Merge remote-tracking branch 'refs/remotes/origin/master' into atp-feedback

devices/surface-hub/TOC.md

@@ -1,8 +1,8 @@
 # [Microsoft Surface Hub](index.md)
 ## [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
 ### [Intro to Microsoft Surface Hub](intro-to-surface-hub.md)
-### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
 ### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
+#### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
 #### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
 ##### [Online deployment](online-deployment-surface-hub-device-accounts.md)
 ##### [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md)
@@ -17,20 +17,22 @@
 #### [Setup worksheet](setup-worksheet-surface-hub.md)
 #### [First-run program](first-run-program-surface-hub.md)
 ### [Manage Microsoft Surface Hub](manage-surface-hub.md)
-#### [Accessibility](accessibility-surface-hub.md)
-#### [Change the Surface Hub device account](change-surface-hub-device-account.md)
-#### [Device reset](device-reset-surface-hub.md)
-#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md)
+#### [Remote Surface Hub management](remote-surface-hub-management.md)
+##### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
+##### [Monitor your Surface Hub](monitor-surface-hub.md)
+##### [Windows updates](manage-windows-updates-for-surface-hub.md)
+#### [Manage Surface Hub settings](manage-surface-hub-settings.md)
+##### [Local management for Surface Hub settings](local-management-surface-hub-settings.md)
+##### [Accessibility](accessibility-surface-hub.md)
+##### [Change the Surface Hub device account](change-surface-hub-device-account.md)
+##### [Device reset](device-reset-surface-hub.md)
+##### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
+##### [Wireless network management](wireless-network-management-for-surface-hub.md)
 #### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
-#### [Manage settings with a local admin account](manage-settings-with-local-admin-account-surface-hub.md)
-#### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
-#### [Monitor your Surface Hub](monitor-surface-hub.md)
+#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md)
 #### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
 #### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
-#### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
 #### [Using a room control system](use-room-control-system-with-surface-hub.md)
-#### [Windows updates](manage-windows-updates-for-surface-hub.md)
-#### [Wireless network management](wireless-network-management-for-surface-hub.md)
 ### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
 ### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
-
+### [Change history for Surface Hub](change-history-surface-hub.md)

devices/surface-hub/accessibility-surface-hub.md

@@ -13,66 +13,44 @@ localizationpriority: medium
 
 # Accessibility (Surface Hub)
 
+Microsoft Surface Hub has the same accessibility options as Windows 10.
 
-Accessibility settings for the Microsoft Surface Hub can be changed by using the Settings app. You'll find them under **Ease of Access**. Your Surface Hub has the same accessibility options as Windows 10.
 
-The default accessibility settings for Surface Hub include:
+## Default accessibility settings
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Accessibility feature</th>
-<th align="left">Default setting</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p><strong>Narrator</strong></p></td>
-<td align="left"><p>Off</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><strong>Magnifier</strong></p></td>
-<td align="left"><p>Off</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><strong>High contrast</strong></p></td>
-<td align="left"><p>No theme selected</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><strong>Closed captions</strong></p></td>
-<td align="left"><p>Defaults selected for <strong>Font</strong> and <strong>Background and window</strong>.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><strong>Keyboard</strong></p></td>
-<td align="left"><p>On-screen <strong>Keyboard</strong>, <strong>Sticky Keys</strong>, <strong>Toggle Keys</strong>, and <strong>Filter Keys</strong> are all off.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><strong>Mouse</strong></p></td>
-<td align="left"><p>Defaults selected for <strong>Pointer size</strong>, <strong>Pointer color</strong> and <strong>Mouse keys</strong>.</p></td>
-</tr>
-</tbody>
-</table>
+The full list of accessibility settings are available to IT admins in the **Settings** app. The default accessibility settings for Surface Hub include:
 
- 
+| Accessibility feature | Default settings  |
+| --------------------- | ----------------- |
+| Narrator              | Off               |
+| Magnifier             | Off               |
+| High contrast         | No theme selected |
+| Closed captions       | Defaults selected for Font and Background and window |
+| Keyboard              | **On-screen Keyboard**, **Sticky Keys**, **Toggle Keys**, and **Filter Keys** are all off. |
+| Mouse                 | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. |
+| Other options         | Defaults selected for **Visual options** and **Touch feedback**. |
+
+Additionally, these accessibility features and apps are returned to default settings when users press [**I'm Done**](i-am-done-finishing-your-surface-hub-meeting.md):
+- Narrator
+- Magnifier
+- High contrast
+- Filter keys
+- Sticky keys
+- Toggle keys
+- Mouse keys
+
+
+## Change accessibility settings during a meeting
+
+During a meeting, users can toggle accessibility features and apps in a couple ways:
+- [Keyboard shortcuts](https://support.microsoft.com/en-us/help/13813/windows-10-microsoft-surface-hub-keyboard-shortcuts)
+- **Quick Actions** > **Ease of Access** from the status bar
+
+> ![Image showing Quick Action center on Surface Hub](images/sh-quick-action.png)
 
-You'll find additional settings under **Ease of Access** &gt; **Other options**.
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
-
- 
-
- 
-
-
-
-
-

devices/surface-hub/admin-group-management-for-surface-hub.md

@@ -32,7 +32,6 @@ To create a local admin, [choose to use a local admin during first run](first-ru
 
 Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory (AD) or Azure Active Directory (Azure AD). If you decide to change the local admin’s password, you can do so in Settings. However, if you want to change from using the local admin account to using a group from your domain or Azure AD tenant, then you’ll need to [reset the device](device-reset-surface-hub.md) and go through the first-time program again.
 
-
 ### Domain join the device to Active Directory (AD)
 
 You can domain join the Surface Hub to your AD domain to allow users from a specified security group to configure settings. During first run, choose to use [Active Directory Domain Services](first-run-program-surface-hub.md#a-href-iduse-active-directoryause-active-directory-domain-services). You'll need to provide credentials that are capable of joining the domain of your choice, and the name of an existing security group. Anyone who is a member of that security group can enter their credentials and unlock Settings.
@@ -67,16 +66,10 @@ Surface Hubs use Azure AD join to:
 > [!IMPORTANT]
 > Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
 
-
 ### Which should I choose?
 
 If your organization is using AD or Azure AD, we recommend you either domain join or Azure AD join, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with your domain.
 
-
-### Summary
-
-
-
 | Option                                            | Requirements                            | Which credentials can be used to access the Settings app?  |
 |---------------------------------------------------|-----------------------------------------|-------|
 | Create a local admin account                      | None                                    | The user name and password specified during first run |
@@ -84,3 +77,4 @@ If your organization is using AD or Azure AD, we recommend you either domain joi
 | Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic   | Global administators only |
 |                                              | Your organization uses Azure AD Premium or Enterprise Mobility Suite (EMS) | Global administrators and additional administrators |
 
+

devices/surface-hub/change-history-surface-hub.md

@@ -0,0 +1,34 @@
+---
+title: Change history for Surface Hub
+description: This topic lists new and updated topics for Surface Hub.
+keywords: change history
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Change history for Surface Hub
+
+This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+
+## RELEASE: Windows Anniversary Update for Surface Hub (Windows 10, version 1607)
+The topics in this library have been updated for Windows 10, version 1607 (also known as Windows Anniversary Update for Surface Hub). These topics had significant updates for this release:
+- [Windows Updates (Surface Hub)](manage-windows-updates-for-surface-hub.md)
+- [Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md)
+- [Monitor your Microsoft Surface Hub](monitor-surface-hub.md)
+- [Create provisioning packages (Surface Hub)](provisioning-packages-for-certificates-surface-hub.md)
+- [Install apps on your Microsoft Surface Hub](install-apps-on-surface-hub.md)
+- [Device reset (Surface Hub)](device-reset-surface-hub.md)
+
+## October 2016
+| New or changed topic | Description |
+| --- | --- |
+| [Admin group management (Surface Hub)](admin-group-management-for-surface-hub.md) |Add note about automatic enrollment, and update table. |
+| [Password management (Surface Hub)](password-management-for-surface-hub-device-accounts.md) | Updates to content. |
+| [Create and test a device account (Surface Hub)](create-and-test-a-device-account-surface-hub.md) | Reorganize and streamline guidance on creating a device account.  |
+| [Introduction to Surface Hub](intro-to-surface-hub.md) | Move Surface Hub dependencies table to [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md). |
+| [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) | Add dependency table and reorganize topic. | 
+| [Local management for Surface Hub settings](local-management-surface-hub-settings.md) | New topic. |

devices/surface-hub/device-reset-surface-hub.md

@@ -30,6 +30,14 @@ Initiating a reset will return the device to the last cumulative Windows update,
 -   Local admins on the device
 -   Configurations from MDM or the Settings app
 
+> [!IMPORTANT]
+> Performing a device reset may take up to 2 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
+
+After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again. 
+
+
+## Reset a Surface Hub from Settings
+
 **To reset a Surface Hub**
 1.	On your Surface Hub, open **Settings**. 
 
@@ -43,14 +51,20 @@ Initiating a reset will return the device to the last cumulative Windows update,
 
     ![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png) 
 
-**Important Note**</br>
-Performing a device reset may take up to 6 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
+## Reset a Surface Hub from Windows Recovery Environment
+ 
+On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset the device from [Windows Recovery Environment](https://technet.microsoft.com/library/cc765966.aspx) (Windows RE). 
+
+**To reset a Surface Hub from Windows Recovery Environment**
+
+1.  From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch. 
+2. The device should automatically boot into Windows RE. Select **Advanced Repair**.
+3. Select **Reset**.
+4. If prompted, enter your device's BitLocker key. 
 
-After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again. 
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface-hub/install-apps-on-surface-hub.md

@@ -13,22 +13,158 @@ localizationpriority: medium
 
 # Install apps on your Microsoft Surface Hub
 
+You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario.
 
-Admins can install apps can from either the Windows Store or the Windows Store for Business.
-
-## Using the Windows Store
+A few things to know about apps on Surface Hub:
+- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp).
+- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631).
+- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.
+- When submitting an app to the Windows Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub.
+- You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Windows Store to download and install apps.
 
 
-Admins can install apps on the device using the Windows Store app available in **Settings** > **System** > **Microsoft Surface Hub**. They can start the store app, sign in using their Microsoft account credentials, browse, purchase, and install the apps as with any other Windows device.
+## Develop and test apps
+While you're developing your own app, there are a few options for testing apps on Surface Hub.
 
-## Using the Store for Business
+### Developer Mode
+By default, Surface Hub only runs UWP apps that have been published to and signed by the Windows Store. Apps submitted to the Windows Store go through security and compliance tests as part of the [app certification process](https://msdn.microsoft.com/en-us/windows/uwp/publish/the-app-certification-process), so this helps safeguard your Surface Hub against malicious apps.
+ 
+By enabling developer mode, you can also install developer-signed UWP apps.
+ 
+> [!IMPORTANT]
+> After developer mode has been enabled, you will need to reset the Surface Hub to disable it. Resetting the device removes all local user files and configurations and then reinstalls Windows.
+
+**To turn on developer mode** 
+1.	From your Surface Hub, start **Settings**.
+2.	Type the device admin credentials when prompted.
+3.	Navigate to **Update & security** > **For developers**.
+4.	Select **Developer mode** and accept the warning prompt.
+
+### Visual Studio
+During development, the easiest way to test your app on a Surface Hub is using Visual Studio. Visual Studio's remote debugging feature helps you discover issues in your app before deploying it broadly. For more information, see [Test Surface Hub apps using Visual Studio](https://msdn.microsoft.com/windows/uwp/debug-test-perf/test-surface-hub-apps-using-visual-studio).
+
+### Provisioning package
+Use Visual Studio to [create an app package](https://msdn.microsoft.com/library/windows/apps/hh454036.aspx) for your UWP app, signed using a test certificate. Then use Windows Imaging and Configuration Designer (ICD) to create a provisioning package containing the app package. For more information, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
 
