diff --git a/devices/surface-hub/images/ICDstart-option.PNG b/devices/surface-hub/images/ICDstart-option.PNG
new file mode 100644
index 0000000000..1ba49bb261
Binary files /dev/null and b/devices/surface-hub/images/ICDstart-option.PNG differ
diff --git a/devices/surface-hub/images/choose-package.png b/devices/surface-hub/images/choose-package.png
new file mode 100644
index 0000000000..2bf7a18648
Binary files /dev/null and b/devices/surface-hub/images/choose-package.png differ
diff --git a/devices/surface-hub/images/connect-aad.png b/devices/surface-hub/images/connect-aad.png
new file mode 100644
index 0000000000..8583866165
Binary files /dev/null and b/devices/surface-hub/images/connect-aad.png differ
diff --git a/devices/surface-hub/images/express-settings.png b/devices/surface-hub/images/express-settings.png
new file mode 100644
index 0000000000..99e9c4825a
Binary files /dev/null and b/devices/surface-hub/images/express-settings.png differ
diff --git a/devices/surface-hub/images/license-terms.png b/devices/surface-hub/images/license-terms.png
new file mode 100644
index 0000000000..8dd34b0a18
Binary files /dev/null and b/devices/surface-hub/images/license-terms.png differ
diff --git a/devices/surface-hub/images/oobe.jpg b/devices/surface-hub/images/oobe.jpg
new file mode 100644
index 0000000000..53a5dab6bf
Binary files /dev/null and b/devices/surface-hub/images/oobe.jpg differ
diff --git a/devices/surface-hub/images/prov.jpg b/devices/surface-hub/images/prov.jpg
new file mode 100644
index 0000000000..1593ccb36b
Binary files /dev/null and b/devices/surface-hub/images/prov.jpg differ
diff --git a/devices/surface-hub/images/setupmsg.jpg b/devices/surface-hub/images/setupmsg.jpg
new file mode 100644
index 0000000000..12935483c5
Binary files /dev/null and b/devices/surface-hub/images/setupmsg.jpg differ
diff --git a/devices/surface-hub/images/sign-in-prov.png b/devices/surface-hub/images/sign-in-prov.png
new file mode 100644
index 0000000000..55c9276203
Binary files /dev/null and b/devices/surface-hub/images/sign-in-prov.png differ
diff --git a/devices/surface-hub/images/trust-package.png b/devices/surface-hub/images/trust-package.png
new file mode 100644
index 0000000000..8a293ea4da
Binary files /dev/null and b/devices/surface-hub/images/trust-package.png differ
diff --git a/devices/surface-hub/images/who-owns-pc.png b/devices/surface-hub/images/who-owns-pc.png
new file mode 100644
index 0000000000..d3ce1def8d
Binary files /dev/null and b/devices/surface-hub/images/who-owns-pc.png differ
diff --git a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
index 0d7c350af6..0f2f3d4d4f 100644
--- a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
+++ b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
@@ -12,7 +12,184 @@ author: TrudyHa
 
 # Create provisioning packages (Surface Hub)
 
+REWRITE FOR ICD CHANGES
 
+This topic explains how to create and apply a provisioning package to Surface Hub devices. For Surface Hub, you can use provisioning packages toadd certificates, customize policies, install Windows apps, or customize Windows Team settings. 
+
+You can apply a provisioning package on a USB during setup. 
+
+## Advantages
+-   You can configure new devices as part of the setup process. 
+
+-   No network connectivity required.
+
+-   Simple to apply.
+
+[Learn more about the benefits and uses of provisioning packages.](../whats-new/new-provisioning-packages.md)
+
+## Create the provisioning package
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. When you install the ADK, you can select just Windows Imaging and Configuration Designer (ICD).  [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
+
+1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+
+2. Click **Advanced provisioning**.
+
+  ![ICD start options](images/icdstart-option.png)  
+  
+3. Name your project and click **Next**.
+
+4. Select **Common to Windows 10 team edition**, click **Next**, and then click **Finish**.
+
+5. In the project, under **Available customizations**, select **Common Team edition settings**. 
+
+
+### Add a policy to your package
+
+1. blah
+
+2. blah
+
+
+### Add a universal app to your package
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. 
+
+2. For **UserContextApp**, specify the **PackageFamilyName** for the app. (how to find package family name)
+
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
+
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. (how will they know?)
+
+5. For **UserContextAppLicense**, enter the **LicenseProductID**. (where to get)
+
+
+### Add a certificate to your package
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. 
+
+2. Enter a **CertificateName** and then click **Add**. 
+
+2. Enter the **CertificatePassword**. 
+
+3. For **CertificatePath**, browse and select the certificate to be used. 
+
+4. Set **ExportCertificate** to **False**.
+
+5. For **KeyLocation**, select **Software only**. 
+
+
+### Add other settings to your package 
+
+For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
+
+### Build your package
+
+1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
+
+2. Read the warning that project files may contain sensitive information, and click **OK**.
+> **Important**  When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+3. On the **Export** menu, click **Provisioning package**.
+
+1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+
+10. Set a value for **Package Version**.
+
+    **Tip**  
+    You can make changes to existing packages and change the version number to update previously applied packages.
+
+11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
+
+    -   **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+    -   **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
+
+        **Important**  
+        We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. 
+
+12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
+Optionally, you can click **Browse** to change the default output location.
+
+13. Click **Next**.
+
+14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.<p>
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.<p>
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+    -   If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+    
+    -   If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
+
+    -   Shared network folder
+
+    -   SharePoint site
+
+    -   Removable media (USB/SD)
+
+    -   Email
+
+    -   USB tether (mobile only)
+
+    -   NFC (mobile only)
+
+
+
+## Apply package
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+    ![The first screen to set up a new PC](images/oobe.jpg)
+
+2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+    ![Set up device?](images/setupmsg.jpg)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+    ![Provision this device](images/prov.jpg)
+    
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+    ![Choose a package](images/choose-package.png)
+
+5. Select **Yes, add it**.
+
+    ![Do you trust this package?](images/trust-package.png)
+    
+6. Read and accept the Microsoft Software License Terms.  
+
+    ![Sign in](images/license-terms.png)
+    
+7. Select **Use Express settings**.
+
+    ![Get going fast](images/express-settings.png)
+
+8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
+
+    ![Who owns this PC?](images/who-owns-pc.png)
+
+9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
+
+    ![Connect to Azure AD](images/connect-aad.png)
+
+10. Sign in with  your domain, Azure AD,  or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
+
+    ![Sign in](images/sign-in-prov.png)
+
+## Learn more
+-   [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651)
+
+-   Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+-   Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+
+OLD CONTENT
 For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning.
 
 In this topic, you'll find the following information: