microsoft.com/en-us/products/windows?os=windows-10)
+- [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
- [How to recognize phishing email messages, links, or phone calls](https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx)
-- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index)
-
-- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies)
-
+- [Threat protection](../index.md)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
similarity index 95%
rename from windows/keep-secure/windows-defender-smartscreen-set-individual-device.md
rename to windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
index 482d88a367..e611009fcf 100644
--- a/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -73,8 +73,9 @@ You can configure Windows Defender SmartScreen to warn employees from going to a
- If a site seems potentially dangerous, employees can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**.
## Related topics
-- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index)
-- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies)
+- [Threat protection](../index.md)
+
+- [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
similarity index 99%
rename from windows/keep-secure/app-behavior-with-wip.md
rename to windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
index d436e1e7a7..6f41240d2b 100644
--- a/windows/keep-secure/app-behavior-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
@@ -14,7 +14,7 @@ localizationpriority: high
**Applies to:**
- Windows 10, version 1607 and later
-- Windows 10 Mobile
+- Windows 10 Mobile, version 1607 and later
Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data is encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or people will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.
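Review bot: the unchanged paragraph directly under the edited **Applies to** list still reads "Enlighted apps can differentiate"; since this file is being touched, correct it to "Enlightened apps" so it matches "enlightened and unenlightened" in the sentence before it.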
diff --git a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
new file mode 100644
index 0000000000..9316b2ab60
--- /dev/null
+++ b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -0,0 +1,172 @@
+---
+title: How to collect Windows Information Protection (WIP) audit event logs (Windows 10)
+description: How to collect and understand your Windows Information Protection audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices only).
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# How to collect Windows Information Protection (WIP) audit event logs
+
+**Applies to:**
+
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
+
+Windows Information Protection (WIP) creates audit events in the following situations:
+
+- If an employee changes the File ownership for a file from **Work** to **Personal**.
+
+- If data is marked as **Work**, but shared to a personal app or webpage. For example, through copying and pasting, dragging and dropping, sharing a contact, uploading to a personal webpage, or if the user grants a personal app provides temporary access to a work file.
+
+- If an app has custom audit events.
+
+## Collect WIP audit logs by using the Reporting configuration service provider (CSP)
+Collect the WIP audit logs from your employee’s devices by following the guidance provided by the [Reporting configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/reporting-csp) documentation. This topic provides info about the actual audit events.
+
+>[!Note]
+>The **Data** element in the response includes the requested audit logs in an XML-encoded format.
+
+### User element and attributes
+This table includes all available attributes for the **User** element.
+
+|Attribute |Value type |Description |
+|----------|-----------|------------|
+|UserID |String |The security identifier (SID) of the user corresponding to this audit report. |
+|EnterpriseID |String |The enterprise ID corresponding to this audit report. |
+
+### Log element and attributes
+This table includes all available attributes/elements for the **Log** element. The response can contain zero (0) or more **Log** elements.
+
+|Attribute/Element |Value type |Description |
+|----------|-----------|------------|
+|ProviderType |String |This is always **EDPAudit**. |
+|LogType |String |Includes:
**DataCopied.** Work data is copied or shared to a personal location.
**ProtectionRemoved.** WIP protection is removed from a Work-defined file.
**ApplicationGenerated.** A custom audit log provided by an app.
|
+|TimeStamp |Int |Uses the [FILETIME structure](https://msdn.microsoft.com/library/windows/desktop/ms724284(v=vs.85).aspx) to represent the time that the event happened. |
+|Policy |String |How the work data was shared to the personal location:
**CopyPaste.** Work data was pasted into a personal location or app.
**ProtectionRemoved.** Work data was changed to be unprotected.
**DragDrop.** Work data was dropped into a personal location or app.
**Share.** Work data was shared with a personal location or app.
**NULL.** Any other way work data could be made personal beyond the options above. For example, when a work file is opened using a personal application (also known as, temporary access).
|
+|Justification |String |Not implemented. This will always be either blank or NULL.
**Note** Reserved for future use to collect the user justification for changing from **Work** to **Personal**. |
+|Object |String |A description of the shared work data. For example, if an employee opens a work file by using a personal app, this would be the file path. |
+|DataInfo |String |Any additional info about how the work file changed:
**A file path.** If an employee uploads a work file to a personal website by using Microsoft Edge or Internet Explorer, the file path is included here.
**Clipboard data types.** If an employee pastes work data into a personal app, the list of clipboard data types provided by the work app are included here. For more info, see the [Examples](#examples) section of this topic.
|
+|Action |Int |Provides info about what happened when the work data was shared to personal, including:
**1.** File decrypt.
**2.** Copy to location.
**3.** Send to recipient.
**4.** Other.
|
+|FilePath |String |The file path to the file specified in the audit event. For example, the location of a file that’s been decrypted by an employee or uploaded to a personal website. |
+|SourceApplicationName |String |The source app or website. For the source app, this is the AppLocker identity. For the source website, this is the hostname. |
+|SourceName |String |A string provided by the app that’s logging the event. It’s intended to describe the source of the work data. |
+|DestinationEnterpriseID |String |The enterprise ID value for the app or website where the employee is sharing the data.
**NULL**, **Personal**, or **blank** means there’s no enterprise ID because the work data was shared to a personal location. Because we don’t currently support multiple enrollments, you’ll always see one of these values. |
+|DestinationApplicationName |String |The destination app or website. For the destination app, this is the AppLocker identity. For the destination website, this is the hostname. |
+|DestinationName |String |A string provided by the app that’s logging the event. It’s intended to describe the destination of the work data. |
+|Application |String |The AppLocker identity for the app where the audit event happened. |
+
+### Examples
+Here are a few examples of responses from the Reporting CSP.
+
+#### File ownership on a file is changed from work to personal
+```
+110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?>
+<Reporting Version="com.contoso/2.0/MDM/Reporting">
+ <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
+ <Log ProviderType="EDPAudit" LogType="ProtectionRemoved" TimeStamp="131357166318347527">
+ <Policy>Protection removed</Policy>
+ <Justification>NULL</Justification>
+ <FilePath>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</FilePath>
+ </Log>
+ </User>
+</Reporting>
+```
+
+#### A work file is uploaded to a personal webpage in Edge
+```
+110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?>
+<Reporting Version="com.contoso/2.0/MDM/Reporting">
+ <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
+ <Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357192409318534">
+ <Policy>CopyPaste</Policy>
+ <Justification>NULL</Justification>
+ <SourceApplicationName>NULL</SourceApplicationName>
+ <DestinationEnterpriseID>NULL</DestinationEnterpriseID>
+ <DestinationApplicationName>mail.contoso.com</DestinationApplicationName>
+ <DataInfo>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</DataInfo>
+ </Log>
+ </User>
+</Reporting>
+```
+
+#### Work data is pasted into a personal webpage
+```
+110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?>
+<Reporting Version="com.contoso/2.0/MDM/Reporting">
+ <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
+ <Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357193734179782">
+ <Policy>CopyPaste</Policy>
+ <Justification>NULL</Justification>
+ <SourceApplicationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000</SourceApplicationName>
+ <DestinationEnterpriseID>NULL</DestinationEnterpriseID>
+ <DestinationApplicationName>mail.contoso.com</DestinationApplicationName>
+ <DataInfo>EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink</DataInfo>
+ </Log>
+ </User>
+</Reporting>
+```
+
+#### A work file is opened with a personal application
+```
+110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?>
+<Reporting Version="com.contoso/2.0/MDM/Reporting">
+ <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
+ <Log ProviderType="EDPAudit" LogType="ApplicationGenerated" TimeStamp="131357194991209469">
+ <Policy>NULL</Policy>
+ <Justification></Justification>
+ <Object>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</Object>
+ <Action>1</Action>
+ <SourceName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</SourceName>
+ <DestinationEnterpriseID>Personal</DestinationEnterpriseID>
+ <DestinationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</DestinationName>
+ <Application>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</Application>
+ </Log>
+ </User>
+</Reporting>
+```
+
+#### Work data is pasted into a personal application
+```
+110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?>
+<Reporting Version="com.contoso/2.0/MDM/Reporting">
+ <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
+ <Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357196076537270">
+ <Policy>CopyPaste</Policy>
+ <Justification>NULL</Justification>
+ <SourceApplicationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000</SourceApplicationName>
+ <DestinationEnterpriseID>NULL</DestinationEnterpriseID>
+ <DestinationApplicationName></DestinationApplicationName>
+ <DataInfo>EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink</DataInfo>
+ </Log>
+ </User>
+</Reporting>
+```
+
+## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only)
+Use Windows Event Forwarding to collect and aggregate your WIP audit events. You can view your audit events in the Event Viewer.
+
+>[!NOTE]
+>Windows 10 Mobile requires you to use the [Reporting CSP process](#collect-wip-audit-logs-by-using-the-reporting-configuration-service-provider-csp) instead.
+
+**To view the WIP events in the Event Viewer**
+1. Open Event Viewer.
+
+2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
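Review bot: the examples do not match the tables they illustrate. The Log table documents the Policy value as **ProtectionRemoved**, but the first example emits `<Policy>Protection removed</Policy>` with a space, and the "uploaded to a personal webpage in Edge" example reports `<Policy>CopyPaste</Policy>` although the table describes CopyPaste as pasting; state which strings the CSP really returns, since anyone parsing these logs will match on them. Each example also opens with a run such as `110SyncHdr200212Replace200314Get200414./Vendor/MSFT/...Logsxml` fused to the `<?xml` declaration, which looks like a SyncML envelope with its element tags stripped; restore the tags or drop the line. In the intro bullets, "if the user grants a personal app provides temporary access to a work file" is ungrammatical. The Windows Event Forwarding section only explains how to open the two logs in Event Viewer and never covers setting up forwarding. The file ends with fourteen empty added lines that should be removed.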
diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
similarity index 91%
rename from windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
rename to windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index e24a68abfe..76d9d3a63c 100644
--- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -13,15 +13,15 @@ localizationpriority: high
# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
**Applies to:**
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
>[!IMPORTANT]
->If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).
If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
+>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).
If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
**To manually create an EFS DRA certificate**
@@ -53,9 +53,9 @@ The recovery process included in this topic only works for desktop devices. WIP
3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
- cipher /c file_name
+ cipher /c filename
- Where *file_name* is the name of the file you created in Step 1.
+ Where *filename* is the name of the file you created in Step 1.
4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
@@ -67,11 +67,12 @@ The recovery process included in this topic only works for desktop devices. WIP
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
- cipher /d encryptedfile.extension>
+ cipher /d encryptedfile.extension
Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx.
-**To quickly recover WIP-protected desktop data after unenrollment**
+**To quickly recover WIP-protected desktop data after unenrollment**
+
It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps.
>[!IMPORTANT]
@@ -95,7 +96,8 @@ It's possible that you might revoke data from an unenrolled device only to later
The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery\Input location.
-**To quickly recover WIP-protected desktop data in a cloud-based environment**
+**To quickly recover WIP-protected desktop data in a cloud-based environment**
+
If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences.
>[!IMPORTANT]
@@ -135,5 +137,7 @@ If you use a cloud environment in your organization, you may still want to resto
- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)
-
**Note** Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+
+>[!Note]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
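Review bot: The old `**Note** Help to make this topic better…` paragraph is carried as unchanged context rather than removed (only the blank line before it has a `-`, and the header's 5 to 7 line count agrees), so after this hunk the topic ends with the contribution note twice, once as plain bold text and once as the `>[!Note]` callout. Delete the old paragraph in the same hunk. The callout keyword casing is also inconsistent across this patch: `>[!Note]` here, `>[!NOTE]` at the end of create-vpn-and-wip-policy-using-intune.md, and `>[!IMPORTANT]` elsewhere in this file; pick one form.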
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
new file mode 100644
index 0000000000..9fbe861ddc
--- /dev/null
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
@@ -0,0 +1,73 @@
+---
+title: Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune (Windows 10)
+description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
+ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b
+keywords: WIP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune
+**Applies to:**
+
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
+
+After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Azure Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
+
+## Associate your WIP policy to your VPN policy by using Microsoft Azure Intune
+Follow these steps to associate your WIP policy with your organization's existing VPN policy.
+
+**To associate your policies**
+
+1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration).
+
+2. Open the Microsoft Azure Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
+
+ 
+
+3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**.
+
+ 
+
+4. In the **Custom OMA-URI Settings** blade, click **Add**.
+
+5. In the **Add Row** blade, type:
+
+ - **Name.** Type a name for your setting, such as *EDPModeID*.
+
+ - **Description.** Type an optional description for your setting.
+
+ - **OMA-URI.** Type _./Vendor/MSFT/VPNv2/<VPNProfileName>/EDPModeId_ into the box.
+
+ - **Data type.** Select **String** from the dropdown box
+
+ - **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
+
+ 
+
+6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
+
+7. Click **Create** to create the policy, including your OMA_URI info.
+
+## Deploy your VPN policy using Microsoft Azure Intune
+After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
+
+**To deploy your Custom VPN policy**
+
+1. On the **App policy** blade, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**.
+
+ A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** blade.
+
+2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy.
+
+ The policy is deployed to the selected users' devices.
+
+ 
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
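Review bot: Step 1 of "To deploy your Custom VPN policy" sends the reader to the **App policy** blade, but the profile in this topic is created from **Device configuration** > **Create Profile**, so the newly created profile will not be found where the step says; point the step at the blade where the custom profile actually appears. In step 5 the suggested setting name is *EDPModeID* while the OMA-URI ends in `EDPModeId`; use one casing so readers don't copy the wrong one into the URI. The **Value** bullet should say which domain is meant (the example is _corp.contoso.com_) and how it relates to the WIP policy this profile is being linked to, since that link is the purpose of the setting. Smaller points: step 7 writes "OMA_URI" where the rest of the topic uses "OMA-URI", the **Data type** bullet lacks its closing period, "A list of user groups ... appear" should be "appears", the title says "Microsoft Azure Intune" while the description says "Microsoft Intune", and the file has no newline at end of file.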
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
new file mode 100644
index 0000000000..cb3d8f028e
--- /dev/null
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -0,0 +1,515 @@
+---
+title: Create a Windows Information Protection (WIP) policy using Microsoft Azure Intune (Windows 10)
+description: Microsoft Azure Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Create a Windows Information Protection (WIP) policy using Microsoft Azure Intune
+
+**Applies to:**
+
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
+
+Microsoft Azure Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
+
+## Add a WIP policy
+After you’ve set up Intune for your organization, you must create a WIP-specific policy.
+
+**To add a WIP policy**
+1. Open the Microsoft Azure Intune mobile application management console, click **All settings**, and then click **App policy**.
+
+ 
+
+2. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
+ - **Name.** Type a name (required) for your new policy.
+
+ - **Description.** Type an optional description.
+
+ - **Platform.** Choose **Windows 10** as the supported platform for your policy.
+
+ - **Enrollment state.** Choose **With enrollment** as the enrollment state for your policy.
+
+ 
+
+3. Click **Create**.
+
+ The policy is created and appears in the table on the **App Policy** screen.
+
+ >[!NOTE]
+ >Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available.
+
+### Add apps to your Allowed apps list
+During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
+
+The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app.
+
+>[!Important]
+>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+
+
+#### Add a Recommended app to your Allowed apps list
+For this example, we’re going to add Microsoft Edge, a recommended app, to the **Allowed apps** list.
+
+**To add a recommended app**
+1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
+
+ The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
+
+ 
+
+2. From the **Allowed apps** blade, click **Add apps**.
+
+ The **Add apps** blade appears, showing you all **Recommended apps**.
+
+ 
+
+3. Select each app you want to access your enterprise data, and then click **OK**.
+
+ The **Allowed apps** blade updates to show you your selected apps.
+
+ 
+
+#### Add a Store app to your Allowed apps list
+For this example, we’re going to add Microsoft Power BI, a store app, to the **Allowed apps** list.
+
+**To add a Store app**
+1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
+
+ The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
+
+2. From the **Allowed apps** blade, click **Add apps**.
+
+3. On the **Add apps** blade, click **Store apps** from the dropdown list.
+
+ The blade changes to show boxes for you to add a publisher and app name.
+
+4. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the Product **name** is `Microsoft.MicrosoftPowerBIForWindows`.
+
+5. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list.
+
+ >[!NOTE]
+ >To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**.
+
+ 
+
+If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
+
+**To find the publisher and product name values for Store apps without installing them**
+1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*.
+
+2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
+
+3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value.
+
+ The API runs and opens a text editor with the app details.
+
+ ```json
+ {
+ "packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows",
+ "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+ }
+ ```
+
+4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune.
+
+ >[!Important]
+ >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
For example:
+ { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", }
+
+**To find the publisher and product name values for apps installed on Windows 10 mobile phones**
+1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
+
+ >**Note** Your PC and phone must be on the same wireless network.
+
+2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
+
+3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
+
+4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
+
+5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
+
+6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
+
+7. Start the app for which you're looking for the publisher and product name values.
+
+8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >[!Important]
+ >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
For example:
+ { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", }
+
+#### Add a Desktop app to your Allowed apps list
+For this example, we’re going to add WordPad, a desktop app, to the **Allowed apps** list.
+
+**To add a Desktop app**
+1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
+
+ The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
+
+2. From the **Allowed apps** blade, click **Add apps**.
+
+3. On the **Add apps** blade, click **Desktop apps** from the dropdown list.
+
+ The blade changes to show boxes for you to add the following, based on what results you want returned:
+
+
+
+
Field
+
Manages
+
+
+
All fields marked as “*”
+
All files signed by any publisher. (Not recommended)
+
+
+
Publisher only
+
If you only fill out this field, you’ll get all files signed by the named publisher.
This might be useful if your company is the publisher and signer of internal line-of-business apps.
+
+
+
Publisher and Name only
+
If you only fill out these fields, you’ll get all files for the specified product, signed by the named publisher.
+
+
+
Publisher, Name, and File only
+
If you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher.
+
+
+
Publisher, Name, File, and Min version only
+
If you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.
This option is recommended for enlightened apps that weren't previously enlightened.
+
+
+
Publisher, Name, File, and Max version only
+
If you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.
+
+
+
All fields completed
+
If you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher.
+
+
+
+4. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list.
+
+ >[!Note]
+ >To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**.
+
+ 
+
+ **To find the Publisher values for Desktop apps**
+ If you’re unsure about what to include for the publisher, you can run this PowerShell command:
+
+ ```ps1
+ Get-AppLockerFileInformation -Path ""
+ ```
+ Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"`.
+
+ In this example, you'd get the following info:
+
+ ``` json
+ Path Publisher
+ ---- ---------
+ %PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
+ ```
+ Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box.
+
+#### Import a list of apps to your Allowed apps list
+For this example, we’re going to add an AppLocker XML file to the **Allowed apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
+
+**To create a list of Allowed apps using the AppLocker tool**
+1. Open the Local Security Policy snap-in (SecPol.msc).
+
+2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
+
+ 
+
+3. Right-click in the right-hand blade, and then click **Create New Rule**.
+
+ The **Create Packaged app Rules** wizard appears.
+
+4. On the **Before You Begin** page, click **Next**.
+
+ 
+
+5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
+
+ 
+
+6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
+
+ 
+
+7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365.
+
+ 
+
+8. On the updated **Publisher** page, click **Create**.
+
+ 
+
+9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
+
+ 
+
+9. Review the Local Security Policy snap-in to make sure your rule is correct.
+
+ 
+
+10. In the left blade, right-click on **AppLocker**, and then click **Export policy**.
+
+ The **Export policy** box opens, letting you export and save your new policy as XML.
+
+ 
+
+11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
+
+ The policy is saved and you’ll see a message that says 1 rule was exported from the policy.
+
+ **Example XML file**
+ This is the XML file that AppLocker creates for Microsoft Dynamics 365.
+
+ ```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ```
+
+12. After you’ve created your XML file, you need to import it by using Microsoft Azure Intune.
+
+**To import your list of Allowed apps using Microsoft Azure Intune**
+
+1. From the **Allowed apps** area, click **Import apps**.
+
+ The blade changes to let you add your import file.
+
+ 
+
+2. Browse to your exported AppLocker policy file, and then click **Open**.
+
+ The file imports and the apps are added to your **Allowed app** list.
+
+#### Add exempt apps to your policy
+If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
+
+**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Allowed apps list**
+
+1. From the **App policy** blade, click the name of your policy, and then click **Exempt apps** from the menu that appears.
+
+ The **Exempt apps** blade appears, showing you any apps that are already included in the list for this policy.
+
+2. From the **Exempt apps** blade, click **Add apps**.
+
+ Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-apps-to_your-allowed-apps-list) section of this topic.
+
+3. Fill out the rest of the app info, based on the type of app you’re adding:
+
+ - **Recommended app.** Follow the instructions in the [Add a Recommended app to your Allowed apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic.
+
+ - **Store app.** Follow the instructions in the [Add a Store app to your Allowed apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic.
+
+ - **Desktop app.** Follow the instructions in the [Add a Desktop app to your Allowed apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic.
+
+ - **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Allowed apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps.
+
+4. Click **OK**.
+
+### Manage the WIP protection mode for your enterprise data
+After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
+
+We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
+
+**To add your protection mode**
+
+1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
+
+ The **Required settings** blade appears.
+
+ 
+
+ |Mode |Description |
+ |-----|------------|
+ |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+ |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459).|
+ |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
+ |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
+
+2. Click **Save**.
+
+### Define your enterprise-managed corporate identity
+Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
+
+Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the Corporate identity field. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
+
+**To change your corporate identity**
+
+1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
+
+ The **Required settings** blade appears.
+
+2. If the identity isn’t correct, or if you need to add additional domains, type info into the **Corporate identity** field. For example, `contoso.com|newcontoso.com`.
+
+ 
+
+### Choose where apps can access enterprise data
+After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
+
+There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
+
+>[!Important]
+>Every WIP policy should include policy that defines your enterprise network locations. Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
+
+**To define where your allowed apps can find and send enterprise data on you network**
+
+1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
+
+ The **Advanced settings** blade appears.
+
+2. Click **Add network boundary** from the Network perimeter area.
+
+ The **Add network boundary** blade appears.
+
+ 
+
+3. Select the type of network boundary to add from the **Boundary type** box.
+
+4. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**.
+
+
+
+
Boundary type
+
Value format
+
Description
+
+
+
Cloud Resources
+
With proxy: contoso.sharepoint.com,contoso.internalproxy1.com| contoso.visualstudio.com,contoso.internalproxy2.com
Without proxy: contoso.sharepoint.com|contoso.visualstudio.com
+
Specify the cloud resources to be treated as corporate and protected by WIP.
For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.
If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.
Important In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.
When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
+
+
+
Network domain names
+
corp.contoso.com,region.contoso.com
+
Starting with Windows 10, version 1703, this field is optional.
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
If you have multiple resources, you must separate them using the "," delimiter.
+
+
+
Proxy servers
+
proxy.contoso.com:80;proxy2.contoso.com:443
+
Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.
If you have multiple ranges, you must separate them using the "," delimiter.
Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.
If you have multiple ranges, you must separate them using the "," delimiter.
+
+
+
Neutral resources
+
sts.contoso.com,sts.contoso2.com
+
Specify your authentication redirection endpoints for your company.
These locations are considered enterprise or personal, based on the context of the connection before the redirection.
If you have multiple resources, you must separate them using the "," delimiter.
+
+
+
+5. Repeat steps 1-4 to add any additional network boundaries.
+
+6. Decide if you want to Windows to look for additional network settings:
+
+ 
+
+ - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
+
+ - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
+
+### Upload your Data Recovery Agent (DRA) certificate
+After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
+
+>[!Important]
+>Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.
+
+**To upload your DRA certificate**
+1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
+
+ The **Advanced settings** blade appears.
+
+2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
+
+ 
+
+### Choose your optional WIP-related settings
+After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings.
+
+**To set your optional settings**
+
+1. Choose to set any or all optional settings:
+
+ 
+
+ - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
+
+ - **On (recommended).** Turns on the feature and provides the additional protection.
+
+ - **Off, or not configured.** Doesn't enable this feature.
+
+ - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
+
+ - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
+
+ - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions.
+
+ - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
+
+ - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
+
+ - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option.
+
+ - **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection.
+
+ - **On.** Starts using Azure Rights Management encryption with WIP. By turning this option on, you can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. For more info about setting up Azure Rights management and using a template ID with WIP, see the [Choose to set up Azure Rights Management with WIP](#choose-to-set-up-azure-rights-management-with-wip) section of this topic.
+
+ - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP.
+
+### Choose to set up Azure Rights Management with WIP
+WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
+
+To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Azure Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
+
+Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option.
+
+>[!NOTE]
+>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
+
+## Related topics
+- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
+- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](create-vpn-and-wip-policy-using-intune.md)
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
+- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
+- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
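Review bot: In the Important note under "Upload your Data Recovery Agent (DRA) certificate", the "Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate" link points at https://tnstage.redmond.corp.microsoft.com/..., which looks like an internal staging host that readers outside the corporate network cannot resolve. Link to the topic by its relative .md path, as the Related topics entries in this file do, or by its published URL. Two smaller fixes in the same hunk: step 6 reads "Decide if you want to Windows to look" (stray "to"), and the "What is Azure Rights Management?" link has a space after the opening parenthesis of its URL.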
diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
similarity index 94%
rename from windows/keep-secure/create-wip-policy-using-sccm.md
rename to windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
index 5a51f50d60..828d6becd9 100644
--- a/windows/keep-secure/create-wip-policy-using-sccm.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -14,9 +14,9 @@ localizationpriority: high
# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
**Applies to:**
-- Windows 10, version 1607
-- Windows 10 Mobile
-- System Center Configuration Manager
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
+- System Center Configuration Manager
System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
@@ -387,7 +387,7 @@ There are no default locations included with WIP, you must add each of your netw
Enterprise Cloud Resources
With proxy: contoso.sharepoint.com,contoso.internalproxy1.com| contoso.visualstudio.com,contoso.internalproxy2.com
Without proxy: contoso.sharepoint.com|contoso.visualstudio.com
-
Specify the cloud resources to be treated as corporate and protected by WIP.
For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.
If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.
If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/
+
Specify the cloud resources to be treated as corporate and protected by WIP.
For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.
If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.
Important In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.
Enterprise Network Domain Names (Required)
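Review bot: The replacement description for Enterprise Cloud Resources still says "If you don’t use proxy servers, you must also include the "," delimiter just before the "|"", but the "Without proxy" example in the same cell is contoso.sharepoint.com|contoso.visualstudio.com, with no comma before the "|". The rule and the example need to agree, otherwise an admin following one of them ends up with a cloud resource list that is read differently than intended. The new Important text could also state the trade-off directly: adding /*AppCompat*/ stops Windows from blocking connections it cannot classify as enterprise or personal, so those connections are then allowed.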
@@ -395,14 +395,14 @@ There are no default locations included with WIP, you must add each of your netw
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.
If you have multiple resources, you must separate them using the "," delimiter.
-
Enterprise Proxy Servers
+
Proxy servers
proxy.contoso.com:80;proxy2.contoso.com:443
-
Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.
This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.
This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.
If you have multiple resources, you must separate them using the ";" delimiter.
+
Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
Specify the proxy servers your devices will go through to reach your cloud resources.
Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
+
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
Enterprise IPv4 Range (Required)
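Review bot: The replacement description for "Proxy servers" contradicts the one for internal proxy servers a few lines later. The Proxy servers text says "Using this server type indicates that the cloud resources you’re connecting to are enterprise resources", while the internal proxy text says "Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic". The first two sentences of the Proxy servers cell appear to have been copied from the internal proxy description. Since this setting decides which traffic WIP treats as enterprise, restore a description of what the external-facing list is for (the removed text called these "externally-facing proxy server addresses") and keep the "enterprise resources" sentence only on the internal list.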
@@ -493,10 +493,10 @@ After you’ve created your WIP policy, you'll need to deploy it to your organiz
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225)
- [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226)
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
## Related topics
- [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372)
- [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623)
-- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624)
\ No newline at end of file
+- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
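Review bot: The new last line of the file, the contribution note, still carries "\ No newline at end of file", so the hunk moves the missing trailing newline rather than fixing it; add a final newline. The move also places the NOTE after "## Related topics" here, while deploy-wip-policy-using-intune.md in this same change keeps the NOTE before "## Related topics". Pick one order for the WIP topics.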
diff --git a/windows/keep-secure/deploy-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
similarity index 50%
rename from windows/keep-secure/deploy-wip-policy-using-intune.md
rename to windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
index c9977fec21..486fadd600 100644
--- a/windows/keep-secure/deploy-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
@@ -1,5 +1,5 @@
---
-title: Deploy your Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
+title: Deploy your Windows Information Protection (WIP) policy using Microsoft Azure Intune (Windows 10)
description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
@@ -11,33 +11,33 @@ author: eross-msft
localizationpriority: high
---
-# Deploy your Windows Information Protection (WIP) policy using Microsoft Intune
+# Deploy your Windows Information Protection (WIP) policy using Microsoft Azure Intune
**Applies to:**
-- Windows 10, version 1607
-- Windows 10 Mobile
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
**To deploy your WIP policy**
-1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
+1. On the **App policy** pane, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**.
- 
+ A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane.
-2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
-The added people move to the **Selected Groups** list on the right-hand pane.
+2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy.
- 
+ The policy is deployed to the selected users' devices.
+
+ 
-3. After you've picked all of the employees and groups that should get the policy, click **OK**.
-The policy is deployed to the selected users' devices.
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
## Related topics
-- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
-- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
-- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
-- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
\ No newline at end of file
+- [Create a Windows Information Protection (WIP) policy using Microsoft Azure Intune](create-wip-policy-using-intune.md)
+
+- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](create-vpn-and-wip-policy-using-intune.md)
+
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
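Review bot: Step 1 uses "**App policy** pane" and "**Add user group** pane", while create-wip-policy-using-intune.md in this change uses "**App policy** blade" and "**Advanced settings** blade" for the same portal; use one term across the WIP topics. In the line added under step 1, "A list of user groups ... appear" should be "appears". The wip-azure-add-user-groups.png screenshot is placed after step 2's result sentence, but its alt text describes picking the groups, so it would read better directly under step 1 or under the first sentence of step 2.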
diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
similarity index 97%
rename from windows/keep-secure/enlightened-microsoft-apps-and-wip.md
rename to windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 5555cd3892..77df2d4e51 100644
--- a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
+++ b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -15,8 +15,8 @@ localizationpriority: high
**Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
similarity index 89%
rename from windows/keep-secure/guidance-and-best-practices-wip.md
rename to windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
index 3294599cd2..af85cdebaf 100644
--- a/windows/keep-secure/guidance-and-best-practices-wip.md
+++ b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -14,8 +14,8 @@ localizationpriority: high
# General guidance and best practices for Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
@@ -25,7 +25,7 @@ This section includes info about the enlightened Microsoft apps, including how t
|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |Learn the difference between enlightened and unenlightened app behaviors. |
|[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |Recommended additions for the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). |
-|[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook Web Access (OWA) with Windows Information Protection (WIP). |
+|[Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook on the web with Windows Information Protection (WIP). |
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/keep-secure/images/intune-add-applocker-xml-file.png b/windows/threat-protection/windows-information-protection/images/intune-add-applocker-xml-file.png
similarity index 100%
rename from windows/keep-secure/images/intune-add-applocker-xml-file.png
rename to windows/threat-protection/windows-information-protection/images/intune-add-applocker-xml-file.png
diff --git a/windows/keep-secure/images/intune-add-classic-apps.png b/windows/threat-protection/windows-information-protection/images/intune-add-classic-apps.png
similarity index 100%
rename from windows/keep-secure/images/intune-add-classic-apps.png
rename to windows/threat-protection/windows-information-protection/images/intune-add-classic-apps.png
diff --git a/windows/keep-secure/images/intune-add-uwp-apps.png b/windows/threat-protection/windows-information-protection/images/intune-add-uwp-apps.png
similarity index 100%
rename from windows/keep-secure/images/intune-add-uwp-apps.png
rename to windows/threat-protection/windows-information-protection/images/intune-add-uwp-apps.png
diff --git a/windows/keep-secure/images/intune-add-uwp.png b/windows/threat-protection/windows-information-protection/images/intune-add-uwp.png
similarity index 100%
rename from windows/keep-secure/images/intune-add-uwp.png
rename to windows/threat-protection/windows-information-protection/images/intune-add-uwp.png
diff --git a/windows/keep-secure/images/intune-addapps.png b/windows/threat-protection/windows-information-protection/images/intune-addapps.png
similarity index 100%
rename from windows/keep-secure/images/intune-addapps.png
rename to windows/threat-protection/windows-information-protection/images/intune-addapps.png
diff --git a/windows/keep-secure/images/intune-applocker-before-begin.png b/windows/threat-protection/windows-information-protection/images/intune-applocker-before-begin.png
similarity index 100%
rename from windows/keep-secure/images/intune-applocker-before-begin.png
rename to windows/threat-protection/windows-information-protection/images/intune-applocker-before-begin.png
diff --git a/windows/keep-secure/images/intune-applocker-permissions.png b/windows/threat-protection/windows-information-protection/images/intune-applocker-permissions.png
similarity index 100%
rename from windows/keep-secure/images/intune-applocker-permissions.png
rename to windows/threat-protection/windows-information-protection/images/intune-applocker-permissions.png
diff --git a/windows/keep-secure/images/intune-applocker-publisher-with-app.png b/windows/threat-protection/windows-information-protection/images/intune-applocker-publisher-with-app.png
similarity index 100%
rename from windows/keep-secure/images/intune-applocker-publisher-with-app.png
rename to windows/threat-protection/windows-information-protection/images/intune-applocker-publisher-with-app.png
diff --git a/windows/keep-secure/images/intune-applocker-publisher.png b/windows/threat-protection/windows-information-protection/images/intune-applocker-publisher.png
similarity index 100%
rename from windows/keep-secure/images/intune-applocker-publisher.png
rename to windows/threat-protection/windows-information-protection/images/intune-applocker-publisher.png
diff --git a/windows/keep-secure/images/intune-applocker-select-apps.png b/windows/threat-protection/windows-information-protection/images/intune-applocker-select-apps.png
similarity index 100%
rename from windows/keep-secure/images/intune-applocker-select-apps.png
rename to windows/threat-protection/windows-information-protection/images/intune-applocker-select-apps.png
diff --git a/windows/keep-secure/images/intune-corporate-identity.png b/windows/threat-protection/windows-information-protection/images/intune-corporate-identity.png
similarity index 100%
rename from windows/keep-secure/images/intune-corporate-identity.png
rename to windows/threat-protection/windows-information-protection/images/intune-corporate-identity.png
diff --git a/windows/keep-secure/images/intune-createnewpolicy.png b/windows/threat-protection/windows-information-protection/images/intune-createnewpolicy.png
similarity index 100%
rename from windows/keep-secure/images/intune-createnewpolicy.png
rename to windows/threat-protection/windows-information-protection/images/intune-createnewpolicy.png
diff --git a/windows/keep-secure/images/intune-data-recovery.png b/windows/threat-protection/windows-information-protection/images/intune-data-recovery.png
similarity index 100%
rename from windows/keep-secure/images/intune-data-recovery.png
rename to windows/threat-protection/windows-information-protection/images/intune-data-recovery.png
diff --git a/windows/keep-secure/images/intune-deploy-vpn.png b/windows/threat-protection/windows-information-protection/images/intune-deploy-vpn.png
similarity index 100%
rename from windows/keep-secure/images/intune-deploy-vpn.png
rename to windows/threat-protection/windows-information-protection/images/intune-deploy-vpn.png
diff --git a/windows/keep-secure/images/intune-empty-addapps.png b/windows/threat-protection/windows-information-protection/images/intune-empty-addapps.png
similarity index 100%
rename from windows/keep-secure/images/intune-empty-addapps.png
rename to windows/threat-protection/windows-information-protection/images/intune-empty-addapps.png
diff --git a/windows/keep-secure/images/intune-generalinfo.png b/windows/threat-protection/windows-information-protection/images/intune-generalinfo.png
similarity index 100%
rename from windows/keep-secure/images/intune-generalinfo.png
rename to windows/threat-protection/windows-information-protection/images/intune-generalinfo.png
diff --git a/windows/keep-secure/images/intune-groupselection.png b/windows/threat-protection/windows-information-protection/images/intune-groupselection.png
similarity index 100%
rename from windows/keep-secure/images/intune-groupselection.png
rename to windows/threat-protection/windows-information-protection/images/intune-groupselection.png
diff --git a/windows/keep-secure/images/intune-groupselection_vpnlink.png b/windows/threat-protection/windows-information-protection/images/intune-groupselection_vpnlink.png
similarity index 100%
rename from windows/keep-secure/images/intune-groupselection_vpnlink.png
rename to windows/threat-protection/windows-information-protection/images/intune-groupselection_vpnlink.png
diff --git a/windows/keep-secure/images/intune-local-security-export.png b/windows/threat-protection/windows-information-protection/images/intune-local-security-export.png
similarity index 100%
rename from windows/keep-secure/images/intune-local-security-export.png
rename to windows/threat-protection/windows-information-protection/images/intune-local-security-export.png
diff --git a/windows/keep-secure/images/intune-local-security-snapin-updated.png b/windows/threat-protection/windows-information-protection/images/intune-local-security-snapin-updated.png
similarity index 100%
rename from windows/keep-secure/images/intune-local-security-snapin-updated.png
rename to windows/threat-protection/windows-information-protection/images/intune-local-security-snapin-updated.png
diff --git a/windows/keep-secure/images/intune-local-security-snapin.png b/windows/threat-protection/windows-information-protection/images/intune-local-security-snapin.png
similarity index 100%
rename from windows/keep-secure/images/intune-local-security-snapin.png
rename to windows/threat-protection/windows-information-protection/images/intune-local-security-snapin.png
diff --git a/windows/keep-secure/images/intune-managedeployment.png b/windows/threat-protection/windows-information-protection/images/intune-managedeployment.png
similarity index 100%
rename from windows/keep-secure/images/intune-managedeployment.png
rename to windows/threat-protection/windows-information-protection/images/intune-managedeployment.png
diff --git a/windows/keep-secure/images/intune-network-detection-boxes.png b/windows/threat-protection/windows-information-protection/images/intune-network-detection-boxes.png
similarity index 100%
rename from windows/keep-secure/images/intune-network-detection-boxes.png
rename to windows/threat-protection/windows-information-protection/images/intune-network-detection-boxes.png
diff --git a/windows/keep-secure/images/intune-networklocation.png b/windows/threat-protection/windows-information-protection/images/intune-networklocation.png
similarity index 100%
rename from windows/keep-secure/images/intune-networklocation.png
rename to windows/threat-protection/windows-information-protection/images/intune-networklocation.png
diff --git a/windows/keep-secure/images/intune-optional-settings.png b/windows/threat-protection/windows-information-protection/images/intune-optional-settings.png
similarity index 100%
rename from windows/keep-secure/images/intune-optional-settings.png
rename to windows/threat-protection/windows-information-protection/images/intune-optional-settings.png
diff --git a/windows/keep-secure/images/intune-protection-mode.png b/windows/threat-protection/windows-information-protection/images/intune-protection-mode.png
similarity index 100%
rename from windows/keep-secure/images/intune-protection-mode.png
rename to windows/threat-protection/windows-information-protection/images/intune-protection-mode.png
diff --git a/windows/keep-secure/images/intune-vpn-authentication.png b/windows/threat-protection/windows-information-protection/images/intune-vpn-authentication.png
similarity index 100%
rename from windows/keep-secure/images/intune-vpn-authentication.png
rename to windows/threat-protection/windows-information-protection/images/intune-vpn-authentication.png
diff --git a/windows/keep-secure/images/intune-vpn-createpolicy.png b/windows/threat-protection/windows-information-protection/images/intune-vpn-createpolicy.png
similarity index 100%
rename from windows/keep-secure/images/intune-vpn-createpolicy.png
rename to windows/threat-protection/windows-information-protection/images/intune-vpn-createpolicy.png
diff --git a/windows/keep-secure/images/intune-vpn-customconfig.png b/windows/threat-protection/windows-information-protection/images/intune-vpn-customconfig.png
similarity index 100%
rename from windows/keep-secure/images/intune-vpn-customconfig.png
rename to windows/threat-protection/windows-information-protection/images/intune-vpn-customconfig.png
diff --git a/windows/keep-secure/images/intune-vpn-omaurisettings.png b/windows/threat-protection/windows-information-protection/images/intune-vpn-omaurisettings.png
similarity index 100%
rename from windows/keep-secure/images/intune-vpn-omaurisettings.png
rename to windows/threat-protection/windows-information-protection/images/intune-vpn-omaurisettings.png
diff --git a/windows/keep-secure/images/intune-vpn-titledescription.png b/windows/threat-protection/windows-information-protection/images/intune-vpn-titledescription.png
similarity index 100%
rename from windows/keep-secure/images/intune-vpn-titledescription.png
rename to windows/threat-protection/windows-information-protection/images/intune-vpn-titledescription.png
diff --git a/windows/keep-secure/images/intune-vpn-vpnsettings.png b/windows/threat-protection/windows-information-protection/images/intune-vpn-vpnsettings.png
similarity index 100%
rename from windows/keep-secure/images/intune-vpn-vpnsettings.png
rename to windows/threat-protection/windows-information-protection/images/intune-vpn-vpnsettings.png
diff --git a/windows/keep-secure/images/intune-vpn-wipmodeid.png b/windows/threat-protection/windows-information-protection/images/intune-vpn-wipmodeid.png
similarity index 100%
rename from windows/keep-secure/images/intune-vpn-wipmodeid.png
rename to windows/threat-protection/windows-information-protection/images/intune-vpn-wipmodeid.png
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-default-rule-warning.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-default-rule-warning.png
new file mode 100644
index 0000000000..50440a4fc8
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-default-rule-warning.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-1.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-1.png
new file mode 100644
index 0000000000..709ff73d25
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-1.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png
new file mode 100644
index 0000000000..f069f140dd
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png
new file mode 100644
index 0000000000..e02310282d
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png
new file mode 100644
index 0000000000..ae14d18238
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-create.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-create.png
new file mode 100644
index 0000000000..74497fd6ab
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-create.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png
new file mode 100644
index 0000000000..91109c29c9
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png
new file mode 100644
index 0000000000..0aeb04bf0a
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export.png
new file mode 100644
index 0000000000..1f5d20dffa
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-export.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png
new file mode 100644
index 0000000000..7090e29ff1
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png
new file mode 100644
index 0000000000..313b0e4b73
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-1.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-1.png
new file mode 100644
index 0000000000..0ced278421
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-1.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-2.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-2.png
new file mode 100644
index 0000000000..e399d8aa66
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-2.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-3.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-3.png
new file mode 100644
index 0000000000..0ac48ca032
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-3.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-4.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-4.png
new file mode 100644
index 0000000000..c924430a97
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-4.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-5.png b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-5.png
new file mode 100644
index 0000000000..4b5e707aec
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-applocker-secpol-wizard-5.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-add-desktop-apps.png b/windows/threat-protection/windows-information-protection/images/wip-azure-add-desktop-apps.png
new file mode 100644
index 0000000000..f2aafb0c41
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-add-desktop-apps.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png b/windows/threat-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png
new file mode 100644
index 0000000000..8bc8a4d845
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-add-store-apps.png b/windows/threat-protection/windows-information-protection/images/wip-azure-add-store-apps.png
new file mode 100644
index 0000000000..de20f46e37
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-add-store-apps.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png b/windows/threat-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png
new file mode 100644
index 0000000000..d12500349a
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png b/windows/threat-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png
new file mode 100644
index 0000000000..e2b9b2ccae
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-add-user-groups.png b/windows/threat-protection/windows-information-protection/images/wip-azure-add-user-groups.png
new file mode 100644
index 0000000000..ab17d13baf
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-add-user-groups.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-efsdra.png b/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-efsdra.png
new file mode 100644
index 0000000000..71594dd252
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-efsdra.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png b/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png
new file mode 100644
index 0000000000..3b709bbc46
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png b/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png
new file mode 100644
index 0000000000..7daf9d9760
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png
new file mode 100644
index 0000000000..9f1bc57abc
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png b/windows/threat-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png
new file mode 100644
index 0000000000..b549db5548
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png b/windows/threat-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png
new file mode 100644
index 0000000000..a72f225ec1
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png b/windows/threat-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png
new file mode 100644
index 0000000000..eef6b1efd0
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png b/windows/threat-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png
new file mode 100644
index 0000000000..5ed595983a
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-import-apps.png b/windows/threat-protection/windows-information-protection/images/wip-azure-import-apps.png
new file mode 100644
index 0000000000..f9d257645a
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-import-apps.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-portal-add-policy.png b/windows/threat-protection/windows-information-protection/images/wip-azure-portal-add-policy.png
new file mode 100644
index 0000000000..59291bf62e
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-portal-add-policy.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-portal-start.png b/windows/threat-protection/windows-information-protection/images/wip-azure-portal-start.png
new file mode 100644
index 0000000000..f282ff5e6b
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-portal-start.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png
new file mode 100644
index 0000000000..1481a21f0d
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png
new file mode 100644
index 0000000000..4bbd91028f
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png b/windows/threat-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png
new file mode 100644
index 0000000000..2ecd78f1ca
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png b/windows/threat-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png
new file mode 100644
index 0000000000..f397cd6797
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png b/windows/threat-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png
new file mode 100644
index 0000000000..30dde125e1
Binary files /dev/null and b/windows/threat-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png differ
diff --git a/windows/keep-secure/images/wip-intune-app-reconfig-warning.png b/windows/threat-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png
similarity index 100%
rename from windows/keep-secure/images/wip-intune-app-reconfig-warning.png
rename to windows/threat-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png
diff --git a/windows/keep-secure/images/wip-sccm-add-network-domain.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-add-network-domain.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-add-network-domain.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-add-network-domain.png
diff --git a/windows/keep-secure/images/wip-sccm-addapplockerfile.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-addapplockerfile.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png
diff --git a/windows/keep-secure/images/wip-sccm-adddesktopapp.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-adddesktopapp.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png
diff --git a/windows/keep-secure/images/wip-sccm-additionalsettings.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-additionalsettings.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-additionalsettings.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-additionalsettings.png
diff --git a/windows/keep-secure/images/wip-sccm-addpolicy.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-addpolicy.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-addpolicy.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-addpolicy.png
diff --git a/windows/keep-secure/images/wip-sccm-adduniversalapp.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-adduniversalapp.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png
diff --git a/windows/keep-secure/images/wip-sccm-appmgmt.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-appmgmt.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-appmgmt.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-appmgmt.png
diff --git a/windows/keep-secure/images/wip-sccm-corp-identity.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-corp-identity.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-corp-identity.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-corp-identity.png
diff --git a/windows/keep-secure/images/wip-sccm-devicesettings.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-devicesettings.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-devicesettings.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-devicesettings.png
diff --git a/windows/keep-secure/images/wip-sccm-dra.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-dra.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-dra.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-dra.png
diff --git a/windows/keep-secure/images/wip-sccm-generalscreen.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-generalscreen.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-generalscreen.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-generalscreen.png
diff --git a/windows/keep-secure/images/wip-sccm-network-domain.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-network-domain.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-network-domain.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-network-domain.png
diff --git a/windows/keep-secure/images/wip-sccm-optsettings.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-optsettings.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-optsettings.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-optsettings.png
diff --git a/windows/keep-secure/images/wip-sccm-summaryscreen.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-summaryscreen.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-summaryscreen.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-summaryscreen.png
diff --git a/windows/keep-secure/images/wip-sccm-supportedplat.png b/windows/threat-protection/windows-information-protection/images/wip-sccm-supportedplat.png
similarity index 100%
rename from windows/keep-secure/images/wip-sccm-supportedplat.png
rename to windows/threat-protection/windows-information-protection/images/wip-sccm-supportedplat.png
diff --git a/windows/keep-secure/images/wip-select-column.png b/windows/threat-protection/windows-information-protection/images/wip-select-column.png
similarity index 100%
rename from windows/keep-secure/images/wip-select-column.png
rename to windows/threat-protection/windows-information-protection/images/wip-select-column.png
diff --git a/windows/keep-secure/images/wip-taskmgr.png b/windows/threat-protection/windows-information-protection/images/wip-taskmgr.png
similarity index 100%
rename from windows/keep-secure/images/wip-taskmgr.png
rename to windows/threat-protection/windows-information-protection/images/wip-taskmgr.png
diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/threat-protection/windows-information-protection/limitations-with-wip.md
similarity index 71%
rename from windows/keep-secure/limitations-with-wip.md
rename to windows/threat-protection/windows-information-protection/limitations-with-wip.md
index edb6564532..18971e3fe1 100644
--- a/windows/keep-secure/limitations-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/limitations-with-wip.md
@@ -14,8 +14,8 @@ localizationpriority: high
**Applies to:**
-- Windows 10, version 1703
-- Windows 10 Mobile
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
This table provides info about the most common problems you might encounter while running WIP in your organization.
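Review bot: The Applies-to list is widened to "version 1607 and later", but the USB-drive row further down this file still describes the Azure RMS behavior only for "computers running Windows 10, version 1703". Either mark that row as 1703-specific or say what a 1607 device does in the same situation, so that readers on 1607 do not assume protected files on USB drives will open for authenticated users there.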
@@ -27,18 +27,18 @@ This table provides info about the most common problems you might encounter whil
Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.
-
If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.
If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.
-
Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.
We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
+
If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.
If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.
+
Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.
We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
Direct Access is incompatible with WIP.
Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.
-
We recommend that you use VPN for client access to your intranet resources.
Note VPN is optional and isn’t required by WIP.
+
We recommend that you use VPN for client access to your intranet resources.
Note VPN is optional and isn’t required by WIP.
-
NetworkIsolation Group Policy setting is incompatible with WIP.
-
The NetworkIsolation Group Policy setting has incompatible network settings that can conflict and cause problems with WIP.
-
We recommend that you don’t use the NetworkIsolation Group Policy setting.
+
NetworkIsolation Group Policy setting takes precedence over MDM Policy settings.
+
The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.
+
If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.
Cortana can potentially allow data leakage if it’s on the allowed apps list.
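Review bot: In the NetworkIsolation row, the new title says the Group Policy setting "takes precedence over MDM Policy settings", but the workaround only tells admins to deploy the same settings through both channels and never says what happens when the two differ. Please state the outcome of a mismatch (which value is applied, and how that affects what WIP treats as a corporate network resource), and replace "WIP relies on these policies being correctly configured" with the concrete dependency. Minor style point: "MDM Policy settings" should be "MDM policy settings" to match the rest of the row.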
@@ -55,8 +55,8 @@ This table provides info about the most common problems you might encounter whil
An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.
To fix this, you can:
-
Start the installer directly from the file share.
-OR-
-
Decrypt the locally copied files needed by the installer.
-OR-
+
Start the installer directly from the file share.
-OR-
+
Decrypt the locally copied files needed by the installer.
-OR-
Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
@@ -68,7 +68,7 @@ This table provides info about the most common problems you might encounter whil
Redirected folders with Client Side Caching are not compatible with WIP.
Apps might encounter access errors while attempting to read a cached, offline file.
-
Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
Note For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045).
+
Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
Note For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045).
You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.
@@ -78,7 +78,7 @@ This table provides info about the most common problems you might encounter whil
ActiveX controls should be used with caution.
Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.
-
We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
+
We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False:
@@ -99,7 +99,7 @@ This table provides info about the most common problems you might encounter whil
WIP isn’t turned on for employees in your organization.
-
Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).
+
Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).
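Review bot: The support link in this row uses the "/en-us/help/3187045/..." form, while the redirected-folders row earlier in the file links the same article as "/en-us/kb/3187045"; since both rows are touched in this change, use one URL form for both. The wording "Don't set the MakeFolderAvailableOfflineDisabled option to False" is also a double negative that is easy to misread, so consider adding a short clause that says what the False value does to the folder.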
diff --git a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
new file mode 100644
index 0000000000..d4b9837475
--- /dev/null
+++ b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -0,0 +1,35 @@
+---
+title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10)
+description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) in your enterprise.
+keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Allowed apps list
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
+
+This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
+
+>[!IMPORTANT]
+>All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your organization.
+
+|Task|Description|
+|----|-----------|
+|Add at least one app to the **Allowed apps** list in your WIP policy.|You must have at least one app added to your **Allowed apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Allowed apps list** section of the policy creation topics.|
+|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics.|
+|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
+|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
+|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
+|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.
This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.|
+
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
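Review bot: In the table, the "Specify your enterprise IPv4 or IPv6 ranges" row sends readers to the **Define your enterprise-managed corporate identity** section, the same section the corporate identity row cites, while the neighbouring network domain names row points to **Choose where apps can access enterprise data**. The row itself says the ranges "define your corporate network boundaries", so this looks like a copy-paste of the wrong section name; please confirm and point it at the network section. Separately, the topic is titled "Mandatory tasks and settings" and applies to version 1607 and later, yet three rows say the field is optional starting with version 1703; say explicitly in each row that the setting is required before 1703 so the title and the rows agree. The corporate identity row is also missing its closing pipe, and the file ends without a trailing newline.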
diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
similarity index 94%
rename from windows/keep-secure/overview-create-wip-policy.md
rename to windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
index b2b23e5275..eb659e55c3 100644
--- a/windows/keep-secure/overview-create-wip-policy.md
+++ b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
@@ -13,8 +13,8 @@ localizationpriority: high
# Create a Windows Information Protection (WIP) policy
**Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
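Review bot: The context line directly under the changed list still reads "helps you create and deploy your enterprise data protection (WIP) policy", which pairs the old product name with the new abbreviation and has a subject-verb mismatch ("Microsoft Intune and System Center Configuration Manager helps"). Since this patch already touches the file, suggest changing it in the same commit to "help you create and deploy your Windows Information Protection (WIP) policy".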
diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
similarity index 77%
rename from windows/keep-secure/protect-enterprise-data-using-wip.md
rename to windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 0a8a8d62ea..896d97f4a0 100644
--- a/windows/keep-secure/protect-enterprise-data-using-wip.md
+++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -14,8 +14,8 @@ localizationpriority: high
# Protect your enterprise data using Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
@@ -28,7 +28,7 @@ You’ll need this software to run WIP in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
-|Windows 10, version 1607 or later | Microsoft Intune -OR- System Center Configuration Manager -OR- Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
+|Windows 10, version 1607 or later | Microsoft Intune
-OR-
System Center Configuration Manager
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
## What is enterprise data control?
Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.
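Review bot: The replacement row in the software requirements table is split so that each "-OR-" sits on its own line. If those are literal newlines inside the cell rather than break or paragraph markup that is not visible in this view, a pipe-table row ends at the first newline and the rest of the text will render outside the table. Please check the rendered page, or keep the row on a single line with explicit break tags.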
@@ -45,7 +45,7 @@ To help address this security insufficiency, company’s developed data loss pre
- **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft data loss prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).
-Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss preventions systems is that it provides a jarring experience that interrupts the employees’ natural workflow by blocking some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.
+Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss preventions systems is that it provides a jarring experience that interrupts the employees’ natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.
### Using information rights management systems
To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
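Review bot: Replacing "blocking some operations" with "stopping some operations" changes a sentence that describes generic data loss prevention systems, not the WIP mode that used to be called Block, and the same paragraph still says "data being incorrectly blocked", so the wording is now inconsistent within one paragraph. Either leave this sentence as it was or change both occurrences. While the line is being rewritten, "data loss preventions systems is that it provides" should read "data loss prevention systems is that they provide".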
@@ -76,13 +76,13 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- - **Using allowed apps.** Managed apps (apps that you've included on the Allowed Apps list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+ - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Hide overrides**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your WIP management-mode.
+ - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.
You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
- - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list.
+ - **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list.
- **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
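Review bot: In the "Deciding your level of data access" bullet, the mechanical rename leaves "WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions" and "Hiding overrides stops the action immediately", which no longer states clearly that this mode prevents the sharing action. Suggest naming the modes instead, for example "WIP offers the **Hide overrides**, **Allow overrides**, and **Silent** modes. **Hide overrides** stops the action immediately." The "Managed apps and restrictions" bullet now says unlisted apps "are stopped from accessing your enterprise data, depending on your WIP management-mode"; it would help to say which modes stop access, since the modes table in this file says unallowed access is still stopped in Silent.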
@@ -93,8 +93,9 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
- **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
-
- >**Note** For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager. System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
+
+ >[!NOTE]
+ >For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager. System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## How WIP works
WIP helps address your everyday challenges in the enterprise. Including:
@@ -113,22 +114,22 @@ WIP currently addresses these enterprise scenarios:
- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
-- You can select specific apps that can access enterprise data, called "allowed apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data.
+- You can select specific apps that can access enterprise data, called "allowed apps" that are clearly recognizable to employees. You can also stop non-protected apps from accessing enterprise data.
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
### WIP-protection modes
Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
-Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](applocker-overview.md) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.
+Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.
You can set your WIP policy to use 1 of 4 protection and management modes:
|Mode|Description|
|----|-----------|
-|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
-|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
-|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
+|Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
+|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
+|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.
**Note** For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
## Turn off WIP
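Review bot: The mode names in this table are written "Hide overrides" and "Allow overrides", but the new mandatory-settings-for-wip.md added in this same patch writes "**Allow Overrides**" and "**Hide Overrides**"; pick the casing that matches the management console and use it in both files. Also, the AppLocker link changes from a relative .md path to a site-absolute path with no extension (/windows/device-security/applocker/applocker-overview) while the other links in this file stay relative, so please confirm the build resolves it.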
diff --git a/windows/keep-secure/recommended-network-definitions-for-wip.md b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
similarity index 96%
rename from windows/keep-secure/recommended-network-definitions-for-wip.md
rename to windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index ca34c042a9..0d5eb4ca6f 100644
--- a/windows/keep-secure/recommended-network-definitions-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -14,8 +14,8 @@ localizationpriority: high
**Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
similarity index 85%
rename from windows/keep-secure/testing-scenarios-for-wip.md
rename to windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
index 81e9282bd3..a46e4231ad 100644
--- a/windows/keep-secure/testing-scenarios-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -14,8 +14,8 @@ localizationpriority: high
# Testing scenarios for Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
@@ -29,12 +29,12 @@ You can try any of the processes included in these scenarios, but you should foc
Encrypt and decrypt files using File Explorer.
-
For desktop:
+
For desktop:
Open File Explorer, right-click a work document, and then click Work from the File Ownership menu. Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access:<your_enterprise_identity>. For example, contoso.com.
In File Explorer, right-click the same document, and then click Personal from the File Ownership menu. Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
- For mobile:
+ For mobile:
Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work. Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
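Review bot: The two mobile steps right after the changed "For mobile:" line still spell "elipsis (...)"; please correct both to "ellipsis" while this block is being touched. The "For desktop:" and "For mobile:" lines themselves differ only in whitespace as shown here, so there is nothing else to check in this hunk.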
@@ -44,11 +44,11 @@ You can try any of the processes included in these scenarios, but you should foc
Create work documents in enterprise-allowed apps.
-
For desktop:
+
For desktop:
-
Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes. Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.
Important Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.
For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md), based on your deployment system.
+
Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes. Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.
Important Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.
For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md), based on your deployment system.
- For mobile:
+ For mobile:
Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location. Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
Open the same document and attempt to save it to a non-work-related location. WIP should stop you from saving the file to this location.
@@ -104,7 +104,7 @@ You can try any of the processes included in these scenarios, but you should foc
Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps. Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
Open File Explorer and make sure your modified files are appearing with a Lock icon.
-
Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.
Note Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.
A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
+
Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.
Note Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.
A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
@@ -133,7 +133,7 @@ You can try any of the processes included in these scenarios, but you should foc
Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.
Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge. Both browsers should respect the enterprise and personal boundary.
-
Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource. IE11 shouldn't be able to access the sites.
Note Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
+
Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource. IE11 shouldn't be able to access the sites.
Note Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
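Review bot: The re-added step says "Remove Internet Explorer 11 from your allowed app list" while the first step of the same scenario and the rest of the file say "allowed apps list". Use the same term throughout, since it names a specific list in the policy.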
@@ -141,7 +141,7 @@ You can try any of the processes included in these scenarios, but you should foc
Verify your Virtual Private Network (VPN) can be auto-triggered.
-
Set up your VPN network to start based on the WIPModeID setting. For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-wip-policy-using-intune.md) topic.
+
Set up your VPN network to start based on the WIPModeID setting. For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) topic.
Start an app from your allowed apps list. The VPN network should automatically start.
Disconnect from your network and then start an app that isn't on your allowed apps list. The VPN shouldn't start and the app shouldn't be able to access your enterprise network.
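Review bot: The link target now points to create-vpn-and-wip-policy-using-intune.md, which matches the link text, but the path is relative, so please confirm that file is also moved into windows/threat-protection/windows-information-protection/ as part of this change. Minor wording: "VPN network" in the first two steps is redundant; "VPN" or "VPN connection" reads better.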
@@ -151,7 +151,7 @@ You can try any of the processes included in these scenarios, but you should foc
Unenroll client devices from WIP.
-
Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove. The device should be removed and all of the enterprise content for that managed account should be gone.
Important On desktop devices, the data isn't removed and can be recovered, so you must make sure they content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
+
Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove. The device should be removed and all of the enterprise content for that managed account should be gone.
Important On desktop devices, the data isn't removed and can be recovered, so you must make sure they content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
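Review bot: The expected result in the re-added line, "all of the enterprise content for that managed account should be gone", contradicts the Important text that follows it, which says that on desktop devices the data isn't removed and can be recovered. Testers need the desktop expectation spelled out, for example that the content is marked as Revoked and access is denied, with removal expected only on mobile. The same line also keeps the typo "make sure they content is marked as Revoked", which should read "the content".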
diff --git a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
new file mode 100644
index 0000000000..d60d0bf4ad
--- /dev/null
+++ b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
@@ -0,0 +1,35 @@
+---
+title: Using Outlook on the web with Windows Information Protection (WIP) (Windows 10)
+description: Options for using Outlook on the web with Windows Information Protection (WIP).
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration, OWA, Outlook Web access
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Using Outlook on the web with Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
+
+>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+
+Because Outlook on the web can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP):
+
+|Option |Outlook on the web behavior |
+|-------|-------------|
+|Disable Outlook on the web. Employees can only use Microsoft Outlook 2016 or the Mail for Windows 10 app. | Disabled. |
+|Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into Outlook on the web receive prompts and that files downloaded from Outlook on the web aren't automatically protected as corporate data. |
+|Add outlook.office.com to the Cloud resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. |
+
+>[!NOTE]
+>These limitations don’t apply to Outlook 2016, the Mail for Windows 10 app, or the Calendar for Windows 10 app. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings.
+
+
+
+
+
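Review bot: The closing note says "These limitations don't apply to Outlook 2016..." but the table above is introduced as "options" and never labels anything a limitation, so a reader cannot tell which behaviors the note exempts. Name them explicitly: the second row leaves files downloaded from Outlook on the web unprotected, and the third row marks personal Office 365 inboxes as corporate data. Also drop the five empty added lines at the end of the file, and consider aligning the keyword "Outlook Web access" with the "Outlook on the web" wording used in the title and body.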
diff --git a/windows/keep-secure/wip-app-enterprise-context.md b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
similarity index 96%
rename from windows/keep-secure/wip-app-enterprise-context.md
rename to windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
index 107cfa5c1f..c3c1f07f56 100644
--- a/windows/keep-secure/wip-app-enterprise-context.md
+++ b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -13,8 +13,8 @@ localizationpriority: high
# Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
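Review bot: The list here follows "**Applies to:**" with no blank line, while the new using-owa-with-wip.md in this same change puts a blank line between the two; pick one form so both topics render the list the same way. The first bullet ("- Windows 10, version 1607 and later") is removed and re-added with no visible difference, so only the Windows 10 Mobile line carries a real change. If the first line is a whitespace fix, keep it, otherwise drop it from the hunk.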
diff --git a/windows/update/TOC.md b/windows/update/TOC.md
deleted file mode 100644
index b16ed8c89e..0000000000
--- a/windows/update/TOC.md
+++ /dev/null
@@ -1,26 +0,0 @@
-# [Update Windows 10](index.md)
-## [Quick guide to Windows as a service](waas-quick-start.md)
-## [Overview of Windows as a service](waas-overview.md)
-## [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-## [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-## [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
-## [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md)
-### [Get started with Update Compliance](update-compliance-get-started.md)
-### [Use Update Compliance](update-compliance-using.md)
-## [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-### [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-## [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-## [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-### [Configure Windows Update for Business](waas-configure-wufb.md)
-### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-### [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-## [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-## [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-## [Manage device restarts after updates](waas-restart.md)
-## [Windows Insider Program for Business](waas-windows-insider-for-business.md)
-### [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
-### [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
-## [Change history for Update Windows 10](change-history-for-update-windows-10.md)
-
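Review bot: This deletes all 26 TOC entries for windows/update, yet the same change adds windows/update/docfx.json, which builds "**/*.md" from that folder. Please state where the listed topics (for example waas-overview.md and waas-manage-updates-wufb.md) now live and whether redirects are in place, because without a TOC any topics left in this folder would be built but unreachable from navigation.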
diff --git a/windows/update/docfx.json b/windows/update/docfx.json
new file mode 100644
index 0000000000..21e6f12fb6
--- /dev/null
+++ b/windows/update/docfx.json
@@ -0,0 +1,37 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {},
+ "fileMetadata": {},
+ "template": [],
+ "dest": "windows-update"
+ }
+}
\ No newline at end of file
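Review bot: The new docfx.json ends without a trailing newline (see the "\ No newline at end of file" marker); add one so later edits to the closing brace do not show up as a spurious change. The "resource" globs only cover "**/*.png" and "**/*.jpg", so any other image type placed in this docset would not be published. Please confirm that is intended. It would also help to note in the commit message what content "dest": "windows-update" is expected to hold, given that the TOC and images for this folder are deleted in the same change.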
diff --git a/windows/update/images/ActionCenterXML.jpg b/windows/update/images/ActionCenterXML.jpg
deleted file mode 100644
index b9832b2708..0000000000
Binary files a/windows/update/images/ActionCenterXML.jpg and /dev/null differ
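Review bot: Starting with ActionCenterXML.jpg, this change deletes the whole windows/update/images folder one file at a time, while docfx.json for the same folder still declares "**/*.png" and "**/*.jpg" as resources. Before merging, search the remaining .md files under windows/update for references to images/ so that no topic is left with a broken image link, and mention in the commit message whether these files were moved elsewhere or were unused copies.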
diff --git a/windows/update/images/AppsXML.jpg b/windows/update/images/AppsXML.jpg
deleted file mode 100644
index ecc1869bb5..0000000000
Binary files a/windows/update/images/AppsXML.jpg and /dev/null differ
diff --git a/windows/update/images/AppsXML.png b/windows/update/images/AppsXML.png
deleted file mode 100644
index 3981543264..0000000000
Binary files a/windows/update/images/AppsXML.png and /dev/null differ
diff --git a/windows/update/images/ButtonsXML.jpg b/windows/update/images/ButtonsXML.jpg
deleted file mode 100644
index 238eca7e68..0000000000
Binary files a/windows/update/images/ButtonsXML.jpg and /dev/null differ
diff --git a/windows/update/images/CSPRunnerXML.jpg b/windows/update/images/CSPRunnerXML.jpg
deleted file mode 100644
index 071b316a9e..0000000000
Binary files a/windows/update/images/CSPRunnerXML.jpg and /dev/null differ
diff --git a/windows/update/images/ICDstart-option.PNG b/windows/update/images/ICDstart-option.PNG
deleted file mode 100644
index 1ba49bb261..0000000000
Binary files a/windows/update/images/ICDstart-option.PNG and /dev/null differ
diff --git a/windows/update/images/MenuItemsXML.png b/windows/update/images/MenuItemsXML.png
deleted file mode 100644
index cc681250bb..0000000000
Binary files a/windows/update/images/MenuItemsXML.png and /dev/null differ
diff --git a/windows/update/images/SettingsXML.png b/windows/update/images/SettingsXML.png
deleted file mode 100644
index 98a324bdea..0000000000
Binary files a/windows/update/images/SettingsXML.png and /dev/null differ
diff --git a/windows/update/images/StartGrid.jpg b/windows/update/images/StartGrid.jpg
deleted file mode 100644
index 36136f3201..0000000000
Binary files a/windows/update/images/StartGrid.jpg and /dev/null differ
diff --git a/windows/update/images/StartGridPinnedApps.jpg b/windows/update/images/StartGridPinnedApps.jpg
deleted file mode 100644
index fbade52f53..0000000000
Binary files a/windows/update/images/StartGridPinnedApps.jpg and /dev/null differ
diff --git a/windows/update/images/TilesXML.png b/windows/update/images/TilesXML.png
deleted file mode 100644
index cec52bbbf7..0000000000
Binary files a/windows/update/images/TilesXML.png and /dev/null differ
diff --git a/windows/update/images/aadj1.jpg b/windows/update/images/aadj1.jpg
deleted file mode 100644
index 2348fc4c84..0000000000
Binary files a/windows/update/images/aadj1.jpg and /dev/null differ
diff --git a/windows/update/images/aadj2.jpg b/windows/update/images/aadj2.jpg
deleted file mode 100644
index 39486bfc66..0000000000
Binary files a/windows/update/images/aadj2.jpg and /dev/null differ
diff --git a/windows/update/images/aadj3.jpg b/windows/update/images/aadj3.jpg
deleted file mode 100644
index 80e1f5762f..0000000000
Binary files a/windows/update/images/aadj3.jpg and /dev/null differ
diff --git a/windows/update/images/aadj4.jpg b/windows/update/images/aadj4.jpg
deleted file mode 100644
index 0db2910012..0000000000
Binary files a/windows/update/images/aadj4.jpg and /dev/null differ
diff --git a/windows/update/images/aadjbrowser.jpg b/windows/update/images/aadjbrowser.jpg
deleted file mode 100644
index c8d909688e..0000000000
Binary files a/windows/update/images/aadjbrowser.jpg and /dev/null differ
diff --git a/windows/update/images/aadjcal.jpg b/windows/update/images/aadjcal.jpg
deleted file mode 100644
index 1858886f5f..0000000000
Binary files a/windows/update/images/aadjcal.jpg and /dev/null differ
diff --git a/windows/update/images/aadjcalmail.jpg b/windows/update/images/aadjcalmail.jpg
deleted file mode 100644
index 5a5661259a..0000000000
Binary files a/windows/update/images/aadjcalmail.jpg and /dev/null differ
diff --git a/windows/update/images/aadjmail1.jpg b/windows/update/images/aadjmail1.jpg
deleted file mode 100644
index 89b1fcc3b7..0000000000
Binary files a/windows/update/images/aadjmail1.jpg and /dev/null differ
diff --git a/windows/update/images/aadjmail2.jpg b/windows/update/images/aadjmail2.jpg
deleted file mode 100644
index 0608010c6a..0000000000
Binary files a/windows/update/images/aadjmail2.jpg and /dev/null differ
diff --git a/windows/update/images/aadjmail3.jpg b/windows/update/images/aadjmail3.jpg
deleted file mode 100644
index d7154a7e0e..0000000000
Binary files a/windows/update/images/aadjmail3.jpg and /dev/null differ
diff --git a/windows/update/images/aadjonedrive.jpg b/windows/update/images/aadjonedrive.jpg
deleted file mode 100644
index 6fb1196d5f..0000000000
Binary files a/windows/update/images/aadjonedrive.jpg and /dev/null differ
diff --git a/windows/update/images/aadjonenote.jpg b/windows/update/images/aadjonenote.jpg
deleted file mode 100644
index 4ccd207f9f..0000000000
Binary files a/windows/update/images/aadjonenote.jpg and /dev/null differ
diff --git a/windows/update/images/aadjonenote2.jpg b/windows/update/images/aadjonenote2.jpg
deleted file mode 100644
index 1b6941e638..0000000000
Binary files a/windows/update/images/aadjonenote2.jpg and /dev/null differ
diff --git a/windows/update/images/aadjonenote3.jpg b/windows/update/images/aadjonenote3.jpg
deleted file mode 100644
index 3ac6911046..0000000000
Binary files a/windows/update/images/aadjonenote3.jpg and /dev/null differ
diff --git a/windows/update/images/aadjpin.jpg b/windows/update/images/aadjpin.jpg
deleted file mode 100644
index dac6cfec30..0000000000
Binary files a/windows/update/images/aadjpin.jpg and /dev/null differ
diff --git a/windows/update/images/aadjppt.jpg b/windows/update/images/aadjppt.jpg
deleted file mode 100644
index 268d5fe662..0000000000
Binary files a/windows/update/images/aadjppt.jpg and /dev/null differ
diff --git a/windows/update/images/aadjverify.jpg b/windows/update/images/aadjverify.jpg
deleted file mode 100644
index 7b30210f39..0000000000
Binary files a/windows/update/images/aadjverify.jpg and /dev/null differ
diff --git a/windows/update/images/aadjword.jpg b/windows/update/images/aadjword.jpg
deleted file mode 100644
index db2a58406e..0000000000
Binary files a/windows/update/images/aadjword.jpg and /dev/null differ
diff --git a/windows/update/images/aadjwsfb.jpg b/windows/update/images/aadjwsfb.jpg
deleted file mode 100644
index 428f1a26d4..0000000000
Binary files a/windows/update/images/aadjwsfb.jpg and /dev/null differ
diff --git a/windows/update/images/apprule.png b/windows/update/images/apprule.png
deleted file mode 100644
index ec5417849a..0000000000
Binary files a/windows/update/images/apprule.png and /dev/null differ
diff --git a/windows/update/images/appwarning.png b/windows/update/images/appwarning.png
deleted file mode 100644
index 877d8afebd..0000000000
Binary files a/windows/update/images/appwarning.png and /dev/null differ
diff --git a/windows/update/images/backicon.png b/windows/update/images/backicon.png
deleted file mode 100644
index 3007e448b1..0000000000
Binary files a/windows/update/images/backicon.png and /dev/null differ
diff --git a/windows/update/images/checklistdone.png b/windows/update/images/checklistdone.png
deleted file mode 100644
index 7e53f74d0e..0000000000
Binary files a/windows/update/images/checklistdone.png and /dev/null differ
diff --git a/windows/update/images/choose-package.png b/windows/update/images/choose-package.png
deleted file mode 100644
index 2bf7a18648..0000000000
Binary files a/windows/update/images/choose-package.png and /dev/null differ
diff --git a/windows/update/images/config-policy.png b/windows/update/images/config-policy.png
deleted file mode 100644
index b9cba70af6..0000000000
Binary files a/windows/update/images/config-policy.png and /dev/null differ
diff --git a/windows/update/images/config-source.png b/windows/update/images/config-source.png
deleted file mode 100644
index 58938bacf7..0000000000
Binary files a/windows/update/images/config-source.png and /dev/null differ
diff --git a/windows/update/images/configconflict.png b/windows/update/images/configconflict.png
deleted file mode 100644
index 011a2d76e7..0000000000
Binary files a/windows/update/images/configconflict.png and /dev/null differ
diff --git a/windows/update/images/connect-aad.png b/windows/update/images/connect-aad.png
deleted file mode 100644
index 8583866165..0000000000
Binary files a/windows/update/images/connect-aad.png and /dev/null differ
diff --git a/windows/update/images/csp-placeholder.png b/windows/update/images/csp-placeholder.png
deleted file mode 100644
index fe6bcf4720..0000000000
Binary files a/windows/update/images/csp-placeholder.png and /dev/null differ
diff --git a/windows/update/images/cspinicd.png b/windows/update/images/cspinicd.png
deleted file mode 100644
index a60ad9e2bf..0000000000
Binary files a/windows/update/images/cspinicd.png and /dev/null differ
diff --git a/windows/update/images/csptable.png b/windows/update/images/csptable.png
deleted file mode 100644
index ee210cad69..0000000000
Binary files a/windows/update/images/csptable.png and /dev/null differ
diff --git a/windows/update/images/deploymentworkflow.png b/windows/update/images/deploymentworkflow.png
deleted file mode 100644
index b665a0bfea..0000000000
Binary files a/windows/update/images/deploymentworkflow.png and /dev/null differ
diff --git a/windows/update/images/export-mgt-desktop.png b/windows/update/images/export-mgt-desktop.png
deleted file mode 100644
index 13349c3b4e..0000000000
Binary files a/windows/update/images/export-mgt-desktop.png and /dev/null differ
diff --git a/windows/update/images/export-mgt-mobile.png b/windows/update/images/export-mgt-mobile.png
deleted file mode 100644
index 6a74c23e59..0000000000
Binary files a/windows/update/images/export-mgt-mobile.png and /dev/null differ
diff --git a/windows/update/images/express-settings.png b/windows/update/images/express-settings.png
deleted file mode 100644
index 99e9c4825a..0000000000
Binary files a/windows/update/images/express-settings.png and /dev/null differ
diff --git a/windows/update/images/fig1-deferupgrades.png b/windows/update/images/fig1-deferupgrades.png
deleted file mode 100644
index f8c52b943e..0000000000
Binary files a/windows/update/images/fig1-deferupgrades.png and /dev/null differ
diff --git a/windows/update/images/fig2-deploymenttimeline.png b/windows/update/images/fig2-deploymenttimeline.png
deleted file mode 100644
index a8061d2f15..0000000000
Binary files a/windows/update/images/fig2-deploymenttimeline.png and /dev/null differ
diff --git a/windows/update/images/fig3-overlaprelease.png b/windows/update/images/fig3-overlaprelease.png
deleted file mode 100644
index 58747a35cf..0000000000
Binary files a/windows/update/images/fig3-overlaprelease.png and /dev/null differ
diff --git a/windows/update/images/funfacts.png b/windows/update/images/funfacts.png
deleted file mode 100644
index 71355ec370..0000000000
Binary files a/windows/update/images/funfacts.png and /dev/null differ
diff --git a/windows/update/images/genrule.png b/windows/update/images/genrule.png
deleted file mode 100644
index 1d68f1ad0b..0000000000
Binary files a/windows/update/images/genrule.png and /dev/null differ
diff --git a/windows/update/images/gp-branch.png b/windows/update/images/gp-branch.png
deleted file mode 100644
index 997bcc830a..0000000000
Binary files a/windows/update/images/gp-branch.png and /dev/null differ
diff --git a/windows/update/images/gp-exclude-drivers.png b/windows/update/images/gp-exclude-drivers.png
deleted file mode 100644
index 0010749139..0000000000
Binary files a/windows/update/images/gp-exclude-drivers.png and /dev/null differ
diff --git a/windows/update/images/gp-feature.png b/windows/update/images/gp-feature.png
deleted file mode 100644
index b862d545d4..0000000000
Binary files a/windows/update/images/gp-feature.png and /dev/null differ
diff --git a/windows/update/images/gp-quality.png b/windows/update/images/gp-quality.png
deleted file mode 100644
index d7ff30172d..0000000000
Binary files a/windows/update/images/gp-quality.png and /dev/null differ
diff --git a/windows/update/images/icd-adv-shared-pc.PNG b/windows/update/images/icd-adv-shared-pc.PNG
deleted file mode 100644
index a8da5fa78a..0000000000
Binary files a/windows/update/images/icd-adv-shared-pc.PNG and /dev/null differ
diff --git a/windows/update/images/icd-school.PNG b/windows/update/images/icd-school.PNG
deleted file mode 100644
index e6a944a193..0000000000
Binary files a/windows/update/images/icd-school.PNG and /dev/null differ
diff --git a/windows/update/images/icd-simple.PNG b/windows/update/images/icd-simple.PNG
deleted file mode 100644
index 7ae8a1728b..0000000000
Binary files a/windows/update/images/icd-simple.PNG and /dev/null differ
diff --git a/windows/update/images/icdbrowse.png b/windows/update/images/icdbrowse.png
deleted file mode 100644
index 53c91074c7..0000000000
Binary files a/windows/update/images/icdbrowse.png and /dev/null differ
diff --git a/windows/update/images/identitychoices.png b/windows/update/images/identitychoices.png
deleted file mode 100644
index 9a69c04f20..0000000000
Binary files a/windows/update/images/identitychoices.png and /dev/null differ
diff --git a/windows/update/images/launchicon.png b/windows/update/images/launchicon.png
deleted file mode 100644
index d469c68a2c..0000000000
Binary files a/windows/update/images/launchicon.png and /dev/null differ
diff --git a/windows/update/images/license-terms.png b/windows/update/images/license-terms.png
deleted file mode 100644
index 8dd34b0a18..0000000000
Binary files a/windows/update/images/license-terms.png and /dev/null differ
diff --git a/windows/update/images/lockdownapps.png b/windows/update/images/lockdownapps.png
deleted file mode 100644
index ad928d87bc..0000000000
Binary files a/windows/update/images/lockdownapps.png and /dev/null differ
diff --git a/windows/update/images/lockscreen.png b/windows/update/images/lockscreen.png
deleted file mode 100644
index 68c64e15ec..0000000000
Binary files a/windows/update/images/lockscreen.png and /dev/null differ
diff --git a/windows/update/images/lockscreenpolicy.png b/windows/update/images/lockscreenpolicy.png
deleted file mode 100644
index 30b6a7ae9d..0000000000
Binary files a/windows/update/images/lockscreenpolicy.png and /dev/null differ
diff --git a/windows/update/images/mdm-diag-report-powershell.PNG b/windows/update/images/mdm-diag-report-powershell.PNG
deleted file mode 100644
index 86f5b49211..0000000000
Binary files a/windows/update/images/mdm-diag-report-powershell.PNG and /dev/null differ
diff --git a/windows/update/images/mdm.png b/windows/update/images/mdm.png
deleted file mode 100644
index 8ebcc00526..0000000000
Binary files a/windows/update/images/mdm.png and /dev/null differ
diff --git a/windows/update/images/mobile-start-layout.png b/windows/update/images/mobile-start-layout.png
deleted file mode 100644
index d1055d6c87..0000000000
Binary files a/windows/update/images/mobile-start-layout.png and /dev/null differ
diff --git a/windows/update/images/oma-uri-shared-pc.png b/windows/update/images/oma-uri-shared-pc.png
deleted file mode 100644
index 68f9fa3b32..0000000000
Binary files a/windows/update/images/oma-uri-shared-pc.png and /dev/null differ
diff --git a/windows/update/images/oobe.jpg b/windows/update/images/oobe.jpg
deleted file mode 100644
index 53a5dab6bf..0000000000
Binary files a/windows/update/images/oobe.jpg and /dev/null differ
diff --git a/windows/update/images/package.png b/windows/update/images/package.png
deleted file mode 100644
index f5e975e3e9..0000000000
Binary files a/windows/update/images/package.png and /dev/null differ
diff --git a/windows/update/images/phoneprovision.png b/windows/update/images/phoneprovision.png
deleted file mode 100644
index 01ada29ac9..0000000000
Binary files a/windows/update/images/phoneprovision.png and /dev/null differ
diff --git a/windows/update/images/policytocsp.png b/windows/update/images/policytocsp.png
deleted file mode 100644
index 80ca76cb62..0000000000
Binary files a/windows/update/images/policytocsp.png and /dev/null differ
diff --git a/windows/update/images/powericon.png b/windows/update/images/powericon.png
deleted file mode 100644
index b497ff859d..0000000000
Binary files a/windows/update/images/powericon.png and /dev/null differ
diff --git a/windows/update/images/priv-telemetry-levels.png b/windows/update/images/priv-telemetry-levels.png
deleted file mode 100644
index 9581cee54d..0000000000
Binary files a/windows/update/images/priv-telemetry-levels.png and /dev/null differ
diff --git a/windows/update/images/prov.jpg b/windows/update/images/prov.jpg
deleted file mode 100644
index 1593ccb36b..0000000000
Binary files a/windows/update/images/prov.jpg and /dev/null differ
diff --git a/windows/update/images/provisioning-csp-assignedaccess.png b/windows/update/images/provisioning-csp-assignedaccess.png
deleted file mode 100644
index 14d49cdd89..0000000000
Binary files a/windows/update/images/provisioning-csp-assignedaccess.png and /dev/null differ
diff --git a/windows/update/images/resetdevice.png b/windows/update/images/resetdevice.png
deleted file mode 100644
index 4e265c3f8d..0000000000
Binary files a/windows/update/images/resetdevice.png and /dev/null differ
diff --git a/windows/update/images/settings-table.png b/windows/update/images/settings-table.png
deleted file mode 100644
index ada56513fc..0000000000
Binary files a/windows/update/images/settings-table.png and /dev/null differ
diff --git a/windows/update/images/settingsicon.png b/windows/update/images/settingsicon.png
deleted file mode 100644
index 0ad27fc558..0000000000
Binary files a/windows/update/images/settingsicon.png and /dev/null differ
diff --git a/windows/update/images/setupmsg.jpg b/windows/update/images/setupmsg.jpg
deleted file mode 100644
index 12935483c5..0000000000
Binary files a/windows/update/images/setupmsg.jpg and /dev/null differ
diff --git a/windows/update/images/sign-in-prov.png b/windows/update/images/sign-in-prov.png
deleted file mode 100644
index 55c9276203..0000000000
Binary files a/windows/update/images/sign-in-prov.png and /dev/null differ
diff --git a/windows/update/images/spotlight.png b/windows/update/images/spotlight.png
deleted file mode 100644
index 515269740b..0000000000
Binary files a/windows/update/images/spotlight.png and /dev/null differ
diff --git a/windows/update/images/spotlight2.png b/windows/update/images/spotlight2.png
deleted file mode 100644
index 27401c1a2b..0000000000
Binary files a/windows/update/images/spotlight2.png and /dev/null differ
diff --git a/windows/update/images/start-pinned-app.png b/windows/update/images/start-pinned-app.png
deleted file mode 100644
index e1e4a24a00..0000000000
Binary files a/windows/update/images/start-pinned-app.png and /dev/null differ
diff --git a/windows/update/images/startannotated.png b/windows/update/images/startannotated.png
deleted file mode 100644
index d46f3a70c2..0000000000
Binary files a/windows/update/images/startannotated.png and /dev/null differ
diff --git a/windows/update/images/starticon.png b/windows/update/images/starticon.png
deleted file mode 100644
index fa8cbdff10..0000000000
Binary files a/windows/update/images/starticon.png and /dev/null differ
diff --git a/windows/update/images/startlayoutpolicy.jpg b/windows/update/images/startlayoutpolicy.jpg
deleted file mode 100644
index d3c8d054fe..0000000000
Binary files a/windows/update/images/startlayoutpolicy.jpg and /dev/null differ
diff --git a/windows/update/images/starttemplate.jpg b/windows/update/images/starttemplate.jpg
deleted file mode 100644
index 900eed08c5..0000000000
Binary files a/windows/update/images/starttemplate.jpg and /dev/null differ
diff --git a/windows/update/images/taskbar-blank.png b/windows/update/images/taskbar-blank.png
deleted file mode 100644
index 185027f2fd..0000000000
Binary files a/windows/update/images/taskbar-blank.png and /dev/null differ
diff --git a/windows/update/images/taskbar-default-plus.png b/windows/update/images/taskbar-default-plus.png
deleted file mode 100644
index 8afcebac09..0000000000
Binary files a/windows/update/images/taskbar-default-plus.png and /dev/null differ
diff --git a/windows/update/images/taskbar-default-removed.png b/windows/update/images/taskbar-default-removed.png
deleted file mode 100644
index b3ff924e9f..0000000000
Binary files a/windows/update/images/taskbar-default-removed.png and /dev/null differ
diff --git a/windows/update/images/taskbar-default.png b/windows/update/images/taskbar-default.png
deleted file mode 100644
index 41c6c72258..0000000000
Binary files a/windows/update/images/taskbar-default.png and /dev/null differ
diff --git a/windows/update/images/taskbar-generic.png b/windows/update/images/taskbar-generic.png
deleted file mode 100644
index 6d47a6795a..0000000000
Binary files a/windows/update/images/taskbar-generic.png and /dev/null differ
diff --git a/windows/update/images/taskbar-region-defr.png b/windows/update/images/taskbar-region-defr.png
deleted file mode 100644
index 6d707b16f4..0000000000
Binary files a/windows/update/images/taskbar-region-defr.png and /dev/null differ
diff --git a/windows/update/images/taskbar-region-other.png b/windows/update/images/taskbar-region-other.png
deleted file mode 100644
index fab367ef7a..0000000000
Binary files a/windows/update/images/taskbar-region-other.png and /dev/null differ
diff --git a/windows/update/images/taskbar-region-usuk.png b/windows/update/images/taskbar-region-usuk.png
deleted file mode 100644
index 6bba65ee81..0000000000
Binary files a/windows/update/images/taskbar-region-usuk.png and /dev/null differ
diff --git a/windows/update/images/taskbarSTARTERBLANK.png b/windows/update/images/taskbarSTARTERBLANK.png
deleted file mode 100644
index e206bdc196..0000000000
Binary files a/windows/update/images/taskbarSTARTERBLANK.png and /dev/null differ
diff --git a/windows/update/images/trust-package.png b/windows/update/images/trust-package.png
deleted file mode 100644
index 8a293ea4da..0000000000
Binary files a/windows/update/images/trust-package.png and /dev/null differ
diff --git a/windows/update/images/twain.png b/windows/update/images/twain.png
deleted file mode 100644
index 53cd5eadc7..0000000000
Binary files a/windows/update/images/twain.png and /dev/null differ
diff --git a/windows/update/images/uc-01.png b/windows/update/images/uc-01.png
deleted file mode 100644
index 7f4df9f6d7..0000000000
Binary files a/windows/update/images/uc-01.png and /dev/null differ
diff --git a/windows/update/images/uc-02.png b/windows/update/images/uc-02.png
deleted file mode 100644
index 8317f051c3..0000000000
Binary files a/windows/update/images/uc-02.png and /dev/null differ
diff --git a/windows/update/images/uc-02a.png b/windows/update/images/uc-02a.png
deleted file mode 100644
index d12544e3a0..0000000000
Binary files a/windows/update/images/uc-02a.png and /dev/null differ
diff --git a/windows/update/images/uc-03.png b/windows/update/images/uc-03.png
deleted file mode 100644
index 58494c4128..0000000000
Binary files a/windows/update/images/uc-03.png and /dev/null differ
diff --git a/windows/update/images/uc-03a.png b/windows/update/images/uc-03a.png
deleted file mode 100644
index 39412fc8f3..0000000000
Binary files a/windows/update/images/uc-03a.png and /dev/null differ
diff --git a/windows/update/images/uc-04.png b/windows/update/images/uc-04.png
deleted file mode 100644
index ef9a37d379..0000000000
Binary files a/windows/update/images/uc-04.png and /dev/null differ
diff --git a/windows/update/images/uc-04a.png b/windows/update/images/uc-04a.png
deleted file mode 100644
index 537d4bbe72..0000000000
Binary files a/windows/update/images/uc-04a.png and /dev/null differ
diff --git a/windows/update/images/uc-05.png b/windows/update/images/uc-05.png
deleted file mode 100644
index 21c8e9f9e0..0000000000
Binary files a/windows/update/images/uc-05.png and /dev/null differ
diff --git a/windows/update/images/uc-05a.png b/windows/update/images/uc-05a.png
deleted file mode 100644
index 2271181622..0000000000
Binary files a/windows/update/images/uc-05a.png and /dev/null differ
diff --git a/windows/update/images/uc-06.png b/windows/update/images/uc-06.png
deleted file mode 100644
index 03a559800b..0000000000
Binary files a/windows/update/images/uc-06.png and /dev/null differ
diff --git a/windows/update/images/uc-06a.png b/windows/update/images/uc-06a.png
deleted file mode 100644
index 15df1cfea0..0000000000
Binary files a/windows/update/images/uc-06a.png and /dev/null differ
diff --git a/windows/update/images/uc-07.png b/windows/update/images/uc-07.png
deleted file mode 100644
index de1ae35e82..0000000000
Binary files a/windows/update/images/uc-07.png and /dev/null differ
diff --git a/windows/update/images/uc-07a.png b/windows/update/images/uc-07a.png
deleted file mode 100644
index c0f2d9fd73..0000000000
Binary files a/windows/update/images/uc-07a.png and /dev/null differ
diff --git a/windows/update/images/uc-08.png b/windows/update/images/uc-08.png
deleted file mode 100644
index 877fcd64c0..0000000000
Binary files a/windows/update/images/uc-08.png and /dev/null differ
diff --git a/windows/update/images/uc-08a.png b/windows/update/images/uc-08a.png
deleted file mode 100644
index 89da287d3d..0000000000
Binary files a/windows/update/images/uc-08a.png and /dev/null differ
diff --git a/windows/update/images/uc-09.png b/windows/update/images/uc-09.png
deleted file mode 100644
index 37d7114f19..0000000000
Binary files a/windows/update/images/uc-09.png and /dev/null differ
diff --git a/windows/update/images/uc-09a.png b/windows/update/images/uc-09a.png
deleted file mode 100644
index f6b6ec5b60..0000000000
Binary files a/windows/update/images/uc-09a.png and /dev/null differ
diff --git a/windows/update/images/uc-10.png b/windows/update/images/uc-10.png
deleted file mode 100644
index 3ab72d10d2..0000000000
Binary files a/windows/update/images/uc-10.png and /dev/null differ
diff --git a/windows/update/images/uc-10a.png b/windows/update/images/uc-10a.png
deleted file mode 100644
index 1c6b8b01dc..0000000000
Binary files a/windows/update/images/uc-10a.png and /dev/null differ
diff --git a/windows/update/images/uc-11.png b/windows/update/images/uc-11.png
deleted file mode 100644
index 8b4fc568ea..0000000000
Binary files a/windows/update/images/uc-11.png and /dev/null differ
diff --git a/windows/update/images/uc-12.png b/windows/update/images/uc-12.png
deleted file mode 100644
index 4198684c99..0000000000
Binary files a/windows/update/images/uc-12.png and /dev/null differ
diff --git a/windows/update/images/uc-13.png b/windows/update/images/uc-13.png
deleted file mode 100644
index 117f9b9fd8..0000000000
Binary files a/windows/update/images/uc-13.png and /dev/null differ
diff --git a/windows/update/images/uc-14.png b/windows/update/images/uc-14.png
deleted file mode 100644
index 66047984e7..0000000000
Binary files a/windows/update/images/uc-14.png and /dev/null differ
diff --git a/windows/update/images/uc-15.png b/windows/update/images/uc-15.png
deleted file mode 100644
index c241cd9117..0000000000
Binary files a/windows/update/images/uc-15.png and /dev/null differ
diff --git a/windows/update/images/uc-16.png b/windows/update/images/uc-16.png
deleted file mode 100644
index e7aff4d4ed..0000000000
Binary files a/windows/update/images/uc-16.png and /dev/null differ
diff --git a/windows/update/images/uc-17.png b/windows/update/images/uc-17.png
deleted file mode 100644
index cb8e42ca5e..0000000000
Binary files a/windows/update/images/uc-17.png and /dev/null differ
diff --git a/windows/update/images/uc-18.png b/windows/update/images/uc-18.png
deleted file mode 100644
index 5eff59adc9..0000000000
Binary files a/windows/update/images/uc-18.png and /dev/null differ
diff --git a/windows/update/images/uc-19.png b/windows/update/images/uc-19.png
deleted file mode 100644
index 791900eafc..0000000000
Binary files a/windows/update/images/uc-19.png and /dev/null differ
diff --git a/windows/update/images/uc-20.png b/windows/update/images/uc-20.png
deleted file mode 100644
index 7dbb027b9f..0000000000
Binary files a/windows/update/images/uc-20.png and /dev/null differ
diff --git a/windows/update/images/uc-21.png b/windows/update/images/uc-21.png
deleted file mode 100644
index 418db41fe4..0000000000
Binary files a/windows/update/images/uc-21.png and /dev/null differ
diff --git a/windows/update/images/uc-22.png b/windows/update/images/uc-22.png
deleted file mode 100644
index 2ca5c47a61..0000000000
Binary files a/windows/update/images/uc-22.png and /dev/null differ
diff --git a/windows/update/images/uc-23.png b/windows/update/images/uc-23.png
deleted file mode 100644
index 58b82db82d..0000000000
Binary files a/windows/update/images/uc-23.png and /dev/null differ
diff --git a/windows/update/images/uc-24.png b/windows/update/images/uc-24.png
deleted file mode 100644
index 00bc61e3e1..0000000000
Binary files a/windows/update/images/uc-24.png and /dev/null differ
diff --git a/windows/update/images/uc-25.png b/windows/update/images/uc-25.png
deleted file mode 100644
index 4e0f0bdb03..0000000000
Binary files a/windows/update/images/uc-25.png and /dev/null differ
diff --git a/windows/update/images/uev-adk-select-uev-feature.png b/windows/update/images/uev-adk-select-uev-feature.png
deleted file mode 100644
index 1556f115c0..0000000000
Binary files a/windows/update/images/uev-adk-select-uev-feature.png and /dev/null differ
diff --git a/windows/update/images/uev-archdiagram.png b/windows/update/images/uev-archdiagram.png
deleted file mode 100644
index eae098e666..0000000000
Binary files a/windows/update/images/uev-archdiagram.png and /dev/null differ
diff --git a/windows/update/images/uev-checklist-box.gif b/windows/update/images/uev-checklist-box.gif
deleted file mode 100644
index 8af13c51d1..0000000000
Binary files a/windows/update/images/uev-checklist-box.gif and /dev/null differ
diff --git a/windows/update/images/uev-deployment-preparation.png b/windows/update/images/uev-deployment-preparation.png
deleted file mode 100644
index b665a0bfea..0000000000
Binary files a/windows/update/images/uev-deployment-preparation.png and /dev/null differ
diff --git a/windows/update/images/uev-generator-process.png b/windows/update/images/uev-generator-process.png
deleted file mode 100644
index e16cedd0a7..0000000000
Binary files a/windows/update/images/uev-generator-process.png and /dev/null differ
diff --git a/windows/update/images/w10servicing-f1-branches.png b/windows/update/images/w10servicing-f1-branches.png
deleted file mode 100644
index ac4a549aed..0000000000
Binary files a/windows/update/images/w10servicing-f1-branches.png and /dev/null differ
diff --git a/windows/update/images/waas-active-hours-policy.PNG b/windows/update/images/waas-active-hours-policy.PNG
deleted file mode 100644
index af80ef6652..0000000000
Binary files a/windows/update/images/waas-active-hours-policy.PNG and /dev/null differ
diff --git a/windows/update/images/waas-active-hours.PNG b/windows/update/images/waas-active-hours.PNG
deleted file mode 100644
index c262c302ed..0000000000
Binary files a/windows/update/images/waas-active-hours.PNG and /dev/null differ
diff --git a/windows/update/images/waas-auto-update-policy.PNG b/windows/update/images/waas-auto-update-policy.PNG
deleted file mode 100644
index 52a1629cbf..0000000000
Binary files a/windows/update/images/waas-auto-update-policy.PNG and /dev/null differ
diff --git a/windows/update/images/waas-do-fig1.png b/windows/update/images/waas-do-fig1.png
deleted file mode 100644
index 2a2b6872e9..0000000000
Binary files a/windows/update/images/waas-do-fig1.png and /dev/null differ
diff --git a/windows/update/images/waas-do-fig2.png b/windows/update/images/waas-do-fig2.png
deleted file mode 100644
index cc42b328eb..0000000000
Binary files a/windows/update/images/waas-do-fig2.png and /dev/null differ
diff --git a/windows/update/images/waas-do-fig3.png b/windows/update/images/waas-do-fig3.png
deleted file mode 100644
index d9182d3b20..0000000000
Binary files a/windows/update/images/waas-do-fig3.png and /dev/null differ
diff --git a/windows/update/images/waas-do-fig4.png b/windows/update/images/waas-do-fig4.png
deleted file mode 100644
index a66741ed90..0000000000
Binary files a/windows/update/images/waas-do-fig4.png and /dev/null differ
diff --git a/windows/update/images/waas-overview-patch.png b/windows/update/images/waas-overview-patch.png
deleted file mode 100644
index 6ac0a03227..0000000000
Binary files a/windows/update/images/waas-overview-patch.png and /dev/null differ
diff --git a/windows/update/images/waas-restart-policy.PNG b/windows/update/images/waas-restart-policy.PNG
deleted file mode 100644
index 936f9aeb08..0000000000
Binary files a/windows/update/images/waas-restart-policy.PNG and /dev/null differ
diff --git a/windows/update/images/waas-rings.png b/windows/update/images/waas-rings.png
deleted file mode 100644
index 041a59ce87..0000000000
Binary files a/windows/update/images/waas-rings.png and /dev/null differ
diff --git a/windows/update/images/waas-sccm-fig1.png b/windows/update/images/waas-sccm-fig1.png
deleted file mode 100644
index 6bf2b1c621..0000000000
Binary files a/windows/update/images/waas-sccm-fig1.png and /dev/null differ
diff --git a/windows/update/images/waas-sccm-fig10.png b/windows/update/images/waas-sccm-fig10.png
deleted file mode 100644
index ad3b5c922f..0000000000
Binary files a/windows/update/images/waas-sccm-fig10.png and /dev/null differ
diff --git a/windows/update/images/waas-sccm-fig11.png b/windows/update/images/waas-sccm-fig11.png
deleted file mode 100644
index 6c4f905630..0000000000
Binary files a/windows/update/images/waas-sccm-fig11.png and /dev/null differ
diff --git a/windows/update/images/waas-sccm-fig12.png b/windows/update/images/waas-sccm-fig12.png
deleted file mode 100644
index 87464dd5f1..0000000000
Binary files a/windows/update/images/waas-sccm-fig12.png and /dev/null differ
diff --git a/windows/update/images/waas-sccm-fig2.png b/windows/update/images/waas-sccm-fig2.png
deleted file mode 100644
index c83e7bc781..0000000000
Binary files a/windows/update/images/waas-sccm-fig2.png and /dev/null differ
diff --git a/windows/update/images/waas-sccm-fig3.png b/windows/update/images/waas-sccm-fig3.png
deleted file mode 100644
index dcbc83b8ff..0000000000
Binary files a/windows/update/images/waas-sccm-fig3.png and /dev/null differ
diff --git a/windows/update/images/waas-sccm-fig4.png b/windows/update/images/waas-sccm-fig4.png
deleted file mode 100644
index 782c5ca6ef..0000000000
Binary files a/windows/update/images/waas-sccm-fig4.png and /dev/null differ
diff --git a/windows/update/images/waas-sccm-fig5.png b/windows/update/images/waas-sccm-fig5.png
deleted file mode 100644
index cb399a6c6f..0000000000
Binary files a/windows/update/images/waas-sccm-fig5.png and /dev/null differ
diff --git a/windows/update/images/waas-sccm-fig6.png b/windows/update/images/waas-sccm-fig6.png
deleted file mode 100644
index 77dd02d61e..0000000000
Binary files a/windows/update/images/waas-sccm-fig6.png and /dev/null differ
diff --git a/windows/update/images/waas-sccm-fig7.png b/windows/update/images/waas-sccm-fig7.png
deleted file mode 100644
index a74c7c8133..0000000000
Binary files a/windows/update/images/waas-sccm-fig7.png and /dev/null differ
diff --git a/windows/update/images/waas-sccm-fig8.png b/windows/update/images/waas-sccm-fig8.png
deleted file mode 100644
index 2dfaf75ddf..0000000000
Binary files a/windows/update/images/waas-sccm-fig8.png and /dev/null differ
diff --git a/windows/update/images/waas-sccm-fig9.png b/windows/update/images/waas-sccm-fig9.png
deleted file mode 100644
index 311d79dc94..0000000000
Binary files a/windows/update/images/waas-sccm-fig9.png and /dev/null differ
diff --git a/windows/update/images/waas-strategy-fig1a.png b/windows/update/images/waas-strategy-fig1a.png
deleted file mode 100644
index 7a924c43bc..0000000000
Binary files a/windows/update/images/waas-strategy-fig1a.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig1.png b/windows/update/images/waas-wsus-fig1.png
deleted file mode 100644
index 14bf35958a..0000000000
Binary files a/windows/update/images/waas-wsus-fig1.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig10.png b/windows/update/images/waas-wsus-fig10.png
deleted file mode 100644
index 3efa119693..0000000000
Binary files a/windows/update/images/waas-wsus-fig10.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig11.png b/windows/update/images/waas-wsus-fig11.png
deleted file mode 100644
index ae6d79221a..0000000000
Binary files a/windows/update/images/waas-wsus-fig11.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig12.png b/windows/update/images/waas-wsus-fig12.png
deleted file mode 100644
index 47479ea1df..0000000000
Binary files a/windows/update/images/waas-wsus-fig12.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig13.png b/windows/update/images/waas-wsus-fig13.png
deleted file mode 100644
index f0b1578094..0000000000
Binary files a/windows/update/images/waas-wsus-fig13.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig14.png b/windows/update/images/waas-wsus-fig14.png
deleted file mode 100644
index b5b930ddad..0000000000
Binary files a/windows/update/images/waas-wsus-fig14.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig15.png b/windows/update/images/waas-wsus-fig15.png
deleted file mode 100644
index 95e38c039e..0000000000
Binary files a/windows/update/images/waas-wsus-fig15.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig16.png b/windows/update/images/waas-wsus-fig16.png
deleted file mode 100644
index 3848ac1772..0000000000
Binary files a/windows/update/images/waas-wsus-fig16.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig17.png b/windows/update/images/waas-wsus-fig17.png
deleted file mode 100644
index 5511da3e5c..0000000000
Binary files a/windows/update/images/waas-wsus-fig17.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig18.png b/windows/update/images/waas-wsus-fig18.png
deleted file mode 100644
index f9ac774754..0000000000
Binary files a/windows/update/images/waas-wsus-fig18.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig19.png b/windows/update/images/waas-wsus-fig19.png
deleted file mode 100644
index f69d793afe..0000000000
Binary files a/windows/update/images/waas-wsus-fig19.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig2.png b/windows/update/images/waas-wsus-fig2.png
deleted file mode 100644
index 167774a6c9..0000000000
Binary files a/windows/update/images/waas-wsus-fig2.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig20.png b/windows/update/images/waas-wsus-fig20.png
deleted file mode 100644
index ea6bbb350a..0000000000
Binary files a/windows/update/images/waas-wsus-fig20.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig3.png b/windows/update/images/waas-wsus-fig3.png
deleted file mode 100644
index 272e8c05e9..0000000000
Binary files a/windows/update/images/waas-wsus-fig3.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig4.png b/windows/update/images/waas-wsus-fig4.png
deleted file mode 100644
index bb5f27e3da..0000000000
Binary files a/windows/update/images/waas-wsus-fig4.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig5.png b/windows/update/images/waas-wsus-fig5.png
deleted file mode 100644
index 23faf303c6..0000000000
Binary files a/windows/update/images/waas-wsus-fig5.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig6.png b/windows/update/images/waas-wsus-fig6.png
deleted file mode 100644
index 7857351d19..0000000000
Binary files a/windows/update/images/waas-wsus-fig6.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig7.png b/windows/update/images/waas-wsus-fig7.png
deleted file mode 100644
index e7f02649d2..0000000000
Binary files a/windows/update/images/waas-wsus-fig7.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig8.png b/windows/update/images/waas-wsus-fig8.png
deleted file mode 100644
index da5f620425..0000000000
Binary files a/windows/update/images/waas-wsus-fig8.png and /dev/null differ
diff --git a/windows/update/images/waas-wsus-fig9.png b/windows/update/images/waas-wsus-fig9.png
deleted file mode 100644
index f3d5a4eb6a..0000000000
Binary files a/windows/update/images/waas-wsus-fig9.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-gp-broad.png b/windows/update/images/waas-wufb-gp-broad.png
deleted file mode 100644
index 92b71c8936..0000000000
Binary files a/windows/update/images/waas-wufb-gp-broad.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-gp-cb2-settings.png b/windows/update/images/waas-wufb-gp-cb2-settings.png
deleted file mode 100644
index ae6ed4d856..0000000000
Binary files a/windows/update/images/waas-wufb-gp-cb2-settings.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-gp-cb2.png b/windows/update/images/waas-wufb-gp-cb2.png
deleted file mode 100644
index 006a8c02d3..0000000000
Binary files a/windows/update/images/waas-wufb-gp-cb2.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-gp-cbb1-settings.png b/windows/update/images/waas-wufb-gp-cbb1-settings.png
deleted file mode 100644
index c9e1029b8b..0000000000
Binary files a/windows/update/images/waas-wufb-gp-cbb1-settings.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-gp-cbb2-settings.png b/windows/update/images/waas-wufb-gp-cbb2-settings.png
deleted file mode 100644
index e5aff1cc89..0000000000
Binary files a/windows/update/images/waas-wufb-gp-cbb2-settings.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-gp-cbb2q-settings.png b/windows/update/images/waas-wufb-gp-cbb2q-settings.png
deleted file mode 100644
index 33a02165c6..0000000000
Binary files a/windows/update/images/waas-wufb-gp-cbb2q-settings.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-gp-create.png b/windows/update/images/waas-wufb-gp-create.png
deleted file mode 100644
index d74eec4b2e..0000000000
Binary files a/windows/update/images/waas-wufb-gp-create.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-gp-edit-defer.png b/windows/update/images/waas-wufb-gp-edit-defer.png
deleted file mode 100644
index c697b42ffd..0000000000
Binary files a/windows/update/images/waas-wufb-gp-edit-defer.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-gp-edit.png b/windows/update/images/waas-wufb-gp-edit.png
deleted file mode 100644
index 1b8d21a175..0000000000
Binary files a/windows/update/images/waas-wufb-gp-edit.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-gp-scope-cb2.png b/windows/update/images/waas-wufb-gp-scope-cb2.png
deleted file mode 100644
index fcacdbea57..0000000000
Binary files a/windows/update/images/waas-wufb-gp-scope-cb2.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-gp-scope.png b/windows/update/images/waas-wufb-gp-scope.png
deleted file mode 100644
index a04d8194df..0000000000
Binary files a/windows/update/images/waas-wufb-gp-scope.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-intune-cb2a.png b/windows/update/images/waas-wufb-intune-cb2a.png
deleted file mode 100644
index 3e8c1ce19e..0000000000
Binary files a/windows/update/images/waas-wufb-intune-cb2a.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-intune-cbb1a.png b/windows/update/images/waas-wufb-intune-cbb1a.png
deleted file mode 100644
index bc394fe563..0000000000
Binary files a/windows/update/images/waas-wufb-intune-cbb1a.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-intune-cbb2a.png b/windows/update/images/waas-wufb-intune-cbb2a.png
deleted file mode 100644
index a980e0e43a..0000000000
Binary files a/windows/update/images/waas-wufb-intune-cbb2a.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-intune-step11a.png b/windows/update/images/waas-wufb-intune-step11a.png
deleted file mode 100644
index 7291484c93..0000000000
Binary files a/windows/update/images/waas-wufb-intune-step11a.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-intune-step19a.png b/windows/update/images/waas-wufb-intune-step19a.png
deleted file mode 100644
index de132abd28..0000000000
Binary files a/windows/update/images/waas-wufb-intune-step19a.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-intune-step2a.png b/windows/update/images/waas-wufb-intune-step2a.png
deleted file mode 100644
index 9a719b8fda..0000000000
Binary files a/windows/update/images/waas-wufb-intune-step2a.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-intune-step7a.png b/windows/update/images/waas-wufb-intune-step7a.png
deleted file mode 100644
index daa96ba18c..0000000000
Binary files a/windows/update/images/waas-wufb-intune-step7a.png and /dev/null differ
diff --git a/windows/update/images/waas-wufb-update-compliance.png b/windows/update/images/waas-wufb-update-compliance.png
deleted file mode 100644
index 0c1bbaea7c..0000000000
Binary files a/windows/update/images/waas-wufb-update-compliance.png and /dev/null differ
diff --git a/windows/update/images/who-owns-pc.png b/windows/update/images/who-owns-pc.png
deleted file mode 100644
index d3ce1def8d..0000000000
Binary files a/windows/update/images/who-owns-pc.png and /dev/null differ
diff --git a/windows/update/images/wifisense-grouppolicy.png b/windows/update/images/wifisense-grouppolicy.png
deleted file mode 100644
index 1142d834bd..0000000000
Binary files a/windows/update/images/wifisense-grouppolicy.png and /dev/null differ
diff --git a/windows/update/images/wifisense-registry.png b/windows/update/images/wifisense-registry.png
deleted file mode 100644
index cbb1fa8347..0000000000
Binary files a/windows/update/images/wifisense-registry.png and /dev/null differ
diff --git a/windows/update/images/wifisense-settingscreens.png b/windows/update/images/wifisense-settingscreens.png
deleted file mode 100644
index cbb6903177..0000000000
Binary files a/windows/update/images/wifisense-settingscreens.png and /dev/null differ
diff --git a/windows/update/images/win10-mobile-mdm-fig1.png b/windows/update/images/win10-mobile-mdm-fig1.png
deleted file mode 100644
index 6ddac1df99..0000000000
Binary files a/windows/update/images/win10-mobile-mdm-fig1.png and /dev/null differ
diff --git a/windows/update/images/win10servicing-fig2-featureupgrade.png b/windows/update/images/win10servicing-fig2-featureupgrade.png
deleted file mode 100644
index e4dc76b44f..0000000000
Binary files a/windows/update/images/win10servicing-fig2-featureupgrade.png and /dev/null differ
diff --git a/windows/update/images/win10servicing-fig3.png b/windows/update/images/win10servicing-fig3.png
deleted file mode 100644
index 688f92b173..0000000000
Binary files a/windows/update/images/win10servicing-fig3.png and /dev/null differ
diff --git a/windows/update/images/win10servicing-fig4-upgradereleases.png b/windows/update/images/win10servicing-fig4-upgradereleases.png
deleted file mode 100644
index 961c8bebe2..0000000000
Binary files a/windows/update/images/win10servicing-fig4-upgradereleases.png and /dev/null differ
diff --git a/windows/update/images/win10servicing-fig5.png b/windows/update/images/win10servicing-fig5.png
deleted file mode 100644
index dc4b2fc5b2..0000000000
Binary files a/windows/update/images/win10servicing-fig5.png and /dev/null differ
diff --git a/windows/update/images/win10servicing-fig6.png b/windows/update/images/win10servicing-fig6.png
deleted file mode 100644
index 4cdc5f9c6f..0000000000
Binary files a/windows/update/images/win10servicing-fig6.png and /dev/null differ
diff --git a/windows/update/images/win10servicing-fig7.png b/windows/update/images/win10servicing-fig7.png
deleted file mode 100644
index 0a9a851449..0000000000
Binary files a/windows/update/images/win10servicing-fig7.png and /dev/null differ
diff --git a/windows/update/images/wufb-config1a.png b/windows/update/images/wufb-config1a.png
deleted file mode 100644
index 1514b87528..0000000000
Binary files a/windows/update/images/wufb-config1a.png and /dev/null differ
diff --git a/windows/update/images/wufb-config2.png b/windows/update/images/wufb-config2.png
deleted file mode 100644
index f54eef9a50..0000000000
Binary files a/windows/update/images/wufb-config2.png and /dev/null differ
diff --git a/windows/update/images/wufb-config3a.png b/windows/update/images/wufb-config3a.png
deleted file mode 100644
index 538028cfdc..0000000000
Binary files a/windows/update/images/wufb-config3a.png and /dev/null differ
diff --git a/windows/update/images/wufb-do.png b/windows/update/images/wufb-do.png
deleted file mode 100644
index 8d6c9d0b8a..0000000000
Binary files a/windows/update/images/wufb-do.png and /dev/null differ
diff --git a/windows/update/images/wufb-groups.png b/windows/update/images/wufb-groups.png
deleted file mode 100644
index 13cdea04b0..0000000000
Binary files a/windows/update/images/wufb-groups.png and /dev/null differ
diff --git a/windows/update/images/wufb-pause-feature.png b/windows/update/images/wufb-pause-feature.png
deleted file mode 100644
index afeac43e29..0000000000
Binary files a/windows/update/images/wufb-pause-feature.png and /dev/null differ
diff --git a/windows/update/images/wufb-qual.png b/windows/update/images/wufb-qual.png
deleted file mode 100644
index 4a93408522..0000000000
Binary files a/windows/update/images/wufb-qual.png and /dev/null differ
diff --git a/windows/update/images/wufb-sccm.png b/windows/update/images/wufb-sccm.png
deleted file mode 100644
index 1d568c1fe4..0000000000
Binary files a/windows/update/images/wufb-sccm.png and /dev/null differ
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md
index 2f75b278ca..6b8301ccab 100644
--- a/windows/whats-new/contribute-to-a-topic.md
+++ b/windows/whats-new/contribute-to-a-topic.md
@@ -1,5 +1,5 @@
---
-title: Edit an existing topic using the Contribute link
+title: Edit an existing topic using the Edit link
description: Instructions about how to edit an existing topic by using the Contribute link on TechNet.
keywords: contribute, edit a topic
ms.prod: w10
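Review bot: The `description` line in this front matter still reads "by using the Contribute link on TechNet" while the `title` above it now says "Edit link". Update the description in the same change so the page metadata and the renamed link agree.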
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
---
-# Edit an existing topic using the Contribute link
+# Editing existing Windows IT professional documentation
You can now make suggestions and update existing, public content with a GitHub account and a simple click of a link.
>**Note**
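Review bot: The new H1, "Editing existing Windows IT professional documentation", no longer matches the front-matter title set in the previous hunk ("Edit an existing topic using the Edit link"). Pick one wording and use it in both places, otherwise the browser title and the on-page heading describe the topic differently.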
@@ -16,12 +16,11 @@ You can now make suggestions and update existing, public content with a GitHub a
**To edit a topic**
1. All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before contributing to any Microsoft repositories.
-If you've already contributed to Microsoft repositories in the past, congratulations!
-You've already completed this step.
+If you've already contributed to Microsoft repositories in the past, congratulations! You've already completed this step.
-2. Go to the page on TechNet that you want to update, and then click **Contribute**.
+2. Go to the page on TechNet that you want to update, and then click **Edit**.
- 
+ 
3. Log into (or sign up for) a GitHub account.
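Review bot: Step 2 still tells the reader to go to "the page on TechNet", although the last hunk in this file moves every published destination to docs.microsoft.com. Reword the step to name the site the Edit link actually appears on. The image is also still referenced as `images/contribute-link.png` while its alt text now describes the Edit link, so consider renaming the file to match.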
@@ -62,10 +61,13 @@ You've already completed this step.
The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to one of the following places:
- - [Windows 10](https://technet.microsoft.com/itpro/windows)
- - [Internet Explorer 11](https://technet.microsoft.com/itpro/internet-explorer)
- - [Microsoft Edge](https://technet.microsoft.com/itpro/microsoft-edge)
- - [Surface](https://technet.microsoft.com/itpro/surface)
- - [Surface Hub](https://technet.microsoft.com/itpro/surface-hub)
- - [Windows 10 for Education](https://technet.microsoft.com/edu/windows)
- - [Microsoft Desktop Optimization Pack](https://technet.microsoft.com/itpro/mdop)
+ - [Windows 10](https://docs.microsoft.com/windows/windows-10)
+ - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy)
+ - [Surface](https://docs.microsoft.com/surface)
+ - [Surface Hub](https://docs.microsoft.com/surface-hub)
+ - [HoloLens](https://docs.microsoft.com/hololens)
+ - [Microsoft Store](https://docs.microsoft.com/microsoft-store)
+ - [Windows 10 for Education](https://docs.microsoft.com/education/windows)
+ - [Windows 10 for SMB](https://docs.microsoft.com/windows/smb)
+ - [Internet Explorer 11](https://docs.microsoft.com/internet-explorer)
+ - [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/microsoft-desktop-optimization-pack)
\ No newline at end of file
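Review bot: The file still ends without a trailing newline after the last list item (the Microsoft Desktop Optimization Pack link). Add one while this list is being rewritten. The list also uses full `https://docs.microsoft.com/...` URLs, whereas the links changed in whats-new-windows-10-version-1507-and-1511.md in this same patch use site-root paths such as `/windows/device-security/...`; settle on one convention for links into the docs site.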
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
new file mode 100644
index 0000000000..f2cd5d5e8b
--- /dev/null
+++ b/windows/whats-new/docfx.json
@@ -0,0 +1,41 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg",
+ "**/*.gif"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {
+ "uhfHeaderId": "MSDocsHeader-WindowsIT",
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ },
+ "fileMetadata": {},
+ "template": [],
+ "dest": "win-whats-new"
+ }
+}
\ No newline at end of file
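Review bot: The `resource` file list matches only `**/*.png`, `**/*.jpg` and `**/*.gif`, so an image of any other type (for example `.svg` or `.jpeg`) added to this docset later would be referenced from markdown but not copied to the output. Either widen the list or document the restriction for contributors. The new file also lacks a trailing newline, and the hard-coded `breadcrumb_path` of `/windows/windows-10/breadcrumb/toc.json` points outside this docset, so it is worth a comment in the PR description confirming that path is published.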
diff --git a/windows/whats-new/images/contribute-link.png b/windows/whats-new/images/contribute-link.png
index 6b17e6dd56..4cf685e54e 100644
Binary files a/windows/whats-new/images/contribute-link.png and b/windows/whats-new/images/contribute-link.png differ
diff --git a/windows/whats-new/images/preview-changes.png b/windows/whats-new/images/preview-changes.png
index f98b2c6443..cb4ecab594 100644
Binary files a/windows/whats-new/images/preview-changes.png and b/windows/whats-new/images/preview-changes.png differ
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index f23a6b2556..09d1e54940 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -23,7 +23,7 @@ Below is a list of some of the new and updated features included in the initial
With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
-[Learn more about provisioning in Windows 10.](../deploy/provisioning-packages.md)
+[Learn more about provisioning in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages)
## Security
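Review bot: The replacement link `/windows/configuration/provisioning-packages/provisioning-packages` is a site-root path with no `.md` extension, unlike the relative `../deploy/provisioning-packages.md` it replaces, so it no longer points at a file that can be checked in this repository tree. Nothing in the patch shows the target exists; confirm it resolves on the published site before merging. The same applies to the other rewritten links in this file.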
@@ -36,7 +36,7 @@ With Windows 10, you can create provisioning packages that let you quickly and e
- A new [AppLocker](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server.
- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx).
-[Learn how to manage AppLocker within your organization](../keep-secure/applocker-overview.md).
+[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview).
### Bitlocker
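Review bot: The two AppLocker CSP links in the context lines of this hunk still use plain `http://msdn.microsoft.com/...` while the line being changed moves to a site-root path. Since this section is being touched anyway, switch those links to `https://` so readers are not sent over an unencrypted connection, and fix "was add" to "was added" in the first bullet.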
@@ -56,7 +56,7 @@ With Windows 10, you can create provisioning packages that let you quickly and e
- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings."
-[Learn how to deploy and manage BitLocker within your organization](../keep-secure/bitlocker-overview.md).
+[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview).
### Credential Guard
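Review bot: The bullet just above the changed line still links to `https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot`, the old `keep-secure` location on TechNet, while this hunk moves the BitLocker overview link to `/windows/device-security/bitlocker/...`. Update that link to the new location in the same change so the section does not mix old and new paths. "recover URL" in that bullet should also read "recovery URL".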
@@ -69,16 +69,16 @@ With Windows 10, you can create provisioning packages that let you quickly and e
- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy.
- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled.
-[Learn how to deploy and manage Credential Guard within your organization](../keep-secure/credential-guard.md).
+[Learn how to deploy and manage Credential Guard within your organization](/windows/access-protection/credential-guard/credential-guard).
### Easier certificate management
-For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](~/keep-secure/installing-digital-certificates-on-windows-10-mobile.md)
+For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile)
### Microsoft Passport
-In Windows 10, [Microsoft Passport](~/keep-secure/manage-identity-verification-using-microsoft-passport.md) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
+In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services.
@@ -97,9 +97,9 @@ In Windows 10, security auditing has added some improvements:
##### New audit subcategories
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
-- [Audit Group Membership](../keep-secure/audit-group-membership.md) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
+- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event.
-- [Audit PNP Activity](../keep-secure/audit-pnp-activity.md) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
+- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play.
A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event.
@@ -188,7 +188,7 @@ Event ID 4826 has been added to track the following changes to the Boot Configur
Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
-[Learn how to manage your security audit policies within your organization](../keep-secure/security-auditing-overview.md).
+[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview).
### Trusted Platform Module
@@ -200,9 +200,9 @@ Event ID 6416 has been added to track when an external device is detected throug
The following sections describe the new and changed functionality in the TPM for Windows 10:
- [Device health attestation](#bkmk-dha)
-- [Microsoft Passport](microsoft-passport.md) support
-- [Device Guard](../keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) support
-- [Credential Guard](../keep-secure/credential-guard.md) support
+- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support
+- [Device Guard](/windows/access-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support
+- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support
### Device health attestation
@@ -214,7 +214,7 @@ Some things that you can check on the device are:
> **Note** The device must be running Windows 10 and it must support at least TPM 2.0.
-[Learn how to deploy and manage TPM within your organization](../keep-secure/trusted-platform-module-overview.md).
+[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview).
### User Account Control
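Review bot: The new TPM link target has a doubled slash, `/windows/device-security/tpm//trusted-platform-module-overview`. Every other path rewritten in this patch uses single separators, so this looks like a typo. Change it to `/windows/device-security/tpm/trusted-platform-module-overview` so the link does not depend on the server normalising the path.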
@@ -222,7 +222,7 @@ User Account Control (UAC) helps prevent malware from damaging a computer and he
You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
-For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](../keep-secure/user-account-control-group-policy-and-registry-key-settings.md).
+For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
In Windows 10, User Account Control has added some improvements.
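Review bot: The rewritten UAC line still reads "For more info about how manage UAC". Since the line is being replaced anyway, fix it to "how to manage UAC". The context line above it also has "Univeral Windows Platform", which could be corrected in the same pass.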
@@ -230,7 +230,7 @@ In Windows 10, User Account Control has added some improvements.
- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](http://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
-[Learn how to manage User Account Control within your organization](../keep-secure/user-account-control-overview.md).
+[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview).
### VPN profile options
@@ -242,7 +242,7 @@ Windows 10 provides a set of VPN features that both increase enterprise security
- Lock down VPN
- Integration with Microsoft Passport for Work
-[Learn more about the VPN options in Windows 10.](../keep-secure/vpn-profile-options.md)
+[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options)
## Management
@@ -298,16 +298,16 @@ Lockdown settings can also be configured for device look and feel, such as a the
### Customized Start layout
-A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](../manage/customize-and-export-start-layout.md).
+A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout).
-Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](../configure/windows-spotlight.md).
+Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight).
### Windows Store for Business
**New in Windows 10, version 1511**
With the Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
-For more information, see [Windows Store for Business overview](../manage/windows-store-for-business-overview.md).
+For more information, see [Windows Store for Business overview](/microsoft-store/windows-store-for-business-overview).
## Updates
@@ -325,9 +325,9 @@ By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279
Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](http://technet.microsoft.com/library/gg682129.aspx).
-Learn more about [Windows Update for Business](../plan/windows-update-for-business.md).
+Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
-For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md).
+For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates).
## Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
@@ -347,7 +347,7 @@ We also recommend that you upgrade to IE11 if you're running any earlier version
## Learn more
-- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info)
+- [Windows 10 release information](https://technet.microsoft.com/windows/release-info)
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index 87a9c88d26..07612029c5 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -1,7 +1,6 @@
---
title: What's new in Windows 10, version 1607 (Windows 10)
description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile.
-ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6
keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"]
ms.prod: w10
ms.mktglfcycl: deploy
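Review bot: The `ms.assetid` deletion in the front matter of whats-new-windows-10-version-1607.md is not a link change, and nothing visible in the patch explains it. The 1703 file modified later in this patch still carries its `ms.assetid` (visible in its first hunk header). Either drop this deletion from the link-migration change or state in the commit message why this file loses its asset ID.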
@@ -26,11 +25,11 @@ In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you
Windows ICD now includes simplified workflows for creating provisioning packages:
-- [Simple provisioning to set up common settings for Active Directory-joined devices](~/deploy/provision-pcs-for-initial-deployment.md)
-- [Advanced provisioning to deploy certificates and apps](~/deploy/provision-pcs-with-apps-and-certificates.md)
+- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)
+- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates)
- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain)
-[Learn more about using provisioning packages in Windows 10.](../deploy/provisioning-packages.md)
+[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages)
### Windows Upgrade Analytics
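Review bot: The "School provisioning" bullet is left pointing at `https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain`, while the "Learn more" hunk of the preceding file in this patch strips the `/en-us/` segment from the release-info URL. If removing hard-coded locales is part of this change, apply it to this bullet too so the two files stay consistent.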
@@ -50,7 +49,7 @@ Use Upgrade Analytics to get:
The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready.
-[Learn more about planning and managing Windows upgrades with Windows Upgrade Analytics.](../deploy/manage-windows-upgrades-with-upgrade-analytics.md)
+[Learn more about planning and managing Windows upgrades with Windows Upgrade Analytics.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-analytics)
## Windows updates
@@ -78,12 +77,12 @@ Additional changes for Windows Hello in Windows 10, version 1607:
- Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
-[Learn more about Windows Hello for Business.](../keep-secure/manage-identity-verification-using-microsoft-passport.md)
+[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification)
### VPN
- The VPN client can integrate with the Conditional Access Framework, a cloud-pased policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
-- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](../keep-secure/protect-enterprise-data-using-edp.md), previously known as Enterprise Data Protection.
+- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607)
- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins.
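Review bot: The first VPN bullet in this hunk, an unchanged context line, says "cloud-pased policy engine"; it should read "cloud-based" and is worth fixing while the section is open. The VPNv2 CSP bullet also keeps an `/en-us/` URL and has no closing period, unlike the bullet changed just above it.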
@@ -101,28 +100,28 @@ Windows Information Protection (WIP) helps to protect against this potential dat
### Windows Defender
Several new features and management options have been added to Windows Defender in Windows 10, version 1607.
-- [Windows Defender Offline in Windows 10](../keep-secure/windows-defender-offline.md) can be run directly from within Windows, without having to create bootable media.
-- [Use PowerShell cmdlets for Windows Defender](../keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md) to configure options and run scans.
-- [Enable the Block at First Sight feature in Windows 10](../keep-secure/windows-defender-block-at-first-sight.md) to leverage the Windows Defender cloud for near-instant protection against new malware.
-- [Configure enhanced notifications for Windows Defender in Windows 10](../keep-secure/windows-defender-enhanced-notifications.md) to see more informaiton about threat detections and removal.
-- [Run a Windows Defender scan from the command line](../keep-secure/run-cmd-scan-windows-defender-for-windows-10.md).
-- [Detect and block Potentially Unwanted Applications with Windows Defender](../keep-secure/enable-pua-windows-defender-for-windows-10.md) during download and install times.
+- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
+- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans.
+- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-block-at-first-sight) to leverage the Windows Defender cloud for near-instant protection against new malware.
+- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more informaiton about threat detections and removal.
+- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus).
+- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times.
### Windows Defender Advanced Threat Protection (ATP)
With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
-[Learn more about Windows Defender Advanced Threat Protection (ATP)](../keep-secure/windows-defender-advanced-threat-protection.md).
+[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
## Management
### Use Remote Desktop Connection for PCs joined to Azure Active Directory
-From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](../manage/connect-to-remote-aadj-pc.md)
+From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc)
### Taskbar configuration
-Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](../manage/windows-10-start-layout-options-and-policies.md)
+Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies)
### Mobile device management and configuration service providers (CSPs)
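Review bot: The added enhanced-notifications bullet carries the old typo over: "to see more informaiton about threat detections". Correct it to "information" in the new line. Several Windows Defender targets in this hunk also change the page name, not just the folder (for example `windows-defender-enhanced-notifications` becomes `configure-notifications-windows-defender-antivirus`, and `run-cmd-scan-windows-defender-for-windows-10` becomes `command-line-arguments-windows-defender-antivirus`), so confirm each renamed page exists at the new path before merging.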
@@ -130,7 +129,7 @@ Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilit
### Shared PC mode
-Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](../configure/set-up-shared-or-guest-pc.md)
+Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc)
### Application Virtualization (App-V) for Windows 10
@@ -138,7 +137,7 @@ Application Virtualization (App-V) enables organizations to deliver Win32 applic
With the release of Windows 10, version 1607, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
-[Learn how to deliver virtual applications with App-V.](../manage/appv-getting-started.md)
+[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started)
### User Experience Virtualization (UE-V) for Windows 10
@@ -148,7 +147,7 @@ With User Experience Virtualization (UE-V), you can capture user-customized Wind
With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
-[Learn how to synchronize user-customized settings with UE-V.](../manage/uev-for-windows.md)
+[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows)
## Learn more
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 73a74e3409..6b9af04119 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -14,10 +14,10 @@ ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617
Below is a list of some of the new and updated content that discusses Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).
-For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md).
+For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/).
>[!NOTE]
->Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update).
+>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update).
## Configuration
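Review bot: The `[!NOTE]` line is removed and re-added with no visible text difference, so it is presumably a whitespace-only edit. Confirm that is intended, or drop it to keep the diff to real changes. Its release-info link also keeps `/en-us/`, and `index.md` in the paragraph above stays relative while the rest of the patch moves to site-rooted paths. The added blog-post sentence is new content rather than a link migration and should be called out in the commit message.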
@@ -33,12 +33,12 @@ Both the desktop and kiosk wizards include an option to remove pre-installed sof

-[Learn more about Windows Configuration Designer.](../configure/provisioning-packages.md)
+[Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages)
-### Bulk enrollment in Azure Active Directory
+### Azure Active Directory join in bulk
-Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](../configure/provisioning-packages.md#configuration-designer-wizards). Bulk enrollment in Azure AD is available in the desktop, mobile, kiosk, and Surface Hub wizards.
+Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.

@@ -51,16 +51,16 @@ The following new Group Policy and mobile device management (MDM) settings are a
- **Do not use diagnostic data for tailored experiences**
- **Turn off the Windows Welcome Experience**
-[Learn more about Windows Spotlight.](../configure/windows-spotlight.md)
+[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight)
### Start and taskbar layout
Enterprises have been able to apply customized Start and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized Start and taskbar layout can also be applied to Windows 10 Pro.
-Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](../configure/customize-windows-10-start-screens-by-using-mobile-device-management.md).
+Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management).
-[Additional MDM policy settings are available for Start and taskbar layout](../configure/windows-10-start-layout-options-and-policies.md). New MDM policy settings include:
+[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep)
@@ -75,6 +75,8 @@ Cortana is Microsoft’s personal digital assistant, who helps busy people get t
Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
+For more info about Cortana at work, see [Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview)
+
## Deployment
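Review bot: The added Cortana sentence ends at the link with no closing period, unlike the other "Learn more" and "For details" lines in this file. Add the period after the closing parenthesis.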
@@ -86,7 +88,7 @@ The GPT partition format is newer and enables the use of larger and more disk pa
Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
-For details, see [MBR2GPT.EXE](../deploy/mbr-to-gpt.md).
+For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
## Security
@@ -95,7 +97,7 @@ For details, see [MBR2GPT.EXE](../deploy/mbr-to-gpt.md).
New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10, version 1703 include:
- **Detection**
Enhancements to the detection capabilities include:
- - [Use the threat intelligence API to create custom alerts](../keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
+ - [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks
- Upgraded detections of ransomware and other advanced attacks
- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed
@@ -104,104 +106,118 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations.
Other investigation enhancements include:
- - [Investigate a user account](../keep-secure/investigate-user-windows-defender-advanced-threat-protection.md) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
- - [Alert process tree](../keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
- - [Pull alerts using REST API](../keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) - Use REST API to pull alerts from Windows Defender ATP.
+ - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
+ - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
+ - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP.
- **Response**
When detecting an attack, security response teams can now take immediate action to contain a breach:
- - [Take response actions on a machine](../keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
- - [Take response actions on a file](../keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
+ - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
+ - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
- **Other features**
- - [Check sensor health state](../keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
+ - [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
+Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787].
+
### Windows Defender Antivirus
-Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md).
+Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
The new library includes information on:
-- [Deploying and enabling AV protection](../keep-secure/deploy-windows-defender-antivirus.md)
-- [Managing updates](../keep-secure/manage-updates-baselines-windows-defender-antivirus.md)
-- [Reporting](../keep-secure/report-monitor-windows-defender-antivirus.md)
-- [Configuring features](../keep-secure/configure-windows-defender-antivirus-features.md)
-- [Troubleshooting](../keep-secure/troubleshoot-windows-defender-antivirus.md)
+- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus)
+- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus)
+- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus)
+- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features)
+- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus)
Some of the highlights of the new library include:
-- [Evaluation guide for Windows Defender AV](../keep-secure/evaluate-windows-defender-antivirus.md)
-- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](../keep-secure/deployment-vdi-windows-defender-antivirus.md)
+- [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus)
+- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus)
New features for Windows Defender AV in Windows 10, version 1703 include:
-- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md)
-- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md)
-- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md)
+- [Updates to how the Block at First Sight feature can be configured](/windows/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
+- [The ability to specify the level of cloud-protection](/windows/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus)
+- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/windows-defender-antivirus/windows-defender-security-center-antivirus)
-In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated beahvior monitoring and always-on real-time protection](../keep-secure/configure-real-time-protection-windows-defender-antivirus.md).
+In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated beahvior monitoring and always-on real-time protection](/windows/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
You can read more about ransomware mitigations and detection capability in Windows Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
### Device Guard and Credential Guard
Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime.
-For more information, see [Device Guard Requirements](../keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md#device-guard-requirements-for-improved-security) and [Credential Guard Security Considerations](../keep-secure/credential-guard-requirements.md#security-considerations).
+For more information, see [Device Guard Requirements](/windows/access-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard) and [Credential Guard Security Considerations](/windows/access-protection/credential-guard//credential-guard-requirements#security-considerations).
### Group Policy Security Options
-The security setting [**Interactive logon: Display user information when the session is locked**](../keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
+The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
A new security policy setting
-[**Interactive logon: Don't display username at sign-in**](../keep-secure/interactive-logon-dont-display-username-at-sign-in.md) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
+[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
### Windows Hello for Business
-You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
+You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
-For Windows Phone devices, an adminisrator is able to initiate a remote PIN reset through the Intune portal.
+For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.
For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**.
-For more details, check out [What if I forget my PIN?](../keep-secure/hello-why-pin-is-better-than-password.md#what-if-i-forget-my-pin).
+For more details, check out [What if I forget my PIN?](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password#what-if-i-forget-my-pin).
+
+### Windows Information Protection (WIP) and Azure Active Directory (Azure AD)
+Microsoft Azure Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Azure Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md).
+
+You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md).
## Update
### Windows Update for Business
-The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](../update/waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](../update/waas-configure-wufb.md#pause-quality-updates).
+The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
+
+
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details.
### Windows Insider for Business
-We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](../update/waas-windows-insider-for-business.md).
+We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business).
### Optimize update delivery
-[Express updates](../update/waas-optimize-windows-10-updates.md#express-update-delivery) are now supported on System Center Configuration Manager, starting with version 1702 of Configuration Manager, in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
+With changes delivered in Windows 10, version 1703, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
+
+>[!NOTE]
+> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
Added policies include:
-- [Allow uploads while the device is on battery while under set Battery level](../update/waas-delivery-optimization.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
-- [Enable Peer Caching while the device connects via VPN](../update/waas-delivery-optimization.md#enable-peer-caching-while-the-device-connects-via-vpn)
-- [Minimum RAM (inclusive) allowed to use Peer Caching](../update/waas-delivery-optimization.md#minimum-ram-allowed-to-use-peer-caching)
-- [Minimum disk size allowed to use Peer Caching](../update/waas-delivery-optimization.md#minimum-disk-size-allowed-to-use-peer-caching)
-- [Minimum Peer Caching Content File Size](../update/waas-delivery-optimization.md#minimum-peer-caching-content-file-size)
+- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
+- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn)
+- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching)
+- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching)
+- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size)
-To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](../update/waas-delivery-optimization.md)
+To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization)
### Uninstalled in-box apps no longer automatically reinstall
-When upgrading to Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. (Apps de-provisioned by IT administrators will still be reinstalled.)
+Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
+
+Additionally, apps de-provisioned by admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10, version 1607 (or earlier) to version 1703.
## Management
### New MDM capabilities
-Windows 10, version 1703 adds many new [configuration service providers (CSPs)](../configure/how-it-pros-can-use-configuration-service-providers.md) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
+Windows 10, version 1703 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
Some of the other new CSPs are:
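Review bot: The added Windows Defender ATP overview line at the end of the ATP section uses reversed Markdown link syntax, `(Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787]`, so it will render as literal text. Swap it to `[text](url)` and break the run-on before "see". Several rewritten paths in this hunk also need checking before merge. The Evaluation guide and Credential Guard Security Considerations links contain a double slash (`windows-defender-antivirus//evaluate-...`, `credential-guard//credential-guard-requirements`). The Block at First Sight, cloud-protection level, Security Center and real-time protection links use `/windows/windows-defender-antivirus/...` without the `threat-protection` segment that the other Defender AV links in this hunk use. The three new WIP links keep a `.md` suffix that every other converted link drops. The Device Guard Requirements link also loses its `#device-guard-requirements-for-improved-security` anchor, and "beahvior" and "deferal" are carried over uncorrected on lines this hunk rewrites.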
@@ -209,14 +225,15 @@ Some of the other new CSPs are:
- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
-- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for fixed drives and removable drives.
+- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives.
- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections.
- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx).
-- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
+- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
+IT pros can use the new [MDM Migration Analysis Tool (MMAT)](http://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
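Review bot: The BitLocker CSP bullet changes the example from "fixed drives and removable drives" to "operating system drives", which is a content change rather than a link update. Confirm it matches the BitLocker CSP reference and mention it in the commit description. The new MMAT link uses `http://aka.ms/mmat`, while the other links in this list are `https://`; use `https://` here as well.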
@@ -226,26 +243,41 @@ The Windows version of mobile application management (MAM) is a lightweight solu
For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management).
+### MDM diagnostics
+In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
### Application Virtualization for Windows (App-V)
-Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Addtionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
+Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
For more info, see the following topics:
-- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-provision-a-vm.md)
-- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-sequencing.md)
-- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md)
-- [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md)
+- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
+- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing)
+- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating)
+- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
+
+### Windows diagnostic data
+
+Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level.
+
+- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields)
+- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data)
+
+### Group Policy spreadsheet
+
+Learn about the new Group Policies that were added in Windows 10, version 1703.
+
+- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250)
## Windows 10 Mobile enhancements
### Lockdown Designer
-The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md).
+The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](/windows/configuration/mobile-devices/lockdown-xml).

-[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md)
+[Learn more about the Lockdown Designer app.](/windows/configuration/mobile-devices/mobile-lockdown-designer)
### Other enhancements
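Review bot: In the new "Windows diagnostic data" section, "the types of data that is collected at the Full level" has a subject-verb mismatch; use "that are collected". The App-V paragraph rewritten in this hunk fixes "Addtionally" but still uses "cleanup" as a verb ("automatically cleanup your unpublished packages"); "clean up" is the verb form.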
@@ -258,7 +290,7 @@ Windows 10 Mobile, version 1703 also includes the following enhancements:
- OTC update tool
- Continuum display management
- Individually turn off the monitor or phone screen when not in use
- - Indivudally adjust screen time-out settings
+ - Indiviudally adjust screen time-out settings
- Continuum docking solutions
- Set Ethernet port properties
- Set proxy properties for the Ethernet port
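Review bot: The replacement under "Continuum display management" is still misspelled: "Indivudally" becomes "Indiviudally". It should read "Individually", matching the sub-item directly above it.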
@@ -275,7 +307,7 @@ The development of Upgrade Readiness has been heavily influenced by input from t
For more information about Upgrade Readiness, see the following topics:
- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/)
-- [Manage Windows upgrades with Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md)
+- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
### Update Compliance
@@ -284,4 +316,4 @@ Update Compliance helps you to keep Windows 10 devices in your organization secu
Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
-For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md).
+For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor).
diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md
index c2f98f8924..c786010f49 100644
--- a/windows/whats-new/windows-10-insider-preview.md
+++ b/windows/whats-new/windows-10-insider-preview.md
@@ -1,7 +1,6 @@
---
title: Documentation for Windows 10 Insider Preview (Windows 10)
description: Preliminary documentation for some Windows 10 features in Insider Preview.
-ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library