 
-For apps purchased through the Store for Business, download the Appxbundle, offline license, and the dependencies for the App from the store to a separate PC. Create a provisioning package and copy it to a USB drive. (See [Create a provisioning package](provisioning-packages-for-certificates-surface-hub.md).) Move the USB drive to the Surface Hub, and install the app on the device using the Settings app.
+## Submit apps to the Windows Store
+Once an app is ready for release, developers need to submit and publish it to the Windows Store. For more information, see [Publish Windows apps](https://developer.microsoft.com/store/publish-apps).
+
+During app submission, developers need to set **Device family availability** and **Organizational licensing** options to make sure the app will be available to run on Surface Hub.
+
+**To set device family availability**  
+1. On the [Windows Dev Center](https://developer.microsoft.com), navigate to your app submission page.
+2. Select **Packages**.
+3. Under Device family availability, select these options:
+    - **Windows 10 Desktop** (other device families are optional)
+    - **Let Microsoft decide whether to make the app available to any future device families**
+  
+![Image showing Device family availability page - part of Windows Store app submission process.](images/sh-device-family-availability.png)  
+    
+For more information, see [Device family availability](https://msdn.microsoft.com/windows/uwp/publish/upload-app-packages#device-family-availability).
+
+**To set organizational licensing**
+1. On the [Windows Dev Center](https://developer.microsoft.com), navigate to your app submission page.
+2. Select **Pricing and availability**.
+3. Under Organizational licensing, select **Allow disconnected (offline) licensing for organizations**.
+
+![Image showing Organizational licensing page - part of Windows Store app submission process.](images/sh-org-licensing.png)
+
+> [!NOTE]
+> **Make my app available to organizations with Store-managed (online) licensing and distribution** is selected by default.
+
+> [!NOTE]
+> Developers can also publish line-of-business apps directly to enterprises without making them broadly available in the Store. For more information, see [Distribute LOB apps to enterprises](https://msdn.microsoft.com/windows/uwp/publish/distribute-lob-apps-to-enterprises).
+
+For more information, see [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing).
+
+
+## Deploy released apps
+
+There are several options for installing apps that have been released to the Windows Store, depending on whether you want to evaluate them on a few devices, or deploy them broadly to your organization.
+
+To install released apps:
+- Download the app using the Windows Store app, or
+- Download the app package from the Windows Store for Business, and distribute it using a provisioning package or a supported MDM provider.
+
+### Windows Store app
+To evaluate apps released on the Windows Store, use the Windows Store app on the Surface Hub to browse and download apps.
+
+> [!NOTE]
+> Using the Windows Store app is not the recommended method of deploying apps at scale to your organization:
+> - To download apps, you must sign in to the Windows Store app with a Microsoft account or organizational account. However, you can only connect an account to a maximum of 10 devices at once. If you have more than 10 Surface Hubs, you will need to create multiple accounts or remove devices from your account between app installations.
+> - To install apps, you will need to manually sign in to the Windows Store app on each Surface Hub you own.
+
+**To browse the Windows Store on Surface Hub** 
+1.	From your Surface Hub, start **Settings**.
+2.	Type the device admin credentials when prompted.
+3.	Navigate to **This device** > **Apps & features**.
+4.	Select **Open Store**.
+
+### Download app packages from Windows Store for Business
+To download the app package you need to install apps on your Surface Hub, visit the [Windows Store for Business](https://www.microsoft.com/business-store). The Store for Business is where you can find, acquire, and manage apps for the Windows 10 devices in your organization, including Surface Hub.
+ 
+> [!NOTE]
+> Currently, Surface Hub only supports offline-licensed apps available through the Store for Business. App developers set offline-license availability when they submit apps.
+
+Find and acquire the app you want, then download:
+- The offline-licensed app package (either an .appx or an .appxbundle)
+- The *unencoded* license file (if you're using provisioning packages to install the app)
+- The *encoded* license file (if you're using MDM to distribute the app)
+- Any necessary dependency files
+
+For more information, see [Download an offline-licensed app](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app).
+
+### Provisioning package
+You can manually install the offline-licensed apps that you downloaded from the Store for Business on a few Surface Hubs using provisioning packages. Use Windows Imaging and Configuration Designer (ICD) to create a provisioning package containing the app package and *unencoded* license file that you downloaded from the Store for Business. For more information, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
+
+### Supported MDM provider
+To deploy apps to a large number of Surface Hubs in your organization, use a supported MDM provider. The table below shows which MDM providers support deploying offline-licensed app packages.
+
+| MDM provider                | Supports offline-licensed app packages |
+|-----------------------------|----------------------------------------|
+| On-premises MDM with System Center Configuration Manager (beginning in version 1602) | Yes |
+| Hybrid MDM with System Center Configuration Manager and Microsoft Intune | Yes |
+| Microsoft Intune standalone | No |
+| Third-party MDM provider    | Check to make sure your MDM provider supports deploying offline-licensed app packages. |
+
+**To deploy apps remotely using System Center Configuration Manager (either on-prem MDM or hybrid MDM)**
+
+> [!NOTE]
+> These instructions are based on the current branch of System Center Configuration Manager.
+
+1. Enroll your Surface Hubs to System Center Configuration Manager. For more information, see [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm).
+2. Download the offline-licensed app package, the *encoded* license file, and any necessary dependency files from the Store for Business. For more information, see [Download an offline-licensed app](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app). Place the downloaded files in the same folder on a network share.
+3. In the **Software Library** workspace of the Configuration Manager console, click **Overview** > **Application Management** > **Applications**.
+4. On the **Home** tab, in the **Create** group, click **Create Application**.
+5. On the **General** page of the **Create Application Wizard**, select the **Automatically detect information about this application from installation files** check box.
+6. In the **Type** drop-down list, select **Windows app package (\*.appx, \*.appxbundle)**.
+7. In the **Location** field, specify the UNC path in the form \\server\share\\filename for the offline-licensed app package that you downloaded from the Store for Business. Alternatively, click **Browse** to browse to the app package.
+8. On the **Import Information** page, review the information that was imported, and then click **Next**. If necessary, you can click **Previous** to go back and correct any errors.
+9. On the **General Information** page, complete additional details about the app. Some of this information might already be populated if it was automatically obtained from the app package.
+10. Click **Next**, review the application information on the Summary page, and then complete the Create Application Wizard. 
+11. Create a deployment type for the application. For more information, see [Create deployment types for the application](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/create-applications#create-deployment-types-for-the-application).
+12. Deploy the application to your Surface Hubs. For more information, see [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/deploy-applications).
+13. As needed, update the app by downloading a new package from the Store for Business, and publishing an application revision in Configuration Manager. For more information, see [Update and retire applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt595704.aspx). 
+
+> [!NOTE] 
+> If you are using System Center Configuration Manager (current branch), you can bypass the above steps by connecting the Store for Business to System Center Configuration Manager. By doing so, you can synchronize the list of apps you've purchased with System Center Configuration Manager, view these in the Configuration Manager console, and deploy them like you would any other app. For more information, see [Manage apps from the Windows Store for Business with System Center Configuration Manager](https://technet.microsoft.com/library/mt740630.aspx).
+
+
+## Summary
+
+There are a few different ways to install apps on your Surface Hub depending on whether you are developing apps, evaluating apps on a small number of devices, or deploying apps broadly to your oganization. This table summarizes the supported methods:
+
+| Install method             | Developing apps | Evaluating apps on <br> a few devices | Deploying apps broadly <br> to your organization |
+| -------------------------- | --------------- | ------------------------------------- | ---------------------- |
+| Visual Studio              | X |   |   |
+| Provisioning package       | X | X |   |
+| Windows Store app          |   | X |   |
+| Supported MDM provider     |   |   | X |
+
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface-hub/local-management-surface-hub-settings.md

@@ -0,0 +1,51 @@
+---
+title: Local management Surface Hub settings
+description: How to manage Surface Hub settings with Settings.
+keywords: manage Surface Hub, Surface Hub settings
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Local management for Surface Hub settings
+
+After initial setup of Microsoft Surface Hub, the device’s settings can be locally managed through **Settings**.
+
+## Surface Hub settings
+
+Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only cofigurable on Surface Hubs. 
+
+| Setting | Location | Description |
+| ------- | -------- | ----------- |
+| Device account | This device > Accounts | Set or change the Surface Hub's device account. |
+| Device account sync status | This device > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. |
+| Password rotation | This device > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. |
+| Change admin account password  | This device > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. |
+| Configure Operations Management Suite (OMS) | This device > Device management | Set up monitoring for your Surface Hub using OMS. |
+| Open the Windows Store app | This device > Apps & features | The Windows Store app is only available to admins through the Settings app. |
+| Skype for Business domain name | This device > Calling | Configure a domain name for your Skype for Business server. |
+| Default microphone and speaker settings | This device > Calling | Configure a default microphone and speaker for calls, and a default speaker for media playback. |
+| Turn off wireless projection using Miracast | This device > Wireless projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. |
+| Require a PIN for wireless projection | This device > Wireless projection | Choose whether people are required to enter a PIN before they use wireless projection. |
+| Wireless projection (Miracast) channel | This device > Wireless projection | Set the channel for Miracast projection. |
+| Meeting info shown on the welcome screen | This device > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. |
+| Welcome screen background |  This device > Welcome screen | Choose a background image for the welcome screen. |
+| Turn on screen with motion sensors | This device > Session & clean up | Choose whether the screen turns on when motion is detected. |
+| Session time out | This device > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. |
+| Sleep time out | This device > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. |
+| Friendly name | This device > About | Set the Surface Hub name that people will see when connecting wirelessly. |
+| Maintenance hours | Update & security > Windows Update > Advanced options | Configure when updates can be installed. |
+| Configure Windows Server Update Services (WSUS) server | Update & security > Windows Update > Advanced options | Change whether Surface Hub receives updates from a WSUS server instead of Windows Update. |
+| Save BitLocker key | Update & security > Recovery | Backup your Surface Hub's BitLocker key to a USB drive. |
+| Collect logs | Update & security > Recovery | Save logs to a USB drive to send to Microsoft later. | 
+
+## Related topics
+
+[Manage Surface Hub settings](manage-surface-hub-settings.md)
+
+[Remote Surface Hub management](remote-surface-hub-management.md)
+
+[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md

@@ -2,6 +2,7 @@
 title: Manage settings with a local admin account (Surface Hub)
 description: A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.
 ms.assetid: B4B3668B-985D-427E-8495-E30ABEECA679
+redirect_url: https://technet.microsoft.com/itpro/surface-hub/admin-group-management-for-surface-hub
 keywords: local admin account, Surface Hub, change local admin options
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -10,113 +11,3 @@ ms.pagetype: surfacehub
 author: TrudyHa
 localizationpriority: medium
 ---
-
-# Manage settings with a local admin account (Surface Hub)
-
-
-A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.
-
-Every device can be configured individually by opening the Settings app on the device you want to configure. However, to prevent people who are not administrators from changing the devices’ settings, the Settings app requires local administrator credentials to open the app and change settings.
-
-You can set up a local administrator in one of three ways (see [Setting up admins for this device](first-run-program-surface-hub.md#setup-admins)):
-
-1.  Create a local admin
-2.  Domain join the device (AD)
-3.  Azure Active Directory (Azure AD) join the device.
-
-### Which method should I choose?
-
-If your organization is using Active Directory or Azure AD, we recommend you either domain join or join Azure AD, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with your domain or organization.
-
-Preferably, a local admin is set up only if you do not have Active Directory or Azure AD, or if you cannot connect to your Active Directory or Azure AD during first run.
-
-### Summary table
-
-<table>
-<tr>
-<th>How is the local admin set up?</th>
-<th>Requirements</th>
-<th>Which credentials will open Settings?</th>
-</tr>
-<tr>
-<td>A local admin was created<p></p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>The credentials of the local admin account.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>The device is joined to a domain (AD)</p>
-</td>
-<td>
-<p>Your organization is using Active Directory</p>
-</td>
-<td>
-<p>Credentials of any Active Directory account from the security group that was specified furing first run.</p>
-</td>
-</tr>
-<tr>
-<td rowspan="2">
-<p>The device is joined to Azure AD</p>
-</td>
-<td>
-<p>Your organization is using Azure AD Basic</p>
-</td>
-<td>
-<p>Tenant or device admins</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Your organization is using Azure AD Premium</p>
-</td>
-<td>
-<p>Tenant or device admins, plus additional specified employees</p>
-</td>
-</tr>
-</table>
-
-### Create a local admin
-
-To create a local admin, choose to use a local admin during first run. This will create a single local admin account on the Surface Hub with the username and password of your choice. These same credentials will unlock the Settings app (see [Setting up admins for this device](first-run-program-surface-hub.md#setup-admins)). Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory or Azure Active Directory. If you decide to change the local admin’s password, you can do so in Settings. However, if you want to change from a local admin you created to a group from your domain or Azure AD organization, then you’ll need to reset the device and go through first-time setup again.
-
-### Domain join the device
-
-After you domain join the device, you can set up a security group from your domain as local administrators on the Surface Hub. You will need to provide credentials that are capable of joining the domain of your choice. After you domain join successfully, you will be asked to pick an existing security group to be set as the local admins. When the Setting app is opened, any user who is a member of that security group can enter their credentials and unlock Settings.
-
->**Note**  Surface Hubs domain join for the sole purpose of using a security group as local admins. Group policies are not applied after the device is domain joined.
-
- 
-
-### Azure AD join the device
-
-You can set up people from your Azure Active Directory (Azure AD) organization as local administrators on the Surface Hub after you Azure AD join the device. The people that are provisioned as local admins on your device depend on what Azure AD subscription you have. You will need to provide credentials that are capable of joining the Azure AD organization of your choice. After you join Azure AD successfully, the appropriate people will be set as local admins on the device. When the Setting app is opened, any user who was set up as a local admin as a result of joining Azure AD can enter their credentials and unlock Settings. We recommend that you use the device account to join Azure AD.
-
-Otherwise, if you don’t want to use the device account to join Azure AD, you can use either of the following accounts:
-
--   The org account of an admin who will manage the device, or
--   A separate account that is part of your organization and used only for joining Surface Hubs.
-
->**Note**  If your Azure AD organization is also configured with MDM enrollment, Surface Hubs will also be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be widely managed using an MDM solution, which opts these devices into remote management. You may want to choose an account to join Azure AD that benefits how you manage devices—you find more info about this in the [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm) section.
-
- 
-
-## Related topics
-
-
-[Manage Microsoft Surface Hub](manage-surface-hub.md)
-
-[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
-
- 
-
- 
-
-
-
-
-

devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md

@@ -13,116 +13,129 @@ localizationpriority: medium
 
 # Manage settings with an MDM provider (Surface Hub)
 
+Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see [Windows 10 mobile device management](https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx).
 
-Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.
+Surface Hub has been validated with Microsoft’s first-party MDM providers:
+- On-premises MDM with System Center Configuration Manager (beginning in version 1602)
+- Hybrid MDM with System Center Configuration Manager and Microsoft Intune
+- Microsoft Intune standalone
 
-The Surface Hub operating system has a built-in management component that's used to communicate with the device management server. There are two parts to the Surface Hub management component: the enrollment client, which enrolls and configures the device to communicate with the enterprise management server; and the management client, which periodically synchronizes with the management server to check for and apply updates. Third-party MDM servers can manage Surface Hub devices by using the Mobile Device Management protocol.
+You can also manage Surface Hubs using any third-party MDM provider that can communicate with Windows 10 using the MDM protocol.
 
-### Supported services
+## <a href="" id="enroll-into-mdm"></a>Enroll a Surface Hub into MDM
+You can enroll your Surface Hubs using automatic, bulk, or manual enrollment.
 
-Surface Hub management has been validated for the following MDM providers:
+> [!NOTE]
+> You can join your Surface Hub to Azure Active Directory (Azure AD) to manage admin groups on the device. However, Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
 
--   Microsoft Intune
--   System Center Configuration Manager
+**To disable automatic enrollment for Microsoft Intune**
+1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory. 
+2. Click the **Applications** tab, then click **Microsoft Intune**.
+3. Under **Manage devices for these users**, click **Groups**. 
+4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune. Do not include accounts that are used to enroll Surface Hubs into Intune. 5. Click the checkmark button, then click **Save**.
 
-### <a href="" id="enroll-into-mdm"></a>Enroll a Surface Hub into MDM
+### Bulk enrollment
+**To configure bulk enrollment**
+- Surface Hub supports the [Provisioning CSP](https://msdn.microsoft.com/library/windows/hardware/mt203665.aspx) for bulk enrollment into MDM. For more information, see [Windows 10 bulk enrollment](https://msdn.microsoft.com/library/windows/hardware/mt613115.aspx).<br>
+--OR--
+- If you have an on-premises System Center Configuration Manager infrastructure, see [How to bulk enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx).
 
-If you joined your Surface Hub to an Azure Active Directory (Azure AD) subscription, the device can automatically enroll into MDM and will be ready for remote management.
+### Manual enrollment
+You can manually enroll with an MDM using the **Settings** app on your Surface Hub. 
 
-Alternatively, the device can be enrolled like any other Windows device by going to **Settings** &gt; **Accounts** &gt; **Work access**.
+**To configure manual enrollment**
+1. From your Surface Hub, open **Settings**.
+2. Type the device admin credentials when prompted.
+3. Select **This device**, and navigate to **Device management**.
+4. Under **Device management**, select **+ Device management**.
+5. Follow the instructions in the dialog to connect to your MDM provider.
 
-![Image showing enroll in device maagement page.](images/managesettingsmdm-enroll.png)
+## Manage Surface Hub settings with MDM
 
-### Manage a device through MDM
+You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings)<!---, and some [Windows 10 settings](#supported-windows-10-settings)-->. Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML.
 
-The following table lists the device settings that can be managed remotely using MDM, including the OMA URI paths that 3rd party MDM providers need to create policies. Intune and System Center Configuration Manager have special templates to help create policies to manage these settings.
+### Supported Surface Hub CSP settings
 
-<table>
-<colgroup>
-<col width="25%" />
-<col width="25%" />
-<col width="25%" />
-<col width="25%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left"></th>
-<th align="left">Setting</th>
-<th align="left">OMA URI</th>
-<th align="left">Type</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>1</p></td>
-<td align="left"><p>Auto Awake when someone is in the room</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/AutoWakeScreen</p></td>
-<td align="left"><p>Boolean</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>2</p></td>
-<td align="left"><p>Require that people must enter a PIN when pairing to the Surface Hub</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/PINRequired</p></td>
-<td align="left"><p>Boolean</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>3</p></td>
-<td align="left"><p>Set the maintenance window duration. This time is in minutes. As an example, to set a 3 hour duration, you set the value to 180.</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/Duration</p></td>
-<td align="left"><p>Int</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>4</p></td>
-<td align="left"><p>Set the maintenance window start time. This time is in minutes past midnight. To set a 2:00 am start time, set a value of 120, meaning 120 minutes past midnight.</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/StartTime</p></td>
-<td align="left"><p>Int</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>5</p></td>
-<td align="left"><p>The Microsoft Operations Management Suite (OMS) Workspace ID that this device will connect to.</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceID</p></td>
-<td align="left"><p>String</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>6</p></td>
-<td align="left"><p>The key that must be used when connecting to the specified OMS workspace.</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/MOMAgent/WorkspaceKey</p></td>
-<td align="left"><p>String</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>7</p></td>
-<td align="left"><p>Choose the meeting information displayed on the welcome screen.</p>
-<p>Value : 0 - Show organizer and time only</p>
-<p>Value : 1 - Show organizer, time, and subject (subject is hidden for private meetings)</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/MeetingInfoOption</p></td>
-<td align="left"><p>Int</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>8</p></td>
-<td align="left"><p>Enable/Disable all Wireless Projection to the Surface Hub</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled</p></td>
-<td align="left"><p>Boolean</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>9</p></td>
-<td align="left"><p>Select a specific wireless channel on which Miracast Receive will operate</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Channel</p></td>
-<td align="left"><p>Int</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>10</p></td>
-<td align="left"><p>Change the background image for the welcome screen using a PNG image URL.</p></td>
-<td align="left"><p>./Vendor/MSFT/SurfaceHub/InBoxApps/Welcome/CurrentBackgroundPath (Note: must be accessed using https.)</p></td>
-<td align="left"><p>String</p></td>
-</tr>
-</tbody>
-</table>
+You can configure the Surface Hub settings in the following table using MDM. The table also tells if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
 
- 
+For more information, see [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). 
+
+| Setting              | Node in the SurfaceHub CSP         | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
+| -------------------- | ---------------------------------- | ------------------------- | ---------------------------------------- | ------------------------- |
+| Maintenance hours | MaintenanceHoursSimple/Hours/StartTime <br> MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes |
+| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
+| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
+| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.<br> Use a custom setting. | Yes |
+| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.<br> Use a custom setting. | Yes |
+| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID <br> MOMAgent/WorkspaceKey | Yes | Yes.<br> Use a custom setting. | Yes |
+| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.<br> Use a custom setting. | Yes |
+| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.<br> Use a custom setting. | Yes |
+| Friendly name for wireless projection | Properties/FriendlyName | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
+| Device account, including password rotation | DeviceAccount/*`<name_of_policy>`* <br> See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
+
+
+
+## Example: Manage Surface Hub settings with Micosoft Intune
+
+You can use Microsoft Intune to manage Surface Hub settings. 
+
+**To create a configuration policy from a template**
+
+You'll use the **Windows 10 Team general configuration policy** as the template.
+
+1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account.
+2. On the left-hand navigation menu, click **Policy**.
+3. In the Overview page, click **Add Policy**.
+4. On **Select a template for the new policy**, expand **Windows**, select **General Configuration (Windows 10 Team and later)**, and then click **Create Policy**.
+5. Configure your policy, then click **Save Policy**
+6. When prompted, click **Yes** to deploy your new policy to a user or device group. For more information, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune).
+
+**To create a custom configuration policy**
+
+You’ll need to create a custom policy to manage settings that are not available in the template. 
+
+1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account.
+2. On the left-hand navigation menu, click **Policy**.
+3. In the Overview page, click **Add Policy**.
+4. On **Select a template for the new policy**, expand **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+5. Type a name and optional description for the policy.
+6. Under OMA-URI Settings, click **Add**.
+7. Complete the form to create a new setting, and then click **OK**.
+8. Repeat Steps 6 and 7 for each setting you want to configure with this policy.
+9. Once you're done, click **Save Policy** and deploy it to a user or device group.
+
+## Example: Manage Surface Hub settings with System Center Configuration Manager
+System Center Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use System Center Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.
+
+> [!NOTE]
+> These instructions are based on the current branch of System Center Configuration Manager.
+
+**To create a configuration item for Surface Hub settings**
+
+1. On the **Assets and Compliance** workspace of the Configuration Manager console, click **Overview** > **Compliance Settings** > **Configuration Items**.
+2. On the **Home** tab, in the **Create** group, click **Create Configuration Item**.
+3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item.
+4. Under **Specify the type of configuration item that you want to create**, select **Windows 8.1 and Windows 10**.
+5. Click **Categories** if you create and assign categories to help you search and filter configuration items in the Configuration Manager console.
+6. On the **Supported Platforms** page, select **Windows 10** > **All Windows 10 Team and higher**. Unselect the other Windows platforms. 
+7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**.
+8. On the **Windows 10 Team** page, configure the settings you require.
+9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**.
+10. On the **Additional Settings** page, click **Add**.
+11. On the **Browse Settings** dialog, click **Create Setting**.
+12. On the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting.
+13. Under **Setting type**, select **OMA URI**.
+14. Complete the form to create a new setting, and then click **OK**.
+15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**.
+16. On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**.
+17. Repeat Steps 10 to 16 for each custom setting you want to add to the configuration item.
+18. Once you're done, on the **Browse Settings** dialog, click **Close**.
+19. Complete the wizard. <br> You can view the new configuration item in the **Configuration Items** node of the **Assets and Compliance** workspace.
+
+For more information, see [Create configuration items for Windows 8.1 and Windows 10 devices managed without the System Center Configuration Manager client](https://docs.microsoft.com/sccm/compliance/deploy-use/create-configuration-items-for-windows-8.1-and-windows-10-devices-managed-without-the-client).
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface-hub/manage-surface-hub-settings.md

@@ -0,0 +1,24 @@
+---
+title: Manage Surface Hub settings
+description: This section lists topics for managing Surface Hub settings.
+keywords: Surface Hub accessibility settings, device account, device reset, windows updates, wireless network management
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Manage Surface Hub settings
+
+## In this section
+
+|Topic | Description|
+| ------ | --------------- |
+| [Local management for Surface Hub settings](local-management-surface-hub-settings.md) | Learn about Surface Hub settings.  |
+| [Accessibility](accessibility-surface-hub.md) | Accessibility settings for the Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10.|
+| [Change the Surface Hub device account](change-surface-hub-device-account.md) | You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned.|
+| [Device reset](device-reset-surface-hub.md) | You may need to reset your Surface Hub.|
+| [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md) | Options to configure domain name with Surface Hub.  |
+| [Wireless network management](wireless-network-management-for-surface-hub.md) | Surface Hub offers two options for network connectivity to your corporate network and Internet: wireless, and wired. While both provide network access, we recommend you use a wired connection. |

devices/surface-hub/manage-surface-hub.md

@@ -13,212 +13,25 @@ localizationpriority: medium
 
 # Manage Microsoft Surface Hub
 
+After initial setup of Microsoft Surface Hub, the device’s settings and configuration can be modified or changed in a couple ways:
 
-How to manage your Surface Hub after finishing the first-run program.
+- **Local management** - Every Surface Hub can be configured locally using the **Settings** app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. For more information, see [Local management for Surface Hub settings](local-management-surface-hub-settings.md).
+- **Remote management** - Surface Hub allow IT admins to manage settings and policies using a mobile device management (MDM) provider, such as Microsoft Intune, System Center Configuration Manager, and other third-party providers. Additionally, admins can monitor Surface Hubs using Microsoft Operations Management Suite (OMS). For more information, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md), and [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). 
 
-## Introduction
-
-
-After initial setup of Microsoft Surface Hub, the device’s settings and configuration can be modified or changed in several ways:
-
--   Local management: using the Settings app on the device
--   Remote management: using a mobile device management (MDM) solution, like Microsoft Intune, AirWatch, or System Center 2012 R2 Configuration Manager.
-
-For locally-managed devices, administrator credentials are required to use the Settings app. These can be login credentials for Active Directory, Azure Active Directory (Azure AD), or a local admin account. One of these will have been selected during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)).
-
-For remotely-managed devices, the device must be enrolled into an MDM solution, either during first run or in the Settings app.
-
-Be aware that the two management methods are not mutually exclusive—every device will have the capability to be locally managed, and devices can be remotely managed if you choose.
-
->**Note**  If a device is remotely managed, then any changes to local settings that are also remotely managed will only persist until the next time your Surface Hub syncs with your MDM solution. Once a sync occurs, the settings and policies defined on your MDM solution will be pushed to the device, overwriting the local changes.
-
- 
-
-## Surface Hub-only settings
-
-
-Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs.
-
-<table>
-<colgroup>
-<col width="33%" />
-<col width="33%" />
-<col width="33%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Setting</th>
-<th align="left">Location</th>
-<th align="left">Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Change friendly name</p></td>
-<td align="left"><p>System - About</p></td>
-<td align="left"><p>Set the Surface Hub name that people will see when connecting wirelessly.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Collect logs</p></td>
-<td align="left"><p>System - About</p></td>
-<td align="left"><p>Collect logs to give to Microsoft Support.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Change meeting info shown on the welcome screen</p></td>
-<td align="left"><p>System – Microsoft Surface Hub</p></td>
-<td align="left"><p>Choose whether meeting organizer, time, and subject show up on the welcome screen.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Session time out</p></td>
-<td align="left"><p>System – Microsoft Surface Hub</p></td>
-<td align="left"><p>Choose how long the device needs to be inactive before returning to the welcome screen.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Turn on screen with motion sensors</p></td>
-<td align="left"><p>System – Microsoft Surface Hub</p></td>
-<td align="left"><p>Choose whether the screen turns on when motion is detected.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Configure Microsoft Operational Management Suite (MOMS)</p></td>
-<td align="left"><p>System – Microsoft Surface Hub</p></td>
-<td align="left"><p>Add information to set up monitoring using MOMS.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Change Skype for Business fully qualified domain name (FQDN)</p></td>
-<td align="left"><p>System – Microsoft Surface Hub</p></td>
-<td align="left"><p>Add the FQDN for a Skype for Business certificate.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Save BitLocker key</p></td>
-<td align="left"><p>System – Microsoft Surface Hub</p></td>
-<td align="left"><p>Set the default destination for saving the BitLocker recovery key to a USB drive.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Turn off wireless projection using Miracast</p></td>
-<td align="left"><p>Devices - Connect</p></td>
-<td align="left"><p>Choose whether presenters can wirelessly project to the Surface Hub using Miracast.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Require a PIN for wireless projection</p></td>
-<td align="left"><p>Devices - Connect</p></td>
-<td align="left"><p>Choose whether people are required to enter a PIN before they use wireless projection.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Wireless projection (Miracast) channel</p></td>
-<td align="left"><p>Devices - Connect</p></td>
-<td align="left"><p>Change the channel for Miracast projection.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Change device account</p></td>
-<td align="left"><p>Accounts - All accounts</p></td>
-<td align="left"><p>Change the Surface Hub's device account.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Check sync status</p></td>
-<td align="left"><p>Accounts - All accounts</p></td>
-<td align="left"><p>Check the sync status of the device account’s mail and calendar on the Surface Hub.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Turn on password rotation</p></td>
-<td align="left"><p>Accounts - All accounts</p></td>
-<td align="left"><p>Choose whether the device account’s password will automatically change every day (Active Directory only).</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Edit admin account</p></td>
-<td align="left"><p>Accounts - All accounts</p></td>
-<td align="left"><p>Change the password for the local admin account.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Change maintenance hours</p></td>
-<td align="left"><p>Updates &amp; security – Windows Update – Advanced settings</p></td>
-<td align="left"><p>Set the hours when updates can be installed.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Configure Windows Server Update Services (WSUS) server</p></td>
-<td align="left"><p>Updates &amp; security – Windows Update – Advanced settings</p></td>
-<td align="left"><p>Change whether the device receives updates from the WSUS you choose.</p></td>
-</tr>
-</tbody>
-</table>
-
- 
-
-## Which should I choose?
-
-
-If you plan to deploy multiple Surface Hubs, we recommend that you manage your devices remotely. This requires that your organization use an MDM solution to deploy policies.
-
-Every Surface Hub can be managed locally by an admin who physically logs in to the device. Which method is used to log in is decided during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)).
+> [!NOTE]
+> These management methods are not mutually exclusive. Devices can be both locally and remotely managed if you choose. However, MDM policies and settings will overwrite any local changes when the Surface Hub syncs with the management server. 
 
 ## In this section
 
+Learn about managing and updating Surface Hub.
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Topic</th>
-<th align="left">Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>[Accessibility](accessibility-surface-hub.md)</p></td>
-<td align="left"><p>Accessibility settings for the Surface Hub can be changed by using the Settings app. You'll find them under <strong>Ease of Access</strong>. Your Surface Hub has the same accessibility options as Windows 10.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Change the Surface Hub device account](change-surface-hub-device-account.md)</p></td>
-<td align="left"><p>You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Device reset](device-reset-suface-hub.md)</p></td>
-<td align="left"><p>You may wish to reset your Surface Hub.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Install apps on your Surface Hub](install-apps-on-surface-hub.md)</p></td>
-<td align="left"><p>Admins can install apps can from either the Windows Store or the Windows Store for Business.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Manage settings with a local admin account](manage-settings-with-local-admin-account-surface-hub.md)</p></td>
-<td align="left"><p>A local admin account will be set up on every Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)</p></td>
-<td align="left"><p>Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Monitor your Surface Hub](monitor-surface-hub.md)</p></td>
-<td align="left"><p>Monitoring for Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Save your BitLocker key](save-bitlocker-key-surface-hub.md)</p></td>
-<td align="left"><p>Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Using a room control system](use-room-control-system-with-surface-hub.md)</p></td>
-<td align="left"><p>Room control systems can be used with your Surface Hub.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Windows updates](manage-windows-updates-for-surface-hub.md)</p></td>
-<td align="left"><p>You can manage Windows updates on your Surface Hub by setting the maintenance window, deferring updates, or using WSUS.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Wireless network management](wireless-network-management-for-surface-hub.md)</p></td>
-<td align="left"><p>Surface Hub offers two options for network connectivity to your corporate network and Internet: wireless, and wired. While both provide network access, we recommend you use a wired connection.</p></td>
-</tr>
-</tbody>
-</table>
-
- 
-
- 
-
- 
-
-
-
-
+| Topic | Description |
+| ----- | ----------- |
+| [Remote Surface Hub management](remote-surface-hub-management.md) |Topics related to managing your Surface Hub remotely. Include install apps, managing settings with MDM and monitoring with Operations Management Suite. |
+| [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network |
+| [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Windows Store or the Windows Store for Business.|
+| [End a meeting with I’m done](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap I'm Done to clean up any sensitive data and prepare the device for the next meeting.|
+| [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.|
+| [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.|
+| [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|
 

devices/surface-hub/manage-windows-updates-for-surface-hub.md

@@ -13,61 +13,125 @@ localizationpriority: medium
 
 # Windows updates (Surface Hub)
 
+New releases of the Surface Hub operating system are published through Windows Update, just like releases of Windows 10. There are a couple of ways you can manage which updates are installed on your Surface Hubs, and the timing for when updates are applied.
+- **Windows Update for Business** - New in Windows 10, Windows Update for Business is a set of features designed to provide enterprises additional control over how and when Windows Update installs releases, while reducing device management costs. Using this method, Surface Hubs are directly connected to Microsoft’s Windows Update service.
+- **Windows Server Update Services (WSUS)** - Set of services that enable IT administrators to obtain the updates that Windows Update determines are applicable to the devices in their enterprise, perform additional testing and evaluation on the updates, and select the updates they want to install. Using this method, Surface Hubs will receive updates from WSUS rather than Windows Update.
 
-You can manage Windows updates on your Microsoft Surface Hub by setting the maintenance window, deferring updates, or using Windows Server Update Services (WSUS).
+You can also configure Surface Hub to receive updates from both Windows Update for Business and WSUS. See [Integrate Windows Update for Business with Windows Server Update Services](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-integrate-wufb#integrate-windows-update-for-business-with-windows-server-update-services) for details.
 
-### Maintenance window
+| Capabilities | Windows Update for Business | Windows server Update Services (WSUS) |
+| ------------ | --------------------------- | ------------------------------------- |
+| Receive updates directly from Microsoft's Windows Update service, with no additional infrastructure required.  | Yes  | No  |
+| Defer updates to provide additional time for testing and evaluation. | Yes  | Yes  |
+| Deploy updates to select groups of devices. | Yes | Yes |
+| Define maintenance windows for installing updates. | Yes  | Yes  |
+
+> [!TIP]
+> Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Optimize update delivery for Windows 10 updates](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-optimize-windows-10-updates) for details.
+
+> [!NOTE]
+> Surface Hub does not currently support rolling back updates.
+
+
+## Surface Hub servicing model
+
+Surface Hub uses the Windows 10 servicing model, referred to as Windows as a Service (WaaS). Traditionally, new features are added only in new versions of Windows that are released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality.
+
+Microsoft publishes two types of Surface Hub releases broadly on an ongoing basis:
+- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish an average of two to three new feature upgrades per year.
+- **Quality updates** - Updates that focus on the installation of security fixes, drivers, and other servicing updates. Microsoft expects to publish one cumulative quality update per month.
+
+In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10, including Surface Hub, will be cumulative. This means new feature updates and quality updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.
+
+The Surface Hub operating system is available on **Current Branch (CB)** and **Current Branch for Business (CBB)**. Like other editions of Windows 10, the servicing lifetime of CB or CBB is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
+
+For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview).
+
+
+## Use Windows Update for Business
+Surface Hubs, like all Windows 10 devices, include **Windows Update for Business (WUfB)** to enable you to control how your devices are being updated. Windows Update for Business helps reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. For more information, see [Manage updates using Windows Update for Business](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb).
+
+**To set up Windows Update for Business:**
+1. [Group Surface Hub into deployment rings](#group-surface-hub-into-deployment-rings)
+2. [Configure Surface Hub to use Current Branch or Current Branch for Business](#configure-surface-hub-to-use-current-branch-or-current-branch-for-business).
+2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates).
+
+> [!NOTE]
+> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-wufb-intune)
+
+
+### Group Surface Hub into deployment rings
+Use deployment rings to control when updates roll out to your Surface Hubs, giving you time to validate them. For example, you can update a small pool of devices first to verify quality before a broader roll-out to your organization. Depending on who manages Surface Hub in your organization, consider incorporating Surface Hub into the deployment rings that you've built for your other Windows 10 devices. For more information about deployment rings, see [Build deployment rings for Windows 10 updates](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-deployment-rings-windows-10-updates).
+
+This table gives examples of deployment rings.
+
+| Deployment ring | Ring size | Servicing branch | Deferral for feature updates | Deferral for quality updates (security fixes, drivers, and other updates) | Validation step |
+| --------- | --------- | --------- | --------- | --------- | --------- |
+| Evaluation (e.g. non-critical or test devices) | Small | Current Branch (CB) | None. Devices receive feature updates immediately after CB is released. | None. Devices receive quality updates immediately after CB is released. | Manually test and evaluate new functionality. Pause updates if there are issues. |
+| Pilot (e.g. devices used by select teams) | Medium | Current Branch for Business (CBB) | None. Devices receive feature updates immediately once CBB is released. | None. Devices receive quality updates immediately after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Broad deployment (e.g. most of the devices in your organization) | Large | Current Branch for Business (CBB) |  60 days after CBB is released. | 14 days after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Mission critical (e.g. devices in executive boardrooms) | Small | Current Branch for Business (CBB) |  180 days after CBB is released (maximum deferral for feature updates). | 30 days after CBB is released (maximum deferral for quality updates). | Monitor device usage and user feedback. |
+
+
+### Configure Surface Hub to use Current Branch or Current Branch for Business
+By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches).
+
+**To manually configure Surface Hub to use CB or CBB:**
+1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**. 
+2. Select **Defer feature updates**.
+
+To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy.
+
+
+### Configure when Surface Hub receives updates
+Once you've determined deployment rings for your Surface Hubs, configure update deferral policies for each ring:
+- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring.
+- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring.
+
+> [!NOTE]
+> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
+
+
+## Use Windows Server Update Services (WSUS)
+
+You can connect Surface Hub to your WSUS server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
+
+**To manually connect a Surface Hub to a WSUS server:**
+1. Open **Settings** on your Surface Hub.
+2. Enter the device admin credentials when prompted.
+3. Navigate to **Update & security** > **Windows Update** > **Advanced options** > **Configure Windows Server Update Services (WSUS) server**.
+4. Click **Use WSUS Server to download updates** and type the URL of your WSUS server.
+
+To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy.
+
+
+## Maintenance window
+
+To ensure the device is always available for use during business hours, Surface Hub performs its administrative functions during a specified maintenance window. During the maintenance window, the Surface Hub automatically installs updates through Windows Update or WSUS, and reboots the device if needed.
+
+Surface Hub follows these guidelines to apply updates:
+-   Install the update during the next maintenance window. If a meeting is scheduled to start during a maintenance window, or the Surface Hub sensors detect that the device is being used, the pending update will be postponed to the following maintenance window.
+-   If the next maintenance window is past the update’s prescribed grace period, the device will calculate the next available slot during business hours using the estimated install time from the update’s metadata. It will continue to postpone the update if a meeting is scheduled, or the Surface Hub sensors detect that the device is being used.
+-   If a pending update is past the update’s prescribed grace period, the update will be immediately installed. If a reboot is needed, the Surface Hub will automatically reboot during the next maintenance window.
+
+> [!NOTE]
+> Allow time for updates when you first setup your Surface Hub. For example, a backlog of virus definitions may be available, which should be immediately installed.
 
 A default maintenance window is set for all new Surface Hubs:
+-   **Start time:** 3:00 AM
+-   **Duration:** 1 hour
 
--   Start time: 3:00 AM
--   Duration: 1 hour
+**To manually change the maintenance window:**
+1.  Open **Settings** on your Surface Hub.
+2.  Navigate to **Update & security** > **Windows Update** > **Advanced options**.
+3.  Under **Maintenance hours**, select **Change**.
 
-Most Windows updates are downloaded and installed automatically by Surface Hub. You can change the maintenance window to limit when the device can be automatically rebooted after a Windows update installation. For those updates that require a reboot of the device, the update installation will be postponed until the maintenance window begins. If a meeting is scheduled to start during the maintenance window, or if the Surface Hub sensors detect that the device is being used, the pending installation will be postponed to the next maintenance window.
+To change the maintenance window using MDM, set the **MOMAgent** node in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt608323.aspx). See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for more details.
 
->**Note**: If an update installation has been pending for 28 days, on the 28th day the update will be forcibly installed. The device will ignore meetings or sensor status and reboot during the maintenance window.
-
- 
-
-To change the default maintenance window:
-
-1.  Open the Settings app.
-2.  Navigate to **Update and Security** > **Advanced Options**.
-3.  Under **Maintenance hours**, click **Change**.
-
-### Deferring Windows updates
-
-You can choose to defer downloading or installing updates that install new Windows features. When you do, new Windows features won’t be downloaded or installed for up to several months. Deferring updates doesn’t affect security updates, which will be downloaded and installed as usual.
-
-To defer Windows feature updates:
-
-1.  Open the Settings app.
-2.  Navigate to **Update and Security** > **Advanced Options**.
-3.  Click on the checkbox for **Defer upgrades**.
-
-### Using WSUS
-
-You can use WSUS to manage the download and installation of Windows updates on your Surface Hub.
-
-To connect a Surface Hub to a WSUS server:
-
-1.  Open the Settings app.
-2.  Navigate to **Update and Security** > **Advanced Options**.
-3.  Click on the checkbox for **Configure Windows Server Update Services (WSUS) server**.
-4.  Check the box for **Use WSUS Server to download updates** and enter the WSUS endpoint.
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
 
- 
-
- 
-
-
-
-
-

devices/surface-hub/monitor-surface-hub.md

@@ -13,72 +13,132 @@ localizationpriority: medium
 
 # Monitor your Microsoft Surface Hub
 
+Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS). The [Operations Management Suite](https://go.microsoft.com/fwlink/?LinkId=718138) is Microsoft's IT management solution that helps you manage and protect your entire IT infrastructure, including your Surface Hubs.
 
-Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).
 
-The [Operations Management Suite (OMS)](https://go.microsoft.com/fwlink/?LinkId=718138) is Microsoft's IT management solution that helps you manage and protect your entire IT infrastructure, including your Surface Hubs. You can use OMS to help you track the health of your Surface Hubs as well as understand how they are being used. Log files are read on the devices and sent to the OMS service. Issues like servers being offline, the calendar not syncing, or the device account being unable to log into Skype are shown in OMS in the Surface Hub dashboard. By using the data in the dashboard, you can identify devices that are not running, or that are having other problems, and potentially apply fixes for the detected issues.
+Surface Hub is offered as a Log Analytics solution in OMS, allowing you to collect and view usage and reliability data across all your Surface Hubs. Use the Surface Hub solution to:
+- Inventory your Surface Hubs.
+- View a snapshot of usage and reliability data for Skype meetings, wired and wireless projection, and apps on your Surface Hubs.
+- Create custom alerts to respond quickly if your Surface Hubs report software or hardware issues.
 
-### OMS requirements
+## Add Surface Hub to Operations Management Suite
 
-In order to manage your Surface Hubs from the Microsoft Operations Management Suite (OMS), you'll need the following:
+1. **Sign in to Operations Management Suite (OMS)**. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+2. **Create a new OMS workspace**. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
+3. **Link Azure subscription to your workspace**. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
 
--   A valid [subscription to OMS](http://www.microsoft.com/server-cloud/operations-management-suite/overview.aspx).
--   [Subscription level](https://go.microsoft.com/fwlink/?LinkId=718139) in line with the number of devices. OMS pricing varies depending on how many devices are enrolled, and how much data it processes. You'll want to take this into consideration when planning your Surface Hub rollout.
+    > [!NOTE] 
+    > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
 
-Next, you will either add an OMS subscription to your existing Microsoft Azure subscription or create a new workspace directly through the OMS portal. Detailed instructions for setting up the account can be found at: [Onboard in minutes](https://go.microsoft.com/fwlink/?LinkId=718141). Once the OMS subscription is set up, there are two ways to enroll your Surface Hub devices:
+4. **Add Surface Hub solution**. In the Solutions Gallery, select the **Surface Hub** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace.
 
-1.  Automatically through [InTune](https://go.microsoft.com/fwlink/?LinkId=718150), or
-2.  Manually through Settings.
+## Use the Surface Hub dashboard
+From the **Overview** page in your OMS workspace, click the Surface Hub tile to see the Surface Hub dashboard. Use the dashboard to get a snapshot of usage and reliability data across your Surface Hubs. Click into each view on the dashboard to see detailed data, modify the query as desired, and create alerts.
 
-### Setting up monitoring
+> [!NOTE]
+> Most of these views show data for the past 30 days, but this is subject to your subscription's data retention policy.
 
-You can monitor health and activity of your Surface Hub using Microsoft Operations Management Suite (OMS). The device can be enrolled in OMS remotely, using InTune, or locally, by using Settings.
+**Active Surface Hubs**
 
-### Enrolling devices through InTune
+Use this view to get an inventory of all your Surface Hubs. Once connected to OMS, each Surface Hub periodically sends a "heartbeat" event to the server. This view shows Surface Hubs that have reported a heartbeat in the past 24 hours.
 
-You'll need the workspace ID and primary key for your Surface Hub. You can get those from the OMS portal.
+<!--
+**Skype meetings**
 
-InTune is a Microsoft product that allows you to centrally manage the OMS configuration settings that will be applied to one or more of your devices. Follow these steps to configure your devices through InTune:
+Use this view to get usage data for Skype over the past 30 days. The graph shows the total number of Skype Meetings started across your Surface Hubs, and a breakdown between scheduled meetings, ad hoc meetings, and PSTN calls.
+-->
+ 
+**Wireless projection**
 
-1.  Sign in to InTune.
-2.  Navigate to **Settings** &gt; **Connected Sources**.
-3.  Create or edit a policy based on the Surface Hub template.
-4.  Navigate to the OMS section of the policy, and add the **workspace ID** and **primary key** to the policy.
-5.  Save the policy.
-6.  Associate the policy with the appropriate group of devices.
+Use this view to get usage and reliability data for wireless projection over the past 30 days. The graph shows the total number of wireless connections across all your Surface Hubs, which provides an indication whether people in your organization are using this feature. If it's a low number, it may suggest a need to provide training to help people in your organization learn how to wirelessly connect to a Surface Hub.
+ 
+Also, the graph shows a breakdown of successful and unsuccessful connections. If you see a high number of unsuccessful connections, devices may not properly support wireless projection using Miracast. For best performance, Microsoft suggests that devices run a WDI Wi-Fi driver and a WDDM 2.0 graphics driver. Use the details view to learn if wireless projection problems are common with particular devices.
+ 
+When a connection fails, users can also do the following if they are using a Windows laptop or phone:
+- Remove the paired device from **Settings** > **Devices** > **Connected devices**, then try to connect again.
+- Reboot the device.
+ 
+**Wired projection**
 
-InTune will now sync the OMS settings with the devices in the target group, enrolling them in your OMS workspace.
+Use this view to get usage and reliability data for wired projection over the past 30 days. If the graph shows a high number of unsuccessful connections, it may indicate a connectivity issue in your audio-visual pipeline. For example, if you use a HDMI repeater or a center-of-room control panel, they may need to be restarted.
+ 
+**Application usage**
 
-### Enrolling devices using the Settings app
+Use this view to get usage data for apps on your Surface Hubs over the past 30 days. The data comes from app launches on your Surface Hubs, not including Skype for Business. This view helps you understand which Surface Hub apps are the most valuable in your organization. If you are deploying new line-of-business apps in your environment, this can also help you understand how often they are being used.
+ 
+**Application Crashes**
 
-You'll need the workspace ID and primary key for your Surface Hub. You can get those from the OMS portal.
+Use this view to get reliability data for apps on your Surface Hubs over the past 30 days. The data comes from app crashes on your Surface Hubs. This view helps you detect and notify app developers of poorly behaving in-box and line-of-business apps.
+ 
+**Sample Queries**
 
-If you don't use InTune to manage your environment, you can enroll devices manually through **Settings**:
+Use this to create custom alerts based on a recommended set of queries. Alerts help you respond quickly if your Surface Hubs report software or hardware issues. For more inforamtion, see [Set up alerts using sample queries](#set-up-alerts-with-sample-queries).
 
-1.  From your Surface Hub, start **Settings**.
-2.  Enter the device admin credentials when prompted.
-3.  Click **System**, and navigate to Microsoft Operations Management Suite.
-4.  Click **Configure**.
-5.  Select **Enable monitoring**.
-6.  In the OMS settings dialog, type the **workspace ID**.
-7.  Repeat steps 5 and 6 for the **primary key**.
-8.  Click **OK** to complete the configuration.
+## Set up alerts with sample queries
 
+Use alerts to respond quickly if your Surface Hubs report software or hardware issues. Alert rules automatically run log searches according to a schedule, and runs one or more actions if the results match specific criteria. For more information, see [Alerts in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-alerts/).
+ 
+The Surface Hub Log Analytics solution comes with a set of sample queries to help you set up the appropriate alerts and understand how to resolve issues you may encounter. Use them as a starting point to plan your monitoring and support strategy.
+
+This table describes the sample queries in the Surface Hub solution:
+
+| Alert type | Impact | Recommended remediation | Details |
+| ---------- | ------ | ----------------------- | ------- |
+| Software   | Error  | **Reboot the device**. <br> Reboot manually, or using the [Reboot configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt720802(v=vs.85).aspx). <br> Suggest doing this between meetings to minimize impact to your people in your organization. | Trigger conditions: <br> - A critical process in the Surface Hub operating system, such as the shell, projection, or Skype, crashes or becomes non-responsive. <br> - The device hasn't reported a heartbeat in the past 24 hours. This may be due to network connectivity issue or network-related hardware failure, or an error with the telemetry reporting system. |
+| Software   | Error  | **Check your Exchange service**. <br> Verify: <br> - The service is available. <br> - The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details.| Triggers when there's an error syncing the device calendar with Exchange. |
+| Software   | Error  | **Check your Skype for Business service**. <br> Verify: <br> - The service is available. <br> - The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details. <br> - The domain name for Skype for Business is properly configured - see [Configure a domain name](use-fully-qualified-domain-name-surface-hub.md). | Triggers when Skype fails to sign in. |
+| Software   | Error  | **Reset the device**. <br> This takes some time, so you should take the device offline. <br> For more information, see [Device reset](device-reset-surface-hub.md).| Triggers when there is an error cleaning up user and app data at the end of a session. When this operation repeatedly fails, the device is locked to protect user data. You must reset the device to continue. |
+| Hardware   | Warning | **None**. Indicates negligible impact to functionality.| Triggers when there is an error with any of the following hardware components: <br> - Virtual pen slots <br> - NFC driver <br> - USB hub driver <br> - Bluetooth driver <br> - Proximity sensor <br> - Graphical performance (video card driver) <br> - Mismatched hard drive <br> - No keyboard/mouse detected |
+| Hardware   | Error | **Contact Microsoft support**. <br> Indicates impact to core functionality (such as Skype, projection, touch, and internet connectivity). <br> **Note** Some events, including heartbeat, include the device’s serial number that you can use when contacting support.| Triggers when there is an error with any of the following hardware components. <br> **Components that affect Skype**: <br> - Speaker driver <br> - Microphone driver <br> - Camera driver <br> **Components that affect wired and wireless projection**: <br> - Wired touchback driver <br> - Wired ingest driver <br> - Wireless adapter driver <br> - Wi-Fi Direct error <br> **Other components**: <br> - Touch digitizer driver <br> - Network adapter error (not reported to OMS)|
+
+**To set up an alert**
+1.	From the Surface Hub solution, select one of the sample queries.
+2.	Modify the query as desired. See Log Analytics search reference to learn more.
+3.	Click **Alert** at the top of the page to open the **Add Alert Rule** screen. See [Alerts in Log Analytics](https://azure.microsoft.com/en-us/documentation/articles/log-analytics-alerts/) for details on the options to configure the alert.
+4.	Click **Save** to complete the alert rule. It will start running immediately.
+
+## Enroll your Surface Hub
+
+For Surface Hub to connect to and register with the OMS service, it must have access to the port number of your domains and the URLs. This table list the ports that OMS needs. For more information, see [Configure proxy and firewall settings in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-proxy-firewall/).
+
+| Agent resource              | Ports | Bypass HTTPS inspection? |
+| --------------------------- | ----- | ------------------------ |
+| *.ods.opinsights.azure.com  | 443   | Yes |
+| *.oms.opinsights.azure.com  | 443   | Yes |
+| *.blob.core.windows.net     | 443   | Yes |
+| ods.systemcenteradvisor.com | 443   | No  |
+
+The Microsoft Monitoring Agent, used to connect devices to OMS, is integrated with the Surface Hub operating system, so there is no need to install additional clients to connect Surface Hub to OMS.
+ 
+Once your OMS workspace is set up, there are several ways to enroll your Surface Hub devices:
+- [Settings app](#enroll-using-the-settings-app)
+- [Provisioning package](#enroll-using-a-provisioning-package)
+- [MDM provider](#enroll-using-a-mdm-provider), such as Microsoft Intune and Configuration Manager
+ 
+You'll need the workspace ID and primary key of your OMS workspace. You can get these from the OMS portal.
+ 
+### Enroll using the Settings app
+
+**To Enroll using the settings app**
+
+1. From your Surface Hub, start **Settings**.
+2. Enter the device admin credentials when prompted.
+3. Select **This device**, and navigate to **Device management**.
+4. Under **Monitoring**, select **Configure OMS settings**.
+5. In the OMS settings dialog, select **Enable monitoring**.
+6. Type the workspace ID and primary key of your OMS workspace. You can get these from the OMS portal.
+7. Click **OK** to complete the configuration.
+ 
 A confirmation dialog will appear telling you whether or not the OMS configuration was successfully applied to the device. If it was, the device will start sending data to OMS.
 
-### Monitoring devices
-
-Monitoring your Surface Hubs using OMS is much like monitoring any other enrolled devices.
-
-1.  Sign in to the OMS portal.
-2.  Navigate to the Surface Hub solution pack dashboard.
-3.  Your device's health will be displayed here.
-
-You can create OMS alerts based on existing or custom queries that use the data collected through OMS.
+### Enroll using a provisioning package
+You can use a provisioning package to enroll your Surface Hub. For more infomation, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
+ 
+### Enroll using a MDM provider
+You can enroll Surface Hub into OMS using the SurfaceHub CSP. Intune and Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. For more information, see [Manage Surface Hub settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md).
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md

@@ -13,248 +13,209 @@ localizationpriority: medium
 
 # Create provisioning packages (Surface Hub)
 
+This topic explains how to create a provisioning package using the Windows Imaging and Configuration Designer (ICD), and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings.
 
-For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning.
+You can apply a provisioning package using a USB during first run, or through the **Settings** app. 
 
-In this topic, you'll find the following information:
 
--   [Introduction to provisioning packages](#intro-prov-pkg)
--   [What can provisioning packages configure for Microsoft Surface Hubs?](#what-can-prov-pkg)
--   [How do I create and deploy a provisioning package?](#how-do-i-prov-pkg)
--   [Requirements](#requirements-prov-pkg)
--   [Install the Windows Imaging and Configuration Designer](#installing-wicd-prov-pkg)
--   [Create a provisioning package for certificates](#creating-prov-pkg-certs)
--   [Create a provisioning package for apps](#creating-prov-pkg-apps)
--   [Deploy a provisioning package to a Surface Hub](#deploy-to-hub-prov-pkg)
-    -   [Deploy a provisioning package using first run](#deploy-via-oobe-prov-pkg)
-    -   [Deploy a provisioning package using Settings](#deploy-via-settings-prov-pkg)
+## Advantages
+-   Quickly configure devices without using a MDM provider.
 
-### <a href="" id="intro-prov-pkg"></a>Introduction to provisioning packages
+-   No network connectivity required.
 
-Provisioning packages are created using Windows Imaging and Configuration Designer (WICD), which is a part of the Windows Assessment and Deployment Kit (ADK). For Surface Hub, the provisioning packages can be placed on a USB drive.
+-   Simple to apply.
 
-### <a href="" id="what-can-prov-pkg"></a>What can provisioning packages configure for Surface Hubs?
+[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/whats-new/new-provisioning-packages)
 
-Currently, you can use provisioning packages to install certificates and to install Universal Windows Platform (UWP) apps on your Surface Hub. These are the only two supported scenarios.
 
-You may use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange or Skype for Business, or to sideload apps that don't come from the Windows Store (for example, your own in-house apps).
+## Requirements 
 
->**Note**  Provisioning can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, you must use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
+To create and apply a provisioning package to a Surface Hub, you'll need the following:
 
- 
-
-### <a href="" id="how-do-i-prov-pkg"></a>How do I create and deploy a provisioning package?
-
-Provisioning packages must be created using the Windows Imaging and Configuration Designer (ICD).
-
-### <a href="" id="requirements-prov-pkg"></a>Requirements
-
-In order to create and deploy provisioning packages, all of the following are required:
-
--   Access to the Settings app on Surface Hub (using admin credentials which were configured at initial setup of the Surface Hub).
--   Windows Imaging and Configuration Designer (ICD), which is installed as a part of the windows 10 Assessment and Deployment Kit (ADK).
+-   Windows Imaging and Configuration Designer (ICD), which is installed as a part of the [Windows 10 Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740).
 -   A PC running Windows 10.
--   USB flash drive.
+-   A USB flash drive.
+-   If you apply the package using the **Settings** app, you'll need device admin credentials.
 
-### <a href="" id="installing-wicd-prov-pkg"></a>Install the Windows Imaging and Configuration Designer
+You'll create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub.
 
-1.  The Windows Imaging and Configuration Designer (ICD) is installed as part of the Windows 10 ADK. The installer for the ADK can be downloaded from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?LinkId=718147).
-    >**Note**  The ADK must be installed on a separate PC, not on the Surface Hub.  
 
-2.  Run the installer, and set your preferences for installation. When asked what features you want to install, you will see a checklist like the one in the following figure. Note that **Windows Performance Toolkit** and **Windows Assessment Toolkit** should be unchecked, as they are not needed to run the ICD.
+## Supported items for Surface Hub provisioning packages
 
-    Before going to the next step, make sure you have the following checked:
+Currently, you can add these items to provisioning packages for Surface Hub:
+- **Certificates** - You can add certificates, if needed, to authenticate to Microsoft Exchange.
+- **Universal Windows Platform (UWP) apps** - You can install UWP apps. This can be an offline-licensed app from the Windows Store for Business, or an app created by an in-house dev.
+- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
+- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx).
 
-    -   **Deployment Tools**
-    -   **Windows Preinstallation Environment**
-    -   **Imaging and Configuration Designer**
-    -   **User State Migration Tool**
 
-    All four of these features are required to run the ICD and create a package for the Surfact Hub.
+## Create the provisioning package
 
-    ![Image showing Windows ADK install page - select features to install.](images/idcfeatureschecklist.png)
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. When you install the ADK, you can choose to install only the Imaging and Configuration Designer (ICD).  [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
 
-3.  Continue with the installer until the ADK is installed. This may take a while, because the installer downloads remote content.
+1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`).
 
-### <a href="" id="creating-prov-pkg-certs"></a>Create a provisioning package for certificates
+2. Click **Advanced provisioning**.
 
-This example will demonstrate how to create a provisioning package to install a certificate.
+    ![ICD start options](images/ICDstart-option.PNG)  
+  
+3. Name your project and click **Next**.
 
-1.  On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu.
+4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**.
 
-    ![Image showing Start page in Windows Imaging and Configuration Designer.](images/wicd-screen01a.png)
+    ![ICD new project](images/icd-new-project.png)
 
-2.  When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**.
+5. In the project, under **Available customizations**, select **Common Team edition settings**.
 
-    ![Image showing New project screen for Windows Imaging and Configuration Designer.](images/wicd-screen02a.png)
+    ![ICD common settings](images/icd-common-settings.png)
 
-    Select the settings that are **Common to all Windows editions**, and click **Next**.
 
-    ![Image showing project settings in Windows Imaging and Configuration Designer.](images/wicd-screen02b.png)
+### Add a certificate to your package
+You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange.
 
-    When asked to import a provisioning package, just click **Finish.**
+> [!NOTE]
+> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
 
-    ![Image showing option for importing a provisioning package.](images/wicd-screen02c.png)
+1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. 
 
-3.  ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **Runtime settings** and then expand **Certificates**. Click **Root certificates**.
+2. Enter a **CertificateName** and then click **Add**. 
 
-    ![Image showing Windows Imaging and Configuration Designer's man page.](images/wicd-screen03a.png)
+2. Enter the **CertificatePassword**. 
 
-    In the center pane, you’ll be asked to specify a **CertificateName** for the Root certificate. You can set this to whatever you want. For the example, we've used the same name as the project. Click **Add**, and an entry will be added in the left pane.
+3. For **CertificatePath**, browse and select the certificate. 
 
-4.  In the **Available customizations** pane on the left, a new category has appeared for **CertificatePath** underneath the **CertificateName** you provided. There’s also a red exclamation icon indicating that there is a required field that needs to be set. Click **CeritficatePath**.
+4. Set **ExportCertificate** to **False**.
 
-    ![Image showing available customizations in Windows Imaging and Configuration Designer.](images/wicd-screen04a.png)
+5. For **KeyLocation**, select **Software only**.
 
-5.  In the center pane, you’ll be asked to specify the path for the certificate. Enter the name of the .cer file that you want to deploy, either by typing or clicking **Browse**. It must be a root certificate. The provisioning package created will copy the .cer file into the package it creates.
 
-    ![icd tiles](images/wicd-screen06a.png)
+### Add a Universal Windows Platform (UWP) app to your package
+Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business.
 
-6.  Verify that the path is set, then click **Export** in the top menu and choose **Provisioning package**.
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**.
 
-    ![icd tiles](images/wicd-screen07a.png)
+2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \<PFM\>...\</PFM\> tags.
 
-7.  You'll see a series of dialog boxes next. In the first one, either accept the defaults, or enter new values as needed, and click **Next**. You'll most likely want to accept the defaults.
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
 
-    ![icd tiles](images/wicd-screen08a.png)
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies.
 
-    Click **Next** again in the security options dialog box, because this package doesn't need to be encrypted or signed.
+If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package.
 
-    ![icd tiles](images/wicd-screen09a.png)
+1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license".
 
-    Choose where to save the provisioning package, and click **Next**.
+2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**.
 
-    ![icd tiles](images/wicd-screen10a.png)
+3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \<License\> tag, use the value in the **LicenseID** attribute.
 
-    Review the information shown, and if it looks good, click **Build**.
+4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1.
 
-    ![icd tiles](images/wicd-screen11a.png)
 
-    You will see a confirmation dialog box similar to the one following. Click the link under **Output location** to open the directory containing the provisioning package.
+### Add a policy to your package
+Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
 
-    ![icd tiles](images/wicd-screen12a.png)
+1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**.
 
-8.  Copy the .ppkg from the output directory into the root directory of a USB drive. If it’s not at the root, it won’t be recognized by the device. You’ve finished making the provisioning package—now you just need to deploy it to the Surface Hub.
+2. Select one of the available policy areas.
 
-### <a href="" id="creating-prov-pkg-apps"></a>Create a provisioning package for apps
+3. Select and set the policy you want to add to your provisioning package.
 
-This example will demonstrate how to create a provisioning package to install offline-licensed apps purchased from the Windows Store for Business. For information on offline-licensed apps and what you need to download in order to install them, see [Distribute offline apps](https://go.microsoft.com/fwlink/?LinkId=718148).
 
-For each app you want to install on Surface Hubs, you'll need to download:
+### Add Surface Hub settings to your package 
 
--   App metadata
--   App package
--   App license
+You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package. 
 
-Depending on the app, you may or may not need to download a new app framework.
+1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**.
 
-1.  On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu.
+2. Select one of the available setting areas.
 
-    ![icd tiles](images/wicd-screen01a.png)
+3. Select and set the setting you want to add to your provisioning package. 
 
-2.  When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**.
 
-    ![icd tiles](images/wicd-screen-apps-02a.png)
+## Build your package
 
-    Select the settings that are **Common to all Windows desktop editions**, and click **Next**.
+1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
 
-    ![icd tiles](images/wicd-screen02b.png)
+2. Read the warning that project files may contain sensitive information, and click **OK**.
 
-    When asked to import a provisioning package, just click **Finish.**
+    > [!IMPORTANT]
+    > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
 
-    ![icd tiles](images/wicd-screen02c.png)
+3. On the **Export** menu, click **Provisioning package**.
 
-3.  ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **UniversalAppInstall** and click **DeviceContextApp**.
+4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources.
 
-    ![icd tiles](images/wicd-screen-apps-03a.png)
+5. Set a value for **Package Version**, and then select **Next.**
 
-    In the center pane, you’ll be asked to specify a **PackageFamilyName** for the app. This is one of the things you downloaded from the Store for Business. Click **Add**, and an entry will be added in the left pane.
+    > [!TIP]
+    > You can make changes to existing packages and change the version number to update previously applied packages.
 
-4.  In the **Available customizations** pane on the left, new categories will be displayed for **ApplicationFile** and **LaunchAppAtLogin** underneath the **PackageFamilyName** you just entered. Enter the appx filename in the **ApplicationFile** box in the center pane.
+6. Optional: You can choose to encrypt the package and enable package signing.
 
-    ![icd tiles](images/wicd-screen-apps-04a.png)
+    -   **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
 
-    Generally, **LaunchAppAtLogin** should be set to **Do not launch app** or **NOT CONFIGURED**.
+    -   **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package.
 
-5.  Next, click **DeviceContextAppLicense** in the left pane. In the center pane, you’ll be asked to specify the **LicenseProductId**. Click **Add**. Back in the left pane, click on the **LicenseProductId** that you just added. In the center pane, you'll need to specify **LicenseInstall**. Enter the name of the license file that you previously downloaded from the Store for Business, either by typing or clicking **Browse**. The file will have a extension of "ms-windows-store-license".
+        > [!IMPORTANT]
+        > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. 
 
-    ![icd tiles](images/wicd-screen-apps-06a.png)
+7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
+Optionally, you can click **Browse** to change the default output location.
 
-6.  Verify that the path is set, then click **Export** in the top menu and choose **Provisioning package**.
+8. Click **Next**.
 
-    ![icd tiles](images/wicd-screen07a.png)
+9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.<p>
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
 
-7.  You'll see a series of dialog boxes next. In the first one, either accept the defaults, or enter new values as needed, and click **Next**. You'll most likely want to accept the defaults.
+10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.<p>
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
 
-    ![icd tiles](images/wicd-screen-apps-08a.png)
+    -   If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+    
+    -   If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
 
-    Click **Next** again in the security options dialog box, because this package doesn't need to be encrypted or signed.
+11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive.
 
-    ![icd tiles](images/wicd-screen09a.png)
 
-    Choose where to save the provisioning package, and click **Next**.
+## Apply a provisioning package to Surface Hub
 
-    ![icd tiles](images/wicd-screen-apps-10a.png)
+There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings). 
 
-    Review the information shown, and if it looks good, click **Build**.
 
-    ![icd tiles](images/wicd-screen-apps-11a.png)
+### Apply a provisioning package during first run
 
-    You will see a confirmation dialog box similar to the one following. Click the link under **Output location** to open the directory containing the provisioning package.
+> [!IMPORTANT]
+> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings.
 
-    ![icd tiles](images/wicd-screen-apps-12a.png)
+1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding.
 
-8.  Copy the .ppkg from the output directory into the root directory of a USB drive. If it’s not at the root, it won’t be recognized by the device. You’ve finished making the provisioning package—now you just need to deploy it to the Surface Hub.
+2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**.
 
-### <a href="" id="deploy-to-hub-prov-pkg"></a>Deploy a provisioning package to a Surface Hub
+    ![Set up device?](images/provisioningpackageoobe-01.png)
 
-The following two methods for deploying provisioning packages apply to any kind of provisioning package that is being deployed to a Surface Hub. There is no difference in the way cert provisioning packages and app provisioning packages are installed. You may see different description text in the UI depending on what the package is for, but the process is still the same.
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
 
-### <a href="" id="deploy-via-oobe-prov-pkg"></a>Deploy a provisioning package using first run
+    ![Provision this device](images/provisioningpackageoobe-02.png)
+    
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run.
 
-1.  When you turn on the Surface Hub for the first time, the first run process will display the page titled **Hi there**. Make sure the settings on this page are correct before you proceed. (See [Hi there page](first-run-program-surface-hub.md#first-page) for details.) Once you've deployed your provisioning package, the first run process will not return here. It will continue to the next screen.
-2.  Insert the USB drive into the Surface Hub.
-3.  Press the Windows key on the separate keyboard five times. You’ll see a dialog box asking whether you want to set up your device. Click **Set Up**.
+    ![Choose a package](images/provisioningpackageoobe-03.png)
 
-    ![image with set up device message for surface hub.](images/provisioningpackageoobe-01.png)IMage
+5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. The package will be applied, and you'll be taken to the next page in the first-run program.
 
-4.  Click on **Removable Media** in the **Provision From** dropdown list, then click **Next**.
+    ![Do you trust this package?](images/provisioningpackageoobe-04.png)
 
-    ![image with provision this device page for surface hub. ](images/provisioningpackageoobe-02.png)
 
-5.  The available packages in the root directory of the USB drive will be listed. Note that you can only install one package during first run. Select the package you want to install and then click **Next**.
+### Apply a package using Settings
 
-    ![image with choose a package page for surface hub. ](images/provisioningpackageoobe-03.png)
-
-6.  You’ll then see a dialog asking if it’s from a source you trust. Click **Yes, add it**. The certificate will be installed, and you’ll be taken to the next page of first run.
-
-    ![image with ](images/provisioningpackageoobe-04.png)
-
-### <a href="" id="deploy-via-settings-prov-pkg"></a>Deploy a provisioning package using Settings
-
-1.  Insert the USB drive into the Surface Hub you want to deploy to.
-2.  On the Surface Hub, open **Settings** and enter in the admin credentials.
-3.  Navigate to **System &gt; Work Access**. Under the header **Related settings**, click on **Add or remove a management package**.
-4.  Here, click the button for **Add a package**.
-
-    ![Image showing provisioining packages page in Settings.](images/provisioningpackagesettings-01.png)
-
-5.  Click **Removable media** from the dropdown list. You will see a list of available provisioning packages on the **Settings** page.
-
-    ![Image showing add a package page in Settings.](images/provisioningpackagesettings-02.png)
-
-6.  Choose your package and click **Add**.
-
-    ![Image showing select a package box.](images/provisioningpackagesettings-03.png)
-
-7.  You may have to re-enter the admin credentials if User Access Control (UAC) asks for them.
-8.  You’ll see a confirmation dialog box. Click **Yes, add it**. The certificate will be installed.
-
- 
-
- 
+1. Insert the USB flash drive containing the .ppkg file into the Surface Hub.
 
+2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted.
 
+3. Navigate to **This device** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**.
 
+4. Select **Add a package**.
 
+5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted.
 
+6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**.

devices/surface-hub/remote-surface-hub-management.md

@@ -0,0 +1,21 @@
+---
+title: Remote Surface Hub management
+description: This section lists topics for managing Surface Hub.
+keywords: remote management, MDM, install apps, monitor Surface Hub, Operations Management Suite, OMS
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Remote Surface Hub management
+
+## In this section
+
+|Topic | Description|
+| ------ | --------------- |
+| [Manage settings with an MDM provider]( https://technet.microsoft.com/itpro/surface-hub/manage-settings-with-mdm-for-surface-hub) | Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.|
+| [Monitor your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/monitor-surface-hub) | Monitoring for Surface Hub devices is enabled through Microsoft Operations Management Suite.|
+| [Windows updates](https://technet.microsoft.com/itpro/surface-hub/manage-windows-updates-for-surface-hub) | You can manage Windows updates on your Surface Hub by setting the maintenance window, deferring updates, or using WSUS.|

devices/surface-hub/save-bitlocker-key-surface-hub.md

@@ -24,11 +24,11 @@ There are several ways to manage your BitLocker key on the Surface Hub.
 
 2.  If you’ve joined the Surface Hub to Azure Active Directory (Azure AD), the BitLocker key will be stored under the account that was used to join the device.
 
-3.  If you’re using a local admin account to manage the device, you can save the BitLocker key by going to Settings and navigating to **System** > **Microsoft Surface Hub**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
+3.  If you’re using a local admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** > **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
+
 
 ## Related topics
 
-
 [Manage Microsoft Surface Hub](manage-surface-hub.md)
 
 [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md

@@ -7,21 +7,19 @@ author: TrudyHa
 localizationpriority: medium
 ---
 
-# When to use a fully qualified domain name with Surface Hub
+# Configure domain name for Skype for Business
 
-A fully qualified domain name (FQDN) is a domain name that explicitly states the location in the Domain Name System (DNS) hierarchy. All levels of a domain are specified. In the case of Skype for Business on the Surface Hub, there are a few scenarios where you need to use a FQDN.
+There are a few scenarios where you need to specify the domain name of your Skype for Business server:
 - **Multiple DNS suffixes** - When your Skype for Business infrastructure has disjointed namespaces such that one or more servers have a DNS suffix that doesn't match the suffix of the sign-in address (SIP) for Skype for Business.  
 - **Skype for Business and Exchange suffixes are different** - When the suffix of the sign-in address for Skype for Business differs from the suffix of the Exchange address used for the device account.
-- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails.  The Skype app needs to know the FQDN of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
+- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails.  Skype needs to know the domain name of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
 
-## Add FQDN to Surface Hub 
+**To configure the domain name for your Skype for Business server**</br>
+1. On Surface Hub, open **Settings**.
+2. Click **This device**, and then click **Calling**. 
+3. Under **Skype for Business configuration**, click **Configure domain name**. 
+4. Type the domain name for your Skype for Business server, and then click **Ok**. 
+> [!TIP]
+> You can type multiple domain names, separated by commas. <br> For example: lync.com, outlook.com, lync.glbdns.microsoft.com
 
-You use the Settings app on Surface Hub to add FQDN information. You can add multiple entries, if needed. 
-
-**To add Skype for Business Server FQDN**</br>
-1. On Surface Hub open the **Settings** app.
-2. Navigate to **System**, **Microsoft Surface Hub**. 
-3. Under **Skype for Business**, click **Add FQDN**. 
-4. Type the FQDN for the Skype for Business certificate. You can type multiple FQDNs separated by a comma. For example: lync.com, outlook.com, lync.glbdns.microsoft.com. 
-
- ![Add Skype for Business FQDN to Settings](images/system-settings-add-fqdn.png)
+    ![Add Skype for Business FQDN to Settings](images/system-settings-add-fqdn.png)

devices/surface-hub/wireless-network-management-for-surface-hub.md

@@ -36,10 +36,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele
 
 1.  On the Surface Hub, open **Settings** and enter your admin credentials.
 2.  Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
-
-    ![Image showing where to find Advanced options for Network & Internect, Wi-Fi settings.](images/networkmgtwireless-03.png)
-
-3.  The system will show you the properties for the wireless network connection.
+3.  Surface Hub shows you the properties for the wireless network connection.
 
     ![Image showing properties for connected Wi-Fi.](images/networkmgtwireless-04.png)
 

education/windows/chromebook-migration-guide.md

@@ -35,8 +35,8 @@ App migration or replacement is an essential part of your Chromebook migration.
 
 Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio).
 
-**Note**  
-The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section.
+> [!NOTE]  
+> The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section.
 
  
 

education/windows/index.md

@@ -1,6 +1,7 @@
 ---
 title: Windows 10 for Education (Windows 10)
-description: Learn about using Windows 10 in schools.
+description: Learn how to use Windows 10 in schools.
+keywords: Windows 10, education
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -9,24 +10,37 @@ author: jdeckerMS
 ---
 
 # Windows 10 for Education
-[Windows 10 Education and Windows 10 Pro Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers and students to do great things.
+<link rel="stylesheet" href="https://az835927.vo.msecnd.net/sites/uwp/Resources/css/custom.css">
 
-[Find out how to get Windows 10 Education or Windows 10 Pro Education for your school](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
+[Windows 10 Education and Windows 10 Pro Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers, and students to do great things.
 
-[Learn more about what features and functionality are supported in each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
+## ![Learn more about Windows](images/education.png) Learn
 
-## In this section
+<div class="side-by-side"> <div class="side-by-side-content">
+<div class="side-by-side-content-left"><p>
+<b>[Windows 10 editions for education customers](windows-editions-for-education-customers.md)</b><br />Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.</p></div>
+<div class="side-by-side-content-right"><p><b>[Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)</b><br />Find out more about the features and functionality we support in each edition of Windows.</p><p>
+<b>[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)</b><br />When you've made your decision, find out how to buy Windows for your school.</p></div>
+ </div></div>
 
-|Topic |Description |
-|------|------------|
-| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education.  |
-| [Provisioning options for Windows 10](set-up-windows-10.md) | Learn about your options for setting up Windows 10.  |
-| [Get Minecraft Education Edition](get-minecraft-for-education.md) | Learn how to get early access to **Minecraft Education Edition**. |
-| [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 |
-| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. |
-| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in a school. |
-| [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) |Learn how to deploy Windows 10 in a school district.|
-| [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. |
+## ![Plan for Windows 10 in your school](images/clipboard.png) Plan
+
+<div class="side-by-side"> <div class="side-by-side-content">
+<div class="side-by-side-content-left"><p>
+<b>[Provisioning options for Windows 10](set-up-windows-10.md)</b><br />Depending on your school's device management needs, Windows offers a variety of options that you can use to set up Windows 10 on your devices.</p><p>
+<b>[Get Minecraft Education Edition](get-minecraft-for-education.md)</b><br />Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.</p></div>
+<div class="side-by-side-content-right"><p><b>[Take tests in Windows 10](take-tests-in-windows-10.md)</b><br />Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.</p>
+<p><b>[Chromebook migration guide](chromebook-migration-guide.md)</b><br />Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.</p></div>
+ </div></div>
+
+ ## ![Deploy Windows 10 for education](images/PCicon.png) Deploy
+
+ <div class="side-by-side"> <div class="side-by-side-content">
+ <div class="side-by-side-content-left"><p><b>[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)</b><br />Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.</p></div>
+ <div class="side-by-side-content-right"><p>
+ <b>[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)</b><br />Get step-by-step guidance to help you deploy Windows 10 in a school environment.</p><p>
+ <b>[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)</b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p></div>
+   </div></div>
 
 ## Related topics
 

windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md

@@ -47,10 +47,8 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
 
 2.  On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**.
 
-    **Note**  
-    The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
-
-     
+    >[!NOTE]
+    >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
 
 3.  On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**.
 
@@ -58,16 +56,14 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
 
 5.  On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
 
-    ![figure 15](images/mdt-06-fig16.png)
+    ![Add the DaRT component to the Configuration Manager boot image](images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image")
 
     Figure 15. Add the DaRT component to the Configuration Manager boot image.
 
 6.  On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ ContosoBackground.bmp**. Then click **Next** twice.
 
-    **Note**  
-    It will take a few minutes to generate the boot image.
-
-     
+    >[!NOTE]
+    >It will take a few minutes to generate the boot image.
 
 7.  Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
 
@@ -75,9 +71,9 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
 
 9.  Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image.
 
-    ![figure 16](images/fig16-contentstatus.png)
+    ![Content status for the Zero Touch WinPE x64 boot image](images/fig16-contentstatus.png "Content status for the Zero Touch WinPE x64 boot image")
 
-    Figure 16. Content status for the Zero Touch WinPE x64 boot image.
+    Figure 16. Content status for the Zero Touch WinPE x64 boot image
 
 10. Using the Configuration Manager Console, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
 

windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md

@@ -49,25 +49,25 @@ To configure permissions for the various service accounts needed for operating s
 
 2.  Select the Service Accounts OU and create the CM\_JD account using the following settings:
 
-    1.  Name: CM\_JD
+    * Name: CM\_JD
 
-    2.  User logon name: CM\_JD
+    * User logon name: CM\_JD
 
-    3.  Password: P@ssw0rd
+    * Password: P@ssw0rd
 
-    4.  User must change password at next logon: Clear
+    * User must change password at next logon: Clear
 
-    5.  User cannot change password: Select
+    * User cannot change password: Select
 
-    6.  Password never expires: Select
+    * Password never expires: Select
 
 3.  Repeat the step, but for the CM\_NAA account.
 
 4.  After creating the accounts, assign the following descriptions:
 
-    1.  CM\_JD: Configuration Manager Join Domain Account
+    * CM\_JD: Configuration Manager Join Domain Account
 
-    2.  CM\_NAA: Configuration Manager Network Access Account
+    * CM\_NAA: Configuration Manager Network Access Account
 
 ![figure 6](images/mdt-06-fig06.png)
 
@@ -93,39 +93,37 @@ In order for the Configuration Manager Join Domain Account (CM\_JD) to join mach
 
 3.  The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted:
 
-    1.  Scope: This object and all descendant objects
+    * Scope: This object and all descendant objects
 
-    2.  Create Computer objects
+    * Create Computer objects
 
-    3.  Delete Computer objects
+    * Delete Computer objects
 
-    4.  Scope: Descendant Computer objects
+    * Scope: Descendant Computer objects
 
-    5.  Read All Properties
+    * Read All Properties
 
-    6.  Write All Properties
+    * Write All Properties
 
-    7.  Read Permissions
+    * Read Permissions
 
-    8.  Modify Permissions
+    * Modify Permissions
 
-    9.  Change Password
+    * Change Password
 
-    10. Reset Password
+    * Reset Password
 
-    11. Validated write to DNS host name
+    * Validated write to DNS host name
 
-    12. Validated write to service principal name
+    * Validated write to service principal name
 
 ## <a href="" id="sec03"></a>Review the Sources folder structure
 
 
 To support the packages you create in this section, the following folder structure should be created on the Configuration Manager primary site server (CM01):
 
-**Note**  
-In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
-
- 
+>[!NOTE]  
+>In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
 
 -   E:\\Sources
 
@@ -168,9 +166,9 @@ To extend the Configuration Manager console with MDT 2013 Update 2 wizards and t
 
 5.  From the Start screen, run Configure ConfigManager Integration with the following settings:
 
-    1.  Site Server Name: CM01.contoso.com
+    * Site Server Name: CM01.contoso.com
 
-    2.  Site code: PS1
+    * Site code: PS1
 
 ![figure 8](images/mdt-06-fig08.png)
 
@@ -221,15 +219,15 @@ Configuration Manager has many options for starting a deployment, but starting v
 
 3.  In the **PXE** tab, select the following settings:
 
-    1.  Enable PXE support for clients
+    * Enable PXE support for clients
 
-    2.  Allow this distribution point to respond to incoming PXE requests
+    * Allow this distribution point to respond to incoming PXE requests
 
-    3.  Enable unknown computer support
+    * Enable unknown computer support
 
-    4.  Require a password when computers use PXE
+    * Require a password when computers use PXE
 
-    5.  Password and Confirm password: Passw0rd!
+    * Password and Confirm password: Passw0rd!
 
     ![figure 12](images/mdt-06-fig13.png)
 

windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md

@@ -82,6 +82,7 @@ During a computer replace, these are the high-level steps that occur:
     1.  Select a task sequence to execute on this computer: Backup Only Task Sequence
         * Specify where to save your data and settings: Specify a location
         * Location: \\\\MDT01\\MigData$\\PC0002
+        
         >[!NOTE]  
         >If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
          

windows/deploy/resolve-windows-10-upgrade-errors.md

@@ -18,6 +18,8 @@ localizationpriority: high
 
 This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
 
+If you are not an IT administrator, you can try the [quick fixes](#quick-fixes) listed in this topic. If the quick fixes do not resolve your issue, see [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors) for more information.
+
 ## In this topic
 
 The following sections and procedures are provided in this guide:
@@ -63,6 +65,7 @@ WIM = Windows image (Microsoft)
 The following steps can resolve many Windows upgrade problems.
 
 <OL>
+<LI>Remove nonessential external hardware, such as docks and USB devices.</LI> 
 <LI>Check all hard drives for errors and attempt repairs. To automatically repair hard drives, open an elevated command prompt, switch to the drive you wish to repair, and type the following command. You will be required to reboot the computer if the hard drive being repaired is also the system drive.
 <UL>
 <LI>chkdsk /F</LI>
@@ -81,14 +84,12 @@ The following steps can resolve many Windows upgrade problems.
   <LI>Verify compatibility information and re-install antivirus applications after the upgrade.</LI></LI>
   </UL>
 <LI>Uninstall all nonessential software.</LI>
-<LI>Remove nonessential external hardware, such as docks and USB devices.</LI> 
 <LI>Update firmware and drivers.</LI>
 <LI>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</LI>
 <LI>Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS.
 </OL>
 
 
-
 ## Upgrade error codes
 
 If the upgrade process is not successful, Windows Setup will return two codes:

windows/deploy/upgrade-analytics-get-started.md

@@ -101,7 +101,7 @@ IMPORTANT: Restart user computers after you install the compatibility update KBs
 
 | **Site discovery** | **KB** |
 |----------------------|-----------------------------------------------------------------------------|
-| [Review site discovery](upgrade-analytics-review-site-discovery.md)         | Site discovery requires the [July 2016 security update for Internet Explorer](https://support.microsoft.com/en-us/kb/3170106) (KB3170106) or later.  |
+| [Review site discovery](upgrade-analytics-review-site-discovery.md)         | Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update.  |
 
 
 ### Automate data collection

windows/deploy/upgrade-analytics-review-site-discovery.md

@@ -15,7 +15,7 @@ This section of the Upgrade Analytics workflow provides an inventory of web site
 
 Ensure the following prerequisites are met before using site discovery:
 
-1. Install the latest Internet Explorer 11 Cumulative Update. This update provides the capability for site discovery and is available in the [July 2016 cumulative update](https://support.microsoft.com/kb/3170106) and later.
+1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. 
 2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
 3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script) to allow Internet Explorer data collection before you run it. 
 

windows/keep-secure/change-history-for-keep-windows-10-secure.md

@@ -16,6 +16,8 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
 
 | New or changed topic | Description |
 | --- | --- |
+|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about the icon overlay option. This icon now only appears on corporate files in the Save As and File Explore views. |
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added content about using ActiveX controls.|
 |[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |New |
 |[VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
 

windows/keep-secure/create-wip-policy-using-intune.md

@@ -457,11 +457,11 @@ After you've decided where your protected apps can access enterprise data on you
 
 	    - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
 
-    - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files or in the **Start** menu, on top of the tiles for your unenlightened protected apps. The options are:
+    - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explore views. The options are:
 
-    	- **Yes (recommended).** Allows the Windows Information Protection icon overlay to appear for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
+    	- **Yes (recommended).** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explore views.
 
-	    - **No, or not configured.** Stops the Windows Information Protection icon overlay from appearing for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
+	    - **No, or not configured.** Stops the Windows Information Protection icon overlay from appearing on corporate files in the Save As and File Explore views.
 
 2. Click **Save Policy**.
 

windows/keep-secure/create-wip-policy-using-sccm.md

@@ -443,7 +443,7 @@ There are no default locations included with WIP, you must add each of your netw
 
         - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
 
-        - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
+        - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explore views.
 
 5.	In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
     

windows/keep-secure/limitations-with-wip.md

@@ -71,7 +71,12 @@ This table provides info about the most common problems you might encounter whil
     </tr>
     <tr>
         <td>You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td>
-        <td>A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.</td>
-        <td>Open File Explorer and change the file ownership to **Personal** before you upload.</td>
+        <td>A message appears stating that the content is marked as <strong>Work</strong> and the user isn't given an option to override to <strong>Personal</strong>.</td>
+        <td>Open File Explorer and change the file ownership to <strong>Personal</strong> before you upload.</td>
+    </tr>
+    <tr>
+        <td>ActiveX controls should be used with caution.</td>
+        <td>Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.</td>
+        <td>We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.<p>For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).</td>
     </tr>
 </table>                 

windows/keep-secure/windows-security-baselines.md

@@ -11,6 +11,11 @@ author: brianlic-msft
 
 # Windows security baselines
 
+**Applies to**
+
+- Windows 10
+- Windows Server 2012 R2
+	
 Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
 
 We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
@@ -54,7 +59,6 @@ To help faster deployments and increase the ease of managing Windows, Microsoft
  -  [Windows 10, Version 1511 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799381)
  -  [Windows 10, Version 1507 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799380)
 
-
 ### Windows Server security baselines
 
  -  [Windows Server 2012 R2 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799382)

windows/manage/TOC.md

@@ -17,7 +17,9 @@
 #### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
 ### [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
 ### [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+### [Manage device restarts after updates](waas-restart.md)
 ## [Manage corporate devices](manage-corporate-devices.md)
+### [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
 ### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
 ### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
 ### [New policies for Windows 10](new-policies-for-windows-10.md)

windows/manage/change-history-for-manage-and-update-windows-10.md

@@ -16,8 +16,10 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
 
 | New or changed topic | Description |
 | --- | --- |
+| [Manage device restarts after updates](waas-restart.md) | New |
 | [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. |
-| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. |
+| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. |
+
 
 ## September 2016
 

windows/manage/join-windows-10-mobile-to-azure-active-directory.md

@@ -81,9 +81,9 @@ An added work account provides the same SSO experience in browser apps like Offi
 
     An MDM service is required for managing Azure AD-joined devices. You can use MDM to push settings to devices, as well as application and certificates used by VPN, Wi-Fi, etc. Azure AD Premium or [Enterprise Mobility Suite (EMS)](https://go.microsoft.com/fwlink/p/?LinkID=723984) licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM. [Learn more about setting up your Azure AD tenant for MDM auto-enrollment.](https://go.microsoft.com/fwlink/p/?LinkID=691615)
 
--   **Microsoft Passport**
+-   **Windows Hello**
 
-    Creating a Microsoft Passport (PIN) is required on Windows 10 Mobile by default and cannot be disabled. [You can control Microsoft Passport policies](https://go.microsoft.com/fwlink/p/?LinkId=735079) using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Windows Hello (biometrics such as fingerprint or iris) can be used for Passport authentication. Creating a Microsoft Passport requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Microsoft Passport for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004)
+    Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policiesusing controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004)
 
 -   **Conditional access**
 

windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -92,7 +92,7 @@ See the following table for a summary of the management settings for Windows 10
 |     [16.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | |
 | [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |
 | [18. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |
-| [19. Teredo](#bkmk-teredo) | | | | | ![Check mark](images/checkmark.png) |
+| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) |
 | [20. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
 | [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [22. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) |
@@ -121,7 +121,7 @@ See the following table for a summary of the management settings for Windows Ser
 | [16. Settings > Privacy](#bkmk-settingssection) | | | | |
 |     [16.1 General](#bkmk-priv-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | | |
-| [19. Teredo](#bkmk-teredo) | | | | ![Check mark](images/checkmark.png) |
+| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) |
 | [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [22. Windows Media Player](#bkmk-wmp) | | | | ![Check mark](images/checkmark.png) |
 | [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | |
@@ -138,7 +138,7 @@ See the following table for a summary of the management settings for Windows Ser
 | [5. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [12. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | |
 | [17. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | |
-| [19. Teredo](#bkmk-teredo) | | | ![Check mark](images/checkmark.png) |
+| [19. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) |
 | [21. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 
@@ -1115,7 +1115,14 @@ To turn off Messaging cloud sync:
 
 ### <a href="" id="bkmk-teredo"></a>19. Teredo
 
-You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
+You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
+
+>[!NOTE]  
+>If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work.
+
+-   Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** &gt; **TCPIP Settings** &gt; **IPv6 Transition Technologies** &gt; **Set Teredo State** and set it to **Disabled State**.
+
+    -or-
 
 -   From an elevated command prompt, run **netsh interface teredo set state disabled**
 

windows/manage/manage-windows-10-in-your-organization-modern-management.md

@@ -0,0 +1,121 @@
+---
+title: Manage Windows 10 in your organization - transitioning to modern management
+description: This topic offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
+keywords: ["MDM", "device management", "group policy", "Azure Active Directory"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: devices
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Manage Windows 10 in your organization - transitioning to modern management
+
+Use of personal devices for work, as well as employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
+
+Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist.
+
+Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as System Center Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
+
+This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
+
+-   [Deployment and Provisioning](#deployment-and-provisioning)
+
+-   [Identity and Authentication](#identity-and-authentication)
+
+-   [Configuration](#settings-and-configuration)
+
+-   [Updating and Servicing](#updating-and-servicing)
+
+## Reviewing the management options with Windows 10
+
+Windows 10 offers a range of management options, as shown in the following diagram:
+
+<img src="images/windows-10-management-range-of-options.png" alt="The path to modern IT" width="766" height="654" />
+
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Rights Management Service, Office 365, and the Windows Store for Business.
+
+## Deployment and Provisioning
+
+With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can:
+
+<!-- The phrase "Windows Imaging and Configuration Designer (ICD)" below might need to be changed to "Windows Configuration Designer" -->
+
+-   Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like Microsoft Intune.
+
+-   Create self-contained provisioning packages built with the Windows Imaging and Configuration Designer (ICD).
+
+-   Use traditional imaging techniques such as deploying custom images using System Center Configuration Manager.
+
+You have multiple options for upgrading to Windows 10. For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
+
+## Identity and Authentication
+
+You can use Windows 10 and services like Azure Active Directory in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
+
+You can envision user and device management as falling into these two categories:
+
+-   **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
+
+-   For corporate devices, they can set up corporate access with Azure AD Join. When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://blogs.technet.microsoft.com/ad/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/), all from the cloud.
+    Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
+
+-   Likewise, for personal devices, employees can use a new, simplified BYOD experience to add their work account to Windows, then access work resources on the device.
+
+-   **Domain joined PCs and tablets used for traditional applications and access to important resources.** These may be traditional applications and resources that require authentication or accessing highly sensitive or classified resources on-premises.
+    With Windows 10, if you have an on-premises Active Directory domain that’s integrated with Azure AD, when employee devices are joined, they automatically register with Azure AD. This provides:
+
+    -   Single sign-on to cloud and on-premises resources from everywhere
+
+    -   Enterprise roaming of settings
+
+    -   Conditional access to corporate resources based on the health or configuration of the device
+
+    -   Windows Hello for Business
+
+    -   Windows Hello
+
+    Domain joined PCs and tablets can continue to be managed with the System Center Configuration Manager client or Group Policy.
+
+For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-windows10-devices/).
+
+As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
+
+![Decision tree for device authentication options](images/windows-10-management-cyod-byod-flow.png)
+
+## Settings and Configuration
+
+Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. 
+
+**MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. This makes MDM the best choice for devices that are constantly on the go.
+
+**Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings, or very specific Windows Firewall rules. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices:
+
+-   Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
+
+-   Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
+
+You can use the following generalized decision tree to review the management choices for devices in your organization:
+
+![Decision tree for device configuration options](images/windows-10-management-gp-intune-flow.png)
+
+## Updating and Servicing
+
+With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes.
+
+MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
+
+## Next steps
+
+There are a variety of steps you can take to begin the process of modernizing device management in your organization:
+
+-   **Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate.
+
+-   **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
+
+-   **Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
+
+-   **Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability.
+
+-   **Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. As additional capabilities become available in the cloud-identity/MDM model, Microsoft is committed to providing a clear path from traditional to modern management.

windows/manage/uev-upgrade-uev-from-previous-releases.md

@@ -19,9 +19,11 @@ If you’re already using UE-V 2.x and you’re planning to upgrade user devices
 
 2.	Verify that UE-V settings were migrated correctly.
 
-3.	Enable the UE-V service on user devices.
+3.  Set the template storage path to your current template store.
 
-4.	Install the UE-V template generator if you want to synchronize application settings for custom applications.
+4.	Enable the UE-V service on user devices.
+
+5.	Install the UE-V template generator if you want to synchronize application settings for custom applications.
 
 > **Important**  You can upgrade your existing UE-V installation to Windows 10, version 1607 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you’ll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10, version 1607..   
 
@@ -49,7 +51,11 @@ After upgrading a user device to Windows 10, version 1607, it’s important to v
 
 2.	Navigate to **HKEY_LOCAL_MACHINE\Software\Microsoft\UEV\Agent\Configuration.**
 
-3.	Verify that the settings storage path and the settings template catalog path are pointing to the same locations as before you upgraded the device to Windows 10. 
+3.	Verify that the settings storage path and the settings template catalog path are pointing to the same locations as before you upgraded the device to Windows 10.
+
+## Set the template storage path to your current template store
+
+Template Settings Storage Path will not automatically migrate. Run Set-UEVConfiguration in PowerShell or use the settings storage path Group Policy to configure and point to your current settings storage folder.
 
 ## Enable the UE-V service on user devices
 

windows/manage/waas-branchcache.md

@@ -64,3 +64,4 @@ In addition to these steps, there is one requirement for WSUS to be able to use
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
 - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
 - [Manage Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)

windows/manage/waas-configure-wufb.md

@@ -215,4 +215,5 @@ Enabling allows user to set deferral periods for upgrades and updates.  It also
 - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
 - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)

windows/manage/waas-delivery-optimization.md

@@ -225,7 +225,7 @@ To specify which devices are preferred, you can set the **Max Cache Age** config
 
 On devices that are not preferred, you can choose to set the following policy to prioritize data coming from local peers instead of the Internet:
 
--  Set **DOBackgroundQoS** with a low value, for example `65536` which is the equivalent of 64 KB/s.
+-  Set **DOMinBackgroundQoS** with a low value, for example `65536` which is the equivalent of 64 KB/s.
 
 ## Learn more
 
@@ -249,3 +249,4 @@ On devices that are not preferred, you can choose to set the following policy to
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
 - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
 - [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)

windows/manage/waas-deployment-rings-windows-10-updates.md

@@ -73,4 +73,5 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
 - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage device restarts after updates](waas-restart.md)
 

windows/manage/waas-integrate-wufb.md

@@ -106,4 +106,5 @@ For Windows 10, version 1607, organizations already managing their systems with
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
 - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
 - [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
 

windows/manage/waas-manage-updates-configuration-manager.md

@@ -404,3 +404,4 @@ or Manage Windows 10 updates using System Center Configuration Manager (this top
 - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
 - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage device restarts after updates](waas-restart.md)

windows/manage/waas-manage-updates-wsus.md

@@ -348,4 +348,5 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
 - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)

windows/manage/waas-manage-updates-wufb.md

@@ -132,5 +132,6 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
 - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
 - [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
 
 

windows/manage/waas-mobile-updates.md

@@ -75,6 +75,7 @@ If a device running Windows 10 Mobile Enterprise, version 1511, has Windows Upda
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
 - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
 - [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
 
 
 

windows/manage/waas-optimize-windows-10-updates.md

@@ -70,5 +70,6 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
 - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage device restarts after updates](waas-restart.md)
 
 

windows/manage/waas-overview.md

@@ -177,6 +177,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
 - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage device restarts after updates](waas-restart.md)