diff --git a/.gitignore b/.gitignore index 643bf6e6c0..b674ff367c 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,11 @@ _site/ Tools/NuGet/ .optemp/ + .openpublishing.build.mdproj .openpublishing.buildcore.ps1 -packages.config \ No newline at end of file +packages.config +windows/keep-secure/index.md + +# User-specific files +.vs/ \ No newline at end of file diff --git a/.localization-config b/.localization-config deleted file mode 100644 index c24369eb99..0000000000 --- a/.localization-config +++ /dev/null @@ -1,8 +0,0 @@ -{ - "locales": [ "zh-cn" ], - "files": ["!/*.md", "**/**/*.md", "**/*.md"], - "includeDependencies": true, - "autoPush": true, - "xliffVersion": "2.0", - "useJavascriptMarkdownTransformer": true -} diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 469c22cfdc..2358d61c40 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json 
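Review bot: The new `windows/keep-secure/index.md` entry ignores a path that sits inside the windows docset's authored content; if that file is already tracked the entry has no effect, and if it is produced by the build that intent should be recorded above it, e.g. `# generated at build time; do not commit`. The `# User-specific files` group adds only `.vs/`, yet this same commit checks in `browsers/internet-explorer/ie11-deploy-guide/.vscode/settings.json`, which is the same kind of editor-local preference; adding `.vscode/` here alongside `.vs/`, or dropping that settings file from the commit, would keep the two consistent. Whether index.md is generated or hand-authored cannot be told from this diff.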
@@ -1,78 +1,107 @@
 {
- "build_entry_point": "",
- "git_repository_url_open_to_public_contributors": "",
- "docsets_to_publish": [
- {
- "docset_name": "microsoft-edge",
- "build_output_subfolder": "browsers/edge",
- "locale": "en-us",
- "version": 0,
- "open_to_public_contributors": "false",
- "type_mapping": {
- "Conceptual": "Content"
- }
- },
- {
- "docset_name": "internet-explorer",
- "build_output_subfolder": "browsers/internet-explorer",
- "locale": "en-us",
- "version": 0,
- "open_to_public_contributors": "false",
- "type_mapping": {
- "Conceptual": "Content"
- }
- },
- {
- "docset_name": "windows",
- "build_output_subfolder": "windows",
- "locale": "en-us",
- "version": 0,
- "open_to_public_contributors": "false",
- "type_mapping": {
- "Conceptual": "Content"
- }
- },
- {
- "docset_name": "surface",
- "build_output_subfolder": "devices/surface",
- "locale": "en-us",
- "version": 0,
- "open_to_public_contributors": "false",
- "type_mapping": {
- "Conceptual": "Content"
- }
- },
- {
- "docset_name": "surface-hub",
- "build_output_subfolder": "devices/surface-hub",
- "locale": "en-us",
- "version": 0,
- "open_to_public_contributors": "false",
- "type_mapping": {
- "Conceptual": "Content"
- }
- },
- {
- "docset_name": "mdop",
- "build_output_subfolder": "mdop",
- "locale": "en-us",
- "version": 0,
- "open_to_public_contributors": "false",
- "type_mapping": {
- "Conceptual": "Content"
- }
- },
- {
- "docset_name": "education",
- "build_output_subfolder": "education",
- "locale": "en-us",
- "version": 0,
- "open_to_public_contributors": "false",
- "type_mapping": {
- "Conceptual": "Content"
- }
- }
- ],
- "notification_subscribers": ["brianlic@microsoft.com"],
- "branches_to_filter": [""]
+ "build_entry_point": "",
+ "need_generate_pdf": false,
+ "need_generate_intellisense": false,
+ "docsets_to_publish": [
+ {
+ "docset_name": "education",
+ "build_source_folder": "education",
+ "build_output_subfolder": "education",
+ "locale": "en-us",
+ "version": 0,
+ 
"open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content"
+ }
+ },
+ {
+ "docset_name": "internet-explorer",
+ "build_source_folder": "browsers/internet-explorer",
+ "build_output_subfolder": "browsers/internet-explorer",
+ "locale": "en-us",
+ "version": 0,
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content"
+ }
+ },
+ {
+ "docset_name": "itpro-hololens",
+ "build_source_folder": "devices/hololens",
+ "build_output_subfolder": "devices/hololens",
+ "locale": "en-us",
+ "version": 0,
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "op"
+ },
+ {
+ "docset_name": "mdop",
+ "build_source_folder": "mdop",
+ "build_output_subfolder": "mdop",
+ "locale": "en-us",
+ "version": 0,
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content"
+ }
+ },
+ {
+ "docset_name": "microsoft-edge",
+ "build_source_folder": "browsers/edge",
+ "build_output_subfolder": "browsers/edge",
+ "locale": "en-us",
+ "version": 0,
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content"
+ }
+ },
+ {
+ "docset_name": "surface",
+ "build_source_folder": "devices/surface",
+ "build_output_subfolder": "devices/surface",
+ "locale": "en-us",
+ "version": 0,
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content"
+ }
+ },
+ {
+ "docset_name": "surface-hub",
+ "build_source_folder": "devices/surface-hub",
+ "build_output_subfolder": "devices/surface-hub",
+ "locale": "en-us",
+ "version": 0,
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content"
+ }
+ },
+ {
+ "docset_name": "windows",
+ "build_source_folder": "windows",
+ "build_output_subfolder": "windows",
+ "locale": "en-us",
+ "version": 0,
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content"
+ }
+ }
+ ],
+ 
"notification_subscribers": [ + "brianlic@microsoft.com" + ], + "branches_to_filter": [ + "" + ], + "git_repository_url_open_to_public_contributors": "", + "skip_source_output_uploading": false, + "dependent_repositories": [] } diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md index ab4caaef1d..c15b35774b 100644 --- a/browsers/edge/Index.md +++ b/browsers/edge/Index.md @@ -12,9 +12,8 @@ title: Microsoft Edge - Deployment Guide for IT Pros (Microsoft Edge for IT Pros **Applies to:** -- Windows 10 -- Windows 10 Mobile - +- Windows 10 +- Windows 10 Mobile Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities. @@ -26,6 +25,7 @@ Microsoft Edge lets you stay up-to-date through the Windows Store and to manage | Topic | Description | | -----------------------| ----------------------------------- | |[Change history for Microsoft Edge](change-history-for-microsoft-edge.md) |Lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile. | +|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Guidance about how to use both Microsoft Edge and Internet Explorer 11 in your enterprise.| | [Microsoft Edge requirements and language support](hardware-and-software-requirements.md) | Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.| | [Available policies for Microsoft Edge](available-policies.md) | Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings.
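Review bot: `notification_subscribers` on the new side still carries an individual mailbox, `brianlic@microsoft.com`, in a build configuration that is checked into the repository; a team alias would survive staffing changes and keeps a personal address out of version control. The `itpro-hololens` docset is the only entry that sets a per-docset `"build_entry_point": "op"` while the top-level `build_entry_point` stays `""`, so either the per-docset key overrides the global one and the other seven docsets silently rely on the empty default, or the value is ignored; JSON allows no inline comment, so the README or commit message should state which it is. The change of `open_to_public_contributors` from the string `"false"` to the boolean `false` is applied consistently across all eight entries, which is good.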

Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. | | [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) | If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.

Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. | diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md index df9d4246da..fb5ad0c6f2 100644 --- a/browsers/edge/TOC.md +++ b/browsers/edge/TOC.md @@ -1,5 +1,6 @@ #[Microsoft Edge - Deployment Guide for IT Pros](index.md) ##[Change history for Microsoft Edge](change-history-for-microsoft-edge.md) +##[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) ##[Microsoft Edge requirements and language support](hardware-and-software-requirements.md) ##[Available policies for Microsoft Edge](available-policies.md) ##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index c56c47624b..22c69f91b8 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -6,16 +6,15 @@ ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library title: Available policies for Microsoft Edge (Microsoft Edge for IT Pros) +localizationpriority: high --- # Available policies for Microsoft Edge **Applies to:** -- Windows 10 Insider Preview -- Windows 10 Mobile - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] +- Windows 10 +- Windows 10 Mobile Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. 
diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index f10af1201c..61e8ba0de9 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -9,7 +9,19 @@ ms.sitesec: library # Change history for Microsoft Edge This topic lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile. -For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/en-us/microsoft-edge/platform/changelog/). +For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/). + +## July 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). | + +## July 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) | Content moved from What's New section. | +|[Available policies for Microsoft Edge](available-policies.md) |Updated | + ## June 2016 |New or changed topic | Description | diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index adb462310e..1a8c85b533 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md 
@@ -7,13 +7,14 @@ ms.mktglfcycl: support ms.sitesec: library ms.pagetype: appcompat title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros) +localizationpriority: high --- # Use Enterprise Mode to improve compatibility **Applies to:** -- Windows 10 +- Windows 10 If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md new file mode 100644 index 0000000000..436053d3ec --- /dev/null +++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md 
@@ -0,0 +1,52 @@ +--- +title: Microsoft Edge and Internet Explorer 11 (Microsoft Edge for IT Pros) +description: Enterprise guidance for using Microsoft Edge and Internet Explorer 11. +ms.assetid: 3c5bc4c4-1060-499e-9905-2504ea6dc6aa +author: eross-msft +ms.prod: edge +ms.mktglfcycl: support +ms.sitesec: library +ms.pagetype: appcompat +localizationpriority: high +--- + +# Browser: Microsoft Edge and Internet Explorer 11 +**Microsoft Edge content applies to:** + +- Windows 10 +- Windows 10 Mobile + +**Internet Explorer 11 content applies to:** + +- Windows 10 + +## Enterprise guidance +Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956). + +We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. + +### Microsoft Edge +Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. + +- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages. +- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing. +- **Cortana.** Cortana is automatically enabled on Microsoft Edge. 
Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage. +- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. + +### IE11 +IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. + +- **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE. +- **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps. +- **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk. +- **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering. +- **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices. +- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control. 
+ +## Related topics +- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx) +- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie) +- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index) +- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index) +- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index) +- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11) diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md index e7467694cc..2c56db269a 100644 --- a/browsers/edge/hardware-and-software-requirements.md +++ b/browsers/edge/hardware-and-software-requirements.md @@ -7,18 +7,21 @@ ms.mktglfcycl: support ms.sitesec: library ms.pagetype: appcompat title: Microsoft Edge requirements and language support (Microsoft Edge for IT Pros) +localizationpriority: high --- # Microsoft Edge requirements and language support **Applies to:** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 10 Mobile Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. +>**Note**
The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. + ## Minimum system requirements Some of the components in this table might also need additional system resources. Check the component's documentation for more information. diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md index 9db29bd47d..17ac7d1722 100644 --- a/browsers/edge/security-enhancements-microsoft-edge.md +++ b/browsers/edge/security-enhancements-microsoft-edge.md @@ -5,9 +5,16 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) +localizationpriority: high --- # Security enhancements for Microsoft Edge + +**Applies to:** + +- Windows 10 +- Windows 10 Mobile + Microsoft Edge is designed with significant security improvements, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. ## Help to protect against web-based security threats 
@@ -43,15 +50,15 @@ Microsoft Edge has a new rendering engine, Microsoft EdgeHTML, which is focused The Microsoft EdgeHTML engine also helps to defend against hacking through these new security standards features: -- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks. +- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks. -- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured. +- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured. **Note**
Both Microsoft Edge and Internet Explorer 11 support HSTS. #### All web content runs in an app container sandbox -Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/en-US/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins. +Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins. Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Windows 8 app container technology, providing a stronger sandbox by adding deny-by-default and no-read-up semantics. EPM was turned on by default in the Windows 8 and Windows 8.1 immersive browser, but was optional on the Internet Explorer 10 and Internet Explorer 11 desktop versions. 
@@ -68,10 +75,10 @@ The value of running 64-bit all the time is that it strengthens Windows Address #### New extension model and HTML5 support Back in 1996, we introduced ActiveX for web browser extensions in an attempt to let 3rd parties experiment with various forms of alternate content on the web. However, we quickly learned that browser extensions can come at a cost of security and reliability. For example, binary extensions can bring code and data into the browser’s processes without any protection, meaning that if anything goes wrong, the entire browser itself can be compromised or go down. -Based on that learning, we’ve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/en-us/microsoft-edge/extensions/). +Based on that learning, we’ve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). #### Reduced attack surfaces -In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/en-us/library/jj676915.aspx). Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that it’s not as backward compatible. 
+In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that it’s not as backward compatible. Because of the reduced backward compatibility, we’ve given Microsoft Edge the ability to automatically fall back to Internet Explorer 11, using the Enterprise Mode Site List, for any apps that need backward compatibility. diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md index 440e179791..b0ec9a4b4f 100644 --- a/browsers/internet-explorer/TOC.md +++ b/browsers/internet-explorer/TOC.md @@ -1,4 +1,5 @@ #[IE11 Deployment Guide for IT Pros](ie11-deploy-guide/index.md) +##[Change history for the Internet Explorer 11 (IE11) Deployment Guide](ie11-deploy-guide/change-history-for-internet-explorer-11.md) ##[System requirements and language support for Internet Explorer 11](ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md) ##[List of updated features and tools - Internet Explorer 11 (IE11)](ie11-deploy-guide/updated-features-and-tools-with-ie11.md) ##[Install and Deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/install-and-deploy-ie11.md) 
@@ -143,4 +144,5 @@
 ###[Use the URL .INS file to use an auto-configured proxy server](ie11-ieak/url-ins-file-setting.md)
 ##[IExpress Wizard for Windows Server 2008 R2 with SP1](ie11-ieak/iexpress-wizard-for-win-server.md)
 ###[IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md)
-###[Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md)
\ No newline at end of file
+###[Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md)
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/.vscode/settings.json b/browsers/internet-explorer/ie11-deploy-guide/.vscode/settings.json
new file mode 100644
index 0000000000..d6332e1831
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/.vscode/settings.json
@@ -0,0 +1,5 @@
+// Place your settings in this file to overwrite default and user settings.
+{
+ "editor.snippetSuggestions": "none",
+ "editor.quickSuggestions": false
+}
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
index 76fc4cad35..816aad03bb 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: How to use Group Policy to install ActiveX controls. -ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3 title: ActiveX installation using group policy (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Group Policy and ActiveX installation ActiveX controls are installed and invoked using the HTML object tag with the CODEBASE attribute. This attribute, through a URL, makes Internet Explorer: diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md index 2a371e334b..99717bb268 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager. -ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index db61a49c80..886cbed096 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2). -ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md index bb761657fb..6ae191787f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md index 7ae8e40626..6f22bf4dfc 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md index 35311869b0..1774c25fd3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Administrative templates and Internet Explorer 11 -ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3 title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Administrative templates and Internet Explorer 11 Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including: @@ -72,4 +74,5 @@ Regardless which tool you're using to edit your Group Policy settings, you'll ne ## Related topics - [Administrative templates (.admx) for Windows 10 download](http://go.microsoft.com/fwlink/p/?LinkId=746579) -- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](http://go.microsoft.com/fwlink/p/?LinkId=746580) \ No newline at end of file +- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](http://go.microsoft.com/fwlink/p/?LinkId=746580) + diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md index 128ec70d49..ede7f497c1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: networking description: Auto configuration and auto proxy problems with Internet Explorer 11 -ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: networking +ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938 title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Auto configuration and auto proxy problems with Internet Explorer 11 You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11. diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md index b2219c09cc..9a5efa2a85 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: networking description: Auto configuration settings for Internet Explorer 11 -ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: networking +ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023 title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Auto configuration settings for Internet Explorer 11 Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2. For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).

**Important**
You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md index 4705ca8638..4844421fea 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md @@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: networking description: Auto detect settings Internet Explorer 11 -ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: networking +ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Auto detect settings Internet Explorer 11 After you specify the specific settings related to automatic detection on your Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, you can set up your users' browser settings from a central location. diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md index b4de4ac246..3e63de28b0 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: networking description: Auto proxy configuration settings for Internet Explorer 11 -ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: networking +ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e title: Auto proxy configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Auto proxy configuration settings for Internet Explorer 11 Configure and maintain your proxy settings, like pointing your users' browsers to your automatic proxy script, through the Internet Explorer Customization Wizard 11 running on either Windows 8.1 or Windows Server 2012 R2. diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md index 00ff5c0914..00c6e38225 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md +++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: performance description: Browser cache changes and roaming profiles -ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: performance +ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436 title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Browser cache changes and roaming profiles We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity. diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md index 90e7030ed4..b1243f0790 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md 
@@ -1,16 +1,34 @@ --- -title: Change history for Internet Explorer 11 (Internet Explorer 11 for IT Pros) -description: This topic lists new and updated topics in the Internet Explorer 11 documentation for Windows 10 and Windows 10 Mobile. -ms.prod: ie11 +localizationpriority: low +title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) +description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile. ms.mktglfcycl: deploy +ms.prod: ie11 ms.sitesec: library --- + # Change history for Internet Explorer 11 This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. -## May 2016 - +## August 2016 |New or changed topic | Description | |----------------------|-------------| -|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. | \ No newline at end of file +[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. | + +## July 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. | + +## June 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. 
| + + +## May 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. | + diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md index 0428d2e62b..846ede6863 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md +++ b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md @@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. -ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Check for a new Enterprise Mode site list xml file **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md index 1ad3d887f4..ccf72489f1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Choose how to deploy Internet Explorer 11 (IE11) -ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Choose how to deploy Internet Explorer 11 (IE11) In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools. diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md index fa044bc3ce..da141bbcc1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Choose how to install Internet Explorer 11 (IE11) -ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481 title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Choose how to install Internet Explorer 11 (IE11) Before you install Internet Explorer 11, you should: diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index a5b982f662..ab5a60cbce 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md 
@@ -1,11 +1,12 @@ --- -description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. -ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 -ms.prod: ie11 +localizationpriority: low ms.mktglfcycl: deploy -ms.sitesec: library +description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. author: eross-msft +ms.prod: ie11 +ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 title: Collect data using Enterprise Site Discovery +ms.sitesec: library --- # Collect data using Enterprise Site Discovery @@ -62,9 +63,50 @@ Data is collected on the configuration characteristics of IE and the sites it br |Number of visits | X | X | X | X |Number of times a site has been visited. | |Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | -

**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. -The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. +>**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. + +### Understanding the returned reason codes +The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection. + +#### DocMode reason +The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.| +|4 |Page is using an X-UA-compatible meta tag. | +|5 |Page is using an X-UA-compatible HTTP header. | +|6 |Page appears on an active **Compatibility View** list. | +|7 |Page is using native XML parsing. | +|9 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. | + +#### Browser state reason +The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. | +|2 |Site appears on an active **Compatibility View** list, created in Group Policy. | +|3 |Site appears on an active **Compatibility View** list, created by the user. | +|4 |Page is using an X-UA-compatible tag. | +|5 |Page state is set by the **Developer** toolbar. | +|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. | +|7 |Site appears on the Microsoft **Compatibility View (CV)** list. | +|8 |Site appears on the **Quirks** list, created in Group Policy. | +|11 |Site is using the default browser. | + +#### Zone +The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|-1 |Internet Explorer is using an invalid zone. | +|0 |Internet Explorer is using the Local machine zone. | +|1 |Internet Explorer is using the Local intranet zone. | +|2 |Internet Explorer is using the Trusted sites zone. | +|3 |Internet Explorer is using the Internet zone. | +|4 |Internet Explorer is using the Restricted sites zone. | ## Where is the data stored and how do I collect it? The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: @@ -76,8 +118,9 @@ The data is stored locally, in an industry-standard WMI class, .MOF file or in a ## WMI Site Discovery suggestions We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company. -On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:
\[250bytes (per site visit) \* 20sites/day\* 30days = (approximately) 150KB \*1000users = (approximately) 150MB\]. -

**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. +On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:

250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB + +>**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. ## Getting ready to use Enterprise Site Discovery Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options: @@ -90,16 +133,17 @@ Before you can start to collect your data, you must run the provided PowerShell ### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. -

**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. -![](images/wedge.gif) **To set up Enterprise Site Discovery** +>**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. + +**To set up Enterprise Site Discovery** - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1`. For more info, see [about Execution Policies](http://go.microsoft.com/fwlink/p/?linkid=517460). ### WMI only: Set up your firewall for WMI data If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps: -![](images/wedge.gif) **To set up your firewall** +**To set up your firewall** 1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. @@ -109,65 +153,107 @@ If you choose to use WMI as your data output, you need to make sure that your WM ## Use PowerShell to finish setting up Enterprise Site Discovery You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery). -

**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. + +>**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. - **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. - **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. - ![](images/wedge.gif) **To set up data collection using a domain allow list** +**To set up data collection using a domain allow list** - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. - **Important**
Wildcards, like \*.microsoft.com, aren’t supported. + >**Important**
Wildcards, like \*.microsoft.com, aren’t supported. - ![](images/wedge.gif) **To set up data collection using a zone allow list** +**To set up data collection using a zone allow list** - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. - **Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. + >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. ## Use Group Policy to finish setting up Enterprise Site Discovery You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery). -

**Note**
 All of the Group Policy settings can be used individually or as a group. - ![](images/wedge.gif) **To set up Enterprise Site Discovery using Group Policy** +>**Note**
 All of the Group Policy settings can be used individually or as a group. + + **To set up Enterprise Site Discovery using Group Policy** - Open your Group Policy editor, and go to these new settings: -|Setting name and location |Description |Options | -|---------------------------|-------------|---------| -|Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |

| -|Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. | | -|Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone

Binary representation: *00010*, based on:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones

Binary representation: *10110*, based on:

1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone | -|Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | + |Setting name and location |Description |Options | + |---------------------------|-------------|---------| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |

| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. | | + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone

Binary representation: *00010*, based on:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones

Binary representation: *10110*, based on:

1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone | + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | ### Combining WMI and XML Group Policy settings -You can use both the WMI and XML settings individually or together, based on: +You can use both the WMI and XML settings individually or together: - ![](images/wedge.gif) **To turn off Enterprise Site Discovery** -

+**To turn off Enterprise Site Discovery** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputBlank
- ![](images/wedge.gif) **To turn on WMI recording only** - +**Turn on WMI recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputBlank
- ![](images/wedge.gif) **To turn on XML recording only** - +**To turn on XML recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputXML file path
- ![](images/wedge.gif) **To turn on both WMI and XML recording** - +**To turn on both WMI and XML recording** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputXML file path
## Use Configuration Manager to collect your data After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: @@ -181,7 +267,7 @@ After you’ve collected your data, you’ll need to get the local files off of ### Collect your hardware inventory using the MOF Editor while connected to a client device You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. - ![](images/wedge.gif) **To collect your inventory** + **To collect your inventory** 1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. @@ -207,7 +293,7 @@ Your environment is now ready to collect your hardware inventory and review the ### Collect your hardware inventory using the MOF Editor with a .MOF import file You can collect your hardware inventory using the MOF Editor and a .MOF import file. - ![](images/wedge.gif) **To collect your inventory** + **To collect your inventory** 1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. 
@@ -221,7 +307,7 @@ Your environment is now ready to collect your hardware inventory and review the ### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. - ![](images/wedge.gif) **To collect your inventory** +**To collect your inventory** 1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory. @@ -289,8 +375,8 @@ You can collect your hardware inventory using the using the Systems Management S }; ``` -3. Save the file and close it to the same location.
-Your environment is now ready to collect your hardware inventory and review the sample reports. +3. Save the file and close it to the same location. + Your environment is now ready to collect your hardware inventory and review the sample reports. ## View the sample reports with your collected data The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. @@ -337,26 +423,27 @@ After the XML files are created, you can use your own solutions to extract and p ``` You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list. - ![](images/wedge.gif) **To add your XML data to your Enterprise Mode site list** +**To add your XML data to your Enterprise Mode site list** 1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. -![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) -2. Go to your XML file to add the included sites to the tool, and then click **Open**.
-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). + ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) + +2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). 3. Click **OK** to close the **Bulk add sites to the list** menu. ## Turn off data collection on your client devices After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off. - ![](images/wedge.gif) **To stop collecting data, using PowerShell** +**To stop collecting data, using PowerShell** -- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1 –IEFeatureOff`.

**Note**
-Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer. +- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1 –IEFeatureOff`. -   - ![](images/wedge.gif) **To stop collecting data, using Group Policy** + >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer. + + +**To stop collecting data, using Group Policy** 1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**. @@ -365,7 +452,7 @@ Turning off data collection only disables the Enterprise Site Discovery feature ### Delete already stored data from client computers You can completely remove the data stored on your employee’s computers. - ![](images/wedge.gif) **To delete all existing data** +**To delete all existing data** - On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands: @@ -377,7 +464,7 @@ You can completely remove the data stored on your employee’s computers. - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'` - ## Related topics +## Related topics * [Enterprise Mode Site List Manager (schema v.2) download](http://go.microsoft.com/fwlink/?LinkId=746562) * [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md)   diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md index 33f573e4ba..1d2df29b8f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Create packages for multiple operating systems or languages -ms.assetid: 44051f9d-63a7-43bf-a427-d0a0a1c717da author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 44051f9d-63a7-43bf-a427-d0a0a1c717da title: Create packages for multiple operating systems or languages (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Create packages for multiple operating systems or languages You'll create multiple versions of your custom browser package if: diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md index b2e068e5f8..59d5f7b349 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Customize Internet Explorer 11 installation packages -ms.assetid: 10a14a09-673b-4f8b-8d12-64036135e7fd author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 10a14a09-673b-4f8b-8d12-64036135e7fd title: Customize Internet Explorer 11 installation packages (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Customize Internet Explorer 11 installation packages You can customize Internet Explorer 11 to support various browser behaviors, multiple operating system versions and languages, and Setup information (.inf) files. diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index ab440a2332..16af47ddd2 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -1,14 +1,16 @@ --- +localizationpriority: low description: Delete a single site from your global Enterprise Mode site list. -title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) -ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a +ms.pagetype: appcompat +ms.mktglfcycl: deploy author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy +ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a +title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) ms.sitesec: library -ms.pagetype: appcompat --- + # Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md index e91b8ce485..846a265850 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md 
@@ -1,12 +1,14 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). -ms.assetid: f51224bd-3371-4551-821d-1d62310e3384 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: f51224bd-3371-4551-821d-1d62310e3384 title: Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md index 9ba9bc1914..cc8ef4ae26 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Deploy Internet Explorer 11 using software distribution tools -ms.assetid: fd027775-651a-41e1-8ec3-d32eca876d8a author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: fd027775-651a-41e1-8ec3-d32eca876d8a title: Deploy Internet Explorer 11 using software distribution tools (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Deploy Internet Explorer 11 using software distribution tools If you already manage software distribution and updates on your network through software distribution tools, you can also use these tools for ongoing deployments of Internet Explorer. Software distribution tools include: 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md index cf0f73e234..bfea483922 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: You can pin websites to the Windows 8.1 taskbar for quick access using the Microsoft Deployment Toolkit (MDT) 2013. -ms.assetid: 24f4dcac-9032-4fe8-bf6d-2d712d61cb0c author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 24f4dcac-9032-4fe8-bf6d-2d712d61cb0c title: Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md index 77ad3c2aea..4b0660cb93 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. -ms.assetid: 00cb1f39-2b20-4d37-9436-62dc03a6320b author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: 00cb1f39-2b20-4d37-9436-62dc03a6320b title: Deprecated document modes and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Deprecated document modes and Internet Explorer 11 **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md index 2df84a765e..602456e9d1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. -ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md index ee46784821..4a7966faaa 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Enable and disable add-ons using administrative templates and group policy -ms.assetid: c6fe1cd3-0bfc-4d23-8016-c9601f674c0b author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: c6fe1cd3-0bfc-4d23-8016-c9601f674c0b title: Enable and disable add-ons using administrative templates and group policy (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Enable and disable add-ons using administrative templates and group policy Add-ons let your employees personalize Internet Explorer. You can manage IE add-ons using Group Policy and Group Policy templates. diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md index 9d30f3ba62..0e467ceb7e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Enhanced Protected Mode problems with Internet Explorer -ms.assetid: 15890ad1-733d-4f7e-a318-10399b389f45 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: 15890ad1-733d-4f7e-a318-10399b389f45 title: Enhanced Protected Mode problems with Internet Explorer (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Enhanced Protected Mode problems with Internet Explorer Enhanced Protected Mode further restricts Protected Mode to deny potential attackers access to sensitive or personal information. If this feature is turned on, users might start to see errors asking them to turn it off, like **This webpage wants to run "npctrl.dll. If you trust this site, you can disable Enhanced Protected Mode for this site to run the control**. If your users click the **Disable** box, Enhanced Protected Mode is turned off for only the single visit to that specific site. After the user leaves the site, Enhanced Protected Mode is automatically turned back on. diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md index 50970689b7..1624192493 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. -ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e title: Enterprise Mode for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Enterprise Mode for Internet Explorer 11 **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index 1e91d25a85..0530962b03 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md @@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update. -ms.assetid: 17c61547-82e3-48f2-908d-137a71938823 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: 17c61547-82e3-48f2-908d-137a71938823 title: Enterprise Mode schema v.1 guidance (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Enterprise Mode schema v.1 guidance **Applies to:** @@ -281,4 +283,5 @@ If you want to target specific sites in your organization.

  • contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.
  • - \ No newline at end of file + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 88ee4fb670..1379a67bf3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10. -ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5 title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Enterprise Mode schema v.2 guidance **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md index 36e9f65461..0e139e5c9e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. -ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Export your Enterprise Mode site list from the Enterprise Mode Site List Manager **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md index 4e146ead03..7fec74ed4e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. -ms.assetid: 4b21bb27-aeac-407f-ae58-ab4c6db2baf6 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: 4b21bb27-aeac-407f-ae58-ab4c6db2baf6 title: Fix web compatibility issues using document modes and the Enterprise Mode site list (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Fix web compatibility issues using document modes and the Enterprise Mode site list The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. This addition to the site list is a continuation of our commitment to help you upgrade and stay up-to-date on the latest version of Internet Explorer, while still preserving your investments in existing apps. diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md index 60d261f86c..bbe1126304 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list. -ms.assetid: 9f80e39f-dcf1-4124-8931-131357f31d67 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: 9f80e39f-dcf1-4124-8931-131357f31d67 title: Fix validation problems using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Fix validation problems using the Enterprise Mode Site List Manager **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md index 699ac6b08f..c790100b59 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Overview about Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 -ms.assetid: 63a7ef4a-6de2-4d08-aaba-0479131e3406 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: 63a7ef4a-6de2-4d08-aaba-0479131e3406 title: Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 Advanced Group Policy Management (AGPM) is an add-on license that available for the Microsoft Desktop Optimization Pack (MDOP). This license gives you change control and a role assignment-model that helps optimize Group Policy management and reduce the risk of widespread failures. diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md index 93e3fc0b99..f084039195 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Overview about Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 -ms.assetid: ae3d227d-3da7-46b8-8a61-c71bfeae0c63 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: ae3d227d-3da7-46b8-8a61-c71bfeae0c63 title: Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 A Microsoft Management Console (MMC)-based tool that uses scriptable interfaces to manage Group Policy. The 32-bit and 64-bit versions are included with Windows Server R2 with Service Pack 1 (SP1) and Windows Server 2012 R2. diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md index ec32390c66..c7f5e51beb 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md @@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer. -ms.assetid: 50383d3f-9ac9-4a30-8852-354b6eb9434a author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: 50383d3f-9ac9-4a30-8852-354b6eb9434a title: Group Policy and Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Group Policy and Internet Explorer 11 (IE11) **Applies to:** 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md index fa923d9b37..82b8c15411 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md @@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 -ms.assetid: 6fc30e91-efac-4ba5-9ee2-fa77dcd36467 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: 6fc30e91-efac-4ba5-9ee2-fa77dcd36467 title: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Group Policy, the Local Group Policy Editor, and Internet Explorer 11 A Microsoft Management Console (MMC)-based tool that manages both computer and user-related configurations for an individual computer policy. This tool is included with Windows® 7 Service Pack 1 (SP1) and Windows 8.1. diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md index 35078a3e90..763f3e3eec 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Group Policy suggestions for compatibility with Internet Explorer 11 -ms.assetid: 7482c99f-5d79-4344-9e1c-aea9f0a68e18 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: 7482c99f-5d79-4344-9e1c-aea9f0a68e18 title: Group Policy and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Group Policy and compatibility with Internet Explorer 11 Internet Explorer 11 has many Group Policy entries that can be configured for keeping your environment managed and safe. This table includes all of our recommendations around security, performance, and compatibility with the previous versions of Internet Explorer, regardless of which Zone the website is in. diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md index 10f870a052..fe85ee8a60 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Overview of the available Group Policy management tools -ms.assetid: e33bbfeb-6b80-4e71-8bba-1d0369a87312 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: e33bbfeb-6b80-4e71-8bba-1d0369a87312 title: Group Policy management tools (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Group Policy management tools Group Policy, based on Microsoft Active Directory Domain Services (AD DS), lets you manage your organization's computer and user settings as part of your Group Policy objects (GPOs), which are added and changed in the Group Policy Management Console (GPMC). GPOs can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. The most effective way to target a specific GPO is to use Windows Management Instrumentation (WMI) filters. Like, creating a WMI filter that applies a GPO only to computers with a specific make and model. diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md index 1cb342649a..7a83784eb4 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Info about Group Policy preferences versus Group Policy settings -ms.assetid: f2264c97-7f09-4f28-bb5c-58ab80dcc6ee author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: f2264c97-7f09-4f28-bb5c-58ab80dcc6ee title: Group policy preferences and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Group policy preferences and Internet Explorer 11 Group Policy preferences are less strict than Group Policy settings, based on: diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md index ab3e07bb1c..eae262566b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md @@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Links to troubleshooting topics and log files that can help address Group Policy problems with Internet Explorer 11. -ms.assetid: 0da0d9a9-200c-46c4-96be-630e82de017b author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: 0da0d9a9-200c-46c4-96be-630e82de017b title: Group Policy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Group Policy problems with Internet Explorer 11 If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](http://go.microsoft.com/fwlink/p/?LinkId=279872). 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md index 932f43f074..c22a9b343e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md @@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Instructions about how to create and configure shortcut preference extensions to file system objects, URLs, and shell objects. -ms.assetid: c6fbf990-13e4-4be7-9f08-5bdd43179b3b author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: c6fbf990-13e4-4be7-9f08-5bdd43179b3b title: Group Policy, Shortcut Extensions, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Group Policy, Shortcut Extensions, and Internet Explorer 11 Group Policy includes the Shortcuts preference extension, which lets you configure shortcuts to: diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md index a3cf84a188..3a4e3a12ec 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Overview about how Group Policy works with Windows Powershell and Internet Explorer 11 -ms.assetid: e3607cde-a498-4e04-9daa-b331412967fc author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: e3607cde-a498-4e04-9daa-b331412967fc title: Group Policy, Windows Powershell, and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Group Policy, Windows Powershell, and Internet Explorer 11 Your domain-joined Group Policy Objects (GPOs) can use any of Group Policy-related “cmdlets” that run within Windows PowerShell. diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md index 78cd0493c7..d75450f2f7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md @@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. -ms.assetid: cacd5d68-700b-4a96-b4c9-ca2c40c1ac5f author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: cacd5d68-700b-4a96-b4c9-ca2c40c1ac5f title: Import your Enterprise Mode site list to the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Import your Enterprise Mode site list to the Enterprise Mode Site List Manager **Applies to:** 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md index 26af9a6794..890a2f44e7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/index.md +++ b/browsers/internet-explorer/ie11-deploy-guide/index.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Use this guide to learn about the several options and processes you'll need to consider while you're planning for, deploying, and customizing Internet Explorer 11 for your employee's devices. -ms.assetid: bddc2d97-c38d-45c5-9588-1f5bbff2e9c3 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: bddc2d97-c38d-45c5-9588-1f5bbff2e9c3 title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Internet Explorer 11 (IE11) - Deployment Guide for IT Pros **Applies to:** @@ -55,4 +57,5 @@ IE11 offers differing experiences in Windows 8.1: ## Related topics - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) -- [Microsoft Edge - Deployment Guide for IT Pros](http://go.microsoft.com/fwlink/p/?LinkId=760643) \ No newline at end of file +- [Microsoft Edge - Deployment Guide for IT Pros](http://go.microsoft.com/fwlink/p/?LinkId=760643) + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md index 34618dbf50..c75819476b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. -ms.assetid: caca18c1-d5c4-4404-84f8-d02bc562915f author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: caca18c1-d5c4-4404-84f8-d02bc562915f title: Install and Deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Install and Deploy Internet Explorer 11 (IE11) **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md index dd1116c424..c14130d8c1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune. -ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616 title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Install Internet Explorer 11 (IE11) using Microsoft Intune Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=301805). 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md index f6560589bc..10ee844152 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to install the Internet Explorer 11 update using Microsoft Deployment Toolkit (MDT) and your Windows images. -ms.assetid: e16f9144-170c-4964-a62d-0d1a16f4cd1f author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: e16f9144-170c-4964-a62d-0d1a16f4cd1f title: Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images You can install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images. diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md index d89f7f25bd..e2d8357a13 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md 
@@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat description: How to install the Internet Explorer 11 update using System Center 2012 R2 Configuration Manager -ms.assetid: 9ede9722-29b3-4cb7-956d-ffa91e7bedbd author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: appcompat +ms.assetid: 9ede9722-29b3-4cb7-956d-ffa91e7bedbd title: Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](http://go.microsoft.com/fwlink/p/?linkid=276664). Complete these steps for each operating system and platform combination. diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md index 82866d766a..90d10b49a1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to install the Internet Explorer 11 update using your network -ms.assetid: 85f6429d-947a-4031-8f93-e26110a35828 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 85f6429d-947a-4031-8f93-e26110a35828 title: Install Internet Explorer 11 (IE11) using your network (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Install Internet Explorer 11 (IE11) using your network You can install Internet Explorer 11 (IE11) over your network by putting your custom IE11 installation package in a shared network folder and letting your employees run the Setup program on their own computers. You can create the network folder structure manually, or you can run Internet Explorer Administration Kit 11 (IEAK 11). diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md index a6e2c79c58..bc3474ac70 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to install the Internet Explorer 11 update using third-party tools and command-line options. -ms.assetid: 30190c66-49f7-4ca4-8b57-a47656aa0c7e author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 30190c66-49f7-4ca4-8b57-a47656aa0c7e title: Install Internet Explorer 11 (IE11) using third-party tools (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Install Internet Explorer 11 (IE11) using third-party tools You can install Internet Explorer 11 (IE11) using third-party electronic software distribution (ESD) systems and these command-line options: 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md index 61cf35bf43..834f2e439a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to install the Internet Explorer 11 update using Windows Server Update Services (WSUS)' -ms.assetid: 6cbd6797-c670-4236-8423-e0919478f2ce author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 6cbd6797-c670-4236-8423-e0919478f2ce title: Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](http://go.microsoft.com/fwlink/p/?LinkID=276790). diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md index 1a16679847..436279ba14 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to fix potential installation problems with Internet Explorer 11 -ms.assetid: 3ae77745-86ac-40a9-a37d-eebbf37661a3 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 3ae77745-86ac-40a9-a37d-eebbf37661a3 title: Install problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Install problems with Internet Explorer 11 Most Internet Explorer 11 installations are straightforward and work the way they should. But it's possible that you might have problems. diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md index a8d097f152..c51449c0b6 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to fix intranet search problems with Internet Explorer 11 -ms.assetid: 3ee71d93-d9d2-48e1-899e-07932c73faa6 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 3ee71d93-d9d2-48e1-899e-07932c73faa6 title: Fix intranet search problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Fix intranet search problems with Internet Explorer 11 After upgrading to Internet Explorer 11, you might experience search issues while using your intranet site. diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md index 0f2607cf87..8f73d5b3da 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md +++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer. -ms.assetid: eb3cce62-fc7b-41e3-97b6-2916b85bcf55 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: eb3cce62-fc7b-41e3-97b6-2916b85bcf55 title: Manage Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Manage Internet Explorer 11 **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md index 9e9f124417..9b2e1ed634 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: support description: IEM-configured settings have been deprecated for Internet Explorer 10 and newer. Use this topic to learn where to go to fix the affected settings through Group Policy Preferences, Administrative Templates (.admx), or the IEAK. -ms.assetid: 89084e01-4e3f-46a6-b90e-48ee58d6821c author: eross-msft ms.prod: ie11 -ms.mktglfcycl: support -ms.sitesec: library +ms.assetid: 89084e01-4e3f-46a6-b90e-48ee58d6821c title: Missing Internet Explorer Maintenance settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Missing Internet Explorer Maintenance settings for Internet Explorer 11 **Applies to:** 
@@ -88,4 +90,5 @@ The Advanced IEM settings, including Corporate and Internet settings, were also |IEM setting |Description |Replacement tool | |------------|------------|-----------------| |Corporate settings |Specifies the location of the file with the settings you use to make IE work best in your organization. |On the Additional Settings page of IEAK 11, expand Corporate Settings, and then customize how your organization handles temporary Internet files, code downloads, menu items, and toolbar buttons. | -|Internet settings |Specifies the location of the file that includes your default IE settings. |In the Internet Settings Group Policy Preferences dialog box, click the Advanced tab, and then update your Internet-related settings, as required

    -OR-

    On the Additional Settings page of IEAK 11, expand Internet Settings, and then customize your default values in the Internet Options dialog box. | \ No newline at end of file +|Internet settings |Specifies the location of the file that includes your default IE settings. |In the Internet Settings Group Policy Preferences dialog box, click the Advanced tab, and then update your Internet-related settings, as required

    -OR-

    On the Additional Settings page of IEAK 11, expand Internet Settings, and then customize your default values in the Internet Options dialog box. | + diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md index 5dd33850fe..7bb84e0a16 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md +++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: support description: Internet Explorer 11 uses the latest standards mode, which simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers. -ms.assetid: 501c96c9-9f03-4913-9f4b-f67bd9edbb61 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: support -ms.sitesec: library +ms.assetid: 501c96c9-9f03-4913-9f4b-f67bd9edbb61 title: Missing the Compatibility View Button (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Missing the Compatibility View Button **Applies to:** diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md index e495db7d28..e958cd4c17 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: support description: How to turn managed browser hosting controls back on in Internet Explorer 11. -ms.assetid: b0b7f60f-9099-45ab-84f4-4ac64d7bcb43 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: support -ms.sitesec: library +ms.assetid: b0b7f60f-9099-45ab-84f4-4ac64d7bcb43 title: .NET Framework problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # .NET Framework problems with Internet Explorer 11 If you’re having problems launching your legacy apps while running Internet Explorer 11, it’s most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0. diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md index 5a056a8d4f..4f515957e4 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md 
@@ -1,33 +1,78 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: New group policy settings for Internet Explorer 11 -ms.assetid: 669cc1a6-e2cb-403f-aa31-c1de52a615d1 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: 669cc1a6-e2cb-403f-aa31-c1de52a615d1 title: New group policy settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # New group policy settings for Internet Explorer 11 Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including: -|Policy |Category path |Supported on |Explanation | -|---------------------------|------------------------------|-------------|-----------------------------------| -|Turn off loading websites and content in the background to optimize performance |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |IE11 |This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.

    If you enable this policy setting, IE doesn't load any websites or content in the background.

    If you disable this policy setting, IE preemptively loads websites and content in the background.

    If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | -|Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar |`Administrative Templates\Windows Components\Internet Explorer` |IE11 |This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.

    If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

    If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

    If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | -|Turn off phone number detection |`Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing` |IE11 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.

    If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.

    If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.

    If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | -|Allow IE to use the HTTP2 network protocol |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |IE11 on Windows 8.1 |This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.

    If you enable this policy setting, IE uses the HTTP2 network protocol.

    If you disable this policy setting, IE won't use the HTTP2 network protocol.

    If you don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Internet Options settings. The default is on. | -|Don't run antimalware programs against ActiveX controls
    (Internet, Restricted Zones) |

    |IE11 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

    If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using IE Security settings. | -|Don't run antimalware programs against ActiveX controls
    (Intranet, Trusted, Local Machine Zones) |

    |IE11 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

    If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using IE Security settings. | -|Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |IE11 |This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

    **Important:**
    Some ActiveX controls and toolbars may not be available when 64-bit processes are used.

    If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

    If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

    If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default. | -|Turn off sending UTF-8 query strings for URLs |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |IE11 |This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.

    If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:

    If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. | -|Turn off sending URL path as UTF-8 |`User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding` |At least Windows Internet Explorer 7 |This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.

    If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.

    If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.

    If you don't configure this policy setting, users can turn this behavior on or off. | -|Turn off the flip ahead with page prediction feature |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |At least Internet Explorer 10 on Windows 8 |This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

    Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop.

    If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.

    If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

    If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm. | -|Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |`Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History` |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**
    This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the Personalized Tracking Protection List, which blocks third-party items while the user is browsing.

    **In IE11:**
    This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions stored for visited website.

    This feature is available in the **Delete Browsing History** dialog box.

    If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.

    If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.

    If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | -|Always send Do Not Track header |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |At least Internet Explorer 10 |This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.

    If you enable this policy setting, IE sends a DNT:1 header with all HTTP and HTTPS requests. The DNT:1 header signals to the servers not to track the user.

    **In Internet Explorer 9 and 10:**
    If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.

    **In at least IE11:**
    If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.

    If you don't configure the policy setting, users can select the Always send Do Not Track header option on the Advanced tab of the Internet Options dialog box. By selecting this option, IE sends a DNT:1 header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a DNT:0 header. By default, this option is enabled. | -|Let users turn on and use Enterprise Mode from the **Tools** menu |`Administrative Templates\Windows Components\Internet Explorer` |IE11 |This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.

    If you turn this setting on, users can see and use the Enterprise Mode option from the **Tools** menu. If you turn this setting on, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.

    If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. | -|Use the Enterprise Mode IE website list |`Administrative Templates\Windows Components\Internet Explorer` |IE11 |This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.

    If you enable this policy setting, IE downloads the website list from `HKCU` or `HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server (https://), to help protect against data tampering.

    If you disable or don’t configure this policy setting, IE opens all websites using Standard mode. | +|Policy |Category Path |Supported on |Explanation | +|-------|--------------|-------------|------------| +|Turn off loading websites and content in the background to optimize performance |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.

    If you enable this policy setting, IE doesn't load any websites or content in the background.

    If you disable this policy setting, IE preemptively loads websites and content in the background.

    If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | +|Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.

    If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

    If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

    If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | +|Turn off phone number detection |Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |IE11 on Windows 10 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.

    If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.

    If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.

    If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | +|Allow IE to use the SPDY/3 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.

    If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.

    If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.

    If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced* tab of the **Internet Options** dialog box. The default is on.

    **Note**
    We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. | +|Allow IE to use the HTTP2 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.

    If you enable this policy setting, IE uses the HTTP2 network protocol.

    If you disable this policy setting, IE won't use the HTTP2 network protocol.

    If you don't configure this policy setting, users can turn this behavior on or off, using the **Internet Explorer Advanced Internet Options** settings. The default is on. | +|Don't run antimalware programs against ActiveX controls
    (Internet, Restricted Zones) |

    |IE11 on Windows 10 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

    If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. | +|Don't run antimalware programs against ActiveX controls
    (Intranet, Trusted, Local Machine Zones) |

    |IE11 on Windows 10 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

    If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. | +|Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

    If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

    If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

    If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.

    **Important**
    When using 64-bit processes, some ActiveX controls and toolbars might not be available. | +|Turn off sending UTF-8 query strings for URLs |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.

    If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:

    If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. | +|Turn off sending URL path as UTF-8 |User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding |At least Windows Internet Explorer 7 |This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.

    If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.

    If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.

    If you don't configure this policy setting, users can turn this behavior on or off. | +|Turn off the flip ahead with page prediction feature |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 on Windows 8 |This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

    If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.

    If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

    If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.

    **Note**
    Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. | +|Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**
    This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.

    **In IE11:**
    This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.

    If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.

    If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.

    If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | +|Always send Do Not Track header |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 |This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.

    If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.

    **In Internet Explorer 9 and 10:**
    If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.

    **In at least IE11:**
    If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.

    If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced* tab of the **Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. | +|Turn off the ability to launch report site problems using a menu option |Administrative Templates\Windows Components\Internet Explorer\Browser menus |Internet Explorer 11 |This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.

    If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.

    If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. | +|Allow only approved domains to use the TDC ActiveX control |

    |IE11 in Windows 10 |This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the **Internet** and **Restricted Sites** security zones.

    If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.

    If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. | +|Turn on Site Discovery XML output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.

    If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.

    If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.

    **Note:**
    Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | +|Turn on Site Discovery WMI output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

    If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.

    If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

    **Note:**
    Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | +|Limit Site Discovery output by Domain |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

    If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.

    If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.

    **Note:**
    You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | +|Limit Site Discovery output by Zone |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

    If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones.

    If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones.

    To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:


    **Example 1:** Include only the Local Intranet zone (binary representation: 00010), based on:

    **Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones (binary representation: 10110), based on:

    **Note:**
    You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | +|Allow SSL3 Fallback |Administrative Templates\Windows Components\Internet Explorer\Security Features |Internet Explorer 11 on Windows 10 |This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.

    If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.

    If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.**Important:**
    By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. | +|Turn off automatic download of the ActiveX VersionList |Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management |At least Windows Internet Explorer 8 |This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.

    If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.

    If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.

    **Important:**
    Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) topic. | +|Let users turn on and use Enterprise Mode from the **Tools** menu |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.

    If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.

    If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. | +|Use the Enterprise Mode IE website list |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1511 |This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.

    If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.

    If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. | +|Send all sites not included in the Enterprise Mode Site List to Microsoft Edge |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.

    If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.

    If you disable or don't configure this policy setting, all sites will open based on the currently active browser.

    **Note:**
    If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. | +|Show message when opening sites in Microsoft Edge using Enterprise Mode |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

    If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

    If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ## Removed Group Policy settings IE11 no longer supports these Group Policy settings: @@ -45,16 +90,10 @@ IE11 no longer supports these Group Policy settings: ## Viewing your policy settings After you've finished updating and deploying your Group Policy, you can use the Resultant Set of Policy (RSoP) snap-in to view your settings. - ![](images/wedge.gif) **To use the RSoP snap-in** +**To use the RSoP snap-in** 1. Open and run the Resultant Set of Policy (RSoP) wizard, specifying the information you want to see. 2. Open your wizard results in the Group Policy Management Console (GPMC).

    For complete instructions about how to add, open, and use RSoP, see [Use the RSoP Snap-in](http://go.microsoft.com/fwlink/p/?LinkId=395201) -  - -  - - - diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md index 95c8543bf5..d401d44c35 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md +++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md @@ -1,14 +1,16 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security description: Use out-of-date ActiveX control blocking to help you know when IE prevents a webpage from loading outdated ActiveX controls and to update the outdated control, so that it’s safer to use. -ms.assetid: e61866bb-1ff1-4a8d-96f2-61d3534e8199 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.assetid: e61866bb-1ff1-4a8d-96f2-61d3534e8199 title: Out-of-date ActiveX control blocking (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Out-of-date ActiveX control blocking **Applies to:** 
@@ -194,4 +196,5 @@ For more info, see [about_Execution_Policies](http://go.microsoft.com/fwlink/p/? 3. **Optional:** Set up your domain firewall for WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). -The inventory info appears in the WMI class, `IEAXControlBlockingAuditInfo`, located in the WMI namespace, *root\\cimv2\\IETelemetry*. To collect the inventory info from your client computers, we recommend using System Center 2012 R2 Configuration Manager or any agent that can access the WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). \ No newline at end of file +The inventory info appears in the WMI class, `IEAXControlBlockingAuditInfo`, located in the WMI namespace, *root\\cimv2\\IETelemetry*. To collect the inventory info from your client computers, we recommend using System Center 2012 R2 Configuration Manager or any agent that can access the WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). + diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md index dfe720a878..65ac8b88b0 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: support description: Possible solutions to the problems you might encounter after installing IE11, such as crashing or seeming slow, getting into an unusable state, or problems with adaptive streaming and DRM playback. -ms.assetid: c4b75ad3-9c4a-4dd2-9fed-69f776f542e6 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: support -ms.sitesec: library +ms.assetid: c4b75ad3-9c4a-4dd2-9fed-69f776f542e6 title: Problems after installing Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library --- + # Problems after installing Internet Explorer 11 After you install Internet Explorer 11 in your organization, you might run into the following issues. By following these suggestions, you should be able to fix them. diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 14a0aa7e47..e8d5863f27 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md 
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
 description: Instructions about how to clear all of the sites from your global Enterprise Mode site list.
-ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97
 title: Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
index 49b9d38c79..4972cd8ee7 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
 description: Instructions about how to remove sites from a local compatibility view list.
-ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9
 title: Remove sites from a local compatibility view list (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Remove sites from a local compatibility view list
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
index caed9d1c1b..1e353200e8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
 description: Instructions about how to remove sites from a local Enterprise Mode site list.
-ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2
 title: Remove sites from a local Enterprise Mode site list (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Remove sites from a local Enterprise Mode site list
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
index c22234e870..5ac02b4039 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
 description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems.
-ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a
 title: Save your site list to XML in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Save your site list to XML in the Enterprise Mode Site List Manager
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 51d34e4165..ebb873545e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
 description: Search to see if a specific site already appears in your global Enterprise Mode site list.
-ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9
 title: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Search your Enterprise Mode site list in the Enterprise Mode Site List Manager
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index 541477f154..4857a6af0a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: security
 description: Use the Group Policy setting, Set a default associations configuration file, to set the default browser for your company devices running Windows 10.
-ms.assetid: f486c9db-0dc9-4cd6-8a0b-8cb872b1d361
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
+ms.assetid: f486c9db-0dc9-4cd6-8a0b-8cb872b1d361
 title: Set the default browser using Group Policy (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Set the default browser using Group Policy
 You can use the Group Policy setting, **Set a default associations configuration file**, to set the default browser for your company devices running Windows 10.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index 4bbb754737..7d015c9dbe 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
 description: Set up and turn on Enterprise Mode logging and data collection in your organization.
-ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde
 title: Set up Enterprise Mode logging and data collection (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Set up Enterprise Mode logging and data collection
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
index 464be0d98d..455a3aa91f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: support
+ms.pagetype: appcompat
 description: Reviewing log files to learn more about potential setup problems with Internet Explorer 11.
-ms.assetid: 2cd79988-17d1-4317-bee9-b3ae2dd110a0
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: support
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: 2cd79988-17d1-4317-bee9-b3ae2dd110a0
 title: Setup problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Setup problems with Internet Explorer 11
 Installing Internet Explorer creates the following log files, which are stored in the Windows installation folder (typically, the C:\\Windows folder):
diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
index f087763a35..5725a55e97 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: Lists the minimum system requirements and supported languages for Internet Explorer 11.
-ms.assetid: 27185e3d-c486-4e4a-9c51-5cb317c0006d
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 27185e3d-c486-4e4a-9c51-5cb317c0006d
 title: System requirements and language support for Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # System requirements and language support for Internet Explorer 11 (IE11)
 **Applies to:**
@@ -21,7 +23,7 @@ title: System requirements and language support for Internet Explorer 11 (IE11)
 Internet Explorer 11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support.
 ## Minimum system requirements for IE11
-IE11 is pre-installed on Windows 8.1 and Windows Server 2012 R2 and is listed here for reference. It's also supported on Windows 10, but isn't pre-installed. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/en-us/library/mt156988.aspx).
+IE11 is pre-installed on Windows 8.1 and Windows Server 2012 R2 and is listed here for reference. It's also supported on Windows 10, but isn't pre-installed. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/library/mt156988.aspx).
 **Important**
      IE11 isn't supported on Windows 8 or Windows Server 2012.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
index 74b34e10b8..7dec9d7851 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: support
 description: Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer.
-ms.assetid: 0361c1a6-3faa-42b2-a588-92439eebeeab
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: support
-ms.sitesec: library
+ms.assetid: 0361c1a6-3faa-42b2-a588-92439eebeeab
 title: Troubleshoot Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Troubleshoot Internet Explorer 11 (IE11)
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
index 02aacfd395..25e253872a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
 description: How to turn Enteprrise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it.
-ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3
 title: Turn off Enterprise Mode (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Turn off Enterprise Mode
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
index 7789175f6c..16525df353 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: support
 description: Turn off natural metrics for Internet Explorer 11
-ms.assetid: e31a27d7-662e-4106-a3d2-c6b0531961d5
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: support
-ms.sitesec: library
+ms.assetid: e31a27d7-662e-4106-a3d2-c6b0531961d5
 title: Fix font rendering problems by turning off natural metrics (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Fix font rendering problems by turning off natural metrics
 By default, Internet Explorer 11 uses “natural metrics”. Natural metrics use inter-pixel spacing that creates more accurately rendered and readable text, avoiding many common font rendering problems with Windows Internet Explorer 9 or older sites.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
index b0be90bcc7..b468dcd7ac 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -1,14 +1,16 @@
 ---
-description: How to turn on Enterprise Mode and specify a site list.
-ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: How to turn on Enterprise Mode and specify a site list.
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1
 title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Turn on Enterprise Mode and use a site list
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
index e6f9fb3380..e816e64698 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
 description: Turn on local user control and logging for Enterprise Mode.
-ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1
 title: Turn on local control and logging for Enterprise Mode (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Turn on local control and logging for Enterprise Mode
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
index af3d3cb6a3..e1ef9cf2e4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
 description: High-level info about some of the new and updated features for Internet Explorer 11.
-ms.assetid: f53c6f04-7c60-40e7-9fc5-312220f08156
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: f53c6f04-7c60-40e7-9fc5-312220f08156
 title: List of updated features and tools - Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # List of updated features and tools - Internet Explorer 11 (IE11)
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
index 07af66b6be..3a69ea0490 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
 description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager.
-ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b
 title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Enterprise Mode Site List Manager
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
index 2166cdd0e0..5178b33d1f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: support
 description: Info about where features went in the IEAK11, where the Favorites, Command, and Status bars went, and where the search bar went.
-ms.assetid: 7324faff-ccb6-4e14-ad91-af12dbca575e
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: support
-ms.sitesec: library
+ms.assetid: 7324faff-ccb6-4e14-ad91-af12dbca575e
 title: User interface problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # User interface problems with Internet Explorer 11
 Some of the features in both Internet Explorer 11 and IEAK 11 have moved around. Here are some of the more common changes.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
index bf9b76e571..ebce77b430 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: security
 description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode.
-ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
+ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a
 title: Using IE7 Enterprise Mode or IE8 Enterprise Mode (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Using IE7 Enterprise Mode or IE8 Enterprise Mode
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
index 949cd32611..ba9ab11557 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use IEAK 11 while planning, customizing, and building the custom installation package.
-ms.assetid: af93742f-f955-44ab-bfa2-7bf0c99045d3
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: af93742f-f955-44ab-bfa2-7bf0c99045d3
 title: Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages
 Internet Explorer Administration Kit 11 (IEAK 11) helps you set up, deploy, and maintain Internet Explorer 11.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
index d8790ddf45..31a9c2207f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use Setup Information (.inf) files to create installation packages.
-ms.assetid: 04fa2ba8-8d84-4af6-ab99-77e4f1961b0e
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 04fa2ba8-8d84-4af6-ab99-77e4f1961b0e
 title: Using Setup Information (.inf) files to create packages (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Using Setup Information (.inf) files to create install packages
 IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](http://go.microsoft.com/fwlink/p/?LinkId=327959).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
index ad843a3a06..3ead82e3b6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: virtualization
 description: Virtualization and compatibility with Internet Explorer 11
-ms.assetid: b0388c04-2584-4b6d-a7a8-4e0476773a80
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: virtualization
+ms.assetid: b0388c04-2584-4b6d-a7a8-4e0476773a80
 title: Virtualization and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Virtualization and compatibility with Internet Explorer 11
 If your company is considering upgrading to the latest version of Internet Explorer, but is hesitant because of a large number of web apps that need to be tested and moved, we recommend that you consider virtualization. Virtualization lets you set up a virtual environment where you can run earlier versions of IE.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index 2e952c7915..deb9fe9032 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
 description: Info about the features included in Enterprise Mode with Internet Explorer 11.
-ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa
 title: What is Enterprise Mode (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # What is Enterprise Mode?
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
index af8996de35..28b690e5d6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
@@ -1,14 +1,16 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: support
+ms.pagetype: security
 description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update.
-ms.assetid: fafeaaee-171c-4450-99f7-5cc7f8d7ba91
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: support
-ms.sitesec: library
-ms.pagetype: security
+ms.assetid: fafeaaee-171c-4450-99f7-5cc7f8d7ba91
 title: What is the Internet Explorer 11 Blocker Toolkit? (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # What is the Internet Explorer 11 Blocker Toolkit?
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
index af8d54f7b2..f8a608179f 100644
--- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: explore
 description: Frequently asked questions about Internet Explorer 11 for IT Pros
-ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: explore
-ms.sitesec: library
+ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3
 title: Internet Explorer 11 - FAQ for IT Pros (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Internet Explorer 11 - FAQ for IT Pros
 Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration.
@@ -145,4 +147,5 @@ Group Policy settings can be set to open either IE or Internet Explorer for the
 ## Related topics
 - [Microsoft Edge - Deployment Guide for IT Pros](http://go.microsoft.com/fwlink/p/?LinkId=760643)
 - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
-- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
\ No newline at end of file
+- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
+
diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
index a72ab5e2d6..4e54434a53 100644
--- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use the Accelerators page in the IEAK 11 Customization Wizard to add accelerators to employee devices.
-ms.assetid: 208305ad-1bcd-42f3-aca3-0ad1dda7048b
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 208305ad-1bcd-42f3-aca3-0ad1dda7048b
 title: Use the Accelerators page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Accelerators page in the IEAK 11 Wizard
 The **Accelerators** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add accelerators to your employee computers. Accelerators are contextual menu options that can quickly get to a web service from any webpage. For example, an accelerator can look up a highlighted word in the dictionary or a selected location on a map.
diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
index 1c7812e8fc..133e7f4411 100644
--- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use IEAK 11 to add and approve ActiveX controls for your organization.
-ms.assetid: 33040bd1-f0e4-4541-9fbb-16e0c76752ab
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 33040bd1-f0e4-4541-9fbb-16e0c76752ab
 title: Add and approve ActiveX controls using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Add and approve ActiveX controls using IEAK 11
 There are two main approaches to how you can control the use of ActiveX controls in your company. For more info about ActiveX controls, including how to manage the controls using Group Policy, see [Group Policy and ActiveX installation](../ie11-deploy-guide/activex-installation-using-group-policy.md) in the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md).
diff --git a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
index 0a3b15979e..1ed9bf67b0 100644
--- a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK.
-ms.assetid: 7ae4e747-49d2-4551-8790-46a61b5fe838
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 7ae4e747-49d2-4551-8790-46a61b5fe838
 title: Use the Add a Root Certificate page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Add a Root Certificate page in the IEAK 11 Wizard
 We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK.
diff --git a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
index f6aede477d..ef6c2ef932 100644
--- a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use the Additional Settings page in IEAK 11 Customization Wizard for additional settings that relate to your employee’s desktop, operating system, and security.
-ms.assetid: c90054af-7b7f-4b00-b55b-5e5569f65f25
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: c90054af-7b7f-4b00-b55b-5e5569f65f25
 title: Use the Additional Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Additional Settings page in the IEAK 11 Wizard
 The **Additional Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you pick additional custom, corporate, and Internet settings that relate to your employee’s desktop, operating system, and security. If you don’t change a setting, it’ll be ignored.
diff --git a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
index cb2f3af34a..35814166ac 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use the Automatic Configuration page in the IEAK 11 Customization Wizard to add URLs to auto-configure IE.
-ms.assetid: de5b1dbf-6e4d-4f86-ae08-932f14e606b0
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: de5b1dbf-6e4d-4f86-ae08-932f14e606b0
 title: Use the Automatic Configuration page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Automatic Configuration page in the IEAK 11 Wizard
 The **Automatic Configuration** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you provide URLs to the files that’ll automatically configure Internet Explorer 11 for a group of employees or devices.
diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
index a33c77cae8..54459ebc13 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to set up automatic detection for DHCP or DNS servers using IEAK 11 in your organization.
-ms.assetid: c6bfe7c4-f452-406f-b47e-b7f0d8c44ae1
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: c6bfe7c4-f452-406f-b47e-b7f0d8c44ae1
 title: Set up auto detection for DHCP or DNS servers using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Set up auto detection for DHCP or DNS servers using IEAK 11
 Set up your network to automatically detect and customize Internet Explorer 11 when it’s first started. Automatic detection is supported on both Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), letting your servers detect and set up your employee’s browser settings from a central location, using a configuration URL (.ins file) or a JavaScript proxy configuration file (.js, .jvs, or .pac).
@@ -51,4 +53,5 @@ Create a canonical name (CNAME) alias record, named **WPAD**. This record lets y
 2. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file. **Note**
-IE11 creates a default URL template based on the host name,**wpad**. For example, `http://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file.
\ No newline at end of file
+IE11 creates a default URL template based on the host name,**wpad**. For example, `http://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file.
+
diff --git a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
index 62239b4d46..ee3c61b17f 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use the Automatic Version Synchronization page in the IEAK 11 Customization Wizard to download the IE11 Setup file each time you run the Wizard.
-ms.assetid: bfc7685f-843b-49c3-8b9b-07e69705840c
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: bfc7685f-843b-49c3-8b9b-07e69705840c
 title: Use the Automatic Version Synchronization page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Automatic Version Synchronization page in the IEAK 11 Wizard
 The **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 runs the synchronization process every time you run the wizard, downloading the Internet Explorer 11 Setup file to your computer. The Setup file includes the required full and express packages.
diff --git a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
index ff5b52268c..9c66fd3777 100644
--- a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: plan
 description: A list of steps to follow before you start to create your custom browser installation packages.
-ms.assetid: 6ed182b0-46cb-4865-9563-70825be9a5e4
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: plan
-ms.sitesec: library
+ms.assetid: 6ed182b0-46cb-4865-9563-70825be9a5e4
 title: Before you start using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Before you start using IEAK 11
 Go through this list, making sure you’ve answered all of the questions before you run Internet Explorer Administration Kit 11 (IEAK 11) and the Customization Wizard.
diff --git a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
index dac3198b66..ecbaa2500e 100644
--- a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: Use the \[Branding\] .INS file setting to set up your custom branding and setup info in your browser install package.
-ms.assetid: cde600c6-29cf-4bd3-afd1-21563d2642df
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: cde600c6-29cf-4bd3-afd1-21563d2642df
 title: Use the Branding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Branding .INS file to create custom branding and setup info
 Info about the custom branding and setup information in your browser package.
diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
index fa8d449cf1..08004bb0a9 100644
--- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
-description: How to use the Browser User Interface page in the IEAK 11 Customization Wizard to change the toolbar buttons and the title bar.
-ms.assetid: c4a18dcd-2e9c-4b5b-bcc5-9b9361a79f0d
+localizationpriority: low
+ms.mktglfcycl: deploy
+description: How to use the Browser User Interface page in the IEAK 11 Customization Wizard to change the toolbar buttons and the title bar.
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: c4a18dcd-2e9c-4b5b-bcc5-9b9361a79f0d
 title: Use the Browser User Interface page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Browser User Interface page in the IEAK 11 Wizard
 The **Browser User Interface** page of the Internet Explorer Customization Wizard 11 lets you change the toolbar buttons and the title bar text in IE.
diff --git a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
index dea816e8c3..f11633eec9 100644
--- a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: plan
 description: Use the \[BrowserToolbars\] .INS file setting to customize your Internet Explorer toolbar and buttons.
-ms.assetid: 83af0558-9df3-4c2e-9350-44f7788efa6d
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: plan
-ms.sitesec: library
+ms.assetid: 83af0558-9df3-4c2e-9350-44f7788efa6d
 title: Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons
 Info about how to customize the Internet Explorer toolbar.
diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
index 234b5314b8..f4bab58e1e 100644
--- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use the Browsing Options page in the IEAK 11 Customization Wizard to manage items in the Favorites, Favorites Bar, and Feeds section.
-ms.assetid: d6bd71ba-5df3-4b8c-8bb5-dcbc50fd974e
 author: eross-msft
 ms.prod: ie111
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: d6bd71ba-5df3-4b8c-8bb5-dcbc50fd974e
 title: Use the Browsing Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Browsing Options page in the IEAK 11 Wizard
 The **Browsing Options** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you decide how you want to manage items in the **Favorites, Favorites Bar, and Feeds** section, including the Microsoft-provided default items.
diff --git a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
index d5d956d65f..1ea07d8c49 100644
--- a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: Use the \[CabSigning\] .INS file setting to customize the digital signature info for your apps.
-ms.assetid: 098707e9-d712-4297-ac68-7d910ca8f43b
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 098707e9-d712-4297-ac68-7d910ca8f43b
 title: Use the CabSigning .INS file to customize the digital signature info for your apps (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the CabSigning .INS file to customize the digital signature info for your apps
 Info about how to customize the digital signature info for your apps.
@@ -16,4 +18,5 @@ Info about how to customize the digital signature info for your apps.
 |InfoURL |`` |URL that appears on the **Certificate** dialog box. |
 |Name |`` |Company name associated with the certificate. |
 |pvkFile |`` |File path to the privacy key file. |
-|spcFile |`` |File path to the certificate file.|
\ No newline at end of file
+|spcFile |`` |File path to the certificate file.|
+
diff --git a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
index 623ebff701..26271c2666 100644
--- a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
@@ -1,15 +1,18 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
 description: We’re sorry. We’ve removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11.
-ms.assetid: 51d8f80e-93a5-41e4-9478-b8321458bc30
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: appcompat
+ms.assetid: 51d8f80e-93a5-41e4-9478-b8321458bc30
 title: Use the Compatibility View page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Compatibility View page in the IEAK 11 Wizard
 We’re sorry. We’ve changed the way Compatibility View works in Internet Explorer 11 and have removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. For more info about the changes we’ve made to the Compatibility View functionality, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md).
-Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page.
\ No newline at end of file
+Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page.
+
diff --git a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
index ae61348d3f..0775380c68 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
@@ -1,14 +1,17 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: We’re sorry. We’ve removed all of the functionality included on the **Connection Manager** page of the Internet Explorer Customization Wizard 11.
-ms.assetid: 1edaa7db-cf6b-4f94-b65f-0feff3d4081a
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 1edaa7db-cf6b-4f94-b65f-0feff3d4081a
 title: Use the Connection Manager page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Connection Manager page in the IEAK 11 Wizard
 We're sorry. We've removed all of the functionality included on the Connection Manager page of the Internet Explorer Customization Wizard 11.
-Click **Next** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page or **Back** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page.
\ No newline at end of file
+Click **Next** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page or **Back** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page.
+
diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
index 3ff0ad3e5d..0d7cf5093e 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use the Connection Settings page in IEAK 11 Customization Wizard to import and preset connection settings on your employee’s computers.
-ms.assetid: dc93ebf7-37dc-47c7-adc3-067d07de8b78
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: dc93ebf7-37dc-47c7-adc3-067d07de8b78
 title: Use the Connection Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Connection Settings page in the IEAK 11 Wizard
 The **Connection Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you import the connection settings from your computer, to preset the connection settings on your employee’s computers.
@@ -31,4 +33,5 @@ The **Connection Settings** page of the Internet Explorer Administration Kit (IE
 2. Check the **Delete existing Dial-up Connection Settings** box to clear any existing settings on your employee’s computers.
-3. Click **Next** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page or **Back** to go to the [Connection Manager](connection-mgr-ieak11-wizard.md) page.
\ No newline at end of file
+3. Click **Next** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page or **Back** to go to the [Connection Manager](connection-mgr-ieak11-wizard.md) page.
+
diff --git a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
index 63ebc27054..76e9f16992 100644
--- a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: plan
 description: Use the \[ConnectionSettings\] .INS file setting to specify the network connection settings needed to install your custom package.
-ms.assetid: 41410300-6ddd-43b2-b9e2-0108a2221355
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: plan
-ms.sitesec: library
+ms.assetid: 41410300-6ddd-43b2-b9e2-0108a2221355
 title: Use the ConnectionSettings .INS file to review the network connections for install (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the ConnectionSettings .INS file to review the network connections for install
 Info about the network connection settings used to install your custom package. This section creates a common configuration on all of your employee’s computers.
@@ -16,4 +18,5 @@ Info about the network connection settings used to install your custom package.
 |ConnectName0 |`` |Name for the connection. |
 |ConnectName1 |`` |Secondary name for the connection. |
 |DeleteConnectionSettings |

|Determines whether to remove the existing connection settings during installation of your custom package. |
-|Option | |Determines whether an employee can import connection settings into the Internet Explorer Customization Wizard. |
\ No newline at end of file
+|Option | |Determines whether an employee can import connection settings into the Internet Explorer Customization Wizard. |
+
diff --git a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
index 6b52865341..7b502d02d9 100644
--- a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
@@ -1,17 +1,20 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: plan
 description: How to create your folder structure on the computer that you’ll use to build your custom browser package.
-ms.assetid: e0d05a4c-099f-4f79-a069-4aa1c28a1080
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: plan
-ms.sitesec: library
+ms.assetid: e0d05a4c-099f-4f79-a069-4aa1c28a1080
 title: Create the build computer folder structure using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Create the build computer folder structure using IEAK 11
 Create your build environment on the computer that you’ll use to build your custom browser package. Your license agreement determines your folder structure and which version of Internet Explorer Administration Kit 11 (IEAK 11) you’ll use: **Internal** or **External**.
 |Name |Version |Description |
 |-----------------|----------------------|---------------------------------------------------------|
 |`\` |Internal and External |The main, placeholder folder used for all files built by IEAK or that you referenced in your custom package.|
-|`\\Dist` |Internal only |Destination directory for your files. You’ll only need this folder if you’re creating your browser package on a network drive. |
\ No newline at end of file
+|`\\Dist` |Internal only |Destination directory for your files. You’ll only need this folder if you’re creating your browser package on a network drive. |
+
diff --git a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
index 027de7e6c3..db345fee37 100644
--- a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: plan
 description: Review this list of tasks and references before you create and deploy your Internet Explorer 11 custom install packages.
-ms.assetid: fe71c603-bf07-41e1-a477-ade5b28c9fb3
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: plan
-ms.sitesec: library
+ms.assetid: fe71c603-bf07-41e1-a477-ade5b28c9fb3
 title: Tasks and references to consider before creating and deploying custom packages using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Tasks and references to consider before creating and deploying custom packages using IEAK 11
 Review this list of tasks and references to help you use the Internet Explorer Administration Kit 11 (IEAK 11) to set up, deploy, and manage Internet Explorer 11 in your company.
@@ -17,4 +19,5 @@ Review this list of tasks and references to help you use the Internet Explorer A
 |Prep your environment and get all of the info you'll need for running IEAK 11 |
    • [Create the build computer folder structure using IEAK 11](create-build-folder-structure-ieak11.md)
    • [Customize the Toolbar button and Favorites List icons using IEAK 11](guidelines-toolbar-and-favorites-list-ieak11.md)
    • [Before you install your package over your network using IEAK 11](prep-network-install-with-ieak11.md)
    • [Set up auto detection for DHCP or DNS servers using IEAK 11](auto-detection-dhcp-or-dns-servers-ieak11.md)
    • [Register an uninstall app for custom components using IEAK 11](register-uninstall-app-ieak11.md)
    • [Add and approve ActiveX controls using the IEAK 11](add-and-approve-activex-controls-ieak11.md)
    • [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ieak11-wizard-custom-options.md)
    • [Security features and IEAK 11 ](security-and-ieak11.md)
    | |Run the Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard |
    • [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md)
    • [Use the Platform Selection page in the IEAK 11 Wizard](platform-selection-ieak11-wizard.md)
    • [Use the Language Selection page in the IEAK 11 Wizard](language-selection-ieak11-wizard.md)
    • [Use the Package Type Selection page in the IEAK 11 Wizard](pkg-type-selection-ieak11-wizard.md)
    • [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md)
    • [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](auto-version-sync-ieak11-wizard.md)
    • [Use the Custom Components page in the IEAK 11 Wizard](custom-components-ieak11-wizard.md)
    • [Use the Internal Install page in the IEAK 11 Wizard](internal-install-ieak11-wizard.md)
    • [Use the User Experience page in the IEAK 11 Wizard](user-experience-ieak11-wizard.md)
    • [Use the Browser User Interface page in the IEAK 11 Wizard](browser-ui-ieak11-wizard.md)
    • [Use the Search Providers page in the IEAK 11 Wizard](search-providers-ieak11-wizard.md)
    • [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md)
    • [Use the Accelerators page in the IEAK 11 Wizard](accelerators-ieak11-wizard.md)
    • [Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](favorites-favoritesbar-and-feeds-ieak11-wizard.md)
    • [Use the Browsing Options page in the IEAK 11 Wizard](browsing-options-ieak11-wizard.md)
    • [Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](first-run-and-welcome-page-ieak11-wizard.md)
    • [Use the Compatibility View page in the IEAK 11 Wizard](compat-view-ieak11-wizard.md)
    • [Use the Connection Manager page in the IEAK 11 Wizard](connection-mgr-ieak11-wizard.md)
    • [Use the Connection Settings page in the IEAK 11 Wizard](connection-settings-ieak11-wizard.md)
    • [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md)
    • [Use the Proxy Settings page in the IEAK 11 Wizard](proxy-settings-ieak11-wizard.md)
    • [Use the Security and Privacy Settings page in the IEAK 11 Wizard](security-and-privacy-settings-ieak11-wizard.md)
    • [Use the Add a Root Certificate page in the IEAK 11 Wizard](add-root-certificate-ieak11-wizard.md)
    • [Use the Programs page in the IEAK 11 Wizard](programs-ieak11-wizard.md)
    • [Use the Additional Settings page in the IEAK 11 Wizard](additional-settings-ieak11-wizard.md)
    • [Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](wizard-complete-ieak11-wizard.md)
    | |Review your policy settings and create multiple versions of your install package. |
    • [Create multiple versions of your custom package using IEAK 11](create-multiple-browser-packages-ieak11.md)
    • [Use the RSoP snap-in to review policy settings](rsop-snapin-for-policy-settings-ieak11.md)

      **Note**
      For deployment instructions, additional troubleshooting, and post-installation management, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)

|
-|Review the general IEAK Customization Wizard 11 information, which applies throughout the process. |
    • [Troubleshoot custom package and IEAK 11 problems](troubleshooting-custom-browser-pkg-ieak11.md)
    • [File types used or created by IEAK 11](file-types-ieak11.md)
    • [Customize Automatic Search using IEAK 11](customize-automatic-search-for-ie.md)
    • [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md)
    • [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md)
    • [Use proxy auto-configuration (.pac) files with IEAK 11](proxy-auto-config-examples.md)
    • [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md)
|
\ No newline at end of file
+|Review the general IEAK Customization Wizard 11 information, which applies throughout the process. |
    • [Troubleshoot custom package and IEAK 11 problems](troubleshooting-custom-browser-pkg-ieak11.md)
    • [File types used or created by IEAK 11](file-types-ieak11.md)
    • [Customize Automatic Search using IEAK 11](customize-automatic-search-for-ie.md)
    • [Use the uninstallation .INF files to uninstall custom components](create-uninstall-inf-files-for-custom-components.md)
    • [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md)
    • [Use proxy auto-configuration (.pac) files with IEAK 11](proxy-auto-config-examples.md)
    • [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md)
|
+
diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
index 6a0431b323..568dfaaa3d 100644
--- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: Steps to create multiple versions of your custom browser if you support more than 1 version of Windows, more than 1 language, or have different features in each package.
-ms.assetid: 4c5f3503-8c69-4691-ae97-1523091ab333
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 4c5f3503-8c69-4691-ae97-1523091ab333
 title: Create multiple versions of your custom package using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Create multiple versions of your custom package using IEAK 11
 You'll need to create multiple versions of your custom browser package if:
@@ -28,4 +30,5 @@ The Internet Explorer Customization Wizard 11 stores your original settings in t
 3. Run the wizard again, choosing the newly renamed folder as the destination directory for your output files.

    **Important**
Except for the **Title bar** text, **Favorites**, **Links bar**, **Home** page, and **Search bar**, we recommend that you keep all of your wizard settings the same for all of your build computers.
-4. Repeat this process until you’ve created a package for each version of your custom installation package.
\ No newline at end of file
+4. Repeat this process until you’ve created a package for each version of your custom installation package.
+
diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
index cb69adb1be..bcc88868ed 100644
--- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
+++ b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: Use Setup information (.inf) files to uninstall custom components from your custom browser packages.
-ms.assetid: 8257aa41-58de-4339-81dd-9f2ffcc10a08
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 8257aa41-58de-4339-81dd-9f2ffcc10a08
 title: Use Setup information (.inf) files to uninstall custom components (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use uninstallation .INF files to uninstall custom components
 The Internet Explorer Administration Kit 11 (IEAK 11) uses Setup information (.inf) files to provide installation instructions for your custom browser packages. You can also use this file to uninstall your custom components by removing the files, registry entries, and shortcuts, and adding your custom component to the list of programs that can be uninstalled from **Uninstall or change a program**.
@@ -19,4 +21,5 @@ Where *description* is the string that’s shown in the **Uninstall or change a
 2. Add another new key and value to:
    `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"UninstallString”",,"command-line"`

Where *command-line* is the command that’s run when the component is picked from the **Uninstall or change a program** box.
-Your uninstall script must also remove your key from under the **Uninstall** registry key, so that your component no longer appears in the **Uninstall or change a program** after uninstallation. You can also run just a section of an .inf file by using the Setupx.dll InstallHinfSection entry point. To make this work, your installation script must copy the .inf file to the Windows\Inf folder for your custom component.
\ No newline at end of file
+Your uninstall script must also remove your key from under the **Uninstall** registry key, so that your component no longer appears in the **Uninstall or change a program** after uninstallation. You can also run just a section of an .inf file by using the Setupx.dll InstallHinfSection entry point. To make this work, your installation script must copy the .inf file to the Windows\Inf folder for your custom component.
+
diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
index 454afe5dde..180fc0121e 100644
--- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
-description: How to use the Custom Components page in the IEAK 11 Customization Wizard to add additional components for your employees to install with IE.
-ms.assetid: 38a2b90f-c324-4dc8-ad30-8cd3e3e901d7
+localizationpriority: low
+ms.mktglfcycl: deploy
+description: How to use the Custom Components page in the IEAK 11 Customization Wizard to add additional components for your employees to install with IE.
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 38a2b90f-c324-4dc8-ad30-8cd3e3e901d7
 title: Use the Custom Components page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Custom Components page in the IEAK 11 Wizard
 The **Custom Components** page of the Internet Explorer Customization Wizard 11 lets you add up to 10 additional components that your employees can install at the same time they install IE. These components can be created by Microsoft or your organization as either compressed cabinet (.cab) or self-extracting executable (.exe) files. If you’re using Microsoft components, make sure you have the latest version and software patches from the [Microsoft Support](http://go.microsoft.com/fwlink/p/?LinkId=258658) site. To include Microsoft Update components, you must bundle the associated files into a custom component.
diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
index 223eb8bbfe..78c4f245a3 100644
--- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
@@ -1,16 +1,19 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: plan
 description: Use the \[CustomBranding\] .INS file setting to specify the location of your branding cabinet (.cab) file.
-ms.assetid: 9c74e239-65c5-4aa5-812f-e0ed80c5c2b0
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: plan
-ms.sitesec: library
+ms.assetid: 9c74e239-65c5-4aa5-812f-e0ed80c5c2b0
 title: Use the CustomBranding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the CustomBranding .INS file to create custom branding and setup info
 Provide the URL to your branding cabinet (.cab) file.
 |Name |Value | Description |
 |-----------|--------------------------------|--------------------------------------------------------------|
-|Branding |`` |The location of your branding cabinet (.cab) file. For example, http://www.<your_server>.net/cabs/branding.cab.|
\ No newline at end of file
+|Branding |`` |The location of your branding cabinet (.cab) file. For example, http://www.<your_server>.net/cabs/branding.cab.|
+
diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
index def77f424a..7bb21bf9bd 100644
--- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
+++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: manage
 description: Customize Automatic Search in Internet Explorer so that your employees can type a single word into the Address box to search for frequently used pages.
-ms.assetid: 694e2f92-5e08-49dc-b83f-677d61fa918a
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: manage
-ms.sitesec: library
+ms.assetid: 694e2f92-5e08-49dc-b83f-677d61fa918a
 title: Customize Automatic Search using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Customize Automatic Search for Internet Explorer using IEAK 11
 Internet Explorer lets websites advertise any search provider that uses the open search standard described at the A9 website ( [OpenSearch 1.1 Draft 5](http://go.microsoft.com/fwlink/p/?LinkId=208582)). When IE detects new search providers, the **Search** box becomes active and adds the new providers to the drop-down list of providers.
diff --git a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
index 8c39fcada8..ae010258c3 100644
--- a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: Use the \[ExtRegInf\] .INS file setting to specify your Setup information (.inf) files and the installation mode for your custom components.
-ms.assetid: 53148422-d784-44dc-811d-ef814b86a4c6
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 53148422-d784-44dc-811d-ef814b86a4c6
 title: Use the ExtRegInf .INS file to specify your installation files and mode (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the ExtRegInf .INS file to specify installation files and mode
 Info about how to specify your Setup information (.inf) files and the instsallation mode for your custom components.
@@ -18,4 +20,5 @@ Info about how to specify your Setup information (.inf) files and the instsallat
 |Inetres |*string* |The name of the .inf file and the install mode for components. For example, *,inetres.inf,DefaultInstall. |
 |Inetset |*string* |The name of the .inf file and the install mode for components. For example, *,inetset.inf,DefaultInstall. |
 |Subs |*string* |The name of the .inf file and the install mode for components. For example, *,subs.inf,DefaultInstall. |
-|ConnectionSettings |*string* |The name of the .inf file and the install mode for components. For example, *,connect.inf,DefaultInstall. |
\ No newline at end of file
+|ConnectionSettings |*string* |The name of the .inf file and the install mode for components. For example, *,connect.inf,DefaultInstall. |
+
diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
index 27fbfbed18..fc1ffdd687 100644
--- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use the Favorites, Favorites Bar, and Feeds page in IEAK 11 Customization Wizard to add links, web slices, and feeds to your custom browser package.
-ms.assetid: 84afa831-5642-4b8f-b7df-212a53ec8fc7
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 84afa831-5642-4b8f-b7df-212a53ec8fc7
 title: Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard
 The **Favorites, Favorites Bar, and Feeds** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add:
diff --git a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
index b85f2f805e..51042e42b8 100644
--- a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: Use the \[FavoritesEx\] .INS file setting to specify your Favorites icon file, whether Favorites is available offline, and your Favorites URLs.
-ms.assetid: 55de376a-d442-478e-8978-3b064407b631
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 55de376a-d442-478e-8978-3b064407b631
 title: Use the FavoritesEx .INS file for your Favorites icon and URLs (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the FavoritesEx .INS file for your Favorites icon and URLs
 Info about where you store your **Favorites** icon file, whether your **Favorites** are available offline, and the URLs for each **Favorites** site.
@@ -16,4 +18,5 @@ Info about where you store your **Favorites** icon file, whether your **Favorite
 |IconFile1 |`` |An icon (.ico file) that represents the **Favorites** item you’re adding. |
 |Offline1 |

    • **0.** Makes the **Favorites** item unavailable for offline browsing.
    • **1.** Makes the **Favorites** item available for offline browsing.
    |Determines if the **Favorites** item is available for offline browsing. |
 |Title1 |`` |Title for the **Favorites** item. |
-|Url1 |`` |URL to the **Favorites** item. |
\ No newline at end of file
+|Url1 |`` |URL to the **Favorites** item. |
+
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index 0fea681fea..6c37c85e24 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
-description: How to use the Feature Selection page in the IEAK 11 Customization Wizard to choose which parts of the setup processes and Internet Explorer 11 to change for your company.
-ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8
+localizationpriority: low
+ms.mktglfcycl: deploy
+description: How to use the Feature Selection page in the IEAK 11 Customization Wizard to choose which parts of the setup processes and Internet Explorer 11 to change for your company.
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8
 title: Use the Feature Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Feature Selection page in the IEAK 11 Wizard
 The **Feature Selection** page of the Internet Explorer Customization Wizard 11 lets you choose which parts of the setup processes and Internet Explorer 11 to change for your company, including:
diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
index a04ce46b84..9081a2c20e 100644
--- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
-description: How to use the File Locations page in the IEAK 11 Customization Wizard to change the location of your install package and IE11 folders.
-ms.assetid: bd0620e1-0e07-4560-95ac-11888c2c389e
+localizationpriority: low
+ms.mktglfcycl: deploy
+description: How to use the File Locations page in the IEAK 11 Customization Wizard to change the location of your install package and IE11 folders.
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: bd0620e1-0e07-4560-95ac-11888c2c389e
 title: Use the File Locations page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the File Locations page in the IEAK 11 Wizard
 The **File Locations** page of the Internet Explorer Customization Wizard 11 lets you change the location of your folders, including:
diff --git a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
index 3d717ed9ce..5c4deb0b5d 100644
--- a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: plan
 description: Review the file types that are created and used by tools in the Internet Explorer Administration Kit 11 (IEAK 11).
-ms.assetid: e5735074-3e9b-4a00-b1a7-b8fd8baca327
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: plan
-ms.sitesec: library
+ms.assetid: e5735074-3e9b-4a00-b1a7-b8fd8baca327
 title: File types used or created by IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # File types used or created by IEAK 11
 A list of the file types used or created by tools in IEAK 11:
@@ -27,4 +29,5 @@ A list of the file types used or created by tools in IEAK 11:
 |.js and .jvs |JScript and JavaScript files that let you configure and maintain your advanced proxy settings. For more info, see the [Use the Automatic Configuration page in the IEAK 11 Wizard](auto-config-ieak11-wizard.md) page. |
 |.pvk |A file format used by some certification authorities to store the private key of the digital certificate. The public part of the digital certificate is stored in an SPC file, while the private part is stored in the PVK file. For more info, see the **Understanding certificates** section of the [Security features and IEAK 11](security-and-ieak11.md) page. |
 |.sed |Connection profile files, created by the CMAK tool, including the instructions for building the self-extracting executable (.exe) file for your service profiles.

    **Important**
    You must never edit a .sed file. |
-|.spc |The software publishing certificate file, which includes:

    • The name and other identifying information of the owner of the certificate.
    • The public key associated with the certificate.
    • The serial number.
    • The length of time the certificate is valid.
    • The digital signature of the certification authority that issued the certificate.
    |
\ No newline at end of file
+|.spc |The software publishing certificate file, which includes:
    • The name and other identifying information of the owner of the certificate.
    • The public key associated with the certificate.
    • The serial number.
    • The length of time the certificate is valid.
    • The digital signature of the certification authority that issued the certificate.
    |
+
diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
index 67cc64816d..c3ae5a99f1 100644
--- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use the First Run Wizard and Welcome Page Options page in the IEAK 11 Customization Wizard to set what your employee’s see the first time they log on to IE, based on their operating system.
-ms.assetid: 85f856a6-b707-48a9-ba99-3a6e898276a9
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 85f856a6-b707-48a9-ba99-3a6e898276a9
 title: Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard
 The **First Run Wizard and Welcome Page Options** page of the Internet Explorer Customization Wizard 11 lets you decide what your employee’s see the first time they log on to IE, based on their operating system.
diff --git a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
index ccb24ecb0d..ec2a66bc57 100644
--- a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: plan
 description: Customization guidelines for your Internet Explorer toolbar button and Favorites List icons.
-ms.assetid: bddc8f23-9ac1-449d-ad71-f77f43ae3b5c
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: plan
-ms.sitesec: library
+ms.assetid: bddc8f23-9ac1-449d-ad71-f77f43ae3b5c
 title: Customize the toolbar button and Favorites List icons using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Customize the Toolbar button and Favorites List icons using IEAK 11
 Use these customization guidelines to change the browser toolbar button and the **Favorites List** icons, using your own branding and graphics.
@@ -18,4 +20,5 @@ Use these customization guidelines to change the browser toolbar button and the
 |Browser toolbar button |2 icon (.ico) files with color images for active and inactive states. |
 |Favorites List icons |1 icon (.ico) file for each new URL. |
-Your icons must use the .ico file extension, no other image file extension works.
\ No newline at end of file
+Your icons must use the .ico file extension, no other image file extension works.
+
diff --git a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
index 4e453ca996..8d43bef26a 100644
--- a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: plan
 description: List of supported hardware and software requirements for Internet Explorer 11 and the Internet Explorer Administration Kit 11.
-ms.assetid: c50b86dc-7184-43d1-8daf-e750eb88dabb
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: plan
-ms.sitesec: library
+ms.assetid: c50b86dc-7184-43d1-8daf-e750eb88dabb
 title: Hardware and software requirements for Internet Explorer 11 and the IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Hardware and software requirements for Internet Explorer 11 and the IEAK 11
 Before you can use the Internet Explorer Administration Kit 11 and the Internet Explorer Customization Wizard 11, you must first install Internet Explorer 11. For more info about installing IE11, see the [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
index 3e42c5a20a..753268c6b2 100644
--- a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: Use the \[HideCustom\] .INS file setting to decide whether to hide the GUID for each custom component.
-ms.assetid: e673f7b1-c3aa-4072-92b0-20c6dc3d9277
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: e673f7b1-c3aa-4072-92b0-20c6dc3d9277
 title: Use the HideCustom .INS file to hide the GUID for each custom component (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the HideCustom .INS file to hide the GUID for each custom component
 Info about whether to hide the globally unique identifier (GUID) for each of your custom components.
diff --git a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
index 87f73061b5..9bb18ee1b1 100644
--- a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
+++ b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: Reference about the command-line options and return codes for Internet Explorer Setup.
-ms.assetid: 40c23024-cb5d-4902-ad1b-6e8a189a699f
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 40c23024-cb5d-4902-ad1b-6e8a189a699f
 title: Internet Explorer Setup command-line options and return codes (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Internet Explorer Setup command-line options and return codes
 You can use command-line options along with a tool like IExpress to package your custom version of Internet Explorer and to perform a batch installation across your organization.
@@ -59,3 +61,4 @@ Windows Setup needs to tell you whether IE successfully installed. However, beca
 ## Related topics
 - [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md)
 - [Express Wizard command-line options](iexpress-command-line-options.md)
+
diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-admin-guide-for-it-pros.md b/browsers/internet-explorer/ie11-ieak/ieak11-admin-guide-for-it-pros.md
index d21dc1f28f..b8b5064c08 100644
--- a/browsers/internet-explorer/ie11-ieak/ieak11-admin-guide-for-it-pros.md
+++ b/browsers/internet-explorer/ie11-ieak/ieak11-admin-guide-for-it-pros.md
@@ -1,14 +1,15 @@
 ---
-description: Use this guide to learn about the several options and processes you'll need to consider while using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
+localizationpriority: low
+ms.mktglfcycl: plan
 description: IEAK 11 - Internet Explorer Administration Kit 11 Users Guide
-ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: plan
-ms.sitesec: library
+ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac
 title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
 Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
@@ -28,4 +29,5 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1
 |IE |The immersive browser, or IE, without a specific version. |
 |Internet Explorer for the desktop |The desktop browser. This is the only experience available when running IE11 on Windows 7 SP1. |
 |IE11 |The whole browser, which includes both IE and Internet Explorer for the desktop. |
-|Internet Explorer Customization Wizard 11 |Step-by-step wizard screens that help you create custom IE11 installation packages. |
\ No newline at end of file
+|Internet Explorer Customization Wizard 11 |Step-by-step wizard screens that help you create custom IE11 installation packages. |
+
diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
index 0073e17a2c..db66d6f706 100644
--- a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
+++ b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: plan
 description: Review the options available to help you customize your browser install packages for deployment to your employee's devices.
-ms.assetid: 4b804da3-c3ac-4b60-ab1c-99536ff6e31b
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: plan
-ms.sitesec: library
+ms.assetid: 4b804da3-c3ac-4b60-ab1c-99536ff6e31b
 title: Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options
 Use the Internet Explorer Administration Kit 11 (IEAK 11) and the Internet Explorer Customization Wizard 11 to customize your browser install packages for deployment to your employee's devices.
@@ -34,4 +36,5 @@ IEAK 11 lets you customize a lot of Internet Explorer 11, including the IE and
 |[Add a Root Certification](add-root-certificate-ieak11-wizard.md) |No longer supported |This functionality has been removed for IE11. |
 |[Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) |The **Security Zones and Privacy** settings are supported by both experiences. The **Content Ratings** are only supported on Internet Explorer for the desktop. |Decide if you want to:
    • Customize your security zones and privacy settings
    • -OR-

    • Import your current security zones and privacy settings
    • -AND-

    • Customize your content ratings settings
    • -OR-

    • Import your current content ratings settings
    |
 |[Programs](programs-ieak11-wizard.md) |Internet Explorer for the desktop |Decide your default programs or import your current settings. |
-|[Additional Settings](additional-settings-ieak11-wizard.md) |Both |Decide how to set up multiple IE settings that appear in the **Internet Options** box. |
\ No newline at end of file
+|[Additional Settings](additional-settings-ieak11-wizard.md) |Both |Decide how to set up multiple IE settings that appear in the **Internet Options** box. |
+
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
index 86d40fa16e..249c01e34c 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: Reference about the command-line options for the IExpress Wizard.
-ms.assetid: aa16d738-1067-403c-88b3-bada12cf9752
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: aa16d738-1067-403c-88b3-bada12cf9752
 title: IExpress Wizard command-line options (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 **Applies to:**
 - Windows Server 2008 R2 with SP1
@@ -34,3 +36,4 @@ For more information, see [Command-line switches for IExpress software update pa
 ## Related topics
 - [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md)
 - [Internet Explorer Setup command-line options and return codes](ie-setup-command-line-options-and-return-codes.md)
+
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
index d6b43635ee..a863e88fd8 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: Use the IExpress Wizard on Windows Server 2008 R2 with SP1 to create self-extracting files to run your custom Internet Explorer Setup program.
-ms.assetid: 5100886d-ec88-4c1c-8cd7-be00da874c57
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 5100886d-ec88-4c1c-8cd7-be00da874c57
 title: IExpress Wizard for Windows Server 2008 R2 with SP1 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # IExpress Wizard for Windows Server 2008 R2 with SP1
 Use the IExpress Wizard and its associated command-line options to create self-extracting files that automatically run your custom Internet Explorer Setup (.inf or .exe file) program that’s contained inside.
diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
index b58454d722..7d15c80a0e 100644
--- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use the Important URLs - Home Page and Support page in the IEAK 11 Customization Wizard to choose one or more **Home** pages and an online support page for your customized version of IE.
-ms.assetid: 19e34879-ba9d-41bf-806a-3b9b9b752fc1
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 19e34879-ba9d-41bf-806a-3b9b9b752fc1
 title: Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard
 The **Important URLS – Home Page and Support** page of the Internet Explorer Customization Wizard 11 lets you choose one or more **Home** pages and an online support page for your customized version of IE.
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index 583bc698fd..6397aad190 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -1,14 +1,15 @@
 ---
-description: Use this guide to learn about the several options and processes you'll need to consider while using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
+localizationpriority: low
+ms.mktglfcycl: plan
 description: IEAK 11 - Internet Explorer Administration Kit 11 Users Guide
-ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: plan
-ms.sitesec: library
+ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac
 title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
 Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
@@ -33,4 +34,5 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1
 ## Related topics
 - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
 - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](http://go.microsoft.com/fwlink/p/?LinkId=760643)
\ No newline at end of file
+- [Microsoft Edge - Deployment Guide for IT Pros](http://go.microsoft.com/fwlink/p/?LinkId=760643)
+
diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
index 7718f63678..f96568d6ab 100644
--- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use the Internal Install page in the IEAK 11 Customization Wizard to customize Setup for the default browser and the latest browser updates.
-ms.assetid: 33d078e3-75b8-455b-9126-f0d272ed676f
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 33d078e3-75b8-455b-9126-f0d272ed676f
 title: Use the Internal Install page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Internal Install page in the IEAK 11 Wizard
 The **Internal Install** page of the Internet Explorer Customization Wizard 11 lets you customize Setup for the default browser and the latest browser updates, based on your company’s guidelines.
diff --git a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
index 5971510317..01f34bb4f1 100644
--- a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
@@ -1,16 +1,19 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: Use the \[ISP_Security\] .INS file setting to add the root certificate for your custom Internet Explorer package.
-ms.assetid: 4eca2de5-7071-45a2-9c99-75115be00d06
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: 4eca2de5-7071-45a2-9c99-75115be00d06
 title: Use the ISP_Security .INS file to add your root certificate (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the ISP_Security .INS file to add your root certificate
 Info about where you store the root certificate you’re adding to your custom package.
 |Name |Value |Description |
 |---------------|-----------------------|------------------------------------------------------------------------------------------|
-|RootCertPath |`` |Location and name of the root certificate you want to add to your custom install package. |
\ No newline at end of file
+|RootCertPath |`` |Location and name of the root certificate you want to add to your custom install package. |
+
diff --git a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
index 7aed4e8eb9..cbd3082236 100644
--- a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
@@ -1,13 +1,15 @@
 ---
+localizationpriority: low
+ms.mktglfcycl: deploy
 description: How to use the Language Selection page in the IEAK 11 Customization Wizard to choose the lanaguage for your IEAK 11 custom package.
-ms.assetid: f9d4ab57-9b1d-4cbc-9398-63f4938df1f6
 author: eross-msft
 ms.prod: ie11
-ms.mktglfcycl: deploy
-ms.sitesec: library
+ms.assetid: f9d4ab57-9b1d-4cbc-9398-63f4938df1f6
 title: Use the Language Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
 ---
+
 # Use the Language Selection page in the IEAK 11 Wizard
 The **Language Selection** page of the Internet Explorer Customization Wizard 11 lets you choose the language for your Internet Explorer Administration Kit 11 (IEAK 11) custom package. You can create custom Internet Explorer 11 packages in any of the languages your operating system version is available in.
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index d1a1939d26..87187bf8c3 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: plan description: Learn about which version of the IEAK 11 you should run, based on your license agreement. -ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: plan -ms.sitesec: library +ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15 title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Determine the licensing version and features to use in IEAK 11 You must pick a version of IEAK 11 to run during installation, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can pick from, the steps you’ll have to follow to deploy your Internet Explorer 11 package, and how you’ll manage the browser after deployment. @@ -45,4 +47,5 @@ You must pick a version of IEAK 11 to run during installation, either **Externa |Not available |Add a root certificate | |Programs |Programs | |Additional settings |Not available | -|Wizard complete |Wizard complete | \ No newline at end of file +|Wizard complete |Wizard complete | + diff --git a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md index 4144e944ad..0a11cced95 100644 --- a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md 
@@ -1,16 +1,19 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Use the \[Media\] .INS file setting to specify the types of media on which your custom install package is available. -ms.assetid: c57bae60-d520-49a9-a77d-da43f7ebe5b8 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: c57bae60-d520-49a9-a77d-da43f7ebe5b8 title: Use the Media .INS file to specify your install media (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Use the Media .INS file to specify your install media The types of media on which your custom install package is available. |Name |Value |Description | |-----|------|-----------------| -|Build_LAN |
    • **0.** Don’t create the LAN-based installation package.
    • **1.** Create the LAN-based installation package.
    |Determines whether you want to create a LAN-based installation package. | \ No newline at end of file +|Build_LAN |
    • **0.** Don’t create the LAN-based installation package.
    • **1.** Create the LAN-based installation package.
    |Determines whether you want to create a LAN-based installation package. | + diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md index 02d75e4a77..02429b575c 100644 --- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to use the Package Type Selection page in the IEAK 11 Customization Wizard to pick the media type you’ll use to distribute your custom package. -ms.assetid: dd91f788-d05e-4f45-9fd5-d951abf04f2c author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: dd91f788-d05e-4f45-9fd5-d951abf04f2c title: Use the Package Type Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Use the Package Type Selection page in the IEAK 11 Wizard The **Package Type Selection** page of the Internet Explorer Customization Wizard 11 lets you pick which type of media you’ll use to distribute your custom installation package. You can pick more than one type, if you need it. diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md index 345e690dd9..f6b5085ea3 100644 --- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package. -ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218 title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Use the Platform Selection page in the IEAK 11 Wizard The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package. diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md index ee0f635579..cf4de55861 100644 --- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: plan description: Learn about what you need to do before you deploy your custom browser package using IEAK 11 over your network. -ms.assetid: 2c66d22a-4a94-47cc-82ab-7274abe1dfd6 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: plan -ms.sitesec: library +ms.assetid: 2c66d22a-4a94-47cc-82ab-7274abe1dfd6 title: Before you install your package over your network using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Before you install your package over your network using IEAK 11 Employees can install the custom browser package using a network server. However, you must either lower the intranet security level or make the server a trusted site. 
@@ -25,4 +27,5 @@ Employees can install the custom browser package using a network server. However 2. Type the location of the server with the downloadable custom browser package, and then click **Add**. -3. Repeat this step for every server that will include the custom browser package for download. \ No newline at end of file +3. Repeat this step for every server that will include the custom browser package for download. + diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md index b1bd1220ef..947b670ab7 100644 --- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services. -ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Use the Programs page in the IEAK 11 Wizard The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer. diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md index 931dc09282..78978d8119 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Learn about how to use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. -ms.assetid: 6c94708d-71bd-44bd-a445-7e6763b374ae author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 6c94708d-71bd-44bd-a445-7e6763b374ae title: Use proxy auto-configuration (.pac) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Use proxy auto-configuration (.pac) files with IEAK 11 These are various ways you can use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. We've included some examples here to help guide you, but you'll need to change the proxy names, port numbers, and IP addresses to match your organization's info. @@ -171,4 +173,5 @@ function FindProxyForURL(url, host) else return "DIRECT"; } -``` \ No newline at end of file +``` + diff --git a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md index 902b4c3cd9..eb04586dcd 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Use the \[Proxy\] .INS file setting to define whether to use a proxy server. -ms.assetid: 30b03c2f-e3e5-48d2-9007-e3fd632f3c18 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 30b03c2f-e3e5-48d2-9007-e3fd632f3c18 title: Use the Proxy .INS file to specify a proxy server (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Use the Proxy .INS file to specify a proxy server Info about whether to use a proxy server. If yes, this also includes the host names for the proxy server. 
@@ -20,4 +22,5 @@ Info about whether to use a proxy server. If yes, this also includes the host na |Proxy_Override |`` |The host name for the proxy server. For example, ``. | |Secure_Proxy_Server |`` |The host name for the secure proxy server. | |Socks_Proxy_Server |`` |The host name for the SOCKS proxy server. | -|Use_Same_Proxy |
    • **0.** Don’t use the same proxy server for all services.
    • **1.** Use the same proxy server for all services.
    |Determines whether to use a single proxy server for all services. | \ No newline at end of file +|Use_Same_Proxy |
    • **0.** Don’t use the same proxy server for all services.
    • **1.** Use the same proxy server for all services.
    |Determines whether to use a single proxy server for all services. | + diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md index 9f9c0ed357..bc7d4bb78f 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to use the Proxy Settings page in the IEAK 11 Customization Wizard to pick the proxy servers used to connect to required services. -ms.assetid: 1fa1eee3-e97d-41fa-a48c-4a6e0dc8b544 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 1fa1eee3-e97d-41fa-a48c-4a6e0dc8b544 title: Use the Proxy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Use the Proxy Settings page in the IEAK 11 Wizard The **Proxy Settings** page of the Internet Explorer Customization Wizard 11 lets you pick the proxy servers used by your employees to connect for services required by the custom install package. diff --git a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md index c047eef68c..1a490542ed 100644 --- a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md 
@@ -1,12 +1,14 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Learn how to register an uninstall app for your custom components, using IEAK 11. -ms.assetid: 4da1d408-af4a-4c89-a491-d6f005fd5005 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy +ms.assetid: 4da1d408-af4a-4c89-a491-d6f005fd5005 title: Register an uninstall app for custom components using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) --- + # Register an uninstall app for custom components using IEAK 11 Register the uninstall apps for any custom components you’ve included in your Internet Explorer 11 package. Registering these apps lets your employees remove the components later, using **Uninstall or change a program** in the Control Panel. @@ -18,4 +20,5 @@ While you’re running your custom component setup process, your app can add inf |Subkey |Data type |Value | |-------|----------|-----------| |DisplayName |*string* |Friendly name for your uninstall app. This name must match your **Uninstall Key** in the **Add a Custom Component** page of the Internet Explorer Customization Wizard 11. For more info, see the [Custom Components](custom-components-ieak11-wizard.md) page. | -|UninstallString |*string* |Full command-line text, including the path, to uninstall your component. You must not use a batch file or a sub-process. | \ No newline at end of file +|UninstallString |*string* |Full command-line text, including the path, to uninstall your component. You must not use a batch file or a sub-process. | + diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md index 789f64a8b7..e1c2731a4b 100644 --- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: manage description: Learn how to use the Resultant Set of Policy (RSoP) snap-in to view your policy settings. -ms.assetid: 0f21b320-e879-4a06-8589-aae6fc264666 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: manage -ms.sitesec: library +ms.assetid: 0f21b320-e879-4a06-8589-aae6fc264666 title: Use the RSoP snap-in to review policy settings (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Using the Resultant Set of Policy (RSoP) snap-in to review policy settings After you’ve deployed your custom Internet Explorer package to your employees, you can use the Resultant Set of Policy (RSoP) snap-in to view your created policy settings. The RSoP snap-in is a two-step process. First, you run the RSoP wizard to determine what information should be viewed. Second, you open the specific items in the console window to view the settings. For complete instructions about how to use RSoP, see [Resultant Set of Policy](http://go.microsoft.com/fwlink/p/?LinkId=259479). diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md index bd5e4c8c12..d58f446135 100644 --- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to use the Search Providers page in the IEAK 11 Customization Wizard to add additional providers and set the default. -ms.assetid: 48cfaba5-f4c0-493c-b656-445311b7bc52 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 48cfaba5-f4c0-493c-b656-445311b7bc52 title: Use the Search Providers page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Use the Search Providers page in the IEAK 11 Wizard The **Search Providers** page of the Internet Explorer Customization Wizard 11 lets you add a default search provider (typically, Bing®) and additional providers to your custom version of IE. diff --git a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md index 5802534823..1464b71931 100644 --- a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: plan description: Learn about the security features available in Internet Explorer 11 and IEAK 11. -ms.assetid: 5b64c9cb-f8da-411a-88e4-fa69dea473e2 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: plan -ms.sitesec: library +ms.assetid: 5b64c9cb-f8da-411a-88e4-fa69dea473e2 title: Security features and IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Security features and IEAK 11 Use Internet Explorer in conjunction with your new and existing security measures, to make sure the computers in your company aren’t compromised while on the Internet. 
@@ -55,4 +57,5 @@ You must keep your private key, private. To do this, we recommend: - **Tamper-proof storage.** Save your private keys on secure, tamper-proof hardware devices. -- **Security.** Protect your private keys using physical security measures, such as cameras and card readers. \ No newline at end of file +- **Security.** Protect your private keys using physical security measures, such as cameras and card readers. + diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md index 77a5c40dbf..a59c87f2d8 100644 --- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to use the Security and Privacy Settings page in the IEAK 11 Customization Wizard to manage your security zones, privacy settings, and content ratings. -ms.assetid: cb7cd1df-6a79-42f6-b3a1-8ae467053f82 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: cb7cd1df-6a79-42f6-b3a1-8ae467053f82 title: Use the Security and Privacy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Use the Security and Privacy Settings page in the IEAK 11 Wizard The **Security and Privacy Settings** page of the Internet Explorer Customization Wizard 11 lets you manage your security zones, privacy settings, and content ratings. These settings help restrict the types of content your employees can access from the Internet, including any content that might be considered offensive or otherwise inappropriate in a corporate setting. 
diff --git a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md index 733b53831c..2c1379c97b 100644 --- a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Use the \[Security Imports\] .INS file setting to decide whether to import security info to your custom package. -ms.assetid: 19791c44-aaa7-4f37-9faa-85cbdf29f68e author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 19791c44-aaa7-4f37-9faa-85cbdf29f68e title: Use the Security Imports .INS file to import security info (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Use the Security Imports .INS file to import security info Info about how to import security information from your local device to your custom package. @@ -17,4 +19,5 @@ Info about how to import security information from your local device to your cus |ImportRatings |
    • **0.** Don’t import the existing settings.
    • **1.** Import the existing settings.
    |Whether to import the existing Content Ratings settings. | |ImportSecZones |
    • **0.** Don’t import the existing settings.
    • **1.** Import the existing settings.
    |Whether to import the existing Security Zone settings. | |ImportSiteCert |
    • **0.** Don’t import the existing authorities.
    • **1.** Import the existing authorities.
    |Whether to import the existing site certification authorities. | -|Win16SiteCerts |
    • **0.** Don’t use the site certificates.
    • **1.** Use the site certificates.
    |Whether to use site certificates for computers running 16-bit versions of Windows. | \ No newline at end of file +|Win16SiteCerts |
    • **0.** Don’t use the site certificates.
    • **1.** Use the site certificates.
    |Whether to use site certificates for computers running 16-bit versions of Windows. | + diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md index 6d83d55a3e..b6c2290c54 100644 --- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: support description: Info about some of the known issues using the Internet Exporer Customization Wizard and a custom Internet Explorer install package. -ms.assetid: 9e22cc61-6c63-4cab-bfdf-6fe49db945e4 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: support -ms.sitesec: library +ms.assetid: 9e22cc61-6c63-4cab-bfdf-6fe49db945e4 title: Troubleshoot custom package and IEAK 11 problems (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Troubleshoot custom package and IEAK 11 problems While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package. diff --git a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md index 853199a71b..d508dffd3a 100644 --- a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server. -ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7 title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Use the URL .INS file to use an auto-configured proxy server Info about whether to use an auto-configured proxy server. If yes, this also includes the URLs to the pages that appear when your employees first connect to that server. @@ -30,4 +32,5 @@ Info about whether to use an auto-configured proxy server. If yes, this also inc |Quick_Link_X_Name |`` |The name of the site associated with another Quick Link. | |Quick_Link_X_Offline |
    • **0.** Don’t make the Quick Links available offline.
    • **1.** Make the Quick Links available offline.
    |Determines whether to make the Quick Links available for offline browsing. | |Search_Page |`` |The URL to the default search page. | -|UseLocalIns |
    • **0.** Don’t use a local .ins file.
    • **1.** Use a local .ins file.
    |Determines whether to use a local Internet Settings (.ins) file | \ No newline at end of file +|UseLocalIns |
    • **0.** Don’t use a local .ins file.
    • **1.** Use a local .ins file.
    |Determines whether to use a local Internet Settings (.ins) file | + diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md index 0027d5ce6d..11278110c1 100644 --- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process. -ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Use the User Experience page in the IEAK 11 Wizard The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process. diff --git a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md index d08e772fa9..dc16dd86ec 100644 --- a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md +++ b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md 
@@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package. -ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977 author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977 title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Using Internet Settings (.INS) files with IEAK 11 Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file. @@ -27,4 +29,5 @@ Here's a list of the availble .INS file settings: |[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. | |[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. | |[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. | -|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. | \ No newline at end of file +|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. | + diff --git a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md index 9c4b3bea88..2fad3b0d54 100644 --- a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md 
@@ -1,13 +1,15 @@ --- -description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package. -ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc +localizationpriority: low +ms.mktglfcycl: deploy +description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package. author: eross-msft ms.prod: ie11 -ms.mktglfcycl: deploy -ms.sitesec: library +ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library --- + # Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**. diff --git a/browsers/internet-explorer/index.md b/browsers/internet-explorer/index.md index 480d0fb2fc..b3d34f728c 100644 --- a/browsers/internet-explorer/index.md +++ b/browsers/internet-explorer/index.md @@ -1,13 +1,15 @@ --- +localizationpriority: low +ms.mktglfcycl: deploy description: The landing page for IE11 that lets you access the documentation. -assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0 author: eross-msft ms.prod: IE11 -ms.mktglfcycl: deploy -ms.sitesec: library title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0 +ms.sitesec: library --- + # Internet Explorer 11 (IE11) Find info about Internet Explorer 11 that's important to IT Pros. diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md new file mode 100644 index 0000000000..06913f7aef --- /dev/null +++ b/devices/hololens/TOC.md @@ -0,0 +1 @@ +# [Index](index.md) \ No newline at end of file 
diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json new file mode 100644 index 0000000000..c6dc9e418d --- /dev/null +++ b/devices/hololens/docfx.json @@ -0,0 +1,37 @@ +{ + "build": { + "content": [ + { + "files": [ + "**/*.md" + ], + "exclude": [ + "**/obj/**", + "devices/hololens/**", + "**/includes/**" + ] + } + ], + "resource": [ + { + "files": [ + "**/*.png", + "**/*.jpg" + ], + "exclude": [ + "**/obj/**", + "devices/hololens/**", + "**/includes/**" + ] + } + ], + "overwrite": [], + "externalReference": [], + "globalMetadata": {}, + "fileMetadata": {}, + "template": [ + null + ], + "dest": "devices/hololens" + } +} diff --git a/devices/hololens/index.md b/devices/hololens/index.md new file mode 100644 index 0000000000..beccdc8994 --- /dev/null +++ b/devices/hololens/index.md @@ -0,0 +1 @@ +# Index test file for Open Publishing \ No newline at end of file diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md index 4c4b6a6425..4950e97e51 100644 --- a/devices/surface-hub/accessibility-surface-hub.md +++ b/devices/surface-hub/accessibility-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.pagetype: surfacehub ms.sitesec: library author: TrudyHa +localizationpriority: medium --- # Accessibility (Surface Hub) diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md index daab251d41..cf642f2291 100644 --- a/devices/surface-hub/admin-group-management-for-surface-hub.md +++ b/devices/surface-hub/admin-group-management-for-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, security author: TrudyHa +localizationpriority: medium --- # Admin group management (Surface Hub) diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index 7fd65a2aa4..6b6083ba4b 100644 
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Appendix: PowerShell (Surface Hub) @@ -34,7 +35,7 @@ You can check online for updated versions at [Surface Hub device account scripts What do the scripts do? - Create device accounts for setups using pure single-forest on-premises (Microsoft Exchange and Skype 2013 and later only) or online (Microsoft Office 365), that are configured correctly for your Surface Hub. -- Validate existing device accounts for any setup (on-premises, online, or hybrid using Exchange or Lync 2010 or later) to make sure they're compatible with Surface Hub. +- Validate existing device accounts for any setup (on-premises or online) to make sure they're compatible with Surface Hub. - Provide a base template for anyone wanting to create their own device account creation or validation scripts. What do you need in order to run the scripts? diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md index 8712782546..f6cad56654 100644 --- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Applying ActiveSync policies to device accounts (Surface Hub) diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md index 0760c66e33..6dc6bf7016 100644 --- a/devices/surface-hub/change-surface-hub-device-account.md +++ b/devices/surface-hub/change-surface-hub-device-account.md 
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Change the Microsoft Surface Hub device account diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md index 35d14c4df5..c32f557d19 100644 --- a/devices/surface-hub/connect-and-display-with-surface-hub.md +++ b/devices/surface-hub/connect-and-display-with-surface-hub.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Connect other devices and display with Surface Hub @@ -130,7 +131,7 @@ When a Surface hub is connected to guest computer with the wired connect USB por - HID-compliant mouse -**Universal serial bus conntrollers** +**Universal serial bus controllers** - Generic USB hub @@ -224,7 +225,7 @@ In replacement PC mode, the embedded computer of the Surface Hub is turned off a ### Software requirements -You can run Surface Hub in replacement PC mode with 64-bit versions of Windows 10 Home, Windows 10 Pro and Windows 10 Enterprise. You can download the [Surface Hub Replacement PC driver package](https://www.microsoft.com/en-us/download/details.aspx?id=52210) from the Microsoft download center. We recommend that you install these drivers on any computer you plan to use as a replacement PC. +You can run Surface Hub in replacement PC mode with 64-bit versions of Windows 10 Home, Windows 10 Pro and Windows 10 Enterprise. You can download the [Surface Hub Replacement PC driver package](https://www.microsoft.com/download/details.aspx?id=52210) from the Microsoft download center. We recommend that you install these drivers on any computer you plan to use as a replacement PC. ### Hardware requirements 
@@ -389,7 +390,7 @@ Replacement PC ports on 84" Surface Hub. **To use replacement PC mode** -1. Download and install the [Surface Hub Replacement PC driver package](https://www.microsoft.com/en-us/download/details.aspx?id=52210) on the replacement PC. +1. Download and install the [Surface Hub Replacement PC driver package](https://www.microsoft.com/download/details.aspx?id=52210) on the replacement PC. **Note**  We recommend that you set sleep or hibernation on the replacement PC so the Surface Hub will turn off the display when it isn't being used. diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 1f4a231d66..d60f54e1b2 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Create a device account using UI (Surface Hub) diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md index aeb2e566ac..b1888116aa 100644 --- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md +++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Create and test a device account (Surface Hub) @@ -55,11 +56,11 @@ These properties represent the minimum configuration for a device account to wor -

    Exchange mailbox (Exchange 2010 or later, or Exchange Online)

    +

    Exchange mailbox (Exchange 2013 or later, or Exchange Online)

    Enabling the account with an Exchange mailbox gives the device account the capability to receive and send both mail and meeting requests, and to display a meetings calendar on the Surface Hub’s welcome screen. The Surface Hub mailbox must be a room mailbox.

    -

    Skype for Business-enabled (Lync/Skype for Business 2010 or later or Skype for Business Online)

    +

    Skype for Business-enabled (Lync/Skype for Business 2013 or later or Skype for Business Online)

    Skype for Business must be enabled in order to use various conferencing features, like video calls, IM, and screen-sharing.

    @@ -116,8 +117,6 @@ You can check online for updated versions at [Surface Hub device account scripts Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup. -![Image showing deployment options: online, on-premises, or hybrid.](images/deploymentoptions-01.png) - - [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organization’s environment is deployed entirely on Office 365. - [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted. - [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md): Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. diff --git a/devices/surface-hub/device-reset-suface-hub.md b/devices/surface-hub/device-reset-suface-hub.md index b90a11ada6..f91cbdd7b9 100644 --- a/devices/surface-hub/device-reset-suface-hub.md +++ b/devices/surface-hub/device-reset-suface-hub.md @@ -2,7 +2,7 @@ title: Device reset (Surface Hub) description: You may wish to reset your Microsoft Surface Hub. ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF -redirect_url: https://technet.microsoft.com/en-us/itpro/surface-hub/device-reset-surface-hub +redirect_url: https://technet.microsoft.com/itpro/surface-hub/device-reset-surface-hub keywords: reset Surface Hub ms.prod: w10 ms.mktglfcycl: manage 
@@ -11,36 +11,6 @@ ms.pagetype: surfacehub author: TrudyHa --- -# Device reset (Surface Hub) - - -You may wish to reset your Microsoft Surface Hub. - -Typical reasons for a reset include: - -- The device isn’t running well after installing an update. -- You’re repurposing the device for a new meeting space and want to reconfigure it. -- You want to change how you locally manage the device. - -Initiating a reset will return the device to the last cumulative Windows update, and remove all local user files and configuration, including: - -- The device account -- MDM enrollment -- Domain join or Azure AD join information -- Local admins on the device -- Configurations from MDM or the Settings app - -**Important Note**
    -Performing a device reset may take up to 6 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality. - -After the reset, you'll be taken through the [first run program](first-run-program-surface-hub.md) again. - -## Related topics - - -[Manage Microsoft Surface Hub](manage-surface-hub.md) - -[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)   diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index d2e58dc6fc..fe97b78978 100644 --- a/devices/surface-hub/device-reset-surface-hub.md +++ b/devices/surface-hub/device-reset-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Device reset (Surface Hub) diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md index f2264e2d63..3e9df023a1 100644 --- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Microsoft Exchange properties (Surface Hub) diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md index 449c447e5c..8305a2bd53 100644 --- a/devices/surface-hub/first-run-program-surface-hub.md +++ b/devices/surface-hub/first-run-program-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # First-run program (Surface Hub) 
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md index 7d9bfa37be..478ae597cd 100644 --- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Hybrid deployment (Surface Hub) diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md index db6e9ddd5f..45d66f1d0a 100644 --- a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md +++ b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # End a Surface Hub meeting with I'm Done diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index f526e77791..03268e3bb2 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -7,6 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Microsoft Surface Hub diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index 2056f2a6f7..76cf98911f 100644 --- a/devices/surface-hub/install-apps-on-surface-hub.md +++ b/devices/surface-hub/install-apps-on-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub, store author: TrudyHa +localizationpriority: medium --- # Install apps on your Microsoft Surface Hub diff --git a/devices/surface-hub/intro-to-surface-hub.md b/devices/surface-hub/intro-to-surface-hub.md index f8903f20cd..d8a4c1c1e2 100644 --- a/devices/surface-hub/intro-to-surface-hub.md 
+++ b/devices/surface-hub/intro-to-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Intro to Microsoft Surface Hub @@ -33,7 +34,7 @@ The capabilities of your Surface Hub will depend on what other Microsoft product

    One-touch meeting join, meetings calendar, and email (for example, sending whiteboards)

    -

    Device account with Microsoft Exchange 2010 or later, or Exchange Online and a network connection to where the account is hosted.

    +

    Device account with Microsoft Exchange 2013 or later, or Exchange Online and a network connection to where the account is hosted.

    Meetings using Skype for Business

    diff --git a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md index 59a5eb9898..05b356e461 100644 --- a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Manage settings with a local admin account (Surface Hub) diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index 5fe5d1931c..1db4d6fbe1 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, mobility author: TrudyHa +localizationpriority: medium --- # Manage settings with an MDM provider (Surface Hub) @@ -34,7 +35,7 @@ Alternatively, the device can be enrolled like any other Windows device by going ### Manage a device through MDM -The following table lists the device settings that can be managed remotely using MDM, including the OMA URI paths that 3rd party MDM providers need to create policies. Intune and SCCM have special templates to help create policies to manage these settings. +The following table lists the device settings that can be managed remotely using MDM, including the OMA URI paths that 3rd party MDM providers need to create policies. Intune and System Center Configuration Manager have special templates to help create policies to manage these settings. diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index 7baf06e0be..f1ea0e3ebc 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md 
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Manage Microsoft Surface Hub diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index fdf19039e5..c4d7d2f8d9 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Windows updates (Surface Hub) diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md index 2055b8369d..3083553e68 100644 --- a/devices/surface-hub/monitor-surface-hub.md +++ b/devices/surface-hub/monitor-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Monitor your Microsoft Surface Hub diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 678465138b..e948c327bb 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # On-premises deployment (Surface Hub) 
@@ -15,7 +16,7 @@ author: TrudyHa This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment. -If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, or are using Exchange 2010 or Lync 2010, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section. +If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section. 1. Start a remote PowerShell session from a PC and connect to Exchange. diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 87f72ef2f2..a7304bb73f 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Online deployment with Office 365 (Surface Hub) 
@@ -15,7 +16,7 @@ author: TrudyHa This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. -If you have a pure, online (O365) deployment, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-os356-ps-scripts) to create device accounts. If you’re using Microsoft Exchange 2010 or Lync 2010, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section. +If you have a pure, online (O365) deployment, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-os356-ps-scripts) to create device accounts. 1. Start a remote PowerShell session on a PC and connect to Exchange. diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md index 58fc3a9004..9ebb5d145d 100644 --- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, security author: TrudyHa +localizationpriority: medium --- # Password management (Surface Hub) diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md index 2a95ec05e4..7c201fd78e 100644 --- a/devices/surface-hub/physically-install-your-surface-hub-device.md +++ b/devices/surface-hub/physically-install-your-surface-hub-device.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, readiness author: TrudyHa +localizationpriority: medium --- # Physically install Microsoft Surface Hub 
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index d4af065b4b..17ad527a67 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Prepare your environment for Microsoft Surface Hub diff --git a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md index 0d7c350af6..cbad03aa49 100644 --- a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md +++ b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Create provisioning packages (Surface Hub) @@ -34,7 +35,7 @@ Provisioning packages are created using Windows Imaging and Configuration Design ### What can provisioning packages configure for Surface Hubs? -Currently, you can use provisioning packages to install certificates and to install Universal App Platform (UAP) apps on your Surface Hub. These are the only two supported scenarios. +Currently, you can use provisioning packages to install certificates and to install Universal Windows Platform (UWP) apps on your Surface Hub. These are the only two supported scenarios. You may use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange or Skype for Business, or to sideload apps that don't come from the Windows Store (for example, your own in-house apps). diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md index 869f0a540b..1658d8de1a 100644 
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md +++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, security author: TrudyHa +localizationpriority: medium --- # Save your BitLocker key (Surface Hub) diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md index 1323fc0f77..0ce8d6e7d7 100644 --- a/devices/surface-hub/set-up-your-surface-hub.md +++ b/devices/surface-hub/set-up-your-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: mediumh --- # Set up Microsoft Surface Hub diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md index 9f23b06daa..2dc1778f87 100644 --- a/devices/surface-hub/setup-worksheet-surface-hub.md +++ b/devices/surface-hub/setup-worksheet-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Setup worksheet (Surface Hub) diff --git a/devices/surface-hub/surface-hub-administrators-guide.md b/devices/surface-hub/surface-hub-administrators-guide.md index 8a1a636282..6b08e5cb6f 100644 --- a/devices/surface-hub/surface-hub-administrators-guide.md +++ b/devices/surface-hub/surface-hub-administrators-guide.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Microsoft Surface Hub administrator's guide diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index f5c70dacc3..cc3bd57b95 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md 
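Review bot: `localizationpriority: mediumh` in the added front-matter line of set-up-your-surface-hub.md is a typo; every other page touched by this commit sets `localizationpriority: medium`. An unrecognised value is presumably ignored or rejected by the localization pipeline rather than treated as medium, so this one page would silently miss the priority the commit is rolling out. Change the line to `localizationpriority: medium`.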
@@ -8,6 +8,7 @@ ms.mktglfcycl: support ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Troubleshoot Microsoft Surface Hub diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md index 258a618516..e948577807 100644 --- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md +++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md @@ -4,6 +4,7 @@ description: Troubleshoot common problems, including setup issues, Exchange Acti ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"] author: TrudyHa +localizationpriority: medium --- # When to use a fully qualified domain name with Surface Hub diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 79edc9e9a3..71051b3d27 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: TrudyHa +localizationpriority: medium --- # Using a room control system (Surface Hub) diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md index a84ca0aa97..8593840926 100644 --- a/devices/surface-hub/wireless-network-management-for-surface-hub.md +++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, networking author: TrudyHa +localizationpriority: medium --- # Wireless network management (Surface Hub) diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 0b2f363936..07d07e34a6 100644 --- a/devices/surface/TOC.md 
+++ b/devices/surface/TOC.md @@ -2,6 +2,7 @@ ## [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) ## [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) ## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) +## [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) ## [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) ## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) ## [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md) @@ -16,4 +17,5 @@ ## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) +## [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md) diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md index c90f8d9b3a..a590b85c20 100644 --- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md +++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md 
@@ -3,6 +3,7 @@ title: Advanced UEFI security features for Surface Pro 3 (Surface) description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices. ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93 keywords: security, features, configure, hardware, device, custom, script, update +localizationpriority: high ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surface, devices, security diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md index 3c18712be2..aa17e2e68f 100644 --- a/devices/surface/customize-the-oobe-for-surface-deployments.md +++ b/devices/surface/customize-the-oobe-for-surface-deployments.md @@ -3,6 +3,7 @@ title: Customize the OOBE for Surface deployments (Surface) description: This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization. ms.assetid: F6910315-9FA9-4297-8FA8-2C284A4B1D87 keywords: deploy, customize, automate, network, Pen, pair, boot +localizationpriority: high ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: surface, devices diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index b2a06e1583..6ee5c0b6f6 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md 
@@ -3,6 +3,7 @@ title: Download the latest firmware and drivers for Surface devices (Surface) description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device. ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A keywords: update Surface, newest, latest, download, firmware, driver, tablet, hardware, device +localizationpriority: high ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: surface, devices diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md new file mode 100644 index 0000000000..a29f37c0ef --- /dev/null +++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md 
@@ -0,0 +1,759 @@ +--- +title: Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit (Surface) +description: Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit. +keywords: windows 10 surface, automate, customize, mdt +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: surface +ms.sitesec: library +author: Scottmca +--- + +# Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit + +#### Applies to +* Surface Pro 4 +* Surface Book +* Surface 3 +* Windows 10 + +This article walks you through the recommended process to deploy Windows 10 to Surface devices with Microsoft deployment technologies. The process described in this article yields a complete Windows 10 environment including updated firmware and drivers for your Surface device along with applications like Microsoft Office 365 and the Surface app. When the process is complete, the Surface device will be ready for use by the end user. You can customize this process to include your own applications and configuration to meet the needs of your organization. You can also follow the guidance provided in this article to integrate deployment to Surface devices into existing deployment strategies. + +By following the procedures in this article, you can create an up-to-date reference image and deploy this image to your Surface devices, a process known as *reimaging*. Reimaging will erase and overwrite the existing environment on your Surface devices. This process allows you to rapidly configure your Surface devices with identical environments that can be configured to precisely fit your organization’s requirements. + +An alternative to the reimaging process is an upgrade process. The upgrade process is non-destructive and instead of erasing the existing environment on your Surface device, it allows you to install Windows 10 while retaining your user data, applications, and settings. 
You can read about how to manage and automate the upgrade process of Surface devices to Windows 10 at [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md). + +The goal of the deployment process presented in this article is automation. By leveraging the many technologies and tools available from Microsoft, you can create a process that requires only a single touch on the devices being deployed. The automation can load the deployment environment; format the device; prepare an updated Windows image with the drivers required for the device; apply that image to the device; configure the Windows environment with licensing, membership in a domain, and user accounts; install applications; apply any Windows updates that were not included in the reference image; and log out. + +By automating each aspect of the deployment process, you not only greatly decrease the effort involved, but you create a process that can be easily repeated and where human error becomes less of a factor. Take for example a scenario where you create a reference image for the device manually, but you accidentally install conflicting applications and cause the image to become unstable. In this scenario you have no choice but to begin again the manual process of creating your image. If in this same scenario you had automated the reference image creation process, you could repair the conflict by simply editing a step in the task sequence and then re-running the task sequence. + +## Deployment tools + +The deployment process described in this article leverages a number of Microsoft deployment tools and technologies. Some of these tools and technologies are included in Windows client and Windows Server, such as Hyper-V and Windows Deployment Services (WDS), while others are available as free downloads from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/windows.aspx). 
+ +#### Microsoft Deployment Toolkit + +The Microsoft Deployment Toolkit (MDT) is the primary component of a Windows deployment. It serves as a unified interface for most of the Microsoft deployment tools and technologies, such as the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), User State Migration Tool (USMT), and many other tools and technologies. Each of these is discussed throughout this article. The unified interface, called the *Deployment Workbench*, facilitates automation of the deployment process through a series of stored deployment procedures, known as a *task sequence*. Along with these task sequences and the many scripts and tools that MDT provides, the resources for a Windows deployment (driver files, application installation files, and image files) are stored in a network share known as the *deployment share*. + +You can download and find out more about MDT at [Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/windows/dn475741). + +#### Windows Assessment and Deployment Kit + +Although MDT is the tool you will interact with most during the deployment process, the deployment tools found in the Windows ADK perform most of the deployment tasks during the deployment process. The resources for deployment are held within the MDT deployment share, but it is the collection of tools included in Windows ADK that access the image files, stage drivers and Windows updates, run the deployment experience, provide instructions to Windows Setup, and back up and restore user data. + +You can download and find out more about the Windows ADK at [Download the Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit#windowsadk). + +#### Windows 10 installation media + +Before you can perform a deployment with MDT, you must first supply a set of operating system installation files and an operating system image. 
These files and image can be found on the physical installation media (DVD) for Windows 10. You can also find these files in the disk image (ISO file) for Windows 10, which you can download from the [Volume Licensing Service Center (VLSC)](https://www.microsoft.com/Licensing/servicecenter/default.aspx). + +>**Note:**  The installation media generated from the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT. + +#### Windows Server + +Although MDT can be installed on a Windows client, to take full advantage of Windows Deployment Services’ ability to network boot, a full Windows Server environment is recommended. To provide network boot for UEFI devices like Surface with WDS, you will need Windows Server 2008 R2 or later. + +>**Note:**  To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter). + +#### Windows Deployment Services + +Windows Deployment Services (WDS) is leveraged to facilitate network boot capabilities provided by the Preboot Execution Environment (PXE) server. The boot media generated by MDT is loaded onto the Surface device simply by pressing Enter at the prompt when the device attempts to boot from the attached network adapter or Surface Dock. + +#### Hyper-V virtualization platform + +The process of creating a reference image should always be performed in a virtual environment. 
When you use a virtual machine as the platform to build your reference image, you eliminate the need for installation of additional drivers. The drivers for a Hyper-V virtual machine are included by default in the factory Windows 10 image. When you avoid the installation of additional drivers – especially complex drivers that include application components like control panel applications – you ensure that the image created by your reference image process will be as universally compatible as possible. + +>**Note:**  A Generation 1 virtual machine is recommended for the preparation of a reference image in a Hyper-V virtual environment. + +Because customizations are performed by MDT at the time of deployment, the goal of reference image creation is not to perform customization but to increase performance during deployment by reducing the number of actions that need to occur on each deployed device. The biggest action that can slow down an MDT deployment is the installation of Windows updates. When MDT performs this step during the deployment process, it downloads the updates on each deployed device and installs them. By installing Windows updates in your reference image, the updates are already installed when the image is deployed to the device and the MDT update process only needs to install updates that are new since the image was created or are applicable to products other than Windows (for example, Microsoft Office updates). + +>**Note:**  Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. 
You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center. + +#### Surface firmware and drivers + +For your deployed Windows environment to function correctly on your Surface devices, you will need to install the drivers used by Windows to communicate with the components of your device. These drivers are available for download in the Microsoft Download Center for each Surface device. You can find the correct Microsoft Download Center page for your device at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). + +When you browse to the specific Microsoft Download Center page for your device, you will notice that there are two files available for download. One file is a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. The other file is an archive (.zip) file. This file contains the individual driver files that are used during deployment, or for manual installation with Device Manager. The file that you will need to download is the .zip archive file. You can read more about the difference between the firmware and driver pack file types at [Manage Surface driver and firmware updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-pro-3-firmware-updates). + + +In addition to the driver files that help Windows communicate with the hardware components of the Surface device, the .zip file you download will also contain firmware updates. These firmware updates will update the instructions used by the device hardware to communicate between components and Windows. 
The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. The firmware of an out-of-date Surface device is thus updated when the device reboots during and after the Windows deployment process. + +>**Note:**  Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices. + +#### Application installation files + +In addition to the drivers that are used by Windows to communicate with the Surface device’s hardware and components, you will also need to provide the installation files for any applications that you want to install on your deployed Surface devices. To automate the deployment of an application, you will also need to determine the command-line instructions for that application to perform a silent installation. In this article, the Surface app and Microsoft Office 365 will be installed as examples of application installation. The application installation process can be used with any application with installation files that can be launched from command line. + +>**Note:**  If the application files for your application are stored on your organization’s network and will be accessible from your Surface devices during the deployment process, you can deploy that application directly from that network location. To use installation files from a network location, use the **Install Application Without Source Files or Elsewhere on the Network** option in the MDT New Application Wizard, which is described in the [Import applications](#import-applications) section later in this article. 
+ +#### Microsoft Surface Deployment Accelerator + +If you want to deploy only to Surface devices or you want an accelerated method to perform deployment to Surface devices, you can use the Microsoft Surface Deployment Accelerator to generate an MDT deployment share complete with Surface device drivers, Surface apps, and pre-configured task sequences to create a reference image and perform deployment to Surface devices. Microsoft Surface Deployment Accelerator can automatically import boot images into WDS and prepare WDS for network boot (PXE). You can download the Microsoft Surface Deployment Accelerator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center. + +### Install the deployment tools + +Before you can configure the deployment environment with Windows images, drivers, and applications, you must first install the deployment tools that will be used throughout the deployment process. The three main tools to be installed are WDS, Windows ADK, and MDT. WDS provides the capacity for network boot, Windows ADK provides several deployment tools that perform specific deployment tasks, and MDT provides automation and a central interface from which to manage and control the deployment process. + +To boot from the network with either your reference virtual machines or your Surface devices, your deployment environment must include a Windows Server environment. The Windows Server environment is required to install WDS and the WDS PXE server. Without PXE support, you will be required to create physical boot media, such as a USB stick to perform your deployment – MDT and Windows ADK will still be required, but Windows Server is not required. Both MDT and Windows ADK can be installed on a Windows client and perform a Windows deployment. 
+ +>**Note:**  To download deployment tools directly to Windows Server, you must disable [Internet Explorer Enhanced Security Configuration](https://technet.microsoft.com/library/dd883248). On Windows Server 2012 R2, this can be performed directly through the **Server Manager** option on the **Local Server** tab. In the **Properties** section, **IE Enhanced Security Configuration** can be found on the right side. You may also need to enable the **File Download** option for the **Internet** zone through the **Security** tab of **Internet Options**. + +#### Install Windows Deployment Services + +Windows Deployment Services (WDS) is a Windows Server role. To add the WDS role to a Windows Server 2012 R2 environment, use the Add Roles and Features Wizard, as shown in Figure 1. Start the Add Roles and Features Wizard from the **Manage** button of **Server Manager**. Install both the Deployment Server and Transport Server role services. + +![Install the Windows Deployment Services role](images\surface-deploymdt-fig1.png "Install the Windows Deployment Services role") + +*Figure 1. Install the Windows Deployment Services server role* + +After the WDS role is installed, you need to configure WDS. You can begin the configuration process from the WDS node of Server Manager by right-clicking your server’s name and then clicking **Windows Deployment Services Management Console**. In the **Windows Deployment Services** window, expand the **Servers** node to find your server, right-click your server, and then click **Configure** in the menu to start the Windows Deployment Services Configuration Wizard, as shown in Figure 2. + +![Configure PXE response for Windows Deployment Services](images\surface-deploymdt-fig2.png "Configure PXE response for Windows Deployment Services") + +*Figure 2. 
Configure PXE response for Windows Deployment Services* + +>**Note:**  Before you configure WDS make sure you have a local NTFS volume that is not your system drive (C:) available for use with WDS. This volume is used to store WDS boot images, deployment images, and configuration. + +Using the Windows Deployment Services Configuration Wizard, configure WDS to fit the needs of your organization. You can find detailed instructions for the installation and configuration of WDS at [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426). On the **PXE Server Initial Settings** page, be sure to configure WDS so that it will respond to your Surface devices when they attempt to boot from the network. If you have already installed WDS or need to change your PXE server response settings, you can do so on the **PXE Response** tab of the **Properties** of your server in the Windows Deployment Services Management Console. + +>**Note:**  You will add boot images to WDS when you update your boot images in MDT. You do not need to add boot images or Windows images to WDS when you configure the role. + +#### Install Windows Assessment and Deployment Kit + +To install Windows ADK, run the Adksetup.exe file that you downloaded from [Download the Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit#adkwin10). Windows ADK must be installed before MDT. You should always download and use the most recent version of Windows ADK. A new version is usually released corresponding with each new version of Windows. + +>**Note:**  You can also use the Adksetup.exe file to download the Windows ADK installation files locally for use on other devices. 
+ +When you get to the **Select the features you want to install** page, you only need to select the **Deployment Tools** and **Windows Preinstallation Environment (Windows PE)** check boxes to deploy Windows 10 using MDT, as shown in Figure 3. + +![Required options for deployment with MDT](images\surface-deploymdt-fig3.png "Required options for deployment with MDT") + +*Figure 3. Only Deployment Tools and Windows PE options are required for deployment with MDT* + +#### Install Microsoft Deployment Toolkit + +After the Windows ADK installation completes successfully, you can install MDT. When you download MDT, ensure that you download the version that matches the architecture of your deployment server environment. For Windows Server the architecture is 64-bit. Download the MDT installation file that ends in **x64**. When MDT is installed you can use the default options during the installation wizard, as shown in Figure 4. + +![MDT installation with default options](images/surface-deploymdt-fig4.png "MDT installation with default options") + +*Figure 4. Install the Microsoft Deployment Toolkit with default options* + +Before you can open the MDT Deployment Workbench, you must enable execution of scripts in PowerShell. If you do not do this, the following error message may be displayed: *"Initialization Error PowerShell is required to use the Deployment Workbench. Please install PowerShell then relaunch Deployment Workbench."* + +To enable the execution of scripts, run the following cmdlet in PowerShell as an Administrator: + + `Set-ExecutionPolicy RemoteSigned -Scope CurrentUser` + +## Create a reference image + +Now that you have installed the required tools, you can begin the first step of customizing your deployment environment to your needs – create a reference image. 
Because the reference image should be created in a virtual machine where there is no need for drivers to be installed, and because the reference image will not include applications, you can use the MDT deployment environment almost entirely with default settings. + +### Create a deployment share + +Now that you have the tools installed, the next step is to configure MDT for the creation of a reference image. Before you can perform the process of creating a reference image, MDT needs to be set up with a repository for scripts, images, and other deployment resources. This repository is known as the *deployment share*. After the deployment share is created, you must supply MDT with a complete set of Windows 10 installation files, the last set of tools required before MDT can perform reference image creation. + +To create the deployment share, follow these steps: + +1. Open the Deployment Workbench from your Start menu or Start screen, as shown in Figure 5. + + ![The MDT Deployment Workbench](images\surface-deploymdt-fig5.png "The MDT Deployment Workbench") + + *Figure 5. The MDT Deployment Workbench* + +2. Right-click the **Deployment Shares** folder, and then click **New Deployment Share** to start the New Deployment Share Wizard, as shown in Figure 6. + + ![Summary page of the New Deployment Share Wizard](images\surface-deploymdt-fig6.png "Summary page of the New Deployment Share Wizard") + + *Figure 6. The Summary page of the New Deployment Share Wizard* + +3. Create a new deployment share with New Deployment Share Wizard with the following steps: + + * **Path** – Specify a local folder where the deployment share will reside, and then click **Next**. + + >**Note:**  Like the WDS remote installation folder, it is recommended that you put this folder on an NTFS volume that is not your system volume. + + * **Share** – Specify a name for the network share under which the local folder specified on the **Path** page will be shared, and then click **Next**. 
+ + >**Note:**  The share name cannot contain spaces. + + >**Note:**  You can use a Dollar Sign (**$**) to hide your network share so that it will not be displayed when users browse the available network shares on the server in File Explorer. + + * **Descriptive Name** – Enter a descriptive name for the network share (this descriptive name can contain spaces), and then click **Next**. The descriptive name will be the name of the folder as it appears in the Deployment Workbench. + * **Options** – You can accept the default options on this page. Click **Next**. + * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the deployment share. + * **Progress** – While the deployment share is being created, a progress bar is displayed on this page to indicate the status of the deployment share creation process. + * **Confirmation** – When the deployment share creation process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Deployment Share Wizard. + +4. When the New Deployment Share Wizard is complete, you can expand the Deployment Shares folder to find your newly created deployment share. +5. You can expand your deployment share, where you will find several folders for the resources, scripts, and components of your MDT deployment environment are stored. + +To secure the deployment share and prevent unauthorized access to the deployment resources, you can create a local user on the deployment share host and configure permissions for that user to have read-only access to the deployment share only. It is especially important to secure access to the deployment share if you intend to automate the logon to the deployment share during the deployment boot process. By automating the logon to the deployment share during the boot of deployment media, the credentials for that logon are stored in plaintext in the bootstrap.ini file on the boot media. 
+ +>**Note:**  If you intend to capture images (such as the reference image) with this user, the user must also have write permission on the Captures folder in the MDT deployment share. + +You now have an empty deployment share that is ready for you to add the resources that will be required for reference image creation and deployment to Surface devices. + +### Import Windows installation files + +The first resources that are required to perform a deployment of Windows are the installation files from Windows 10 installation media. Even if you have an already prepared reference image, you still need to supply the unaltered installation files from your installation media. The source of these files can be a physical disk, or it can be an ISO file like the download from the Volume Licensing Service Center (VLSC). + +>**Note:**  A 64-bit operating system is required for compatibility with Surface Pro 4, Surface Book, Surface Pro 3, and Surface 3. + +To import Windows 10 installation files, follow these steps: + +1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench, and then click **New Folder** to open the **New Folder** page, as shown in Figure 7. + + ![Create a new folder on the New Folder page](images\surface-deploymdt-fig7.png "Create a new folder on the New Folder page") + + *Figure 7. Create a new folder on the New Folder page* + +2. On the **New Folder** page a series of steps is displayed, as follows: + * **General Settings** – Enter a name for the folder in the **Folder Name** field (for example, Windows 10 Enterprise), add any comments you want in the **Comments** field, and then click **Next**. + * **Summary** – Review the specified configuration of the new folder on this page, and then click **Next**. + * **Progress** – A progress bar will be displayed on this page while the folder is created. This page will likely pass very quickly. 
+ * **Confirmation** – When the new folder has been created, a **Confirmation** page displays the success of the operation. Click **Finish** to close the **New Folder** page. +3. Expand the Operating Systems folder to see the newly created folder. +4. Right-click the newly created folder, and then click **Import Operating System** to launch the Import Operating System Wizard, as shown in Figure 8. + + ![Import source files with the Import Operating System Wizard](images\surface-deploymdt-fig8.png "Import source files with the Import Operating System Wizard") + + *Figure 8. Import source files with the Import Operating System Wizard* + +5. The Import Operating System Wizard walks you through the import of your operating system files, as follows: + * **OS Type** – Click **Full Set of Source Files** to specify that you are importing the Windows source files from installation media, and then click **Next**. + * **Source** – Click **Browse**, move to and select the folder or drive where your installation files are found, and then click **Next**. + * **Destination** – Enter a name for the new folder that will be created to hold the installation files, and then click **Next**. + * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. + * **Progress** – While the installation files are imported, a progress bar is displayed on this page. + * **Confirmation** – When the operating system import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Operating System Wizard. +6. Expand the folder you created in Step 1 to see the entry for your newly imported installation files for Windows 10. + +Now that you’ve imported the installation files from the installation media, you have the files that MDT needs to create the reference image and you are ready to instruct MDT how to create the reference image to your specifications. 
+ +### Create reference image task sequence + +As described in the [Deployment tools](#deployment-tools) section of this article, the goal of creating a reference image is to keep the Windows environment as simple as possible while performing tasks that would be common to all devices being deployed. You should now have a basic MDT deployment share configured with default options and a set of unaltered, factory installation files for Windows 10. This simple configuration is perfect for reference image creation because the deployment share contains no applications or drivers to interfere with the process. + +>**Note:**  For some organizations keeping a simple deployment share without applications or drivers is the simplest solution for creation of reference images. You can easily connect to more than one deployment share from a single Deployment Workbench and copy images from a simple, reference-image-only deployment share to a production deployment share complete with drivers and applications. + +To create the reference image task sequence, follow these steps: + +1. Right-click the **Task Sequences** folder under your deployment share in the Deployment Workbench, and then click **New Task Sequence** to start the New Task Sequence Wizard, as shown in Figure 9. + + ![Create new task sequence to deploy and update a Windows 10 reference environment](images\surface-deploymdt-fig9.png "Create new task sequence to deploy and update a Windows 10 reference environment") + + *Figure 9. Create a new task sequence to deploy and update a Windows 10 reference environment* + +2. The New Task Sequence Wizard presents a series of steps, as follows: + * **General Settings** – Enter an identifier for the reference image task sequence in the **Task Sequence ID** field, a name for the reference image task sequence in the **Task Sequence Name** field, and any comments for the reference image task sequence in the **Task Sequence Comments** field, and then click **Next**. 
+ >**Note:**  The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters. + * **Select Template** – Select **Standard Client Task Sequence** from the drop-down menu, and then click **Next**. + * **Select OS** – Navigate to and select the Windows 10 image you imported with the Windows 10 installation files, and then click **Next**. + * **Specify Product Key** – Click **Do Not Specify a Product Key at This Time**, and then click **Next**. + * **OS Settings** – Enter a name, organization, and home page URL in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**. + * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**. + >**Note:**  During creation of a reference image, any specified Administrator password will be automatically removed when the image is prepared for capture with Sysprep. During reference image creation, a password is not necessary, but is recommended to remain in line with best practices for production deployment environments. + * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence. + * **Progress** – While the task sequence is created, a progress bar is displayed on this page. + * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard. +2. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**. +3. Select the **Task Sequence** tab to view the steps that are included in the Standard Client Task Sequence template, as shown in Figure 10. + + ![Enable Windows Update in the reference image task sequence](images\surface-deploymdt-fig10.png "Enable Windows Update in the reference image task sequence") + + *Figure 10. 
Enable Windows Update in the reference image task sequence*
+
+4. Select the **Windows Update (Pre-Application Installation)** option, located under the **State Restore** folder.
+5. Click the **Options** tab, and then clear the **Disable This Step** check box.
+6. Repeat Step 4 and Step 5 for the **Windows Update (Post-Application Installation)** option.
+7. Click **OK** to apply changes to the task sequence, and then close the task sequence properties window.
+
+### Generate and import MDT boot media
+
+To boot the reference virtual machine from the network, the MDT deployment share first must be updated to generate boot media with the resources that have been added in the previous sections.
+
+To update the MDT boot media, follow these steps:
+
+1. Right-click the deployment share in the Deployment Workbench, and then click **Update Deployment Share** to start the Update Deployment Share Wizard, as shown in Figure 11.
+
+ ![Generate boot images with the Update Deployment Share Wizard](images\surface-deploymdt-fig11.png "Generate boot images with the Update Deployment Share Wizard")
+
+ *Figure 11. Generate boot images with the Update Deployment Share Wizard*
+
+2. Use the Update Deployment Share Wizard to create boot images with the following process:
+ * **Options** – Click **Completely Regenerate the Boot Images**, and then click **Next**.
+ >**Note:**  Because this is the first time the newly created deployment share has been updated, new boot images will be generated regardless of which option you select on the **Options** page.
+ * **Summary** – Review the specified options on this page before you click **Next** to begin generation of boot images.
+ * **Progress** – While the boot images are being generated, a progress bar is displayed on this page.
+ * **Confirmation** – When the boot images have been generated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard.
+3.
Confirm that boot images have been generated by navigating to the deployment share in File Explorer and opening the Boot folder. The following files should be displayed, as shown in Figure 12:
+ * **LiteTouchPE_x86.iso**
+ * **LiteTouchPE_x86.wim**
+ * **LiteTouchPE_x64.iso**
+ * **LiteTouchPE_x64.wim**
+
+
+ ![Boot images in the Boot folder after Update Deployment Share Wizard completes](images\surface-deploymdt-fig12.png "Boot images in the Boot folder after Update Deployment Share Wizard completes")
+
+ *Figure 12. Boot images displayed in the Boot folder after completion of the Update Deployment Share Wizard*
+
+To import the MDT boot media into WDS for PXE boot, follow these steps:
+
+1. Open Windows Deployment Services from the Start menu or Start screen.
+2. Expand **Servers** and your deployment server.
+3. Click the **Boot Images** folder, as shown in Figure 13.
+
+ ![Start the Add Image Wizard from the Boot Images folder](images\surface-deploymdt-fig13.png "Start the Add Image Wizard from the Boot Images folder")
+
+ *Figure 13. Start the Add Image Wizard from the Boot Images folder*
+
+4. Right-click the **Boot Images** folder, and then click **Add Boot Image** to open the Add Image Wizard, as shown in Figure 14.
+
+ ![Import the LiteTouchPE_x86.wim MDT boot image](images\surface-deploymdt-fig14.png "Import the LiteTouchPE_x86.wim MDT boot image")
+
+ *Figure 14. Import the LiteTouchPE_x86.wim MDT boot image*
+
+5. The Add Image Wizard displays a series of steps, as follows:
+ * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, click **Open**, and then click **Next**.
+ * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options.
+ * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**.
+ * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard.
+
+>**Note:**  Only the 32-bit boot image, LiteTouchPE_x86.wim, is required to boot from BIOS devices, including Generation 1 Hyper-V virtual machines like the reference virtual machine.
+
+If your WDS configuration is properly set up to respond to PXE clients, you should now be able to boot from the network with any device with a network adapter properly configured for network boot (PXE).
+
+>**Note:**  If your WDS server resides on the same server as DHCP or in a different subnet than the devices you are attempting to boot, additional configuration may be required. For more information, see [Managing Network Boot Programs](https://technet.microsoft.com/library/cc732351).
+
+### Deploy and capture a reference image
+
+Your deployment environment is now set up to create a reference image for Windows 10 complete with Windows Updates.
+
+>**Note:**  You cannot install version updates (such as Windows 10, Version 1511) in a reference image. To create a reference image with a new version of Windows, you must use installation files from that version of Windows. When you install a version update in Windows, it effectively performs an upgrade to a new version of Windows, and upgraded installations of Windows cannot be prepared for deployment with Sysprep.

    +By using a fully automated task sequence in an MDT deployment share dedicated to reference image creation, you can greatly reduce the time and effort required to create new reference images and it is the best way to ensure that your organization is ready for feature updates and new versions of Windows 10.
+
+You can now boot from the network with a virtual machine to run the prepared task sequence and generate a reference image. When you prepare your virtual machine in Hyper-V for reference image creation, consider the following:
+
+* Use a Generation 1 virtual machine for the simplicity of drivers and to ensure maximum compatibility with both BIOS and UEFI devices.
+* Ensure your virtual machine has at least 1 GB of system memory at boot. You can ensure that the virtual machine has at least 1 GB of memory at boot but allow the memory to adjust after boot by using Dynamic Memory. You can read more about Dynamic Memory in the [Hyper-V Dynamic Memory Overview](https://technet.microsoft.com/library/hh831766).
+* Ensure your virtual machine uses a legacy network adapter to support network boot (PXE); that network adapter should be connected to the same network as your deployment server, and that network adapter should receive an IP address automatically via DHCP.
+* Configure your boot order such that PXE Boot is the first option.
+
+When your virtual machine (VM) is properly configured and ready, start or boot the VM and be prepared to press the F12 key when prompted to boot via PXE from the WDS server.
+
+Perform the reference image deployment and capture using the following steps:
+
+1. Start your virtual machine and press the F12 key when prompted to boot to the WDS server via PXE, as shown in Figure 15.
+
+ ![Start network boot by pressing the F12 key](images\surface-deploymdt-fig15.png "Start network boot by pressing the F12 key")
+
+ *Figure 15. Start network boot by pressing the F12 key*
+
+2.
Click **Run the Deployment Wizard to Install a New Operating System** to begin the MDT deployment process.
+3. Enter your MDT username and password, a user with rights to access the MDT deployment share over the network and with rights to write to the Captures folder in the deployment share.
+4. After your credentials are validated, the Windows Deployment Wizard will start and process the boot and deployment share rules.
+5. The Windows Deployment Wizard displays a series of steps, as follows:
+ * **Task Sequence** – Select the task sequence you created for reference image creation (it should be the only task sequence available), and then click **Next**.
+ * **Computer Details** – Leave the default computer name, workgroup name, and the **Join a Workgroup** option selected, and then click **Next**. The computer name and workgroup will be reset when the image is prepared by Sysprep and captured.
+ * **Move Data and Settings** – Leave the default option of **Do Not Move User Data and Settings** selected, and then click **Next**.
+ * **User Data (Restore)** – Leave the default option of **Do Not Restore User Data and Settings** selected, and then click **Next**.
+ * **Locale and Time** – Leave the default options for language and time settings selected. The locale and time settings will be specified during deployment of the image to other devices. Click **Next**.
+ * **Capture Image** – Click the **Capture an Image of this Reference Computer** option, as shown in Figure 16. In the **Location** field, keep the default location of the Captures folder. You can keep or change the name of the image file in the **File Name** field. When you are finished, click **Next**.
+
+ ![Capture an image of the reference machine](images\surface-deploymdt-fig16.png "Capture an image of the reference machine")
+
+ *Figure 16.
Use the Capture Image page to capture an image of the reference machine after deployment*
+
+ * **Ready** – You can review your selections by expanding **Details** on the **Ready** page. Click **Begin** when you are ready to perform the deployment and capture of your reference image.
+
+6. Your reference task sequence will run with the specified options.
+
+As the task sequence processes the deployment, it will automatically perform the following tasks:
+* Install the Windows 10 image from the installation files you supplied
+* Reboot into Windows 10
+* Run Windows updates until all Windows updates have been installed and the Windows environment is fully up to date
+* Run Sysprep and prepare the Windows 10 environment for deployment
+* Reboot into WinPE
+* Capture an image of the Windows 10 environment and store it in the Captures folder in the MDT deployment share
+
+>**Note:**  The Windows Update process can take some time to complete as it searches the Internet for updates, downloads those updates, and then installs them. By performing this process now, in the reference environment, you eliminate the need to perform these tasks on each deployed device and significantly reduce the amount of time and bandwidth required to perform your deployment.
+
+When the task sequence completes, your virtual machine will be off and a new reference image complete with updates will be ready in your MDT deployment share for you to import it and prepare your deployment environment for deployment to Surface devices.
+
+## Deploy Windows 10 to Surface devices
+
+With a freshly prepared reference image, you are now ready to configure the deployment process for deployment to the Surface devices. Use the steps detailed in this section to produce a deployment process that requires minimal effort on each Surface device to produce a complete and ready-to-use Windows 10 environment.
+
+### Import reference image
+
+After the reference image has been created and stored in the Captures folder, you need to add it to your MDT deployment share as an image for deployment. You perform this task by using the same process that you used to import the installation files for Windows 10.
+
+To import the reference image for deployment, use the following steps:
+
+1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench or the folder you created in when you imported Windows 10 installation files, and then click **Import Operating System** to start the Import Operating System Wizard.
+2. Import the custom image with the Import Operating System Wizard by using the following steps:
+ * **OS Type** – Select Custom Image File to specify that you are importing the Windows source files from installation media, and then click **Next**.
+ * **Image** – Click **Browse**, and then navigate to and select the image file in the **Captures** folder in your deployment share. Select the **Move the Files to the Deployment Share Instead of Copying Them** checkbox if desired. Click **Next**.
+ * **Setup** – Click **Setup Files are not Neededf**, and then click **Next**.
+ * **Destination** – Enter a name for the new folder that will be created to hold the image file, and then click **Next**.
+ * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
+ * **Progress** – While the image is imported, a progress bar is displayed on this page.
+ * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Operating System Wizard.
+3. Expand the folder in which you imported the image to verify that the import completed successfully.
+
+>**Note:**  You can import the reference image into the same deployment share that you used to create your reference image, or you could import the reference image into a new deployment share for deployment to your Surface devices. If you chose to create a new deployment share for deployment of your reference image, remember that you still need to import a full set of installation files from installation media.
+
+Now that your updated reference image is imported, it is time to prepare your deployment environment for deployment to Surface devices complete with drivers, applications, and automation.
+
+### Import Surface drivers
+
+Before you can deploy your updated reference image to Surface devices, or any physical environment, you need to supply MDT with the drivers that Windows will use to communicate with that physical environment. For Surface devices you can download all of the drivers required by Windows in a single archive (.zip) file in a format that is ready for deployment. In addition to the drivers that are used by Windows to communicate with the hardware and components, Surface firmware and driver packs also include updates for the firmware of those components. By installing the Surface firmware and driver pack, you will also bring your device’s firmware up to date. If you have not done so already, download the drivers for your Surface device listed at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
+
+Many devices require that you import drivers specifically for WinPE in order for the MDT boot media to communicate with the deployment share and to boot properly on that device. Even Surface Pro 3 required that network drivers be imported specifically for WinPE for deployment of Windows 8.1.
Fortunately, for Windows 10 deployments to Surface devices, all of the required drivers for operation of WinPE are contained within the out-of-box drivers that are built into Windows 10. It is still a good idea to prepare your environment with folder structure and selection profiles that allow you to specify drivers for use in WinPE. You can read more about that folder structure in **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec05).
+
+To import the Surface drivers (in this example, Surface Pro 4) into MDT, follow these steps:
+
+1. Extract the downloaded archive (.zip) file to a folder that you can easily locate. Keep the driver files separate from other drivers or files.
+2. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
+3. If you have not already created a folder structure by operating system version, you should do so now and create under the Windows 10 x64 folder a new folder for Surface Pro 4 drivers named Surface Pro 4. Your Out-of-Box Drivers folder should resemble the following structure, as shown in Figure 17:
+ * WinPE x86
+ * WinPE x64
+ * Windows 10 x64
+ * Microsoft Corporation
+ * Surface Pro 4
+
+ ![Recommended folder structure for drivers](images\surface-deploymdt-fig17.png "Recommended folder structure for drivers")
+
+ *Figure 17. The recommended folder structure for drivers*
+
+4. Right-click the **Surface Pro 4** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 18.
+
+ ![Progress page during drivers import](images\surface-deploymdt-fig18.png "Progress page during drivers import")
+
+ *Figure 18. The Progress page during drivers import*
+
+5.
The Import Driver Wizard displays a series of steps, as follows:
+ * **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 4 firmware and drivers in Step 1.
+ * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
+ * **Progress** – While the drivers are imported, a progress bar is displayed on this page.
+ * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard.
+6. Click the **Surface Pro 4** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 19.
+
+ ![Drivers for Surface Pro 4 imported and organized in the MDT deployment share](images\surface-deploymdt-fig19.png "Drivers for Surface Pro 4 imported and organized in the MDT deployment share")
+
+ *Figure 19. Drivers for Surface Pro 4 imported and organized in the MDT deployment share*
+
+### Import applications
+
+You can import any number of applications into MDT for installation on your devices during the deployment process. You can configure your applications and task sequences to prompt you during deployment to pick and choose which applications are installed, or you can use your task sequence to explicitly define which applications are installed. For more information, see **Step 4: Add an application** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec04).
+
+#### Import Microsoft Office 365 Installer
+
+The Office Deployment Tool is a free download available in the Microsoft Download Center that allows IT professionals and system administrators to download and prepare Office installation packages for Office Click-to-Run.
You can find the Office Deployment Tool and instructions to download Click-to-Run for Office 365 installation source files at [Download Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/library/jj219424).
+
+Download and install the version of Office Deployment Tool (ODT), for Office 2013 or Office 2016, that fits your organization’s needs and use the steps provided by that page to download the Office installation files for use with MDT.
+
+After you have downloaded the source files for your version of Office Click-to-Run, you need to edit the Configuration.xml file with instructions to install Office Click-to-Run silently. To configure the Office Deployment Tool for silent installation, follow these steps:
+
+1. Right-click the existing **Configuration.xml** file, and then click **Edit**.
+2. This action opens the file in Notepad. Replace the existing text with the following:
+ ```
+
+
+
+
+
+
+
+```
+
+3. Save the file.
+
+The default behavior of Setup.exe is to look for the source files in the path that contains **Setup.exe**. If the installation files are not found in this folder, the Office Deployment Tool will default to online source files from an Internet connection.
+
+For MDT to perform an automated installation of office, it is important to configure the **Display Level** option to a value of **None**. This setting is used to suppress the installation dialog box for silent installation. It is required that the **AcceptEULA** option is set to **True** to accept the license agreement when the **Display Level** option is set to **None**. With both of these options configured, the installation of Office will occur without the display of dialog boxes which could potentially cause the installation to pause until a user can address an open dialog box.
+
+Now that the installation and configuration files are prepared, the application can be imported into the deployment share by following these steps:
+
+1.
Open the Deployment Workbench.
+2. Expand the deployment share, right-click the **Applications** folder, and then click **New Application** to start the New Application Wizard, as shown in Figure 20.
+
+ ![Enter the command and directory for Office 2016 Click-to-Run](images\surface-deploymdt-fig20.png "Enter the command and directory for Office 2016 Click-to-Run")
+
+ *Figure 20. Enter the command and directory for Office 2016 Click-to-Run*
+
+3. The New Application Wizard walks you through importing the Office 2016 Click-to-Run files, as follows:
+ * **Application Type** – Click **Application with Source Files**, and then click **Next**.
+ * **Details** – Enter a name for the application (for example, Office 2016 Click-to-Run) in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**.
+ * **Source** – Click **Browse** to navigate to and select the folder where you downloaded the Office installation files with the Office Deployment Tool, and then click **Next**.
+ * **Destination** – Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name.
+ * **Command Details** – Enter the Office Deployment Tool installation command line:
+
+ `Setup.exe /configure configuration.xml`
+
+ * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
+ * **Progress** – While the installation files are imported, a progress bar is displayed on this page.
+ * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard.
+
+4. You should now see the **Office 2016 Click-to-Run** item under the **Applications** folder in the Deployment Workbench.
+
+#### Import Surface app installer
+
+The Surface app is a Windows Store app that provides the user with greater control over specific Surface device functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended app for Surface devices to provide end users with the best experience and greatest control over their device. Find out more about the Surface app at [Install and use the Surface app](https://www.microsoft.com/surface/en-us/support/apps-and-windows-store/surface-app?os=windows-10).
+
+To perform a deployment of the Surface app, you will need to download the app files through Windows Store for Business. You can find detailed instructions on how to download the Surface app through Windows Store for Business at [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/en-us/itpro/surface/deploy-surface-app-with-windows-store-for-business).
+
+After you have downloaded the installation files for Surface app, including the AppxBundle and license files, you can import these files into the deployment share through the same process as a desktop application like Microsoft Office. Both the AppxBundle and license files must be together in the same folder for the import process to complete successfully. Use the following command on the **Command Details** page to install the Surface app:
+ ```
+DISM.exe /Online /Add-ProvisionedAppxPackage /PackagePath: Microsoft.SurfaceHub_10.0.342.0_neutral_~_8wekyb3d8bbwe.AppxBundle /LicensePath: Microsoft.SurfaceHub_8wekyb3d8bbwe_a53ef8ab-9dbd-dec1-46c5-7b664d4dd003.xml
+ ```
+
+### Create deployment task sequence
+
+The next step in the process is to create the deployment task sequence. This task sequence will be configured to completely automate the deployment process and will work along with customized deployment share rules to reduce the need for user interaction down to a single touch.
Before you can make customizations to include all of this automation, the new task sequence has to be created from a template.
+
+To create the deployment task sequence, follow these steps:
+1. In the Deployment Workbench, under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard.
+2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard:
+ * **General Settings** – Enter an identifier for the deployment task sequence in the **Task Sequence ID** field, a name for the deployment task sequence in the **Task Sequence Name** field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, then click **Next**.
+ >**Note:**  The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
+ * **Select Template** – Click **Standard Client Task Sequence** from the drop-down menu, and then click **Next**.
+ * **Select OS** – Navigate to and select the reference image that you imported, and then click **Next**.
+ * **Specify Product Key** – Select the product key entry that fits your organization's licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**.
+ * **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
+ * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**.
+
+ * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
+ * **Progress** – While the task sequence is being created, a progress bar is displayed on this page.
+ * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard.
+
+After the task sequence is created it can be modified for increased automation, such as the installation of applications without user interaction, the selection of drivers, and the installation of Windows updates.
+
+1. Click the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
+2. Click the **Task Sequence** tab to view the steps that are included in the new task sequence.
+3. Click the **Windows Update (Pre-Application Installation)** step, located under the **State Restore** folder.
+4. Click the **Options** tab, and then clear the **Disable This Step** check box.
+5. Repeat Step 4 and Step 5 for the **Windows Update (Post-Application Installation)** option.
+6. Between the two **Windows Update** steps is the **Install Applications** step. Click the **Install Applications** step, and then click **Add**.
+7. Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 21.
+
+ ![A new Install Application step in the deployment task sequence](images\surface-deploymdt-fig21.png "A new Install Application step in the deployment task sequence")
+
+ *Figure 21. A new Install Application step in the deployment task sequence*
+
+8. On the **Properties** tab of the new **Install Application** step, enter **Install Microsoft Office 2016 Click-to-Run** in the **Name** field.
+9.
Click **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
+10. Select Office 2016 Click-to-Run from the list of applications, and then click **OK**.
+11. Repeat Steps 6 through 10 for the Surface app.
+12. Expand the **Preinstall** folder, and then click the **Enable BitLocker (Offline)** step.
+13. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu.
+14. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 22), configure the following options:
+ * **Name** – Set DriverGroup001
+ * **Task Sequence Variable** – DriverGroup001
+ * **Value** – Windows 10 x64\%Make%\%Model%
+
+ ![Configure a new Set Task Sequence Variable step in the deployment task sequence](images\surface-deploymdt-fig22.png "Configure a new Set Task Sequence Variable step in the deployment task sequence")
+
+ Figure 22. Configure a new Set Task Sequence Variable step in the deployment task sequence
+
+15. Select the **Inject Drivers** step, the next step in the task sequence.
+16. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 23), configure the following options:
+ * In the **Choose a selection profile** drop-down menu, select **Nothing**.
+ * Click the **Install all drivers from the selection profile** button.
+
+ ![Configure deployment task sequence not to choose the drivers to inject into Windows](images\surface-deploymdt-fig23.png "Configure deployment task sequence not to choose the drivers to inject into Windows")
+
+ *Figure 23. Configure the deployment task sequence not to choose the drivers to inject into Windows*
+
+17. Click **OK** to apply changes to the task sequence and close the task sequence properties window.
+
+### Configure deployment share rules
+
+The experience of users during a Windows deployment is largely governed by a set of rules that control how the MDT and Windows Deployment Wizard experience should proceed. These rules are stored in two configuration files. Boot media rules are stored in the Bootstrap.ini file that is processed when the MDT boot media is first run. Deployment share rules are stored in the Customsettings.ini file and tell the Windows Deployment Wizard how to operate (for example, what screens to show and what questions to ask). By using these the rules stored in these two files, you can completely automate the process of deployment to where you will not be asked to supply the answer to any questions during deployment and the deployment will perform all tasks completely on its own.
+
+#### Configure Bootstrap.ini
+
+Bootstrap.ini is the simpler of the two rule files. The purpose it serves is to provide instructions from when the MDT boot media starts on a device until the Windows Deployment Wizard is started. The primary use of this file is to provide the credentials that will be used to log on to the deployment share and start the Windows Deployment Wizard.
+
+To automate the boot media rules, follow these steps:
+
+1. Right-click your deployment share in the Deployment Workbench, and then click **Properties**.
+2. Click the **Rules** tab, and then click **Edit Bootstrap.ini** to open Bootstrap.ini in Notepad.
+3. Replace the text of the Bootstrap.ini file with the following text:
+
+ ```
+ [Settings]
+ Priority=Model,Default
+
+ [Surface Pro 4]
+ DeployRoot=\\STNDeployServer\DeploymentShare$
+ UserDomain=STNDeployServer
+ UserID=MDTUser
+ UserPassword=P@ssw0rd
+ SkipBDDWelcome=YES
+
+ [Surface Pro 4]
+ DeployRoot=\\STNDeployServer\DeploymentShare$
+ ```
+
+4. Press Ctrl+S to save Bootstrap.ini, and then close Notepad.
+
+You can use a number of variables in both boot media and deployment share rules to apply rules only when certain conditions are met. For example, you can use MAC addresses to identify specific machines where MDT will run fully automated, but will run with required user interaction on all other devices. You can also use the model of the device to instruct the MDT boot media to perform different actions based on computer model, much as the way **[Surface Pro 4]** is listed in Step 3. You can use the following cmdlet in a PowerShell session to see what the Model variable would be on a device:
+
+```wmic csproduct get name```
+
+Rules used in the text shown in Step 3 include:
+
+* **DeployRoot** – Used to specify the deployment share that the MDT boot media will connect to.
+* **UserDomain** – Used to specify the domain or computer where the MDT user account is located.
+* **UserID** – Used to specify the MDT user account for automatic logon to the deployment share.
+* **UserPassword** – Used to specify the MDT user password for automatic logon to the deployment share.
+* **SkipBDDWelcome** – Used to skip the Welcome page and to start the Windows Deployment Wizard immediately using the specified credentials and deployment share.
+
+#### Configure CustomSettings.ini
+
+The bulk of the rules used to automate the MDT deployment process are stored in the deployment share rules, or the Customsettings.ini file. In this file you can answer and hide all of the prompts from the Windows Deployment Wizard, which yields a deployment experience that mostly consists of a progress bar that displays the automated actions occurring on the device. The deployment share rules are shown directly in the **Rules** tab of the deployment share properties, as shown in Figure 24.
+ +![Deployment share rules configured for automation of the Windows Deployment Wizard](images\surface-deploymdt-fig24.png "Deployment share rules configured for automation of the Windows Deployment Wizard") + +*Figure 24. Deployment share rules configured for automation of the Windows Deployment Wizard* + +To configure automation for the production deployment, copy and paste the following text into the text box on the **Rules** tab of your deployment share properties: + + ``` +[Settings] +Priority=Model,Default +Properties=MyCustomProperty + +[Surface Pro 4] +SkipTaskSequence=YES +TaskSequenceID=Win10SP4 + +[Default] +OSInstall=Y +SkipCapture=YES +SkipAdminPassword=YES +SkipProductKey=YES +SkipComputerBackup=YES +SkipBitLocker=YES +SkipBDDWelcome=YES +SkipUserData=YES +UserDataLocation=AUTO +SkipApplications=YES +SkipPackageDisplay=YES +SkipComputerName=YES +SkipDomainMembership=YES +JoinDomain=contoso.com +DomainAdmin=MDT +DomainAdminDomain=contoso +DomainAdminPassword=P@ssw0rd +SkipLocaleSelection=YES +KeyboardLocale=en-US +UserLocale=en-US +UILanguage=en-US +SkipTimeZone=YES +TimeZoneName=Pacific Standard Time +UserID=MDTUser +UserDomain=STNDeployServer +UserPassword=P@ssw0rd +SkipSummary=YES +SkipFinalSummary=YES +FinishAction=LOGOFF + ``` +Rules used in this example include: + +* **SkipTaskSequence** – This rule is used to skip the **Task Sequence** page where the user would have to select between available task sequences. +* **TaskSequenceID** – This rule is used to instruct the Windows Deployment Wizard to run a specific task sequence. In this scenario the task sequence ID should match the deployment task sequence you created in the previous section. +* **OSInstall** – This rule indicates that the Windows Deployment Wizard will be performing an operating system deployment. +* **SkipCapture** – This rule prevents the **Capture Image** page from being displayed, prompting the user to create an image of this device after deployment. 
+* **SkipAdminPassword** – This rule prevents the **Admin Password** page from being displayed. The Administrator password specified in the task sequence will still be applied. +* **SkipProductKey** – This rule prevents the **Specify Product Key** page from being displayed. The product key specified in the task sequence will still be applied. +* **SkipComputerBackup** – This rule prevents the **Move Data and Settings** page from being displayed, where the user is asked if they would like to make a backup of the computer before performing deployment. +* **SkipBitLocker** – This rule prevents the **BitLocker** page from being displayed, where the user is asked if BitLocker Drive Encryption should be used to encrypt the device. +* **SkipBDDWelcome** – This rule prevents the **Welcome** page from being displayed, where the user is prompted to begin Windows deployment. +* **SkipUserData** – This rule prevents the **User Data (Restore)** page from being displayed, where the user is asked to restore previously backed up user data in the new environment. +* **UserDataLocation** – This rule prevents the user from being prompted to supply a location on the User Data (Restore) page. +* **SkipApplications** – This rule prevents the **Applications** page from being displayed, where the user is prompted to select from available applications to be installed in the new environment. +* **SkipPackageDisplay** – This rule prevents the **Packages** page from being displayed, where the user is prompted to select from available packages to be installed in the new environment. +* **SkipComputerName** – This rule, when combined with the **SkipDomainMembership** rule, prevents the **Computer Details** page from being displayed, where the user is asked to supply computer name and join a domain or workgroup. 
+* **SkipDomainMembership** – This rule, when combined with the **SkipComputerName** rule, prevents the **Computer Details** page from being displayed, where the user is asked to supply computer name and join a domain or workgroup. +* **JoinDomain** – This rule instructs the Windows Deployment Wizard to have the computer join the specified domain using the specified credentials. +* **DomainAdmin** – This rule specifies the username for the domain join operation. +* **DomainAdminDomain** – This rule specifies the domain for the username for the domain join operation. +* **DomainAdminPassword** – This rule specifies the password for the username for the domain join operation. +* **SkipLocaleSelection** – This rule, along with the **SkipTimeZone** rule, prevents the **Locale and Time** page from being displayed. +* **KeyboardLocale** – This rule is used to specify the keyboard layout for the deployed Windows environment. +* **UserLocale** – This rule is used to specify the geographical locale for the deployed Windows environment. +* **UILanguage** – This rule is used to specify the language to be used in the deployed Windows environment. +* **SkipTimeZone** – This rule, along with the **SkipLocaleSelection** rule, prevents the **Locale and Time** page from being displayed. +* **TimeZoneName** – This rule is used to specify the time zone for the deployed Windows environment. +* **UserID** – This rule is used to supply the username under which the MDT actions and task sequence steps are performed. +* **UserDomain** – This rule is used to supply the domain for the username under which the MDT actions and task sequence steps are performed. +* **UserPassword** – This rule is used to supply the password for the username under which the MDT actions and task sequence steps are performed. 
+* **SkipSummary** – This rule prevents the **Summary** page from being displayed before the task sequence is run, where the user is prompted to confirm the selections before beginning the task sequence. +* **SkipFinalSummary** – This rule prevents the **Summary** page from being displayed when the task sequence has completed. +* **FinishAction** – This rule specifies whether to log out, reboot, or shut down the device after the task sequence has completed. + +You can read about all of the possible deployment share and boot media rules in the [Microsoft Deployment Toolkit Reference](https://technet.microsoft.com/library/dn781091). + +### Update and import updated MDT boot media + +The process to update MDT boot media with these new rules and changes to the deployment share is very similar to the process to generate boot media from scratch. + +To update the MDT boot media, follow these steps: + +1. Right-click the deployment share in the Deployment Workbench, and then click **Update Deployment Share** to start the Update Deployment Share Wizard. +2. The Update Deployment Share Wizard displays a series of steps, as follows: + * **Options** – Choose between the **Completely Regenerate the Boot Images** or **Optimize the Boot Image Updating Process** options. Completely regenerating the boot images will take more time, but produces boot media that is not fragmented and does not contain out of date components. Optimizing the boot image updating process will proceed more quickly, but may result in longer load times when booting via PXE. Click **Next**. + * **Summary** – Review the specified options on this page before you click **Next** to begin the update of boot images. + * **Progress** – While the boot images are being updated a progress bar is displayed on this page. + * **Confirmation** – When the boot images have been updated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard. 
+ +To import the updated MDT boot media into WDS for PXE boot, follow these steps: + +1. Open Windows Deployment Services from the Start menu or Start screen. +2. Expand **Servers** and your deployment server. +3. Click the **Boot Images** folder. +4. Right-click the existing MDT boot image, and then click **Replace Image** to open the Replace Boot Image Wizard. +5. Replace the previously imported MDT boot image with the updated version by using these steps in the Replace Boot Image Wizard: + * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, and then click **Open**. Click **Next**. + * **Available Images** – Only one image should be listed and selected **LiteTouch Windows PE (x86)**, click **Next**. + * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options. + * **Summary** – Review your selections for importing a boot image into WDS, and then click **Next**. + * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Replace Boot Image Wizard. +6. Right-click the **Boot Images** folder, and then click **Add Image** to open the Add Image Wizard. +7. Add the new 64-bit boot image for 64-bit UEFI device compatibility with the Add Image Wizard , as follows: + * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, select **LiteTouchPE_x64.wim**, and then click **Open**. Click **Next**. + * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options. + * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**. + * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. 
Click **Finish** when the task is complete to close the Add Image Wizard. + +>**Note:**  Although it is a best practice to replace and update the boot images in WDS whenever the MDT deployment share is updated, for deployment to Surface devices the 32-bit boot image, LiteTouchPE_x86.wim, is not required. Only the 64-bit boot image is required for 64-bit UEFI devices. + +### Deploy Windows to Surface + +With all of the automation provided by the deployment share rules and task sequence, performing the deployment on each Surface device becomes as easy as a single touch. + +>**Note:**  For the deployment to require only a single touch, the Surface devices must be connected to a keyboard, connected to the network with a Microsoft Surface USB Ethernet Adapter or Surface Dock, and configured with PXE boot as the first boot option, as shown in Figure 25. + +![Set boot priority for PXE boot](images\surface-deploymdt-fig25.png "Set boot priority for PXE boot") + +*Figure 25. Setting boot priority for PXE boot* + +On a properly configured Surface device, simply turn on the device and press Enter when you are prompted to boot from the network. 
The fully automated MDT deployment process will then take over and perform the following tasks: + +* The MDT boot media will be loaded to your Surface device via the network +* The MDT boot media will use the provided credentials and rules to connect to the MDT deployment share +* The task sequence and drivers will be automatically selected for your device via make and model information +* The task sequence will deploy your updated Windows 10 image to the device complete with the selected drivers +* The task sequence will join your device to the domain +* The task sequence will install the applications you specified, Microsoft Office and Surface app +* Windows Update will run, installing any new Windows Updates or updates for installed applications, like Microsoft Office +* The task sequence will complete silently and log out of the device + +>**Note:**  For Surface devices not configured to boot to the network as the first boot option, you can hold Volume Down and press Power to boot the system immediately to a USB or network device. + +The resulting configuration is a Surface device that is logged out and ready for an end user to enter their credentials, log on, and get right to work. The applications and drivers they need are already installed and up to date. + + + + diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md index e562f5599b..03c803cc5c 100644 --- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md +++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md 
@@ -3,6 +3,7 @@ title: Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices (Surface)
 description: Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
 ms.assetid: A281EFA3-1552-467D-8A21-EB151E58856D
 keywords: network, wireless, device, deploy, authentication, protocol
+localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 0addf8e26a..b7dd253652 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -3,6 +3,7 @@ title: Ethernet adapters and Surface deployment (Surface)
 description: This article provides guidance and answers to help you perform a network deployment to Surface devices.
 ms.assetid: 5273C59E-6039-4E50-96B3-426BB38A64C0
 keywords: ethernet, deploy, removable, network, connectivity, boot, firmware, device, adapter, PXE boot, USB
+localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
@@ -57,8 +58,7 @@ To boot a Surface device from an alternative boot device, follow these steps: >**Note:**  In addition to an Ethernet adapter, a keyboard must also be connected to the Surface device to enter the preinstallation environment and navigate the deployment wizard.   - -To support booting from the network in a Windows Preinstallation Environment (WinPE), such as is used in the Microsoft Deployment Toolkit and Configuration Manager, you must add drivers for the Ethernet adapter to WinPE. You can download the drivers for Surface Ethernet adapters from the Microsoft Download Center page for your specific device. For a list of the available downloads for Surface devices, see [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md). +For Windows 10, version 1511 and later – including the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10, version 1511 – the drivers for Microsoft Surface Ethernet Adapters are present by default. If you are using a deployment solution that uses Windows Preinstallation Environment (WinPE), like the Microsoft Deployment Toolkit, and booting from the network with PXE, ensure that your deployment solution is using the latest version of the Windows ADK. ## Manage MAC addresses with removable Ethernet adapters diff --git a/devices/surface/images/surface-deploymdt-fig1.png b/devices/surface/images/surface-deploymdt-fig1.png new file mode 100644 index 0000000000..d2fe0995a7 Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig1.png differ diff --git a/devices/surface/images/surface-deploymdt-fig10.png b/devices/surface/images/surface-deploymdt-fig10.png new file mode 100644 index 0000000000..96cb86b56f Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig10.png differ 
diff --git a/devices/surface/images/surface-deploymdt-fig11.png b/devices/surface/images/surface-deploymdt-fig11.png
new file mode 100644
index 0000000000..a78c147322
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig11.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig12.png b/devices/surface/images/surface-deploymdt-fig12.png
new file mode 100644
index 0000000000..6200a677ec
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig12.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig13.png b/devices/surface/images/surface-deploymdt-fig13.png
new file mode 100644
index 0000000000..c04c8f6d19
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig13.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig14.png b/devices/surface/images/surface-deploymdt-fig14.png
new file mode 100644
index 0000000000..f02bc1fdb9
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig14.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig15.png b/devices/surface/images/surface-deploymdt-fig15.png
new file mode 100644
index 0000000000..4eb72e98cc
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig15.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig16.png b/devices/surface/images/surface-deploymdt-fig16.png
new file mode 100644
index 0000000000..0c5abc40a3
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig16.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig17.png b/devices/surface/images/surface-deploymdt-fig17.png
new file mode 100644
index 0000000000..3ccd548a70
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig17.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig18.png b/devices/surface/images/surface-deploymdt-fig18.png
new file mode 100644
index 0000000000..f510c5b884
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig18.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig19.png b/devices/surface/images/surface-deploymdt-fig19.png
new file mode 100644
index 0000000000..535a139991
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig19.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig2.png b/devices/surface/images/surface-deploymdt-fig2.png
new file mode 100644
index 0000000000..ad18f2ad58
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig2.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig20.png b/devices/surface/images/surface-deploymdt-fig20.png
new file mode 100644
index 0000000000..045801b6ac
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig20.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig21.png b/devices/surface/images/surface-deploymdt-fig21.png
new file mode 100644
index 0000000000..7660a618c8
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig21.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig22.png b/devices/surface/images/surface-deploymdt-fig22.png
new file mode 100644
index 0000000000..1852197dc7
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig22.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig23.png b/devices/surface/images/surface-deploymdt-fig23.png
new file mode 100644
index 0000000000..306a662236
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig23.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig24.png b/devices/surface/images/surface-deploymdt-fig24.png
new file mode 100644
index 0000000000..546a310733
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig24.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig25.png b/devices/surface/images/surface-deploymdt-fig25.png
new file mode 100644
index 0000000000..a58b7fba71
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig25.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig3.png b/devices/surface/images/surface-deploymdt-fig3.png
new file mode 100644
index 0000000000..7d87a1c986
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig3.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig4.png b/devices/surface/images/surface-deploymdt-fig4.png
new file mode 100644
index 0000000000..944fd37f41
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig4.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig5.png b/devices/surface/images/surface-deploymdt-fig5.png
new file mode 100644
index 0000000000..8fa0679886
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig5.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig6.png b/devices/surface/images/surface-deploymdt-fig6.png
new file mode 100644
index 0000000000..53c923be28
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig6.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig7.png b/devices/surface/images/surface-deploymdt-fig7.png
new file mode 100644
index 0000000000..48892a9ef0
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig7.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig8.png b/devices/surface/images/surface-deploymdt-fig8.png
new file mode 100644
index 0000000000..59028f2a82
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig8.png differ
diff --git a/devices/surface/images/surface-deploymdt-fig9.png b/devices/surface/images/surface-deploymdt-fig9.png
new file mode 100644
index 0000000000..6044405883
Binary files /dev/null and b/devices/surface/images/surface-deploymdt-fig9.png differ
diff --git a/devices/surface/images/surface-upgrademdt-fig1.png b/devices/surface/images/surface-upgrademdt-fig1.png
new file mode 100644
index 0000000000..094f5d700b
Binary files /dev/null and b/devices/surface/images/surface-upgrademdt-fig1.png differ
diff --git a/devices/surface/images/surface-upgrademdt-fig2.png b/devices/surface/images/surface-upgrademdt-fig2.png
new file mode 100644
index 0000000000..88ec207691
Binary files /dev/null and b/devices/surface/images/surface-upgrademdt-fig2.png differ
diff --git a/devices/surface/images/surface-upgrademdt-fig3.png b/devices/surface/images/surface-upgrademdt-fig3.png
new file mode 100644
index 0000000000..7660a618c8
Binary files /dev/null and b/devices/surface/images/surface-upgrademdt-fig3.png differ
diff --git a/devices/surface/images/surface-upgrademdt-fig4.png b/devices/surface/images/surface-upgrademdt-fig4.png
new file mode 100644
index 0000000000..1852197dc7
Binary files /dev/null and b/devices/surface/images/surface-upgrademdt-fig4.png differ
diff --git a/devices/surface/images/surface-upgrademdt-fig5.png b/devices/surface/images/surface-upgrademdt-fig5.png
new file mode 100644
index 0000000000..306a662236
Binary files /dev/null and b/devices/surface/images/surface-upgrademdt-fig5.png differ
diff --git a/devices/surface/index.md b/devices/surface/index.md
index 08b52df1e9..20b688e39b 100644
--- a/devices/surface/index.md
+++ b/devices/surface/index.md
@@ -47,42 +47,46 @@ For more information on planning for, deploying, and managing Surface devices in + + + + - + - + - + - + - + - + - + - + - + @@ -91,6 +95,11 @@ For more information on planning for, deploying, and managing Surface devices in + + + + +

    Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT.

    [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)

    Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.

    [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)

    Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.

    [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)

    Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.

    [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)

    Get guidance and answers to help you perform a network deployment to Surface devices.

    [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)

    Read about the different methods you can use to manage the process of Surface Dock firmware updates.

    [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)

    Explore the available options to manage firmware and driver updates for Surface devices.

    [Manage Surface UEFI settings](manage-surface-uefi-settings.md)

    Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.

    [Surface Data Eraser](microsoft-surface-data-eraser.md)

    Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.

    [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)

    See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.

    [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)

    Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.

    [Surface Dock Updater](surface-dock-updater.md)

    Get a detailed walkthrough of Microsoft Surface Dock Updater.

    See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization.

    [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)

    Find out how to perform a Windows 10 upgrade deployment to your Surface devices.

    diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md index f11c5fefe8..4d2733a4ad 100644 --- a/devices/surface/manage-surface-dock-firmware-updates.md +++ b/devices/surface/manage-surface-dock-firmware-updates.md @@ -2,6 +2,7 @@ title: Manage Surface Dock firmware updates (Surface) description: Read about the different methods you can use to manage the process of Surface Dock firmware updates. ms.assetid: 86DFC0C0-C842-4CD1-A2D7-4425471FFE3F +localizationpriority: high keywords: firmware, update, install, drivers ms.prod: w10 ms.mktglfcycl: manage diff --git a/devices/surface/manage-surface-pro-3-firmware-updates.md b/devices/surface/manage-surface-pro-3-firmware-updates.md index 3bc069e706..4c308a017a 100644 --- a/devices/surface/manage-surface-pro-3-firmware-updates.md +++ b/devices/surface/manage-surface-pro-3-firmware-updates.md @@ -3,6 +3,7 @@ title: Manage Surface driver and firmware updates (Surface) description: This article describes the available options to manage firmware and driver updates for Surface devices. ms.assetid: CD1219BA-8EDE-4BC8-BEEF-99B50C211D73 keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB +localizationpriority: high ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surface, devices diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md index e36486bfa4..7071bb2da7 100644 --- a/devices/surface/manage-surface-uefi-settings.md +++ b/devices/surface/manage-surface-uefi-settings.md @@ -2,6 +2,7 @@ title: Manage Surface UEFI settings (Surface) description: Use Surface UEFI settings to enable or disable devices or components, configure security settings, and adjust Surface device boot settings. keywords: firmware, security, features, configure, hardware +localizationpriority: high ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 1fde46555c..b379604c7c 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -2,6 +2,7 @@
 title: Microsoft Surface Data Eraser (Surface)
 description: Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
 ms.assetid: 8DD3F9FE-5458-4467-BE26-E9200341CF10
+localizationpriority: high
 keywords: tool, USB, data, erase
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index 3a37d4c81c..c7b442925d 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -2,6 +2,7 @@
 title: Microsoft Surface Deployment Accelerator (Surface)
 description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
 ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
+localizationpriority: high
 keywords: deploy, install, tool
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 016c7ddfbd..c2113bd72b 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -2,6 +2,7 @@
 title: Step by step Surface Deployment Accelerator (Surface)
 description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices.
 ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032
+localizationpriority: high
 keywords: deploy, configure
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/devices/surface/surface-diagnostic-toolkit.md b/devices/surface/surface-diagnostic-toolkit.md
index 0dc868613b..78142a380b 100644
--- a/devices/surface/surface-diagnostic-toolkit.md
+++ b/devices/surface/surface-diagnostic-toolkit.md
@@ -3,6 +3,7 @@ title: Microsoft Surface Diagnostic Toolkit (Surface)
 description: Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.
 ms.assetid: FC4C3E76-3613-4A84-A384-85FE8809BEF1
 keywords: hardware, device, tool, test, component
+localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md
index 4020a499aa..f9e106cf2d 100644
--- a/devices/surface/surface-dock-updater.md
+++ b/devices/surface/surface-dock-updater.md
@@ -3,6 +3,7 @@ title: Microsoft Surface Dock Updater (Surface)
 description: This article provides a detailed walkthrough of Microsoft Surface Dock Updater.
 ms.assetid: 1FEFF277-F7D1-4CB4-8898-FDFE8CBE1D5C
 keywords: install, update, firmware
+localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
new file mode 100644
index 0000000000..d44af98e0d
--- /dev/null
+++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
@@ -0,0 +1,226 @@
+---
+title: Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit (Surface)
+description: Find out how to perform a Windows 10 upgrade deployment to your Surface devices.
+keywords: windows 10 surface, upgrade, customize, mdt
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: surface
+ms.sitesec: library
+author: Scottmca
+---
+
+# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
+
+#### Applies to
+* Surface Pro 3
+* Surface 3
+* Surface Pro 2
+* Surface Pro
+* Windows 10
+
+In addition to the traditional deployment method of reimaging devices, administrators that want to upgrade Surface devices that are running Windows 8.1 or Windows 10 have the option of deploying upgrades. By performing an upgrade deployment, Windows 10 can be applied to devices without removing users, apps, or configuration. The users of the deployed devices can simply continue using the devices with the same apps and settings that they used prior to the upgrade. The process described in this article shows how to perform a Windows 10 upgrade deployment to Surface devices.
+
+If you are not already familiar with the deployment of Windows or the Microsoft deployment tools and technologies, you should read [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) and familiarize yourself with the traditional deployment method before you proceed.
+
+#### The upgrade concept
+
+When you use the factory installation media to install Windows on a device, you are presented with two options or *installation paths* to install Windows on that device. The first of these installation paths – *clean installation* – allows you to apply a factory image of Windows to that device, including all default settings. The second of these installation paths – *upgrade* – allows you to apply Windows to the device but retains the device’s users, apps, and settings.
+
+When you perform a Windows deployment using traditional deployment methods, you follow an installation path that is very similar to a clean installation. The primary difference between the clean installation and the traditional deployment method of *reimaging* is that with reimaging, you can apply an image that includes customizations. Microsoft deployment technologies, such as the Microsoft Deployment Toolkit (MDT), expand the capabilities of the reimaging process by modifying the image during deployment. For example, MDT is able to inject drivers for a specific hardware configuration during deployment, and with pre and post imaging scripts to perform a number of tasks, such as the installation of applications.
+
+For versions of Windows prior to Windows 10, if you wanted to install a new version of Windows on your devices and preserve the configuration of those systems, you had to perform additional steps during your deployment. For example, if you wanted to keep the data of users on the device, you had to back up user data with the User State Migration Tool (USMT) prior to the deployment and restore that data after the deployment had completed.
+
+Introduced with Windows 10 and MDT 2013 Update 1, you can use the upgrade installation path directly with Microsoft deployment technologies such as the Microsoft Deployment Toolkit (MDT). With an upgrade deployment you can use the same deployment technologies and process, but you can preserve users settings, and applications of the existing environment on the device.
+
+## Deployment tools and resources
+
+Performing an upgrade deployment of Windows 10 requires the same tools and resources that are required for a traditional reimaging deployment. You can read about the tools required, including detailed explanations and installation instructions, in [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md). To proceed with the upgrade deployment described in this article, you will need the following tools installed and configured:
+
+* [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/en-us/windows/dn475741)
+* [Windows Assessment and Deployment Kit (Windows ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit#windowsadk), which includes:
+ * Deployment Image Servicing and Management (DISM)
+ * Windows Preinstallation Environment (Windows PE)
+ * Windows System Image Manager (Windows SIM)
+
+You will also need to have available the following resources:
+
+* Windows 10 installation files, such as the installation media downloaded from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx)
+ >**Note:**  Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT.
+* [Surface firmware and drivers](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10
+* Application installation files for any applications you want to install, such as the Surface app
+
+## Prepare the upgrade deployment
+
+Before you begin the process described in this section, you need to have installed and configured the deployment tools outlined in the previous [Deployment tools and resources](#deployment-tools-and-resources) section. For instructions on how to install and configure the deployment tools, see the **Install the deployment tools** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#install-the-deployment-tools) article. You will also have needed to create a deployment share with MDT, described in the section Create a Deployment Share in the aforementioned article.
+
+### Import Windows 10 installation files
+
+Windows 10 installation files only need to be imported if you have not already done so in the deployment share. To import Windows 10 installation files, follow the steps described in the **Import Windows installation files** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#import-windows-installation-files) article.
+
+### Import Surface drivers
+In the import process example shown in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, drivers for Surface Pro 4 were imported for Windows 10. To perform an upgrade deployment of Windows 10 to Surface Pro 3, drivers for Surface Pro 3 must also be imported. To import the Surface drivers for Surface Pro 3, follow these steps:
+
+1. Download the Surface Pro 3 firmware and driver pack for Windows 10 archive file (.zip), SurfacePro3_Win10_xxxxxx.zip, from the [Surface Pro 3 download page](https://www.microsoft.com/en-US/download/details.aspx?id=38826) in the Microsoft Download Center.
+2. Extract the contents of the Surface Pro 3 firmware and driver pack archive file to a temporary folder. Keep the driver files separate from other drivers or files.
+3. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
+4. If you have not already created a folder structure by operating system version, you should do so next. Under the **Windows 10 x64** folder, create a new folder for Surface Pro 3 drivers named **Surface Pro 3**. Your Out-of-Box Drivers folder should resemble the following structure:
+ * WinPE x86
+ * WinPE x64
+ * Windows 10 x64
+ * Microsoft Corporation
+ * Surface Pro 4
+ * Surface Pro 3
+5. Right-click the **Surface Pro 3** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1.
+
+ ![Import Surface Pro 3 drivers for Windows 10](images\surface-upgrademdt-fig1.png "Import Surface Pro 3 drivers for Windows 10")
+
+ *Figure 1. Import Surface Pro 3 drivers for Windows 10*
+
+6. The Import Driver Wizard displays a series of steps, as follows:
+ - **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 3 firmware and drivers in Step 1.
+ - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
+ - **Progress** – While the drivers are imported, a progress bar is displayed on this page.
+ - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Drivers Wizard.
+7. Select the **Surface Pro 3** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 2.
+
+ ![Drivers for Surface Pro 3 imported and organized in the MDT deployment share](images\surface-upgrademdt-fig2.png "Drivers for Surface Pro 3 imported and organized in the MDT deployment share")
+
+ *Figure 2. Drivers for Surface Pro 3 imported and organized in the MDT deployment share*
+
+### Import applications
+
+Installation of applications in an upgrade deployment is not always necessary because the applications from the previous environment will remain on the device. (For example, in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, the deployment includes Office 365 which is not required in an upgrade deployment where the user is already using Office 365 on the device.)
+
+There are still some circumstances where you will want to deploy an application, even during an upgrade deployment. For example, you may have Surface Pro 3 devices on which you would like to add the Surface app. To deploy the Surface app in an upgrade scenario use the same process as you would for a traditional deployment. See the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/en-us/itpro/surface/deploy-surface-app-with-windows-store-for-business) article for instructions on how to add the Surface app to an MDT task sequence.
+
+### Create the upgrade task sequence
+
+After you have all of the resources in place to perform the deployment (including the installation files, Surface drivers, and application files), the next step is to create the upgrade task sequence. This task sequence is a series of steps that will be performed on the device being upgraded that applies the new Windows environment, compatible drivers, and any applications you have specified.
+
+Create the upgrade task sequence with the following process:
+
+1. In the Deployment Workbench under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard.
+2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard:
+ - **General Settings** – Enter an identifier for the deployment task sequence in the Task Sequence ID field, a name for the deployment task sequence in the Task Sequence Name field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, and then click **Next**.
+ >**Note:**  The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
+ - **Select Template** – Select **Standard Client Upgrade Task Sequence** from the drop-down menu, and then click **Next**.
+ - **Select OS** – Navigate to and select the Windows image that you imported, and then click **Next**.
+ - **Specify Product Key** – Select the product key entry that fits your organization’s licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**.
+ - **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
+ - **Admin Password** – Select **Use the Specified Local Administrator Password** and enter a password in the provided fields, and then click **Next**.
+ - **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
+ - **Progress** – While the task sequence is being created, a progress bar is displayed on this page.
+ - **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete New Task Sequence Wizard.
+
+After the task sequence is created, you can modify some additional settings to provide additional automation of the task sequence and require less interaction during deployment. Follow these steps to modify the task sequence:
+
+1. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
+2. Select the **Task Sequence** tab to view the steps that are included in the new task sequence.
+3. Select the **Windows Update (Pre-Application Installation)** step, located under the **State Restore** folder.
+4. Click the **Options** tab, and then clear the **Disable This Step** check box.
+5. Repeat Step 3 and Step 4 for the **Windows Update (Post-Application Installation)** step.
+6. Between the two Windows Update steps is an **Install Applications** step. Select that step and then click **Add**.
+7. Hover the mouse over **General** under the **Add** menu, and then choose **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3.
+
+ ![A new Install Application step in the deployment task sequence](images\surface-upgrademdt-fig3.png "A new Install Application step in the deployment task sequence")
+
+ *Figure 3. A new Install Application step in the deployment task sequence*
+
+8. On the **Properties** tab of the new **Install Application** step, enter **Install Surface App** in the **Name** field.
+9. Select **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
+10. Select **Surface App** from the list of applications, and then click **OK**.
+11. Expand the **Preinstall** folder and select the **Enable BitLocker (Offline)** step.
+12. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu.
+13. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 4) configure the following options:
+
+ - **Name** – Set DriverGroup001
+ - **Task Sequence Variable** – DriverGroup001
+ - **Value** – Windows 10 x64\%Make%\%Model%
+
+ ![Configure a new Set Task Sequence Variable step in the deployment task sequence](images\surface-upgrademdt-fig4.png "Configure a new Set Task Sequence Variable step in the deployment task sequence")
+
+ *Figure 4. Configure a new Set Task Sequence Variable step in the deployment task sequence*
+
+14. Select the **Inject Drivers** step, the next step in the task sequence.
+15. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 5) configure the following options:
+ * In the **Choose a selection profile** drop-down menu, select **Nothing**.
+ * Click the **Install all drivers from the selection profile** button.
+
+ ![Configure the deployment task sequence to not install drivers](images\surface-upgrademdt-fig5.png "Configure the deployment task sequence to not install drivers")
+
+ *Figure 5. Configure the deployment task sequence to not install drivers*
+
+16. Click **OK** to apply changes to the task sequence and close the task sequence properties window.
+
+Steps 11 through 15 are very important to the deployment of Surface devices. These steps instruct the task sequence to install only drivers that are organized into the correct folder using the organization for drivers from the [Import Surface drivers](#import-surface-drivers) section.
+
+### Deployment share rules
+
+To automate the upgrade process, the rules of the MDT deployment share need to be modified to suppress prompts for information from the user. Unlike a traditional deployment, Bootstrap.ini does not need to be modified because the deployment process is not started from boot media. Similarly, boot media does not need to be imported into WDS because it will not be booted over the network with PXE.
+
+To modify the deployment share rules and suppress the Windows Deployment Wizard prompts for information, copy and paste the following text into the text box on the **Rules** tab of your deployment share properties:
+
+```
+[Settings]
+Priority=Model,Default
+Properties=MyCustomProperty
+
+[Surface Pro 4]
+SkipTaskSequence=YES
+TaskSequenceID=Win10SP4
+
+[Surface Pro 3]
+SkipTaskSequence=YES
+TaskSequenceID=Win10SP3Up
+
+[Default]
+OSInstall=Y
+SkipCapture=YES
+SkipAdminPassword=YES
+SkipProductKey=YES
+SkipComputerBackup=YES
+SkipBitLocker=YES
+SkipBDDWelcome=YES
+SkipUserData=YES
+UserDataLocation=AUTO
+SkipApplications=YES
+SkipPackageDisplay=YES
+SkipComputerName=YES
+SkipDomainMembership=YES
+JoinDomain=contoso.com
+DomainAdmin=MDT
+DomainAdminDomain=contoso
+DomainAdminPassword=P@ssw0rd
+SkipLocaleSelection=YES
+KeyboardLocale=en-US
+UserLocale=en-US
+UILanguage=en-US
+SkipTimeZone=YES
+TimeZoneName=Pacific Standard Time
+UserID=MDTUser
+UserDomain=STNDeployServer
+UserPassword=P@ssw0rd
+SkipSummary=YES
+SkipFinalSummary=YES
+FinishAction=LOGOFF
+```
+
+
+
+For more information about the rules configured by this text, see the **Configure deployment share rules** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#configure-deployment-share-rules) article.
+
+### Update deployment share
+
+To update the deployment share, right-click the deployment share in the Deployment Workbench and click **Update Deployment Share**, then proceed through the Update Deployment Share Wizard. See the **Update and import updated MDT boot media** section of the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#update-and-import-updated-mdt-boot-media) article for detailed steps.
+
+### Run the upgrade deployment
+
+Unlike a traditional deployment, the upgrade task sequence must be launched from within the Windows environment that will be upgraded. This requires that a user on the device to be upgraded navigate to the deployment share over the network and launch a script, LiteTouch.vbs. This script is the same script that displays the Windows Deployment Wizard in Windows PE in a traditional deployment. In this scenario, Litetouch.vbs will run within Windows. To perform the upgrade task sequence and deploy the upgrade to Windows 10 follow these steps:
+
+1. Browse to the network location of your deployment share in File Explorer.
+2. Navigate to the **Scripts** folder, locate **LiteTouch.vbs**, and then double-click **LiteTouch.vbs** to start the Windows Deployment Wizard.
+3. Enter your credentials when prompted.
+4. The upgrade task sequence for Surface Pro 3 devices will automatically start when the model of the device is detected and determined to match the deployment share rules.
+5. The upgrade process will occur automatically and without user interaction.
+
+The task sequence will automatically install the drivers for Surface Pro 3 and the Surface app, and will perform any outstanding Windows Updates. When it completes, it will log out and be ready for the user to log on with the credentials they have always used for this device.
diff --git a/education/TOC.md b/education/TOC.md
new file mode 100644
index 0000000000..06913f7aef
--- /dev/null
+++ b/education/TOC.md
@@ -0,0 +1 @@
+# [Index](index.md)
\ No newline at end of file
diff --git a/education/index.md b/education/index.md
new file mode 100644
index 0000000000..beccdc8994
--- /dev/null
+++ b/education/index.md
@@ -0,0 +1 @@
+# Index test file for Open Publishing
\ No newline at end of file
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index fa7c285458..b88d81df41 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
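Review bot: The deployment share rules block under "Deployment share rules" ships two clear-text credentials, `DomainAdminPassword=P@ssw0rd` and `UserPassword=P@ssw0rd`, and the surrounding text tells the reader to copy and paste the block as-is, with no statement that these are placeholders or that the `DomainAdmin` account should be a least-privilege domain-join account rather than an administrator. The "Run the upgrade deployment" steps have end users browsing the same deployment share from which these rules are served, so whatever is written there should be assumed readable by every account with access to the share (the rules text is, as far as I can tell from MDT's layout, stored in the share's Control folder). I would add a note directly after the closing fence: `>**Note:**  The DomainAdminPassword and UserPassword values above are placeholders. Replace them with unique passwords, and make the DomainAdmin account one that is delegated only the right to join computers to the domain, not a member of Domain Admins, because the deployment share rules are readable by users who can browse the share.` The `UserID`/`UserPassword` pair used for the share connection should similarly be called out as a read-only account.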
@@ -1,13 +1,20 @@
 # [Windows 10 for education](index.md)
 ## [Change history for Windows 10 for Education](change-history-edu.md)
-## [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md)
-## [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md)
+## [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
+## [Setup options for Windows 10](set-up-windows-10.md)
+### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
+### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
+### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
+### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
 ## [Get Minecraft Education Edition](get-minecraft-for-education.md)
 ### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
 ### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
-## [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md)
-### [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md)
-### [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md)
-### [Take a Test app technical reference (Preview)](take-a-test-app-technical.md)
+## [Take tests in Windows 10 ](take-tests-in-windows-10.md)
+### [Set up Take a Test on a single PC ](take-a-test-single-pc.md)
+### [Set up Take a Test on multiple PCs ](take-a-test-multiple-pcs.md)
+### [Take a Test app technical reference ](take-a-test-app-technical.md)
+## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
 ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
-## [Chromebook migration guide](chromebook-migration-guide.md)
\ No newline at end of file
+## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
+## [Chromebook migration guide](chromebook-migration-guide.md)
+
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index bde12a2f2b..0d1c19f506 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -12,6 +12,26 @@ author: jdeckerMS This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. + +## RELEASE: Windows 10, version 1607 +The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: + +- [Set up Windows 10](set-up-windows-10.md) +- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) +- [Provision student PCs with apps](set-up-students-pcs-with-apps.md) +- [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) + + +## July 2016 + + +| New or changed topic | Description| +| --- | --- | +| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New | +|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New | + + + ## June 2016 | New or changed topic | Description | diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md new file mode 100644 index 0000000000..dcfe03beba --- /dev/null +++ b/education/windows/deploy-windows-10-in-a-school-district.md 
@@ -0,0 +1,1854 @@
+---
+title: Deploy Windows 10 in a school district (Windows 10)
+description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use System Center Configuration Manager, Intune, and Group Policy to manage devices.
+keywords: configure, tools, device, school
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: edu
+ms.sitesec: library
+author: craigash
+---
+
+# Deploy Windows 10 in a school district
+
+**Applies to**
+
+- Windows 10
+
+
+This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft System Center Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system.
+
+## Prepare for district deployment
+
+Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. Just as with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district.
+
+>**Note**  This guide focuses on Windows 10 deployment and management in a district.
For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management).
+
+### Plan a typical district configuration
+
+As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
+
+![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide")
+
+*Figure 1. Typical district configuration for this guide*
+
+A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses.
+
+![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide")
+
+*Figure 2. Typical school configuration for this guide*
+
+Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses.
+
+![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school")
+
+*Figure 3. Typical classroom configuration in a school*
+
+This district configuration has the following characteristics:
+
+* It contains one or more admin devices.
+* It contains two or more schools.
+* Each school contains two or more classrooms.
+* Each classroom contains one teacher device.
+* The classrooms connect to each other through multiple subnets.
+* All devices in each classroom connect to a single subnet.
+* All devices have high-speed, persistent connections to each other and to the Internet.
+* All teachers and students have access to Windows Store or Windows Store for Business.
+* You install a 64-bit version of Windows 10 on the admin device.
+* You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.
+* You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device.
+ >**Note**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
+* The devices use Azure AD in Office 365 Education for identity management.
+* If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/).
+* Use [Intune](https://docs.microsoft.com/en-us/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](https://technet.microsoft.com/en-us/library/cc725828.aspx) to manage devices.
+* Each device supports a one-student-per-device or multiple-students-per-device scenario.
+* The devices can be a mixture of different make, model, and processor architecture (32-bit or 64-bit) or be identical.
+* To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment (PXE) boot.
+* The devices can be a mixture of different Windows 10 editions, such as Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education.
+
+Use these characteristics at a minimum as you deploy your schools. If your district deployment is less complex, you may want to review the guidance in [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school).
+
+>**Note**  This guide focuses on Intune as the mobile device management (MDM) solution. If you want to use an MDM solution other than Intune, ignore the Intune-specific content in this guide.
For each section, contact your MDM provider to determine the features and management capabilities for your institution.
+
+Office 365 Education allows:
+
+* Students and faculty to use Microsoft Office Online to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser.
+* Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students.
+* Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, the administration, and faculty.
+* Teachers to employ Sway to create interactive educational digital storytelling.
+* Students and faculty to use email and calendars, with mailboxes up to 50 GB per user.
+* Faculty to use advanced email features like email archiving and legal hold capabilities.
+* Faculty to help prevent unauthorized users from accessing documents and email by using Microsoft Azure Rights Management.
+* Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center.
+* Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business.
+* Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business.
+* Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites.
+* Students and faculty to use Office 365 Video to manage videos.
+* Students and faculty to use Yammer to collaborate through private social networking.
+* Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices).
+
+For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic).
+
+### How to configure a district
+
+Now that you have the plan (blueprint) for your district and individual schools and classrooms, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge.
+
+The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
+
+You can use MDT as a stand-alone tool or integrate it with System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments.
+
+This guide focuses on LTI deployments to deploy the reference device. You can use ZTI deployments with System Center Configuration Manager or LTI deployments to deploy the reference images to your faculty and student devices. If you want to only use MDT, see [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school).
+
+MDT includes the Deployment Workbench, a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices.
+
+LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT.
You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section.
+
+The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
+
+ZTI performs fully automated deployments using System Center Configuration Manager and MDT. Although you could use System Center Configuration Manager by itself, using System Center Configuration Manager with MDT provides an easier process for deploying operating systems. MDT works with the operating system deployment feature in System Center Configuration Manager.
+
+The configuration process requires the following devices:
+
+* **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the System Center Configuration Manager Console on this device.
+* **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices.
+ You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/en-us/windows/view-all).
+* **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices.
+* **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them.
+
+The high-level process for deploying and configuring devices within individual classrooms, individual schools, and the district as a whole is as follows and illustrated in Figure 4:
+
+1. Prepare the admin device for use, which includes installing the Windows ADK, MDT, and the Configuration Manager console.
+
+2. On the admin device, create and configure the Office 365 Education subscription that you will use for the district’s classrooms.
+
+3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration).
+
+4. On the admin device, create and configure a Windows Store for Business portal.
+
+5. On the admin device, prepare for management of the Windows 10 devices after deployment.
+
+6. On the reference devices, deploy Windows 10 and the Windows desktop apps on the device, and then capture the reference image from the devices.
+
+7. Import the captured reference images into MDT or System Center Configuration Manager.
+
+8. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
+
+9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration.
+
+![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works")
+
+*Figure 4. How district configuration works*
+
+Each step illustrated in Figure 4 directly corresponds to the remaining high-level sections in this guide.
+
+#### Summary
+
+In this district, you looked at the final configuration of your individual classrooms, individual schools, and the district as a whole upon completion of this guide. You also learned the high-level steps for deploying the faculty and student devices in your district.
+
+## Select deployment and management methods
+
+Now that you know what a typical district looks like and how to configure the devices in your district, you need to make a few decisions. You must select the methods you’ll use to deploy Windows 10 to the faculty and student devices in your district. Next, you must select the method you’ll use to manage configuration settings for your users and devices. Finally, you must select the method you’ll use to manage Windows desktop apps, Windows Store apps, and software updates.
+
+### Typical deployment and management scenarios
+
+Before you select the deployment and management methods, you need to review the typical deployment and management scenarios (the cloud-centric scenario and the on-premises and cloud scenario). Table 1 lists the scenario feature and the corresponding products and technologies for that feature in each scenario.
+
+|Scenario feature |Cloud-centric|On-premises and cloud|
+|---|---|---|
+|Identity management | Azure AD (stand-alone or integrated with on-premises AD DS) | AD DS integrated with Azure AD |
+|Windows 10 deployment | MDT only | System Center Configuration Manager with MDT |
+|Configuration setting management | Intune | Group Policy

    Intune|
+|App and update management | Intune |System Center Configuration Manager

    Intune|
+
+*Table 1. Deployment and management scenarios*
+
+These scenarios assume the need to support:
+
+* Institution-owned and personal devices.
+* AD DS domain-joined and nondomain-joined devices.
+
+Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind:
+
+* You can use Group Policy or Intune to manage configuration settings on a device but not both.
+* You can use System Center Configuration Manager or Intune to manage apps and updates on a device but not both.
+* You cannot manage multiple users on a device with Intune if the device is AD DS domain joined.
+
+Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district.
+
+### Select the deployment methods
+
+To deploy Windows 10 and your apps, you can use MDT by itself or System Center Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
+
+
++++ + + + + + + + + + + + + + + + + + + +
    MethodDescription
    MDT

    MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Windows Store apps and software updates.

    +Select this method when you:

    +
      +
    • Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
    • +
    • Don’t have an existing AD DS infrastructure.
    • +
    • Need to manage devices regardless of where they are (on or off premises).
    • +
    + +

    The advantages of this method are that:

    +
      +
    • You can deploy Windows 10 operating systems.
    • +
    • You can manage device drivers during initial deployment.
    • +
    • You can deploy Windows desktop apps (during initial deployment)
    • +
    • It doesn’t require an AD DS infrastructure.
    • +
    • It doesn’t have additional infrastructure requirements.
    • +
    • MDT doesn’t incur additional cost: it’s a free tool.
    • +
    • You can deploy Windows 10 operating systems to institution-owned and personal devices.
    • +
    + +

    The disadvantages of this method are that it:

    + +
      +
    • Can’t manage applications throughout entire application life cycle (by itself).
    • +
    • Can’t manage software updates for Windows 10 and apps (by itself).
    • +
    • Doesn’t provide antivirus and malware protection (by itself).
    • +
    • Has limited scaling to large numbers of users and devices.
    • +
    + +
    System Center Configuration Manager

    System Center Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use System Center Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Windows Store apps and software updates as well as provide antivirus and antimalware protection.

    +Select this method when you:

    +
      +
    • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
    • +
    • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
    • +
    • Typically deploy Windows 10 to on-premises devices.
    • +
    + +

    The advantages of this method are that:

    +
      +
    • You can deploy Windows 10 operating systems.
    • +
    • You can manage (deploy) Windows desktop and Windows Store apps throughout entire application life cycle.
    • +
    • You can manage software updates for Windows 10 and apps.
    • +
    • You can manage antivirus and malware protection.
    • +
    • It scales to large number of users and devices.
    • +
    +

    The disadvantages of this method are that it:

    +
      +
    • Carries an additional cost for System Center Configuration Manager server licenses (if the institution does not have System Center Configuration Manager already).
    • +
    • Can deploy Windows 10 only to domain-joined (institution-owned devices).
    • +
    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
    • +
    +
    + +*Table 2. Deployment methods* + +Record the deployment methods you selected in Table 3. + +|Selection | Deployment method| +|--------- | -----------------| +| |MDT by itself | +| |System Center Configuration Manager and MDT| + +*Table 3. Deployment methods selected* + +### Select the configuration setting management methods + +If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, maintaining an identical configuration on every device will become virtually impossible as the number of devices in the district increases. + +For a district, there are many ways to manage the configuration setting for users and devices. Table 4 lists the methods that this guide describes and recommends. Use this information to determine which combination of configuration setting management methods is right for your institution. + + ++++ + + + + + + + + + + + + + + + + + + +
    MethodDescription
    Group Policy

    Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.

    +Select this method when you:

    + +
      +
    • Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
    • +
    • Want more granular control of device and user settings.
    • +
    • Have an existing AD DS infrastructure.
    • +
    • Typically manage on-premises devices.
    • +
    • Can manage a required setting only by using Group Policy.
    • +
    + +

    The advantages of this method include:

    +
      +
    • No cost beyond the AD DS infrastructure.
    • +
    • A larger number of settings (compared to Intune).
    • +
    + +

    The disadvantages of this method are that it:

    +
      +
    • Can only manage domain-joined (institution-owned devices).
    • +
    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
    • +
    • Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
    • +
    • Has rudimentary app management capabilities.
    • +
    • Cannot deploy Windows 10 operating systems.
    • +
    +
    Intune

    Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.

    +Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with System Center Configuration Manager is unavailable.

    +Select this method when you:

    + +
      +
    • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
    • +
    • Don’t need granular control over device and user settings (compared to Group Policy).
    • +
    • Don’t have an existing AD DS infrastructure.
    • +
    • Need to manage devices regardless of where they are (on or off premises).
    • +
    • Want to provide application management for the entire application life cycle.
    • +
    • Can manage a required setting only by using Intune.
    • +
    + +

    The advantages of this method are that:

    +
      +
    • You can manage institution-owned and personal devices.
    • +
    • It doesn’t require that devices be domain joined.
    • +
    • It doesn’t require any on-premises infrastructure.
    • +
    • It can manage devices regardless of their location (on or off premises).
    • +
    +

    The disadvantages of this method are that it:

    +
      +
    • Carries an additional cost for Intune subscription licenses.
    • +
    • Doesn’t offer granular control over device and user settings (compared to Group Policy).
    • +
    • Cannot deploy Windows 10 operating systems.
    • +
    +
    + +*Table 4. Configuration setting management methods* + +Record the configuration setting management methods you selected in Table 5. Although you can use both Group Policy and Intune to manage devices, to manage a device, you must choose either Group Policy or Intune (but not both). + +|Selection |Configuration setting management method | +|----------|--------------| +| |Group Policy | +| |Intune | + +*Table 5. Configuration setting management methods selected* + +#### Select the app and update management products + +For a district, there are many ways to manage apps and software updates. Table 6 lists the products that this guide describes and recommends. Although you could manage updates by using [Windows Updates or Windows Server Update Services (WSUS)](https://technet.microsoft.com/en-us/windowsserver/bb332157.aspx), you still need to use System Center Configuration Manager or Intune to manage apps. Therefore, it only makes sense to use one or both of these tools for update management. + +Use the information in Table 6 to determine which combination of app and update management products is right for your district. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    SelectionManagement method
    System Center Configuration Manager

    System Center Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.

    System Center Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using System Center Configuration Manager. You can also manage Windows desktop and Windows Store applications.

    Select this method when you:

    +
      +
    • Selected System Center Configuration Manager to deploy Windows 10.
    • +
    • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
    • +
    • Want to manage AD DS domain-joined devices.
    • +
    • Have an existing AD DS infrastructure.
    • +
    • Typically manage on-premises devices.
    • +
    • Want to deploy operating systems.
    • +
    • Want to provide application management for the entire application life cycle.
    • +
    + +

    The advantages of this method are that:

    +
      +
    • You can deploy Windows 10 operating systems.
    • +
    • You can manage applications throughout the entire application life cycle.
    • +
    • You can manage software updates for Windows 10 and apps.
    • +
    • You can manage antivirus and malware protection.
    • +
    • It scales to large numbers of users and devices.
    • +
    +

    The disadvantages of this method are that it:

    +
      +
    • Carries an additional cost for System Center Configuration Manager server licenses (if the institution does not have System Center Configuration Manager already).
    • +
    • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
    • +
    • Can only manage domain-joined (institution-owned devices).
    • +
    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
    • +
    • Typically manages on-premises devices (unless devices through VPN or DirectAccess).
    • +
    +
    Intune

    Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.

    +Select this method when you:

    +
      +
    • Selected MDT only to deploy Windows 10.
    • +
    • Want to manage institution-owned and personal devices that are not domain joined.
    • +
    • Want to manage Azure AD domain-joined devices.
    • +
    • Need to manage devices regardless of where they are (on or off premises).
    • +
    • Want to provide application management for the entire application life cycle.
    • +
    +

    The advantages of this method are that:

    +
      +
    • You can manage institution-owned and personal devices.
    • +
    • It doesn’t require that devices be domain joined.
    • +
    • It doesn’t require on-premises infrastructure.
    • +
    • It can manage devices regardless of their location (on or off premises).
    • +
    • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
    • +
    +

    The disadvantages of this method are that it:

    +
      +
    • Carries an additional cost for Intune subscription licenses.
    • +
    • Cannot deploy Windows 10 operating systems.
    • +
    +
    System Center Configuration Manager and Intune (hybrid)

    System Center Configuration Manager and Intune together extend System Center Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both System Center Configuration Manager and Intune.

    +System Center Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using System Center Configuration Manager, and you can manage Windows desktop and Windows Store applications for both institution-owned and personal devices.

    +Select this method when you:

    +
      +
    • Selected System Center Configuration Manager to deploy Windows 10.
    • +
    • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
    • +
    • Want to manage domain-joined devices.
    • +
    • Want to manage Azure AD domain-joined devices.
    • +
    • Have an existing AD DS infrastructure.
    • +
    • Want to manage devices regardless of their connectivity.
    • +
    • Want to deploy operating systems.
    • +
    • Want to provide application management for the entire application life cycle.
    • +
    +

    The advantages of this method are that:

    +
      +
    • You can deploy operating systems.
    • +
    • You can manage applications throughout the entire application life cycle.
    • +
    • You can scale to large numbers of users and devices.
    • +
    • You can support institution-owned and personal devices.
    • +
    • It doesn’t require that devices be domain joined.
    • +
    • It can manage devices regardless of their location (on or off premises).
    • +
    +

    The disadvantages of this method are that it:

    +
      +
    • Carries an additional cost for System Center Configuration Manager server licenses (if the institution does not have System Center Configuration Manager already).
    • +
    • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
    • +
    • Carries an additional cost for Intune subscription licenses.
    • +
    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
    • +
    +
    +
+*Table 6. App and update management products*
+
+Record the app and update management methods that you selected in Table 7.
+
+|Selection | Management method|
+|----------|------------------|
+| |System Center Configuration Manager by itself|
+| |Intune by itself|
+| |System Center Configuration Manager and Intune (hybrid mode)|
+
+*Table 7. App and update management methods selected*
+
+#### Summary
+In this section, you selected the methods that you will use to deploy Windows 10 to the faculty and student devices in your district. You selected the methods that you will use to manage configuration settings. Finally, you selected the methods that you will use to manage Windows desktop apps, Windows Store apps, and software updates.
+
+## Prepare the admin device
+
+Now, you’re ready to prepare the admin device for use in the district. This process includes installing the Windows ADK, installing MDT, creating the MDT deployment share, installing the Configuration Manager console, and configuring Configuration Manager console integration.
+
+### Install the Windows ADK
+
+The first step in preparing the admin device is to install the Windows ADK. The Windows ADK contains the deployment tools that MDT uses, including the Windows Preinstallation Environment (Windows PE), the Windows User State Migration Tool (USMT), and Deployment Image Servicing and Management.
+
+When you install the Windows ADK on the admin device, select the following features:
+* Deployment Tools
+* Windows PE
+* USMT
+
+For more information about installing the Windows ADK, see [Step 2-2: Install Windows ADK](https://technet.microsoft.com/en-us/library/dn781086.aspx#InstallWindowsADK).
+
+### Install MDT
+
+Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment. It is a free tool available directly from Microsoft.
+You can use MDT to deploy 32-bit or 64-bit versions of Windows 10.
Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems.
+
+>**Note**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32-bit versions of the operating system.
+
+For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/en-us/library/dn759415.aspx#InstallingaNewInstanceofMDT).
+
+Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices.
+
+### Create a deployment share
+
+MDT includes the Deployment Workbench, a graphical UI that you can use to manage MDT deployment shares. A *deployment share* is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT *deployment media*).
+
+For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](https://technet.microsoft.com/en-us/library/dn781086.aspx#CreateMDTDeployShare).
+
+### Install the Configuration Manager console
+
+>**Note**  If you selected System Center Configuration Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next.
+
+You can use System Center Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Windows Store apps, and software updates. To manage System Center Configuration Manager, you use the Configuration Manager console. 
You must install the Configuration Manager console on every device you use to manage System Center Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install System Center Configuration Manager primary site servers.
+
+For more information about how to install the Configuration Manager console, see [Install System Center Configuration Manager consoles](https://technet.microsoft.com/en-us/library/mt590197.aspx#bkmk_InstallConsole).
+
+### Configure MDT integration with the Configuration Manager console
+
+>**Note**  If you selected MDT only to deploy Windows 10 and your apps (and not System Center Configuration Manager) in the [Select the deployment methods](#select-the-deployment-methods) section, then skip this section and continue to the next.
+
+You can use MDT with System Center Configuration Manager to make ZTI operating system deployment easier. To configure MDT integration with System Center Configuration Manager, run the Configure ConfigMgr Integration Wizard. This wizard is installed when you install MDT.
+
+In addition to the admin device, run the Configure ConfigMgr Integration Wizard on each device that runs the Configuration Manager console to ensure that all Configuration Manager console installation can use the power of MDT–System Center Configuration Manager integration.
+
+For more information, see [Enable Configuration Manager Console Integration for Configuration Manager](https://technet.microsoft.com/en-us/library/dn759415.aspx#EnableConfigurationManagerConsoleIntegrationforConfigurationManager).
+
+#### Summary
+
+In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later to capture a reference image. 
You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in the [Select the deployment methods](#select-the-deployment-methods) section). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console.
+
+## Create and configure Office 365
+
+Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. They also use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business.
+
+As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](https://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx).
+
+### Select the appropriate Office 365 Education license plan
+
+Complete the following steps to select the appropriate Office 365 Education license plan for your school:
+
+1. Determine the number of faculty members and students who will use the classroom. Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan.
+
+2. Determine the faculty members and students who need to install Microsoft Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 8 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
+
+ |Plan |Advantages |Disadvantages |
+ |----- |----------- |------------- |
+ |Office 365 Education |
    • Less expensive than Office 365 ProPlus
    • Can be run from any device
    • No installation necessary
    |
    • Must have an Internet connection to use it
    • Does not support all the features found in Office 365 ProPlus
    |
+ |Office 365 ProPlus |
    • Only requires an Internet connection every 30 days (for activation)
    • Supports the full set of Office features
    • Can be installed on five devices per user (there is no limit to the number of devices on which you can run Office apps online)
    |
    • Requires installation
    • More expensive than Office 365 Education
    |
+
+ *Table 8. Comparison of standard and Office 365 ProPlus plans*
+
+ The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
+
+3. Determine whether students or faculty need Azure Rights Management.
+
+ You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management Documentation](https://docs.microsoft.com/en-us/rights-management/).
+
+4. Record the Office 365 Education license plans needed for the classroom in Table 9.
+
+ |Quantity |Plan |
+ |---------|-----|
+ | |Office 365 Education for students|
+ | |Office 365 Education for faculty|
+ | |Azure Rights Management for students|
+ | |Azure Rights Management for faculty|
+
+ *Table 9. Office 365 Education license plans needed for the classroom*
+
+You will use the Office 365 Education license plan information you record in Table 9 in [Create user accounts in Office 365](#create-user-accounts-in-office-365) later in this guide.
+
+### Create a new Office 365 Education subscription
+
+To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. 
There are no costs to you or to students for signing up for Office 365 Education subscriptions.
+
+>**Note**  If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Create user accounts in Office 365](#create-user-accounts-in-office-365).
+
+#### To create a new Office 365 subscription
+
+1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar.
+ >**Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods:
+
    • In Microsoft Edge, open the Microsoft Edge app (press Ctrl+Shift+P, or click or tap **More actions**), and then click or tap **New InPrivate window**.
    • In Internet Explorer 11, open Internet Explorer 11 (press Ctrl+Shift+P, or click or tap **Settings**), click or tap **Safety**, and then click or tap **InPrivate Browsing**.
    +
+
+
+2. On the **Get started** page, in **Enter your school email address**, type your school email address, and then click **Sign up**.
+
+ You will receive an email in your school email account.
+3. Click the hyperlink in the email in your school email account.
+
+4. On the **One last thing** page, complete your user information, and then click **Start**.
+
+
+The wizard creates your new Office 365 Education subscription, and you’re automatically signed in as the administrative user you specified when you created the subscription.
+
+### Add domains and subdomains
+
+Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains.
+
+#### To add additional domains and subdomains
+
+1. In the Office 365 admin center, in the list view, click **DOMAINS**.
+
+2. In the details pane, above the list of domains, on the menu bar, click **Add domain**.
+
+3. In the Add a New Domain in Office 365 Wizard, on the **Verify domain** wizard page, click **Let’s get started**.
+
+4. On the **Verify domain** wizard page, in **Enter a domain you already own**, type your domain name, and then click **Next**.
+
+5. Sign in to your domain name management provider (for example, Network Solutions or GoDaddy), and then complete the steps for your provider.
+
+6. Repeat these steps for each domain and subdomain you want faculty and students to use for your institution.
+
+### Configure automatic tenant join
+
+To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). 
In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
+
+>**Note**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush).
+
+Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
+
+* If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant.
+* If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it.
+
+You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before you allow other faculty and students to join Office 365.
+
+>**Note**  You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. 
+
+By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+
+|Action |Windows PowerShell command|
+|-------|--------------------------|
+|Enable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $true` |
+|Disable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $false` |
+
+*Table 10. Windows PowerShell commands to enable or disable automatic tenant join*
+
+>**Note**  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant.
+
+### Disable automatic licensing
+
+To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval.
+
+>**Note**  By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
+
+Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. 
For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+
+|Action |Windows PowerShell command|
+|-------|--------------------------|
+|Enable |`Set-MsolCompanySettings -AllowAdHocSubscriptions $true` |
+|Disable|`Set-MsolCompanySettings -AllowAdHocSubscriptions $false`|
+
+*Table 11. Windows PowerShell commands to enable or disable automatic licensing*
+
+### Enable Azure AD Premium
+
+When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory, the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD-integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium.
+
+Educational institutions can obtain Azure AD Basic edition licenses at no cost if they have a volume license agreement. After your institution obtains its licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access). 
+
+The following Azure AD Premium features are not in Azure AD Basic:
+
+* Allow designated users to manage group membership
+* Dynamic group membership based on user metadata
+* Azure multifactor authentication (MFA; see [What is Azure Multi-Factor Authentication](https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication/))
+* Identify cloud apps that your users run
+* Self-service recovery of BitLocker
+* Add local administrator accounts to Windows 10 devices
+* Azure AD Connect health monitoring
+* Extended reporting capabilities
+
+You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users.
+
+You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process.
+
+For more information about:
+
+* Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/).
+* How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx#create_tenant3).
+
+#### Summary
+
+You provision and initially configure Office 365 Education as part of initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365.
+
+## Select an Office 365 user account–creation method
+
+Now that you have an Office 365 subscription, you must determine how you’ll create your Office 365 user accounts. 
Use one of the following methods to make your decision:
+
+* Method 1: Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain.
+* Method 2: Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain.
+
+### Method 1: Automatic synchronization between AD DS and Azure AD
+
+In this method, you have an on-premises AD DS domain. As shown in Figure 5, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
+
+>**Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx).
+
+![Automatic synchronization between AD DS and Azure AD](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD")
+
+*Figure 5. Automatic synchronization between AD DS and Azure AD*
+
+For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section later in this guide.
+
+### Method 2: Bulk import into Azure AD from a .csv file
+
+In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
+
+![Bulk import into Azure AD from other sources](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources")
+
+*Figure 6. 
Bulk import into Azure AD from other sources*
+
+To implement this method, perform the following steps:
+
+1. Export the student information from the source.
+
+ Put the student information in the format the bulk-import feature requires.
+2. Bulk-import the student information into Azure AD.
+
+ For more information about how to perform this step, see the [Bulk-import user and group accounts in Office 365](#bulk-import-user-and-group-accounts-in-office-365) section.
+
+#### Summary
+
+In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts.
+
+## Integrate on-premises AD DS with Azure AD
+
+You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
+
+>**Note**  If your institution does not have an on-premises AD DS domain, you can skip this section.
+
+### Select a synchronization model
+
+Before you deploy AD DS and Azure AD synchronization, determine where you want to deploy the server that runs Azure AD Connect.
+
+You can deploy the Azure AD Connect tool:
+
+- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server.
+
+ ![Azure AD Connect on premises](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises")
+
+ *Figure 7. 
Azure AD Connect on premises*
+
+- **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
+
+ ![Azure AD Connect in Azure](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure")
+
+ *Figure 8. Azure AD Connect in Azure*
+
+This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/en-us/library/dn635310.aspx).
+
+### Deploy Azure AD Connect on premises
+
+In this synchronization model (illustrated in Figure 7), you run Azure AD Connect on premises on a physical device or in a VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD and includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution.
+
+#### To deploy AD DS and Azure AD synchronization
+
+1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/).
+
+2. In the VM or on the physical device that will run Azure AD Connect, sign in with a domain administrator account.
+
+3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect).
+
+4. 
Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure sync features](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#configure-sync-features).
+
+Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD.
+
+### Verify synchronization
+
+Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console.
+
+#### To verify AD DS and Azure AD synchronization
+
+1. Open https://portal.office.com in your web browser.
+
+2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365.
+
+3. In the list view, expand USERS, and then click **Active Users**.
+
+4. In the details pane, view the list of users.
+
+ The list of users should mirror the users in AD DS.
+5. In the list view, click **GROUPS**.
+
+6. In the details pane, view the list of security groups.
+
+ The list of users should mirror the security groups in AD DS.
+7. In the details pane, double-click one of the security groups.
+
+ The list of security group members should mirror the group membership for the corresponding security group in AD DS.
+8. Close the browser.
+
+Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium.
+
+#### Summary
+
+In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly. 
+
+## Bulk-import user and group accounts into AD DS
+
+You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS.
+
+>**Note**  If your institution doesn’t have an on-premises AD DS domain, you can skip this section.
+
+### Select the bulk import method
+
+Several methods are available to bulk-import user accounts into AD DS domains. Table 12 lists the methods that the Windows Server operating system supports natively. In addition, you can use partner solutions to bulk-import user and group accounts into AD DS.
+
+|Method |Description and reason to select this method |
+|-------|---------------------------------------------|
+|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
+|VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. 
For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/en-us/scriptcenter/dd939958.aspx).|
+|Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
+
+*Table 12. AD DS bulk-import account methods*
+
+### Create a source file that contains the user and group accounts
+
+After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 13 lists the source file format for the bulk import methods.
+
+|Method |Source file format |
+|-------|-------------------|
+|Ldifde.exe |Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. 
For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
+|VBScript |VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).|
+|Windows PowerShell |Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |
+
+*Table 13. Source file format for each bulk import method*
+
+### Import the user accounts into AD DS
+
+With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method.
+
+>**Note**  Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. 
+
+For more information about how to import user accounts into AD DS by using:
+
+* Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).
+* VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).
+* Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).
+
+#### Summary
+
+In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts into AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide.
+
+## Bulk-import user and group accounts into Office 365
+
+You can bulk-import user and group accounts directly into Office 365, reducing the time and effort required to create users. First, you bulk-import the user accounts into Office 365. Then, you create the security groups for your institution. Finally, you create the email distribution groups your institution requires. 
+ +### Create user accounts in Office 365 + +Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. + +>**Note**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. + +You can use the Office 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). + +The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 9. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts. + +For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365 - Admin help](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US). + +>**Note**  If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. + +The email accounts are assigned temporary passwords on creation. You must communicate these temporary passwords to your users before they can sign in to Office 365. 
+ +### Create Office 365 security groups + +Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources. + +>**Note**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. + +For information about creating security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US). + +You can add and remove users from security groups at any time. + +>**Note**  Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may have to sign out, and then sign in again for the change to take effect. + +### Create email distribution groups + +Microsoft Exchange Online uses an email distribution group as a single email recipient for multiple users. For example, you could create an email distribution group that contains all students. Then, you could send a message to the email distribution group instead of individually addressing the message to each student. + +You can create email distribution groups based on job role (such as teacher, administration, or student) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. + +>**Note**  Office 365 can take some time to complete the Exchange Online creation process. 
You will have to wait until the creation process ends before you can perform the following steps. + + +For information about creating email distribution groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US). + +#### Summary + +You have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. + +## Assign user licenses for Azure AD Premium + +If you enabled Azure AD Premium in the [Enable Azure AD Premium](#enable-azure-ad-premium) section, you must now assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users. + +For more information about assigning user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts). + +## Create and configure a Windows Store for Business portal + +Windows Store for Business allows you to create your own private portal to manage Windows Store apps in your institution. With Windows Store for Business, you can: + +* Find and acquire Windows Store apps. +* Manage apps, app licenses, and updates. +* Distribute apps to your users. + + +For more information about Windows Store for Business, see [Windows Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview). 
+ +This section shows you how to create a Windows Store for Business portal and configure it for your school. + +### Create and configure your Windows Store for Business portal + +To create and configure your Windows Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Windows Store for Business. Windows Store for Business automatically creates a portal for your institution and uses your account as its administrator. + +#### To create and configure a Windows Store for Business portal + +1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar. + +2. On the **Windows Store for Business** page, click **Sign in with an organizational account**. + +3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in. + +4. On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept**. + +5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**. + +After you create the Windows Store for Business portal, configure it by using the commands in the **Settings** menu listed in Table 14. Depending on your institution, you may (or may not) need to change these settings to further customize your portal. + +|Menu selection|What can you do in this menu| +|--------------|----------------------------| +|Account information |Displays information about your Windows Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Management Portal. 
For more information, see [Update Windows Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).| +|Device Guard signing |Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).| +|LOB publishers |Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).| +|Management tools |Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).| +|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see the “Licensing model: online and offline licenses” section in [Apps in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).| +|Permissions |Allows you to grant other users in your organization the ability to buy, manage, and administer your Windows Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).| +|Private store |Allows you to change the organization name used in your Windows Store for Business portal. 
When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).| + +*Table 14. Menu selections to configure Windows Store for Business settings* + +### Find, acquire, and distribute apps in the portal + +Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this from the **Inventory** page in Windows Store for Business. + +>**Note**  Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business. + +You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users to install the apps. + +For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business). + +#### Summary + +At the end of this section, you should have a properly configured Windows Store for Business portal. You have also found and acquired your apps from Windows Store. Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users. + +## Plan for deployment + +You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. 
Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. + +### Select the operating systems + +Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of: + +* New devices or refreshing existing devices, you will completely replace the existing operating system on a device with Windows 10. +* Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. + + +Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: + +- **Windows 10 Pro.** Use this operating system to: + * Upgrade existing eligible institution-owned and personal devices running Windows 8.1 Pro or Windows 7 Professional to Windows 10 Pro. + * Deploy new instances of Windows 10 Pro to devices so that new devices have a known configuration. + +- **Windows 10 Education.** Use this operating system to: + * Upgrade institution-owned devices to Windows 10 Education. + * Deploy new instances of Windows 10 Education so that new devices have a known configuration. + +>**Note**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades). 
+ +For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). + +One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. + +>**Note**  On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. + +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. + +### Select an image approach + +A key operating system image decision is whether to use a thin or thick image. *Thin images* contain only the operating system, and MDT installs the necessary device drivers and apps after the operating system has been installed. *Thick images* contain the operating system, “core” apps (such as Office), and device drivers. With thick images, MDT installs any device drivers and apps not included in the thick image after the operating system has been installed. + +The advantage to a thin image is that the final deployment configuration is dynamic: you can easily change the configuration without having to capture another image. The disadvantage of a thin image is that it takes longer to complete the deployment. + +The advantage of a thick image is that the deployment takes less time than it would for a thin image. 
The disadvantage of a thick image is that you need to capture a new image each time you want to make a change to the operating system, apps, or other software in the image. + +This guide discusses thick image deployment. For information about thin image deployments, see [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school). + +### Select a method to initiate deployment +The LTI deployment process is highly automated: it requires minimal information to deploy or upgrade Windows 10. The ZTI deployment process is fully automated, but you must manually initiate it. To do so, use the method listed in Table 15 that best meets the needs of your institution. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
    MethodDescription and reason to select this method
    Windows Deployment Services

    This method:

    +
      +
    • Uses diskless booting to initiate LTI and ZTI deployments.
    • +
    • Works only with devices that support PXE boot.
    • +
    • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
    • +
    • Deploys images more slowly than when you use local media.
    • +
    • Requires that you deploy a Windows Deployment Services server.
    • +
    +
    Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server. +
    Bootable media

    This method:

    +
      +
    • Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.
    • +
    • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
    • +
    • Deploys images more slowly than when using local media.
    • +
    • Requires no additional infrastructure.
    • +
    +
    Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. +
    Deployment media

    This method:

    +
      +
    • Initiates LTI or ZTI deployment by booting from a local USB hard disk.
    • +
    • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
    • +
    • Deploys images more quickly than network-based methods do.
    • +
    • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
    • +
    +
    Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk. +
    + +*Table 15. Methods to initiate LTI and ZTI deployments* + +#### Summary +At the end of this section, you should know the Windows 10 editions and processor architecture that you want to deploy (and will import later in the process). You also determined whether you want to use thin or thick images. Finally, you selected the method for initiating your LTI or ZTI deployment. Now, you can prepare for Windows 10 deployment. + +## Prepare for deployment + +Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and System Center Configuration Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Windows Store apps, and device drivers. + +### Configure the MDT deployment share + +The first step in preparing for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 16 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 16. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    TaskDescription
    1. Import operating systemsImport the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench).
    2. Import device driversDevice drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

    +Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). +
    3. Create MDT applications for Windows Store appsCreate an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.

    +

    Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files by performing one of the following tasks:

    +
      +
    • For offline-licensed apps, download the .appx files from the Windows Store for Business.
    • +
    • For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.
    • +
    +
    If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business.

    +If you have Intune or System Center Configuration Manager, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using System Center Configuration Manager](#deploy-and-manage-apps-by-using-system-center-configuration-manager) sections. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps.

    +In addition, you must prepare your environment for sideloading Windows Store apps. For more information about how to:

    +
      +
    • Prepare your environment for sideloading, see [Try it out: sideload Windows Store apps](https://technet.microsoft.com/en-us/windows/jj874388.aspx).
    • +
    • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
    • +
    + +
    4. Create MDT applications for Windows desktop appsYou need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

    +To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx).

    +If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps. +

    +**Note**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) section. + +For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx). + +
    5. Create task sequences

    You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:

    +
      +
    • Deploy 64-bit Windows 10 Education to devices.
    • +
    • Deploy 32-bit Windows 10 Education to devices.
    • +
    • Upgrade existing devices to 64-bit Windows 10 Education.
    • +
    • Upgrade existing devices to 32-bit Windows 10 Education.
    • +
    +
    Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). + +
    6. Update the deployment shareUpdating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

    +For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench). + +
    + +*Table 16. Tasks to configure the MDT deployment share* + +### Configure System Center Configuration Manager + +>**Note**  If you have already configured your System Center Configuration Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section. + +Before you can use System Center Configuration Manager to deploy Windows 10 and manage your apps and devices, you must configure System Center Configuration Manager to support the operating system deployment feature. If you don’t have an existing System Center Configuration Manager infrastructure, you will need to deploy a new infrastructure. + +Deploying a new System Center Configuration Manager infrastructure is beyond the scope of this guide, but the following resources can help you deploy a new System Center Configuration Manager infrastructure: + +* [Get ready for System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt608540.aspx) +* [Start using System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt608544.aspx) + + +#### To configure an existing System Center Configuration Manager infrastructure for operating system deployment + +1. Perform any necessary infrastructure remediation. + + Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627936.aspx). +2. Add the Windows PE boot images, Windows 10 operating systems, and other content. + + You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you will use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard. 
+
+ You can add this content by using System Center Configuration Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager).
+3. Add device drivers.
+
+ You must add device drivers for the different device types in your district. For example, if you have a mixture of Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you must have the device drivers for each device.
+
+ Create a System Center Configuration Manager driver package for each device type in your district. For more information, see [Manage drivers in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627934.aspx).
+4. Add Windows apps.
+
+ Install the Windows apps (Windows desktop and Windows Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that include Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Windows Store apps after you deploy Windows 10 because you cannot capture Windows Store apps in a reference image. Windows Store apps target users, not devices.
+
+ Create a System Center Configuration Manager application for each Windows desktop or Windows Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627959.aspx).
+
+### Configure Window Deployment Services for MDT
+
+You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target devices. These boot images can be Windows PE images (which you generated in step 6 in Table 16) or custom images that can deploy operating systems directly to the target devices.
+
+#### To configure Windows Deployment Services for MDT
+
+1. Set up and configure Windows Deployment Services.
+
+ Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution.
+
+ For more information about how to perform this step, see the following resources:
+
+ * [Windows Deployment Services Overview](https://technet.microsoft.com/library/hh831764.aspx)
+ * The Windows Deployment Services Help file, included in Windows Deployment Services
+ * [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx)
+
+2. Add LTI boot images (Windows PE images) to Windows Deployment Services.
+
+ The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the deployment share’s Boot subfolder.
+
+ For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/en-us/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices).
+
+### Configure Window Deployment Services for System Center Configuration Manager
+
+>**Note**  If you have already configured your System Center Configuration Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next.
+
+You can use Windows Deployment Services in conjunction with System Center Configuration to automatically initiate boot images on target devices. These boot images are Windows PE images that you use to boot the target devices, and then initiate Windows 10, app, and device driver deployment.
+
+#### To configure Windows Deployment Services for System Center Configuration Manager
+
+1. Set up and configure Windows Deployment Services.
+
+ Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution.
+
+ For more information about how to perform this step, see the following resources:
+ * [Windows Deployment Services Overview](https://technet.microsoft.com/library/hh831764.aspx)
+ * The Windows Deployment Services Help file, included in Windows Deployment Services
+ * [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx)
+
+2. Configure a distribution point to accept PXE requests in System Center Configuration Manager.
+
+ To support PXE boot requests, you install the PXE service point site system role. Then, you must configure one or more distribution points to respond to PXE boot request.
+ For more information about how to perform this step, see [Install site system roles for System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt704036.aspx), [Use PXE to deploy Windows over the network with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627940.aspx), and [Configuring distribution points to accept PXE requests](https://technet.microsoft.com/en-us/library/mt627944.aspx#BKMK_PXEDistributionPoint).
+3. Configure the appropriate boot images (Windows PE images) to deploy from the PXE-enabled distribution point.
+
+ Before a device can start a boot image from a PXE-enabled distribution point, you must change the properties of the boot image to enable PXE booting. Typically, you create this boot image when you created your MDT task sequence in the Configuration Manager console.
+
+ For more information about how to perform this step, see [Configure a boot image to deploy from a PXE-enabled distribution point](https://technet.microsoft.com/en-us/library/mt627946.aspx#BKMK_BootImagePXE) and [Manage boot images with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627946.aspx).
+
+#### Summary
+
+Your MDT deployment share and System Center Configuration Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You have set up and configured Windows Deployment Services for MDT and for System Center Configuration Manager. You have also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and System Center Configuration Manager). Now, you’re ready to capture the reference images for the different devices you have in your district.
+
+## Capture the reference image
+
+The reference device is a device that you use as the template for all the other devices in your district. On this device, you install any Windows desktop apps the classroom needs. For example, install the Windows desktop apps for Office 365 ProPlus if you selected that student license plan.
+
+After you deploy Windows 10 and the desktop apps to the reference device, you capture an image of the device (the reference image). You import the reference image to an MDT deployment share or into System Center Configuration Manager. Finally, you create a task sequence to deploy the reference image to faculty and student devices.
+
+You will capture multiple reference images, one for each type of device that you have in your organization.
You perform the steps in this section for each image (device) that you have in your district. Use LTI in MDT to automate the deployment and capture of the reference image. + +>**Note**  You can use LTI in MDT or System Center Configuration Manager to automate the deployment and capture of the reference image, but this guide only discusses how to use LTI in MDT to capture the reference image. + +### Customize the MDT deployment share + +You initially configured the MDT deployment share in the [Configure the MDT deployment share](#configure-the-mdt-deployment-share) section earlier in this guide. In that section, you configured the deployment share for generic use. Now, you need to customize the deployment share to deploy the appropriate Windows 10 edition, desktop apps, and device drivers to each reference device. + +#### To customize the MDT deployment share + +1. Create a task sequence to deploy the appropriate Windows 10 edition. + + A task sequence can deploy only one Windows 10 edition or version, which means that you must create a task sequence for each Windows 10 edition and version you selected in the [Select the operating systems](#select-the-operating-systems) section earlier in this guide. To create task sequences, use the New Task Sequence Wizard. + + For more information, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). +2. Create an MDT application for each desktop app you want to include in your reference image. + + You create MDT applications by using the New Application Wizard in the Deployment Workbench. As part of creating the MDT application, specify the command-line parameters used to install the app without user intervention (unattended installation). 
For more information, see [Create a New Application in the Deployment Workbench](http://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). +3. Customize the task sequence to install the MDT applications that you created in step 2. + + You can add an **Install Application** task sequence step to your task sequence. Then, you can customize the **Install Application** task sequence step to install a specific app, which automatically installs the app with no user interaction required when your run the task sequence. + + You need to add an **Install Application** task sequence step for each app you want to include in your reference image. For more information, see [Customize Application Installation in Task Sequences](http://technet.microsoft.com/en-us/library/dn759415.aspx#CustomizeApplicationInstallationinTaskSequences). +4. Create a selection profile that contains the drivers for the device. + + A *selection profile* lets you select specific device drivers. For example, if you want to deploy the device drivers for a Surface Pro 4 device, you can create a selection profile that contains only the Surface Pro 4 device drivers. + + First, in the Out-of-Box Drivers node in the Deployment Workbench, create a folder that will contain your device drivers. Next, import the device drivers into the folder you just created. Finally, create the selection profile and specify the folder that contains the device drivers. For more information, see the following resources: + + * [Create Folders to Organize Device Drivers for LTI Deployments](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateFolderstoOrganizeDeviceDriversforLTIDeployments) + * [Create Selection Profiles to Select the Device Drivers for LTI Deployments](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateSelectionProfilestoSelecttheDeviceDriversforLTIDeployments) + +5. 
Customize the task sequence to use the selection profile that you created in step 4. + + You can customize the **Inject Driver** task sequence step in the **Preinstall** task sequence group in your task sequence to deploy only the device drivers in the selection profile. For more information, see [Configure Task Sequences to Deploy Device Drivers in Selection Profiles for LTI Deployments](https://technet.microsoft.com/en-us/library/dn759415.aspx#ConfigureTaskSequencestoDeployDeviceDriversinSelectionProfilesforLTIDeployments). + +### Capture reference image + +To capture the reference image, run the LTI task sequence that you created in the previous section. The LTI task sequence will allow you to specify a storage location and file name for the .wim file, which contains the captured image. + +Use the Deployment Wizard to deploy Windows 10, your apps, and device drivers to the device, and then capture the .wim file. The LTI deployment process is almost fully automated: you provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated. + +>**Note**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section of [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx#Anchor_6). + +In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems. + +#### To deploy Windows 10 + +1. **Initiate the LTI deployment process.** Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide. + +2. 
**Complete the Deployment Wizard.** For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” section in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Anchor_5). + +### Import reference image + +After you have captured the reference image (.wim file), import the image into the MDT deployment share or into System Center Configuration Manager (depending on which method you selected to perform Windows 10 deployments). You will deploy the reference image to the student and faculty devices in your district. + +Both the Deployment Workbench and the Configuration Manager console have wizards that help you import the reference image. After you import the reference image, you need to create a task sequence that will deploy the reference image. + +For more information about how to import the reference image into: + +* An MDT deployment share, see [Import a Previously Captured Image of a Reference Computer](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportaPreviouslyCapturedImageofaReferenceComputer). +* System Center Configuration Manager, see [Manage operating system images with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627939.aspx) and [Customize operating system images with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627938.aspx). + +### Create a task sequence to deploy the reference image + +You created an LTI task sequence in the Deployment Workbench earlier in this process to deploy Windows 10 and your desktop apps to the reference device. Now that you have captured and imported your reference image, you need to create a tasks sequence to deploy it. + +As you might expect, both the Deployment Workbench and the Configuration Manager console have wizards that help you create a starting task sequence. 
After you create your task sequence, in most instances you will need to customize it to deploy additional apps, device drivers, and other software. + +For more information about how to create a task sequence in the: + +* Deployment Workbench for a deployment share, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). +* Configuration Manager console, see [Create a task sequence to install an operating system in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627927.aspx). + +####Summary +In this section, you customized the MDT deployment share to deploy Windows 10 and desktop apps to one or more reference devices by creating and customizing MDT applications, device drivers, and applications. Next, you ran the task sequence, which deploys Windows 10, deploys your apps, deploys the appropriate device drivers, and captures an image of the reference device. Then, you imported the captured reference image into a deployment share or System Center Configuration Manager. Finally, you created a task sequence to deploy your captured reference image to faculty and student devices. At this point in the process, you’re ready to deploy Windows 10 and your apps to your devices. + +## Prepare for device management + +Before you deploy Windows 10 in your district, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. + +You also want to deploy apps and software updates after you deploy Windows 10. You need to manage apps and updates by using System Center Configuration Manager, Intune, or a combination of both (hybrid model). + +### Select Microsoft-recommended settings + +Microsoft has several recommended settings for educational institutions. 
Table 17 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 17 and evaluate their relevancy to your institution. + +>**Note**  The settings for Intune in Table 17 also apply to the System Center Configuration Manager and Intune management (hybrid) method. + +Use the information in Table 17 to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    RecommendationDescription
    Use of Microsoft accountsYou want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

    + +**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

    +**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.

    +**Intune.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. + +
    Restrict the local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

    +**Group Policy.** Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.

    +**Intune.** Not available. + +
    Manage the built-in administrator account created during device deploymentWhen you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.

    +**Group Policy.** To rename the built-in Administrator account, use the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc747484.aspx). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/en-us/library/jj852165.aspx).

    +**Intune.** Not available. + +
    Control Windows Store accessYou can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.

    +**Group Policy.** To disable the Windows Store app, use the **Turn off the Store Application** group policy setting. To prevent Windows Store apps from receiving updates, use the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).

    +**Intune.** To enable or disable Windows Store access, use the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration policy**. + +
    Use of Remote Desktop connections to devicesRemote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

    +**Group Policy.** To enable or disable Remote Desktop connections to devices, use the **Allow Users to connect remotely using Remote Desktop** setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

    +**Intune.** Not available. + +
    Use of cameraA device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

    +**Group Policy.** Not available.

    +**Intune.** To enable or disable the camera, use the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. + +
    Use of audio recordingAudio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

    +**Group Policy.** To disable the Sound Recorder app, use the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](https://technet.microsoft.com/en-us/library/ee791894.aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/en-us/library/ee791899.aspx).

    +**Intune.** To enable or disable audio recording, use the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. + +
    Use of screen captureScreen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.

    +**Group Policy.** Not available.

    +**Intune.** To enable or disable screen capture, use the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy. + +
    Use of location servicesProviding a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.

    +**Group Policy.** To enable or disable location services, use the **Turn off location** group policy setting in User Configuration\Windows Components\Location and Sensors.

    +**Intune.** To enable or disable location services, use the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. + +
    Changing wallpaperCustom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices.

    +**Group Policy.** To configure the wallpaper, use the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop.

    +**Intune.** Not available. + +
    +
    +*Table 17. Recommended settings for educational institutions* + +### Configure settings by using Group Policy + +Now, you’re ready to use Group Policy to configure settings. The steps in this section assume that you have an AD DS infrastructure. Here, you configure the Group Policy settings you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. + +For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/en-us/library/cc754948.aspx). + +#### To configure Group Policy settings + +1. Create a Group Policy object (GPO) to contain your Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/en-us/library/cc738830.aspx). + +2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/en-us/library/cc739902.aspx). + +3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/en-us/library/cc738954.aspx). + +### Configure settings by using Intune + +Now, you’re ready to use Intune to configure settings. The steps in this section assume that you have an Office 365 subscription. Here, you configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. + +For more information about Intune, see [Microsoft Intune Documentation](https://docs.microsoft.com/en-us/intune/). + +#### To configure Intune settings + +1. Add Intune to your Office 365 subscription by completing the steps in [Manage Intune licenses](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4). + +2. 
Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/get-ready-to-enroll-devices-in-microsoft-intune). + +3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). + +4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/manage-windows-pcs-with-microsoft-intune). + +### Deploy and manage apps by using Intune + +If you selected to deploy and manage apps by using System Center Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using System Center Configuration Manager](#deploy-and-manage-apps-by-using-system-center-configuration-manager) section. + +You can use Intune to deploy Windows Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages. 
+ +For more information about how to configure Intune to manage your apps, see the following resources: + +- [Add apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/add-apps) +- [Deploy apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/deploy-apps) +- [Update apps using Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/update-apps-using-microsoft-intune) +- [Protect apps and data with Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/protect-apps-and-data-with-microsoft-intune) +- [Help protect your data with full or selective wipe using Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/use-remote-wipe-to-help-protect-data-using-microsoft-intune) + +### Deploy and manage apps by using System Center Configuration Manager + +You can use System Center Configuration Manager to deploy Windows Store and Windows desktop apps. System Center Configuration Manager allows you to create a System Center Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, Windows 10 Mobile, iOS, or Android devices) by using *deployment types*. You can think of a System Center Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box. + +For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, Windows 10 Mobile, iOS, and Android. You can deploy the one application to multiple device types. + +>**Note**  When you configure System Center Configuration Manager and Intune in a hybrid model, you deploy apps by using System Center Configuration manager as described in this section. + +System Center Configuration Manager helps you manage apps by monitoring app installation. You can determine how many of your devices have a specific app installed. 
Finally, you can allow users to install apps at their discretion or make apps mandatory. + +For more information about how to configure System Center Configuration Manager to deploy and manage your apps, see [Deploy and manage applications with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627959.aspx). + +### Manage updates by using Intune + +If you selected to manage updates by using System Center Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Manage updates by using System Center Configuration Manager](#manage-updates-by-using-system-center-configuration-manager) section. + +To help ensure that your users have the most current features and security protection, keep Windows 10 and your apps current with updates. To configure Windows 10 and app updates, use the **Updates** workspace in Intune. + +>**Note**  You can only manage updates (including antivirus and antimalware updates) for Windows 10 desktop operating systems (not Windows 10 Mobile, iOS, or Android). + +For more information about how to configure Intune to manage updates and malware protection, see the following resources: + +- [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune) +- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) + +### Manage updates by using System Center Configuration Manager + +To ensure that your users have the most current features and security protection, use the software updates feature in System Center Configuration Manager to manage updates. The software updates feature works in conjunction with WSUS to manage updates for Windows 10 devices. 
+ +You configure the software updates feature to manage updates for specific versions of Windows and apps. Then, the software updates feature obtains the updates from Windows Updates by using the WSUS server in your environment. This integration provides greater granularity of control over updates and more specific targeting of updates to users and devices (compared to WSUS alone or Intune alone), which allows you to ensure that the right user or device gets the right updates. + +>**Note**  When you configure System Center Configuration Manager and Intune in a hybrid model, you use System Center Configuration manager to manage updates as described in this section. + +For more information about how to configure System Center Configuration Manager to manage Windows 10 and app updates, see [Deploy and manage software updates in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt634340.aspx). + +#### Summary + +In this section, you prepared your institution for device management. You identified the configuration settings that you want to use to manage your users and devices. You configured Group Policy or Intune to manage these configuration settings. You configured Intune or System Center Configuration Manager to manage your apps. Finally, you configured Intune or System Center Configuration Manager to manage software updates for Windows 10 and your apps. + +## Deploy Windows 10 to devices + +You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows 7 to Windows 10. 
+
+### Prepare for deployment
+
+Prior to deployment of Windows 10, complete the tasks in Table 18. Most of these tasks are already complete, but use this step to make sure.
+
+|Task| |
+|----|----|
+|1. |Ensure that the target devices have sufficient system resources to run Windows 10.|
+|2. |Identify the necessary devices drivers, and then import them into the MDT deployment share or System Center Configuration Manager.|
+|3. |For each Windows Store and Windows desktop app, create an MDT application or System Center Configuration Manager application.|
+|4. |Notify the students and faculty about the deployment.|
+
+*Table 18. Deployment preparation checklist*
+
+### Perform the deployment
+
+Use the Deployment Wizard to deploy Windows 10. With the LTI deployment process, you provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
+
+>**Note**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx#Anchor_6).
+
+
+In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems.
+
+#### To use LTI to deploy Windows 10
+
+1. **Initiate the LTI deployment process.** Initiate the LTI deployment process by booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide.
+
+2. **Complete the Deployment Wizard.** For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” section of [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Anchor_5).
+ +#### To use ZTI to deploy Windows 10 + +1. **Initiate the ZTI deployment process.** Initiate the ZTI deployment process by booting over the network (PXE boot) or from local media. You selected the method for initiating the ZTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide. + +### Set up printers + +After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to [Verify deployment](#verify-deployment). + +>**Note**  If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to [Verify deployment](#verify-deployment). + +#### To set up printers + +1. Review the printer manufacturer’s instructions for installing the printer drivers. + +2. On the admin device, download the printer drivers. + +3. Copy the printer drivers to a USB drive. + +4. On a device, use the same account you used to set up Windows 10 in the [Prepare for deployment](#prepare-for-deployment) section to log on to the device. + +5. Plug the USB drive into the device. + +6. Follow the printer manufacturer’s instructions to install the printer drivers from the USB drive. + +7. Verify that the printer drivers were installed correctly by printing a test page. + +8. Complete steps 1–8 for each printer. + +### Verify deployment + +As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify that: + +* The device can connect to the Internet and view the appropriate web content in Microsoft Edge. 
+* Windows Update is active and current with software updates. +* Windows Defender is active and current with malware signatures. +* The SmartScreen Filter is active. +* All Windows Store apps are properly installed and updated. +* All Windows desktop apps are properly installed and updated. +* Printers are properly configured. + +When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. + +#### Summary + +You prepared the devices for deployment by verifying that they have adequate system resources and that the resources in the devices have corresponding Windows 10 device drivers. You performed device deployment over the network or by using local MDT media. Next, you configured the appropriate printers on the devices. Finally, you verified that the devices are properly configured and ready for use. + +## Maintain Windows devices and Office 365 + +After the initial deployment, you need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: + +- **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware. +- **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students. +- **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration. + +Table 19 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks. 
+ + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Task and resourcesMonthlyNew semester or academic yearAs required
    Verify that Windows Update is active and current with operating system and software updates.

    +For more information about completing this task when you have: +
      +
    • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
    • +
    • Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
    • +
    • WSUS, see [Windows Server Update Services](https://msdn.microsoft.com/en-us/library/bb332157.aspx).
    • +
    • Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in [Windows 10 help](https://support.microsoft.com/en-us/products/windows?os=windows-10).
    • +
    +
    xxx
    Verify that Windows Defender is active and current with malware signatures.

    +For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/en-us/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02) and [Updating Windows Defender](https://support.microsoft.com/en-us/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03). +
    xxx
    Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

    +For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/en-us/help/17228/windows-protect-my-pc-from-viruses). +
    xxx
    Download and approve updates for Windows 10, apps, device driver, and other software.

    +For more information, see: +
      +
    • [Manage updates by using Intune](#manage-updates-by-using-intune)
    • +
    • [Manage updates by using System Center Configuration Manager](#manage-updates-by-using-system-center-configuration-manager)
    • +
    +
    xxx
    Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

    +For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing). +
    xx
    Refresh the operating system and apps on devices.

    +For more information about completing this task, see the following resources: +
      +
    • [Prepare for deployment](#prepare-for-deployment)
    • +
    • [Capture the reference image](#capture-the-reference-image)
    • +
    • [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)
    • +
    +
    xx
    Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.

    +For more information, see: +
      +
    • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
    • +
    • [Deploy and manage apps by using System Center Configuration Manager](#deploy-and-manage-apps-by-using-system-center-configuration-manager)
    • +
    +
    xx
    Install new or update existing Windows Store apps used in the curriculum.

    +Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download.

    +You can also deploy Windows Store apps directly to devices by using Intune, System Center Configuration Manager, or both in a hybrid configuration. For more information, see: +
      +
    • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
    • +
    • [Deploy and manage apps by using System Center Configuration Manager](#deploy-and-manage-apps-by-using-system-center-configuration-manager)
    • +
    +
    xx
    Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).

    +For more information about how to: +
      +
    • Remove unnecessary user accounts, see [Active Directory Administrative Center](https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/adac/active-directory-administrative-center).
    • +
    • Remove licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
    • +
    +
    xx
    Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).

    +For more information about how to: +
      +
    • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds).
    • +
    • Assign licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
    • +
    +
    xx
    Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).

    +For more information about how to: +
      +
    • Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e).
    • +
    • Remove licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
    • +
    +
    xx
    Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).

    +For more information about how to: +
      +
    • Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
    • +
    • Assign licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
    • +
    +
    xx
    Create or modify security groups, and manage group membership in Office 365.

    +For more information about how to: +
      +
    • Create or modify security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
    • +
    • Manage group membership, see [Manage Group membership in the Office 365 admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).
    • +
    +
    xx
    Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.

    +For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](https://technet.microsoft.com/library/bb124513.aspx) and [Create, edit, or delete a security group](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB). +
    xx
    Install new student devices.

    +Follow the same steps you followed in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. +
    x
    +
    + +*Table 19. School and individual classroom maintenance tasks, with resources and the schedule for performing them* + +#### Summary + +You have now identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your district and individual school configuration should match the typical school configuration you saw in the [Plan a typical district configuration](#plan-a-typical-district-configuration) section. By performing these maintenance tasks, you help ensure that your district as a whole stays secure and is configured as you specified. + +## Related topics + +* [Try it out: Windows 10 deployment (for educational institutions)](https://technet.microsoft.com/en-us/windows/mt574244.aspx) +* [Try it out: Windows 10 in the classroom](https://technet.microsoft.com/en-us/windows/mt574243.aspx) +* [Chromebook migration guide](https://technet.microsoft.com/edu/windows/chromebook-migration-guide) +* [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school) +* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723345) +* [Deploy a custom Windows 10 Start menu layout for a school (video)](https://technet.microsoft.com/en-us/windows/mt723346) +* [Manage Windows 10 updates and upgrades in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723347) +* [Reprovision devices at the end of the school year (video)](https://technet.microsoft.com/en-us/windows/mt723344) +* [Use MDT to deploy Windows 10 in a school (video)](https://technet.microsoft.com/en-us/windows/mt723343) +* [Use Windows Store for Business in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723348) \ No newline at end of file 
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
new file mode 100644
index 0000000000..28792bb055
--- /dev/null
+++ b/education/windows/edu-deployment-recommendations.md
@@ -0,0 +1,127 @@
+---
+title: Deployment recommendations for school IT administrators
+description: Provides guidance on ways to customize the OS privacy settings, as well as some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
+keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school"]
+ms.mktglfcycl: plan
+ms.sitesec: library
+author: CelesteDG
+---
+
+# Deployment recommendations for school IT administrators
+**Applies to:**
+
+- Windows 10
+
+
+Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, as well as some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](http://go.microsoft.com/fwlink/?LinkId=809305).
+
+Here are some best practices and specific privacy settings we’d like you to be aware of.
+
+## Deployment best practices
+
+Keep these best practices in mind when deploying any edition of Windows 10 in schools or districts:
+* A Microsoft account is only intended for consumer services. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, and so on. For schools, consider using mobile device management (MDM) or Group Policy to block students from adding a Microsoft account as a secondary account.
+
+* If schools allow the use of personal accounts by their students to access personal services, schools should be aware that these accounts belong to individuals, not the school.
+* IT administrators, school officials, and teachers should also consider ratings when picking apps from the Windows Store.
+
+## Windows 10 Contacts privacy settings
+
+If you’re an IT administrator who deploys Windows 10 in a school or district, we recommend that you review these deployment resources to make informed decisions about how you can configure telemetry for your school or district:
+* [Configure Windows telemetry in your organization](http://go.microsoft.com/fwlink/?LinkId=817241) - Describes the types of telemetry we gather and the ways you can manage this data.
+* [Manage connections from Windows operating system components to Microsoft services](http://go.microsoft.com/fwlink/?LinkId=817240) - Learn about network connections that Windows components make to Microsoft and also the privacy settings (such as location, camera, messaging, and more) that affect data that is shared with either Microsoft or apps and how you can manage this data.
+
+In particular, the **Contacts** area in the **Settings** > **Privacy** section lets you choose which apps can access a student’s contacts list. By default, this setting is turned on.
+
+To change the setting, you can:
+* [Turn off access to contacts for all apps](#turn-off-access-to-contacts-for-all-apps)
+* [Choose the apps that you want to allow access to contacts](#choose-the-apps-that-you-want-to-allow-access-to-contacts)
+
+### Turn off access to contacts for all apps
+To turn off access to contacts for all apps on individual Windows devices:
+1. On the computer, go to **Settings** and select **Privacy**.
+
+ ![Privacy settings](images/settings-privacy-marked.png)
+
+2. Under the list of **Privacy** areas, select **Contacts**.
+
+ ![Contacts privacy settings](images/privacy-contacts-marked.png)
+
+3. Turn off **Let apps access my contacts**.
+
+For IT-managed Windows devices, you can use a Group Policy to turn off the setting. To do this:
+1. Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**.
+2. 
Set the **Select a setting** box to **Force Deny**.
+
+### Choose the apps that you want to allow access to contacts
+If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off.
+
+![Choose apps with access to contacts](images/settings-contacts-app-marked.png)
+
+The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts.
+
+To allow only certain apps to have access to contacts, you can:
+* Configure each app individually using the **Settings** > **Contacts** option in the Windows UI
+* Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce.
+
+ ![App privacy Group Policy](images/app-privacy-group-policy.png)
+
+## Skype and Xbox settings
+
+Skype Preview (a Universal Windows Platform [UWP] preview app) and Xbox are preinstalled as part of Windows 10.
+
+The Skype app replaces the integration of Skype features into Skype video and Messaging apps on Windows PCs and large tablets. The Skype app provides all these features in one place and lets users have a single place to manage both their chat and voice conversations so they can take better advantage of their screen. For information about the new Skype UWP app preview, see this [FAQ](http://go.microsoft.com/fwlink/?LinkId=821441).
+
+With the Xbox app, students can use their Xbox profiles to play and make progress on their games using their Windows-based device. They can also unlock achievements and show off to their friends with game clips and screenshots. The Xbox app requires a Microsoft account, which is a personal account.
+
+Both Skype and Xbox include searchable directories that let students find other people to connect to. The online privacy and security settings for Skype and Xbox are not manageable through Group Policy so we recommend that school IT administrators and school officials let parents and students know about these searchable directories.
+
+If the school allows the use of personal or Microsoft account in addition to organization accounts, we also recommend that IT administrators inform parents and students that they can optionally remove any identifying information from the directories by:
+* [Managing the user profile](#managing-the-user-profile)
+* [Deleting the account if the user name is part of the identifying information](#delete-an-account-if-username-is-identifying)
+
+### Managing the user profile
+#### Skype
+Skype uses the user’s contact details to deliver important information about the account and it also lets friends find each other on Skype.
+
+To manage and edit your profile in the Skype UWP app, follow these steps:
+1. In the Skype UWP app, select the user profile icon ![Skype profile icon](images/skype-profile-icon.png) to go to the user’s profile page.
+2. In the **Accounts** section, select **Manage** for the Skype account that you want to change. This will take you to the online Skype portal.
+3. In the online Skype portal, scroll down to the Account details section. In Settings and preferences, select Edit profile.
+The profile page includes these sections:
+ * Profile completeness
+ * Personal information
+ * Contact details
+4. Review the information in each section and click **Edit** to change the information being shared.
+5. If you do not wish your name to be included, replace the fields with **XXX**.
+6. To change your profile picture, simply click on the current profile picture or avatar. The **Manage Profile Picture** window pops up.
+
+ ![Skype profile icon](images/skype-manage-profile-pic.png)
+
+ * To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**).
+ * You can also change the visibility of your profile picture between public (everyone) or your contacts only. To change the profile picture visibility, select the dropdown under **Profile picture** and choose between **Show to everyone** or **Show to contacts only**.
+
+#### Xbox
+A user’s Xbox friends and their friends’ friends can see their real name and profile. By default, the Xbox privacy settings enforce that no personal identifying information of a minor is shared on the Xbox Live network, although adults in the child’s family can change these default settings to allow it to be more permissive.
+
+To learn more about how families can manage security and privacy settings on Xbox, see this [Xbox article on security](http://go.microsoft.com/fwlink/?LinkId=821445).
+
+
+### Delete an account if username is identifying
+If you want to delete either (or both) the Skype and the Xbox accounts, here’s how to do it.
+
+#### Skype
+To delete a Skype account, you can follow the instructions here: [How do I close my Skype account?](http://go.microsoft.com/fwlink/?LinkId=816515)
+
+If you need help deleting the account, you can contact Skype customer service by going to the [Skype support request page](http://go.microsoft.com/fwlink/?LinkId=816519). You may need to sign in and specify a Skype account. Once you’ve signed in, you can:
+1. Select a help topic (**Account and Password**)
+2. Select a related problem (**Deleting an account**)
+3. Click **Next**.
+4. Select a contact method to get answers to your questions.
+
+
+#### Xbox
+To delete an Xbox account, you can follow the instructions here: [How to delete your Microsoft account and personal information associated with it](http://go.microsoft.com/fwlink/?LinkId=816521).
+
+## Related topics
+[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
diff --git a/education/windows/images/ICDstart-option.PNG b/education/windows/images/ICDstart-option.PNG
new file mode 100644
index 0000000000..1ba49bb261
Binary files /dev/null and b/education/windows/images/ICDstart-option.PNG differ
diff --git a/education/windows/images/app-privacy-group-policy.png b/education/windows/images/app-privacy-group-policy.png
new file mode 100644
index 0000000000..96a5f0380a
Binary files /dev/null and b/education/windows/images/app-privacy-group-policy.png differ
diff --git a/education/windows/images/checkmark.png b/education/windows/images/checkmark.png
new file mode 100644
index 0000000000..f9f04cd6bd
Binary files /dev/null and b/education/windows/images/checkmark.png differ
diff --git a/education/windows/images/choose-package-icd.png b/education/windows/images/choose-package-icd.png
new file mode 100644
index 0000000000..2bf7a18648
Binary files /dev/null and b/education/windows/images/choose-package-icd.png differ
diff --git a/education/windows/images/connect-ad.png b/education/windows/images/connect-ad.png
new file mode 100644
index 0000000000..4da67e8cdd
Binary files /dev/null and b/education/windows/images/connect-ad.png differ
diff --git a/education/windows/images/crossmark.png b/education/windows/images/crossmark.png
new file mode 100644
index 0000000000..69432ff71c
Binary files /dev/null and b/education/windows/images/crossmark.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig1.png b/education/windows/images/edu-districtdeploy-fig1.png
new file mode 100644
index 0000000000..a9ed962f95
Binary files /dev/null and b/education/windows/images/edu-districtdeploy-fig1.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig2.png b/education/windows/images/edu-districtdeploy-fig2.png
new file mode 100644
index 0000000000..3838c18153
Binary files /dev/null and b/education/windows/images/edu-districtdeploy-fig2.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig3.png b/education/windows/images/edu-districtdeploy-fig3.png
new file mode 100644
index 0000000000..0227f8dbaa
Binary files /dev/null and b/education/windows/images/edu-districtdeploy-fig3.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig4.png b/education/windows/images/edu-districtdeploy-fig4.png
new file mode 100644
index 0000000000..c55ee20d47
Binary files /dev/null and b/education/windows/images/edu-districtdeploy-fig4.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig5.png b/education/windows/images/edu-districtdeploy-fig5.png
new file mode 100644
index 0000000000..09552a448a
Binary files /dev/null and b/education/windows/images/edu-districtdeploy-fig5.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig6.png b/education/windows/images/edu-districtdeploy-fig6.png
new file mode 100644
index 0000000000..550386f1ce
Binary files /dev/null and b/education/windows/images/edu-districtdeploy-fig6.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig7.png b/education/windows/images/edu-districtdeploy-fig7.png
new file mode 100644
index 0000000000..09552a448a
Binary files /dev/null and b/education/windows/images/edu-districtdeploy-fig7.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig8.png b/education/windows/images/edu-districtdeploy-fig8.png
new file mode 100644
index 0000000000..8e7581007a
Binary files /dev/null and b/education/windows/images/edu-districtdeploy-fig8.png differ
diff --git a/education/windows/images/icd-adv-shared-pc.PNG b/education/windows/images/icd-adv-shared-pc.PNG
new file mode 100644
index 0000000000..a8da5fa78a
Binary files /dev/null and b/education/windows/images/icd-adv-shared-pc.PNG differ
diff --git a/education/windows/images/icd-school-adv-edit.png b/education/windows/images/icd-school-adv-edit.png
new file mode 100644
index 0000000000..16843cc010
Binary files /dev/null and b/education/windows/images/icd-school-adv-edit.png differ
diff --git a/education/windows/images/icd-school.PNG b/education/windows/images/icd-school.PNG
new file mode 100644
index 0000000000..e6a944a193
Binary files /dev/null and b/education/windows/images/icd-school.PNG differ
diff --git a/education/windows/images/icd-simple.PNG b/education/windows/images/icd-simple.PNG
new file mode 100644
index 0000000000..7ae8a1728b
Binary files /dev/null and b/education/windows/images/icd-simple.PNG differ
diff --git a/education/windows/images/icdbrowse.png b/education/windows/images/icdbrowse.png
new file mode 100644
index 0000000000..53c91074c7
Binary files /dev/null and b/education/windows/images/icdbrowse.png differ
diff --git a/education/windows/images/privacy-contacts-marked.png b/education/windows/images/privacy-contacts-marked.png
new file mode 100644
index 0000000000..54a3116408
Binary files /dev/null and b/education/windows/images/privacy-contacts-marked.png differ
diff --git a/education/windows/images/settings-contacts-app-marked.png b/education/windows/images/settings-contacts-app-marked.png
new file mode 100644
index 0000000000..94523f1b36
Binary files /dev/null and b/education/windows/images/settings-contacts-app-marked.png differ
diff --git a/education/windows/images/settings-privacy-marked.png b/education/windows/images/settings-privacy-marked.png
new file mode 100644
index 0000000000..513e9b1afc
Binary files /dev/null and b/education/windows/images/settings-privacy-marked.png differ
diff --git a/education/windows/images/setup-options.png b/education/windows/images/setup-options.png
new file mode 100644
index 0000000000..07d29576a0
Binary files /dev/null and b/education/windows/images/setup-options.png differ
diff --git a/education/windows/images/skype-manage-profile-pic.png b/education/windows/images/skype-manage-profile-pic.png
new file mode 100644
index 0000000000..4133ac9c60
Binary files /dev/null and b/education/windows/images/skype-manage-profile-pic.png differ
diff --git a/education/windows/images/skype-profile-icon.png b/education/windows/images/skype-profile-icon.png
new file mode 100644
index 0000000000..7ccaaea693
Binary files /dev/null and b/education/windows/images/skype-profile-icon.png differ
diff --git a/education/windows/images/uwp-dependencies.PNG b/education/windows/images/uwp-dependencies.PNG
new file mode 100644
index 0000000000..4e2563169f
Binary files /dev/null and b/education/windows/images/uwp-dependencies.PNG differ
diff --git a/education/windows/images/uwp-family.PNG b/education/windows/images/uwp-family.PNG
new file mode 100644
index 0000000000..bec731eec4
Binary files /dev/null and b/education/windows/images/uwp-family.PNG differ
diff --git a/education/windows/images/uwp-license.PNG b/education/windows/images/uwp-license.PNG
new file mode 100644
index 0000000000..ccb5cf7cf4
Binary files /dev/null and b/education/windows/images/uwp-license.PNG differ
diff --git a/education/windows/index.md b/education/windows/index.md
index 7d914b1ed4..6e20c83aae 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -17,11 +17,13 @@ author: jdeckerMS |Topic |Description | |------|------------| -| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | Learn how the Set up School PCs app works and how to use it. | -| [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) | See the changes that the Set up School PCs app makes to a PC. | +| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. | +| [Provisioning options for Windows 10](set-up-windows-10.md) | Learn about your options for setting up Windows 10. | | [Get Minecraft Education Edition](get-minecraft-for-education.md) | Learn how to get early access to **Minecraft Education Edition**. | | [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 | -| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. | +| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. | +| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in a school. 
| +| [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) |Learn how to deploy Windows 10 in a school district.| | [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. | ## Related topics diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 16ad861b5d..6fdf7e3da3 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -9,15 +9,14 @@ ms.pagetype: edu author: jdeckerMS --- -# Technical reference for the Set up School PCs app (Preview) +# Technical reference for the Set up School PCs app **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] -The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic. +The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic. If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. 
@@ -91,7 +90,6 @@ The **Set up School PCs** app produces a specialized provisioning package that m - Saving content locally to the PC is disabled. This prevents data loss by forcing students to save to the cloud. - A custom Start layout and sign in background image are set. -- Prohibits Microsoft Accounts (MSAs) from being created. - Prohibits unlocking the PC to developer mode. - Prohibits untrusted Windows Store apps from being installed. - Prohibits students from removing MDM. @@ -243,7 +241,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m

    Windows Settings > Security Settings > Local Policies > Security Options

    -

    Accounts: Block Microsoft accounts

    Enabled

    +

    Accounts: Block Microsoft accounts

    **Note** Microsoft accounts can still be used in apps.

    Enabled

    Interactive logon: Do not display last user name

    Enabled

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md
new file mode 100644
index 0000000000..90829321ad
--- /dev/null
+++ b/education/windows/set-up-students-pcs-to-join-domain.md
@@ -0,0 +1,93 @@
+---
+title: Set up student PCs to join domain
+description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
+keywords: ["shared cart", "shared PC", "school"]
+ms.prod: W10
+ms.mktglfcycl: plan
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Set up student PCs to join domain
+**Applies to:**
+
+- Windows 10
+
+If your school uses Active Directory, use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package that will configure a PC for student use that is joined to the Active Directory domain. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+## Create the provisioning package
+
+1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+
+2. Click **Provision school devices**.
+
+ ![Provision school devices](images/icdstart-option.png)
+
+3. Name your project and click **Finish**. The screens for school provisioning will walk you through the following steps.
+
+ ![Wizard for school provisioning](images/icd-school.png)
+
+4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length.
+
+5. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to.
+ - Home to Education
+ - Pro to Education
+ - Pro to Enterprise
+ - Enterprise to Education
+
+6. Click **Set up network**.
+
+7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network.
+
+8. 
Click **Enroll into Active Directory**.
+
+9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account.
+
+ > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend:
+ - Use a least-privileged domain account to join the device to the domain.
+ - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
+ - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
+
+10. Click **Set up school settings**.
+
+11. Toggle **Yes** or **No** to configure the PC for shared use.
+
+12. (Optional) Toggle **Yes** or **No** to configure the PC for secure testing. If you select **Yes**, you must also enter the test account to be used and the URL for the test. If you don't configure the test account and URL in this provisioning package, you can do so after the PC is configured; for more information, see [Take tests in Windows 10](take-tests-in-windows-10.md).
+
+10. Click **Finish**.
+
+11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
+
+12. Click **Create**.
+
+13. You will see the file path for your provisioning package (by default, %windir%\Users\*your alias*\Windows Imaging and Configuration Designer (WICD)\*Project name*). 
Copy the provisioning package to a USB drive.
+
+> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+## Apply package
+
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+ ![The first screen to set up a new PC](images/oobe.jpg)
+
+2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+ ![Set up device?](images/setupmsg.jpg)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+ ![Provision this device](images/prov.jpg)
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+ ![Choose a package](images/choose-package-icd.png)
+
+5. Select **Yes, add it**.
+
+ ![Do you trust this package?](images/trust-package.png)
+
+When you see the progress ring, you can remove the USB drive.
+
+
+
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
new file mode 100644
index 0000000000..9d3f8be882
--- /dev/null
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -0,0 +1,217 @@
+---
+title: Provision student PCs with apps
+description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
+keywords: ["shared cart", "shared PC", "school"]
+ms.prod: W10
+ms.mktglfcycl: plan
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Provision student PCs with apps
+**Applies to:**
+
+- Windows 10
+
+
+This topic explains how to create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
+
+You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
+
+If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Add apps to a provisioning package](#add-apps-to-a-provisioning-package). If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md), and then follow the steps in [Create a provisioning package to add apps after initial setup](#create-a-provisioning-package-to-add-apps-after-initial-setup).
+
+## Add apps to a provisioning package
+
+1. Follow the steps to [create the provisioning package](set-up-students-pcs-to-join-domain.md#create-the-provisioning-package).
+
+2. On the **Finish** page, select **Switch to advanced editor**. 
+
+ ![Switch to advanced editor](images/icd-school-adv-edit.png)
+
+**Next steps**
+- [Add a desktop app to your package](#add-a-desktop-app-to-your-package)
+- [Add a universal app to your package](#add-a-universal-app-to-your-package)
+- [Build your package](#build-your-package)
+- [Apply the provisioning package to a PC](#apply-package)
+
+
+## Create a provisioning package to add apps after initial setup
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
+
+1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+
+2. Click **Advanced provisioning**.
+
+ ![ICD start options](images/icdstart-option.png)
+
+3. Name your project and click **Next**.
+
+3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
+
+**Next steps**
+- [Add a desktop app to your package](#add-a-desktop-app-to-your-package)
+- [Add a universal app to your package](#add-a-universal-app-to-your-package)
+- [Build your package](#build-your-package)
+- [Apply the provisioning package to a PC](#apply-package)
+
+
+## Add a desktop app to your package
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**.
+
+2. Add all the files required for the app install, including the data files and the installer.
+
+3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. 
Note that the install must execute silently (without displaying any UI). For MSI installers use, the msiexec /quiet option.
+
+> **Note**: If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703295%28v=vs.85%29.aspx).
+
+**Next steps**
+- (optional) [Add a universal app to your package](#add-a-universal-app-to-your-package)
+- [Build your package](#build-your-package)
+- [Apply the provisioning package to a PC](#apply-package)
+
+## Add a universal app to your package
+
+Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
+
+2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page.
+
+ ![details for offline app package](images/uwp-family.png)
+
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
+
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. 
+ + ![required frameworks for offline app package](images/uwp-dependencies.png) + +5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Windows Store for Business, you generate the license for the app on the app's download page. + + ![generate license for offline app](images/uwp-license.png) + +[Learn more about distributing offline apps from the Windows Store for Business.](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps) + +> **Note:** Removing a provisioning package will not remove any apps installed by device context in that provisioning package. + +**Next steps** +- (optional) [Add a desktop app to your package](#add-a-desktop-app-to-your-package) +- [Build your package](#build-your-package) +- [Apply the provisioning package to a PC](#apply-package) + +## Build your package + +1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. + +2. Read the warning that project files may contain sensitive information, and click **OK**. +> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +3. On the **Export** menu, click **Provisioning package**. + +1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +10. Set a value for **Package Version**. + + **Tip**   + You can make changes to existing packages and change the version number to update previously applied packages. + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. 
+ + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + + **Important**   + We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  + +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

    +Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

    +If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

    +If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: + + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) + + +**Next step** +- [Apply the provisioning package to a PC](#apply-package) + +## Apply package + +**During initial setup, from a USB drive** +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + + ![The first screen to set up a new PC](images/oobe.jpg) + +2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + + ![Set up device?](images/setupmsg.jpg) + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + + ![Provision this device](images/prov.jpg) + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + + ![Choose a package](images/choose-package.png) + +5. Select **Yes, add it**. + + ![Do you trust this package?](images/trust-package.png) + +6. Read and accept the Microsoft Software License Terms. + + ![Sign in](images/license-terms.png) + +7. Select **Use Express settings**. + + ![Get going fast](images/express-settings.png) + +8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. 
Select **My work or school owns it** and tap **Next**. + + ![Who owns this PC?](images/who-owns-pc.png) + +9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. + + ![Connect to Azure AD](images/connect-aad.png) + +10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. + + ![Sign in](images/sign-in-prov.png) + + +**After setup, from a USB drive, network folder, or SharePoint site** + +On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install. + +![add a package option](images/package.png) + + + +## Learn more + +- [Develop Universal Windows Education apps](https://msdn.microsoft.com/windows/uwp/apps-for-education/index) + +- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) +  + diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md new file mode 100644 index 0000000000..fe7767a997 --- /dev/null +++ b/education/windows/set-up-windows-10.md 
@@ -0,0 +1,37 @@
+---
+title: Provisioning options for Windows 10
+description: Decide which option for setting up Windows 10 is right for you.
+keywords: shared cart, shared PC, school
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.pagetype: edu
+author: jdeckerMS
+---
+
+# Provisioning options for Windows 10
+**Applies to:**
+
+- Windows 10
+
+You have two tools to choose from to set up PCs for your classroom: **Set up School PCs** app and the **Provision school devices** option in Windows Imaging and Configuration Designer (ICD). Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account). The following diagram compares the tools.
+
+![Which tool to use to set up Windows 10](images/setup-options.png)
+
+
+## In this section
+
+- [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md)
+- [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md)
+- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
+- [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
+
+
+## Related topics
+
+[Take tests in Windows 10](take-tests-in-windows-10.md)
+
+[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
+
+
+
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index d10f638e00..7e3ed9ca0b 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -9,13 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Take a Test app technical reference (Preview) +# Take a Test app technical reference **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] Take a Test is an app that locks down the PC and displays an online assessment web page. @@ -32,7 +31,9 @@ When running above the lock screen: - The hardware print screen button is disabled -- Content within the app will show up as black in screen capturing/sharing software Copy/paste is disabled +- Content within the app will show up as black in screen capturing/sharing software + +- System clipboard is cleared - Web apps can query the processes currently running in the user’s device @@ -79,5 +80,7 @@ When Take a Test is running, the following functionality is available to student - Alt+F4 (**Take a Test** will restart if the student is using a dedicated test account) +## Learn more +[Take a Test API](https://msdn.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api) diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index d0d6052781..0110e7d52c 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md 
@@ -9,14 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Set up Take a Test on multiple PCs (Preview) +# Set up Take a Test on multiple PCs **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - A Microsoft Edge browser window opens, showing just the test and nothing else. diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index fece24bac1..7c05de544c 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -9,14 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Set up Take a Test on a single PC (Preview) +# Set up Take a Test on a single PC **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - A Microsoft Edge browser window opens, showing just the test and nothing else. diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index c0de33cc5b..6bf51bf7b2 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md 
@@ -9,14 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Take tests in Windows 10 (Preview) +# Take tests in Windows 10 **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - **Take a Test** shows just the test and nothing else. diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 97f0a04fcb..788c6dd819 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -9,13 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Use the Set up School PCs app (Preview) +# Use the Set up School PCs app **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md new file mode 100644 index 0000000000..9eccc9be96 --- /dev/null +++ b/education/windows/windows-editions-for-education-customers.md 
@@ -0,0 +1,54 @@ +--- +title: Windows 10 editions for education customers +description: Provides an overview of the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions. +keywords: Windows 10 Pro Education, Windows 10 Education, Windows 10 editions, education customers +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: CelesteDG +--- + +# Windows 10 editions for education customers +**Applies to:** + +- Windows 10 + +Windows 10 Anniversary Update (Windows 10, version 1607) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](http://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](http://go.microsoft.com/fwlink/?LinkId=822620). + +Windows 10, version 1607 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](http://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](http://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information about Windows 10, version 1607 on [windows.com](http://www.windows.com/). 
+ +Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments. + +## Windows 10 Pro Education + +Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings, including the removal of Cortana1. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](http://go.microsoft.com/fwlink/?LinkId=822627). + +Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future). + +Existing devices running Windows 10 Pro, currently activated with the original OEM digital product key and purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future), will upgrade automatically to Windows 10 Pro Education as part of the Windows 10, version 1607 installation. + +Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), available at a later date. + +Customers that deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. 
More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](http://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](http://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment. + +## Windows 10 Education + +Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings, including the removal of Cortana1. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](http://go.microsoft.com/fwlink/?LinkId=822627). + +Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you do not have access to Windows 10 Education, contact your Microsoft representative or see more information [here](http://go.microsoft.com/fwlink/?LinkId=822628). + +Customers that deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](http://go.microsoft.com/fwlink/?LinkId=822627). 
We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](http://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment. + +For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us). + +## Related topics +* [Windows deployment for education](http://aka.ms/edudeploy) +* [Windows 10 upgrade paths](http://go.microsoft.com/fwlink/?LinkId=822787) +* [Volume Activation for Windows 10](http://go.microsoft.com/fwlink/?LinkId=822788) +* [Plan for volume activation](http://go.microsoft.com/fwlink/?LinkId=822789) + + + + +1 Cortana available in select markets; experience may vary by region and device. Cortana is disabled in the Windows 10 Pro Education and Windows 10 Education editions. diff --git a/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md b/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md index bea4eef51e..724ad604c8 100644 --- a/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md +++ b/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md @@ -81,6 +81,7 @@ UE-V settings location templates cannot be created from virtualized applications - Windows operating system files that are located in %Systemroot% If registry keys and files that are stored in excluded locations are required to synchronize application settings, you can manually add the locations to the settings location template during the template creation process. +However, only changes to the HKEY\_CURRENT\_USER hive will be sync-ed. ### Replace the default Microsoft templates diff --git a/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md b/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md index 04136b1e89..d0fe551e08 100644 --- a/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md 
+++ b/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md @@ -49,7 +49,8 @@ The UE-V Generator excludes locations, which commonly store application software - Windows operating system files that are located in %Systemroot%, which requires administrator rights and might require to set a UAC agreement -If registry keys and files that are stored in these locations are required to synchronize application settings, you can manually add the excluded locations to the settings location template during the template creation process. +If registry keys and files that are stored in these locations are required to synchronize application settings, you can manually add the excluded locations to the settings location template during the template creation process + (except for registry entries in the HKEY\_LOCAL\_MACHINE hive). ## Edit Settings Location Templates with the UE-V Generator diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index a6d2e9d108..d75bd0ebe8 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md 
@@ -1,5 +1,15 @@ # [Deploy Windows 10](index.md) ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) +## [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) +### [Upgrade Analytics architecture](upgrade-analytics-architecture.md) +### [Upgrade Analytics requirements](upgrade-analytics-requirements.md) +### [Upgrade Analytics release notes](upgrade-analytics-release-notes.md) +### [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) +### [Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md) +#### [Prepare your environment](upgrade-analytics-prepare-your-environment.md) +#### [Resolve application and driver issues](upgrade-analytics-resolve-issues.md) +#### [Deploy Windows](upgrade-analytics-deploy-windows.md) +### [Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md) ## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) ### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) #### [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md) 
@@ -37,8 +47,10 @@ ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) ## [Windows 10 upgrade paths](windows-10-upgrade-paths.md) ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md) +## [Provisioning packages for Windows 10](provisioning-packages.md) +### [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) +### [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md) -## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) ## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) ## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md) ## [Volume Activation [client]](volume-activation-windows-10.md) diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md index dbf9a5a617..cd91b2b614 100644 --- a/windows/deploy/activate-using-active-directory-based-activation-client.md +++ b/windows/deploy/activate-using-active-directory-based-activation-client.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: greg-lindsay +localizationpriority: medium --- # Activate using Active Directory-based activation diff --git a/windows/deploy/activate-using-key-management-service-vamt.md b/windows/deploy/activate-using-key-management-service-vamt.md index 9681860156..3fc787f902 100644 --- a/windows/deploy/activate-using-key-management-service-vamt.md +++ b/windows/deploy/activate-using-key-management-service-vamt.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Activate using Key Management Service 
diff --git a/windows/deploy/activate-windows-10-clients-vamt.md b/windows/deploy/activate-windows-10-clients-vamt.md index 2d77f355dc..c110f8233c 100644 --- a/windows/deploy/activate-windows-10-clients-vamt.md +++ b/windows/deploy/activate-windows-10-clients-vamt.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Activate clients running Windows 10 diff --git a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md index 39133a9d8c..bcf9e7aa13 100644 --- a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Appendix: Information sent to Microsoft during activation **Applies to** diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index 3276e429b0..3d0e742f97 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md 
@@ -11,6 +11,19 @@ author: greg-lindsay # Change history for Deploy Windows 10 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## RELEASE: Windows 10, version 1607 + +The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: + +- [Provisioning packages for Windows 10](provisioning-packages.md) +- [Provision PCs with apps and certificates for initial deployment](provision-pcs-with-apps-and-certificates.md) +- [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) + +## July 2016 +| New or changed topic | Description | +|----------------------|-------------| +| [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) | New | + ## June 2016 | New or changed topic | Description | |----------------------|-------------| @@ -39,12 +52,3 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc - [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md) - [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) - [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md) - -  - -  - - - - - diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md index e5c6db8bda..61bc2e47c8 100644 --- a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md 
@@ -59,6 +59,8 @@ All four of the roles specified above can be hosted on the same computer or each ``` Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount ``` + Verify that "The operation completed successfully" is displayed. Note: To view currently mounted images, type **dism /get-MountedWiminfo**. + 5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of **\\\PXE-1\TFTPRoot**: ``` @@ -66,7 +68,7 @@ All four of the roles specified above can be hosted on the same computer or each y: md boot ``` -6. Copy the PXE boot files from the mounted directory to the \Boot folder. For example: +6. Copy the PXE boot files from the mounted directory to the \boot folder. For example: ``` copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\boot @@ -76,11 +78,16 @@ All four of the roles specified above can be hosted on the same computer or each ``` copy C:\winpe_amd64\media\boot\boot.sdi y:\boot ``` -8. Copy the bootable Windows PE image (boot.wim) to the \Boot folder. +8. Copy the bootable Windows PE image (boot.wim) to the \boot folder. ``` copy C:\winpe_amd64\media\sources\boot.wim y:\boot ``` +9. (Optional) Copy true type fonts to the \boot folder + + ``` + copy C:\winpe_amd64\media\Boot\Fonts y:\boot\Fonts + ``` ## Step 2: Configure boot settings and copy the BCD file 
@@ -93,29 +100,37 @@ All four of the roles specified above can be hosted on the same computer or each ``` bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" - bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice partition=C: - bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \winpe_amd64\media\boot\boot.sdi + bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot + bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \boot\boot.sdi + bcdedit /store c:\BCD /create /d "winpe boot image" /application osloader ``` + The last command will return a GUID, for example: + ``` + The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created. + ``` + Copy this GUID for use in the next set of commands. In each command shown, replace "GUID1" with your GUID. + 3. Create a new boot application entry for the Windows PE image: ``` - bcdedit /store c:\BCD /set {GUID1} device ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} + bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe - bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} + bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} bcdedit /store c:\BCD /set {GUID1} systemroot \windows bcdedit /store c:\BCD /set {GUID1} detecthal Yes bcdedit /store c:\BCD /set {GUID1} winpe Yes ``` -4. Configure BOOTMGR settings: +4. Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID): ``` + bcdedit /store c:\BCD /create {bootmgr} /d "boot manager" bcdedit /store c:\BCD /set {bootmgr} timeout 30 bcdedit /store c:\BCD -displayorder {GUID1} -addlast ``` 5. Copy the BCD file to your TFTP server: ``` - copy c:\BCD \\PXE-1\TFTPRoot\Boot + copy c:\BCD \\PXE-1\TFTPRoot\boot\BCD ``` Your PXE/TFTP server is now configured. 
You can view the BCD settings that have been configured using the command bcdedit /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below. @@ -151,10 +166,11 @@ ramdisksdipath \boot\boot.sdi The following summarizes the PXE client boot process. -1. A client is directed by DHCP options 066 and 067 to download boot\\wdsnbp.com from the TFTP server. -2. Wdsnbp.com validates the DHCP/PXE response packet and then the client downloads boot\\pxeboot.com. -3. Pxeboot.com requires the client to press the F12 key to initiate a PXE boot. -4. The client downloads boot\\bootmgr.exe and the boot\\BCD file from the TFTP server. Note: The BCD store must reside in the \\boot directory on the TFTP server and must be named BCD. +>The following assumes that you have configured DHCP option 67 (Bootfile Name) to "boot\PXEboot.n12" which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](https://technet.microsoft.com/en-us/library/cc732351.aspx). + +1. A client is directed by DHCP options 066 and 067 to download boot\\PXEboot.n12 from the TFTP server. +2. PXEboot.n12 immediately begins a network boot. +3. The client downloads boot\\bootmgr.exe and the boot\\BCD file from the TFTP server. Note: The BCD store must reside in the \\boot directory on the TFTP server and must be named BCD. 5. Bootmgr.exe reads the BCD operating system entries and downloads boot\\boot.sdi and the Windows PE image (boot\\boot.wim). Optional files that can also be downloaded include true type fonts (boot\\Fonts\\wgl4\_boot.ttf) and the hibernation state file (\\hiberfil.sys) if these files are present. 6. Bootmgr.exe starts Windows PE by calling winload.exe within the Windows PE image. 7. Windows PE loads, a command prompt opens and wpeinit.exe is run to initialize Windows PE. 
diff --git a/windows/deploy/images/ICD.png b/windows/deploy/images/ICD.png
new file mode 100644
index 0000000000..9cfcb845df
Binary files /dev/null and b/windows/deploy/images/ICD.png differ
diff --git a/windows/deploy/images/ICDstart-option.PNG b/windows/deploy/images/ICDstart-option.PNG
new file mode 100644
index 0000000000..1ba49bb261
Binary files /dev/null and b/windows/deploy/images/ICDstart-option.PNG differ
diff --git a/windows/deploy/images/adk-install.png b/windows/deploy/images/adk-install.png
new file mode 100644
index 0000000000..c087d3bae5
Binary files /dev/null and b/windows/deploy/images/adk-install.png differ
diff --git a/windows/deploy/images/check_blu.png b/windows/deploy/images/check_blu.png
new file mode 100644
index 0000000000..d5c703760f
Binary files /dev/null and b/windows/deploy/images/check_blu.png differ
diff --git a/windows/deploy/images/checkmark.png b/windows/deploy/images/checkmark.png
index 04cc421e12..f9f04cd6bd 100644
Binary files a/windows/deploy/images/checkmark.png and b/windows/deploy/images/checkmark.png differ
diff --git a/windows/deploy/images/choose-package.png b/windows/deploy/images/choose-package.png
new file mode 100644
index 0000000000..2bf7a18648
Binary files /dev/null and b/windows/deploy/images/choose-package.png differ
diff --git a/windows/deploy/images/connect-aad.png b/windows/deploy/images/connect-aad.png
new file mode 100644
index 0000000000..8583866165
Binary files /dev/null and b/windows/deploy/images/connect-aad.png differ
diff --git a/windows/deploy/images/crossmark.png b/windows/deploy/images/crossmark.png
index 2b267dc802..69432ff71c 100644
Binary files a/windows/deploy/images/crossmark.png and b/windows/deploy/images/crossmark.png differ
diff --git a/windows/deploy/images/express-settings.png b/windows/deploy/images/express-settings.png
new file mode 100644
index 0000000000..99e9c4825a
Binary files /dev/null and b/windows/deploy/images/express-settings.png differ
diff --git a/windows/deploy/images/icd-simple-edit.png b/windows/deploy/images/icd-simple-edit.png
new file mode 100644
index 0000000000..3608dc18f3
Binary files /dev/null and b/windows/deploy/images/icd-simple-edit.png differ
diff --git a/windows/deploy/images/icd-simple.PNG b/windows/deploy/images/icd-simple.PNG
new file mode 100644
index 0000000000..7ae8a1728b
Binary files /dev/null and b/windows/deploy/images/icd-simple.PNG differ
diff --git a/windows/deploy/images/license-terms.png b/windows/deploy/images/license-terms.png
new file mode 100644
index 0000000000..8dd34b0a18
Binary files /dev/null and b/windows/deploy/images/license-terms.png differ
diff --git a/windows/deploy/images/oobe.jpg b/windows/deploy/images/oobe.jpg
new file mode 100644
index 0000000000..53a5dab6bf
Binary files /dev/null and b/windows/deploy/images/oobe.jpg differ
diff --git a/windows/deploy/images/package.png b/windows/deploy/images/package.png
new file mode 100644
index 0000000000..f5e975e3e9
Binary files /dev/null and b/windows/deploy/images/package.png differ
diff --git a/windows/deploy/images/prov.jpg b/windows/deploy/images/prov.jpg
new file mode 100644
index 0000000000..1593ccb36b
Binary files /dev/null and b/windows/deploy/images/prov.jpg differ
diff --git a/windows/deploy/images/setupmsg.jpg b/windows/deploy/images/setupmsg.jpg
new file mode 100644
index 0000000000..12935483c5
Binary files /dev/null and b/windows/deploy/images/setupmsg.jpg differ
diff --git a/windows/deploy/images/sign-in-prov.png b/windows/deploy/images/sign-in-prov.png
new file mode 100644
index 0000000000..55c9276203
Binary files /dev/null and b/windows/deploy/images/sign-in-prov.png differ
diff --git a/windows/deploy/images/trust-package.png b/windows/deploy/images/trust-package.png
new file mode 100644
index 0000000000..8a293ea4da
Binary files /dev/null and b/windows/deploy/images/trust-package.png differ
diff --git a/windows/deploy/images/upgrade-analytics-apps-known-issues.png b/windows/deploy/images/upgrade-analytics-apps-known-issues.png
new file mode 100644
index 0000000000..ec99ac92cf
Binary files /dev/null and b/windows/deploy/images/upgrade-analytics-apps-known-issues.png differ
diff --git a/windows/deploy/images/upgrade-analytics-apps-no-known-issues.png b/windows/deploy/images/upgrade-analytics-apps-no-known-issues.png
new file mode 100644
index 0000000000..9fb09ffd65
Binary files /dev/null and b/windows/deploy/images/upgrade-analytics-apps-no-known-issues.png differ
diff --git a/windows/deploy/images/upgrade-analytics-architecture.png b/windows/deploy/images/upgrade-analytics-architecture.png
new file mode 100644
index 0000000000..93d3acba0b
Binary files /dev/null and b/windows/deploy/images/upgrade-analytics-architecture.png differ
diff --git a/windows/deploy/images/upgrade-analytics-deploy-eligible.png b/windows/deploy/images/upgrade-analytics-deploy-eligible.png
new file mode 100644
index 0000000000..8da91cebc4
Binary files /dev/null and b/windows/deploy/images/upgrade-analytics-deploy-eligible.png differ
diff --git a/windows/deploy/images/upgrade-analytics-drivers-known.png b/windows/deploy/images/upgrade-analytics-drivers-known.png
new file mode 100644
index 0000000000..35d61f87c7
Binary files /dev/null and b/windows/deploy/images/upgrade-analytics-drivers-known.png differ
diff --git a/windows/deploy/images/upgrade-analytics-overview.png b/windows/deploy/images/upgrade-analytics-overview.png
new file mode 100644
index 0000000000..ba02ee0a8c
Binary files /dev/null and b/windows/deploy/images/upgrade-analytics-overview.png differ
diff --git a/windows/deploy/images/upgrade-analytics-pilot.png b/windows/deploy/images/upgrade-analytics-pilot.png
new file mode 100644
index 0000000000..1c1de328ea
Binary files /dev/null and b/windows/deploy/images/upgrade-analytics-pilot.png differ
diff --git a/windows/deploy/images/upgrade-analytics-prioritize.png b/windows/deploy/images/upgrade-analytics-prioritize.png
new file mode 100644
index 0000000000..d6227694c1
Binary files /dev/null and b/windows/deploy/images/upgrade-analytics-prioritize.png differ
diff --git a/windows/deploy/images/upgrade-analytics-telemetry.png b/windows/deploy/images/upgrade-analytics-telemetry.png
new file mode 100644
index 0000000000..bf60935616
Binary files /dev/null and b/windows/deploy/images/upgrade-analytics-telemetry.png differ
diff --git a/windows/deploy/images/uwp-dependencies.PNG b/windows/deploy/images/uwp-dependencies.PNG
new file mode 100644
index 0000000000..4e2563169f
Binary files /dev/null and b/windows/deploy/images/uwp-dependencies.PNG differ
diff --git a/windows/deploy/images/uwp-family.PNG b/windows/deploy/images/uwp-family.PNG
new file mode 100644
index 0000000000..bec731eec4
Binary files /dev/null and b/windows/deploy/images/uwp-family.PNG differ
diff --git a/windows/deploy/images/uwp-license.PNG b/windows/deploy/images/uwp-license.PNG
new file mode 100644
index 0000000000..ccb5cf7cf4
Binary files /dev/null and b/windows/deploy/images/uwp-license.PNG differ
diff --git a/windows/deploy/images/who-owns-pc.png b/windows/deploy/images/who-owns-pc.png
new file mode 100644
index 0000000000..d3ce1def8d
Binary files /dev/null and b/windows/deploy/images/who-owns-pc.png differ
diff --git a/windows/deploy/index.md b/windows/deploy/index.md
index d4254111b1..504b8b4dc8 100644
--- a/windows/deploy/index.md
+++ b/windows/deploy/index.md
@@ -15,21 +15,23 @@ Learn about deploying Windows 10 for IT professionals. |Topic |Description | |------|------------| -|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. | +|[Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) |With Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. | |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. 
This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. | |[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. | |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. | |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | +| [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) | Create a provisioning package to apply commonly used settings to a PC running Windows 10. | +| [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) | Create a provisioning package to add apps and certificates to a PC running Windows 10. | |[Windows 10 upgrade paths](windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. 
| |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | -|[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. | |[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. | |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) |Sideload line-of-business apps in Windows 10. | |[Volume Activation [client]](volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. | |[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. | +|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | ## Related topics - [Windows 10 and Windows 10 Mobile](../index.md) diff --git a/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md b/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md new file mode 100644 index 0000000000..d2688e82f5 
--- /dev/null
+++ b/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md
@@ -0,0 +1,57 @@
+---
+title: Manage Windows upgrades with Upgrade Analytics (Windows 10)
+description: Provides an overview of the process of managing Windows upgrades with Upgrade Analytics.
+ms.prod: w10
+author: MaggiePucciEvans
+---
+
+# Manage Windows upgrades with Upgrade Analytics
+
+Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
+
+With the release of Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released.
+
+Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
+
+With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+
+Use Upgrade Analytics to get:
+
+- A visual workflow that guides you from pilot to production
+
+- Detailed computer and application inventory
+
+- Powerful computer level search and drill-downs
+
+- Guidance and insights into application and driver compatibility issues, with suggested fixes
+
+- Data driven application rationalization tools
+
+- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
+
+- Data export to commonly used software deployment tools, including System Center Configuration Manager
+
+The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
+
+**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
+
+- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
+
+- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+
+- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](http://go.microsoft.com/fwlink/?LinkID=822965)
+
+##**Related topics**
+
+[Upgrade Analytics architecture](upgrade-analytics-architecture.md)
+
+[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
+
+[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
+
+[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
+
+[Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md)
+
+[Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
+
diff --git a/windows/deploy/monitor-activation-client.md b/windows/deploy/monitor-activation-client.md
index 26c8257cc3..5b49e544c2 100644
--- a/windows/deploy/monitor-activation-client.md
+++ b/windows/deploy/monitor-activation-client.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: greg-lindsay
+localizationpriority: medium
 ---
 
 # Monitor activation
diff --git a/windows/deploy/plan-for-volume-activation-client.md b/windows/deploy/plan-for-volume-activation-client.md
index d5ed360f3e..3e4a114155 100644
--- a/windows/deploy/plan-for-volume-activation-client.md
+++ b/windows/deploy/plan-for-volume-activation-client.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
+localizationpriority: medium
 ---
 
 # Plan for volume activation
diff --git a/windows/deploy/provision-pcs-for-initial-deployment.md b/windows/deploy/provision-pcs-for-initial-deployment.md
new file mode 100644
index 0000000000..d3692b2073
--- /dev/null
+++ b/windows/deploy/provision-pcs-for-initial-deployment.md
@@ -0,0 +1,133 @@
+---
+title: Provision PCs with common settings (Windows 10)
+description: Create a provisioning package to apply common settings to a PC running Windows 10.
+ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
+keywords: ["runtime provisioning", "provisioning package"]
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Provision PCs with common settings for initial deployment (simple provisioning)
+
+
+**Applies to**
+
+- Windows 10
+
+This topic explains how to create and apply a simple provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home.
+
+You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
+
+## Advantages
+- You can configure new devices without reimaging.
+
+- Works on both mobile and desktop devices.
+
+- No network connectivity required.
+
+- Simple to apply.
+
+[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md)
+
+## What does simple provisioning do?
+
+In a simple provisioning package, you can configure:
+
+- Device name
+- Upgraded product edition
+- Wi-Fi network
+- Active Directory enrollment
+- Local administrator account
+
+Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. To learn about provisioning packages that include more than the settings in a simple provisioning package, see [Provision PCs with apps and certificates](provision-pcs-with-apps-and-certificates.md).
+
+> [!TIP]
+> Use simple provisioning to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
+
+![open advanced editor](images/icd-simple-edit.png)
+
+## Create the provisioning package
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+
+2. Click **Simple provisioning**.
+
+ ![ICD start options](images/icdstart-option.png)
+
+3. Name your project and click **Finish**. The screens for simple provisioning will walk you through the following steps.
+
+ ![ICD simple provisioning](images/icd-simple.png)
+
+4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length.
+
+5. (*Optional*) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to.
+ - Pro to Education
+ - Pro to Enterprise
+ - Enterprise to Education
+
+6. Click **Set up network**.
+
+7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network.
+
+8. Click **Enroll into Active Directory**.
+
+9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (*Optional*) Enter a user name and password to create a local administrator account.
+
+ > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend:
+ - Use a least-privileged domain account to join the device to the domain.
+ - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
+ - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
+
+10. Click **Finish**.
+
+11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
+
+12. Click **Create**.
+
+> [!IMPORTANT]
+> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+## Apply package
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+ ![The first screen to set up a new PC](images/oobe.jpg)
+
+2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+ ![Set up device?](images/setupmsg.jpg)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+ ![Provision this device](images/prov.jpg)
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+ ![Choose a package](images/choose-package.png)
+
+5. 
Select **Yes, add it**. + + ![Do you trust this package?](images/trust-package.png) + + + +## Learn more +- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) + +  + +  + + + + + diff --git a/windows/deploy/provision-pcs-with-apps-and-certificates.md b/windows/deploy/provision-pcs-with-apps-and-certificates.md new file mode 100644 index 0000000000..936f1b6f73 --- /dev/null +++ b/windows/deploy/provision-pcs-with-apps-and-certificates.md 
@@ -0,0 +1,227 @@
+---
+title: Provision PCs with apps and certificates (Windows 10)
+description: Create a provisioning package to apply settings to a PC running Windows 10.
+ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
+keywords: ["runtime provisioning", "provisioning package"]
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Provision PCs with apps and certificates for initial deployment (advanced provisioning)
+
+
+**Applies to**
+
+- Windows 10
+
+
+This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
+
+You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
+
+## Advantages
+- You can configure new devices without reimaging.
+
+- Works on both mobile and desktop devices.
+
+- No network connectivity required.
+
+- Simple to apply.
+
+[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md)
+
+## Create the provisioning package
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+
+2. Click **Advanced provisioning**.
+
+ ![ICD start options](images/icdstart-option.png)
+
+3. Name your project and click **Next**.
+
+3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
+
+
+### Add a desktop app to your package
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**.
+
+2. Add all the files required for the app install, including the data files and the installer.
+
+3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option.
+
+> [!NOTE]
+> If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/library/windows/hardware/mt703295%28v=vs.85%29.aspx).
+
+
+### Add a universal app to your package
+
+Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](../manage/acquire-apps-windows-store-for-business.md), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
+
+2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page.
+
+ ![details for offline app package](images/uwp-family.png)
+
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
+
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
+
+ ![required frameworks for offline app package](images/uwp-dependencies.png)
+
+5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Windows Store for Business, you generate the license for the app on the app's download page.
+
+ ![generate license for offline app](images/uwp-license.png)
+
+[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md)
+
+> [!NOTE]
+> Removing a provisioning package will not remove any apps installed by device context in that provisioning package.
+
+
+
+### Add a certificate to your package
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
+
+2. Enter a **CertificateName** and then click **Add**.
+
+2. Enter the **CertificatePassword**.
+
+3. For **CertificatePath**, browse and select the certificate to be used.
+
+4. Set **ExportCertificate** to **False**.
+
+5. For **KeyLocation**, select **Software only**.
+
+
+### Add other settings to your package
+
+For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
+
+### Build your package
+
+1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
+
+2. Read the warning that project files may contain sensitive information, and click **OK**.
+> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +3. On the **Export** menu, click **Provisioning package**. + +1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +10. Set a value for **Package Version**. + + > [!TIP]   + > You can make changes to existing packages and change the version number to update previously applied packages. + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + + **Important**   + We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  + +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

    +Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

    +If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

    +If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: + + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) + + - Email + + - USB tether (mobile only) + + - NFC (mobile only) + + + +## Apply package + +### During initial setup, from a USB drive + +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + + ![The first screen to set up a new PC](images/oobe.jpg) + +2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + + ![Set up device?](images/setupmsg.jpg) + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + + ![Provision this device](images/prov.jpg) + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + + ![Choose a package](images/choose-package.png) + +5. Select **Yes, add it**. + + ![Do you trust this package?](images/trust-package.png) + +6. Read and accept the Microsoft Software License Terms. + + ![Sign in](images/license-terms.png) + +7. Select **Use Express settings**. + + ![Get going fast](images/express-settings.png) + +8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. 
Select **My work or school owns it** and tap **Next**. + + ![Who owns this PC?](images/who-owns-pc.png) + +9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. + + ![Connect to Azure AD](images/connect-aad.png) + +10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. + + ![Sign in](images/sign-in-prov.png) + + +### After setup, from a USB drive, network folder, or SharePoint site + +On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install. + +![add a package option](images/package.png) + +## Learn more +- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) +  + + + + + diff --git a/windows/deploy/provisioning-packages.md b/windows/deploy/provisioning-packages.md new file mode 100644 index 0000000000..4630340ba6 --- /dev/null +++ b/windows/deploy/provisioning-packages.md 
@@ -0,0 +1,141 @@
+---
+title: Provisioning packages (Windows 10)
+description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: mobile
+author: jdeckerMS
+---
+
+# Provisioning packages for Windows 10
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
+
+With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+
+Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
+
+## New in Windows 10, Version 1607
+
+The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. Windows ICD for Windows 10, Version 1607, simplifies common provisioning scenarios.
+
+![Configuration Designer options](images/icd.png)
+
+Windows ICD in Windows 10, Version 1607, supports the following scenarios for IT administrators:
+
+* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner.
+
+ > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md)
+
+* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices.
+
+ > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](provision-pcs-with-apps-and-certificates.md)
+
+* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include:
+
+ * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment)
+ * AirWatch (password-string based enrollment)
+ * Mobile Iron (password-string based enrollment)
+ * Other MDMs (cert-based enrollment)
+
+> [!NOTE]
+> Windows ICD in Windows 10, Version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index).
+
+## Benefits of provisioning packages
+
+
+Provisioning packages let you:
+
+- Quickly configure a new device without going through the process of installing a new image.
+
+- Save time by configuring multiple devices using one provisioning package.
+
+- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure.
+
+- Set up a device without the device having network connectivity.
+
+Provisioning packages can be:
+
+- Installed using removable media such as an SD card or USB flash drive.
+
+- Attached to an email.
+
+- Downloaded from a network share.
+
+## What you can configure
+
+
+The following table provides some examples of what can be configured using provisioning packages.
+
+| Customization options | Examples |
+|--------------------------|-----------------------------------------------------------------------------------------------|
+| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters |
+| Applications | Windows apps, line-of-business applications |
+| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* |
+| Certificates | Root certification authority (CA), client certificates |
+| Connectivity profiles | Wi-Fi, proxy settings, Email |
+| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
+| Data assets | Documents, music, videos, pictures |
+| Start menu customization | Start menu layout, application pinning |
+| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on |
+\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices.
+  + +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). + +## Creating a provisioning package + + +With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must [install the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). + +When you run ADKsetup.exe for Windows 10, version 1607, select the following feature from the **Select the features you want to install** dialog box: + +- **Configuration Designer** + +![Choose Configuration Designer](images/adk-install.png) + +> [!NOTE] +> In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features. + +After you install Windows ICD, you can use it to create a provisioning package. For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651). + +## Applying a provisioning package to a device + + +Provisioning packages can be applied both during image deployment and during runtime. For information on how to apply a provisioning package to a Windows 10-based device, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651). 
+ +## Learn more + + +[Windows 10: Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533708) + +## Related topics + +- [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) +- [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) +- [Configure devices without MDM](../manage/configure-devices-without-mdm.md) +- [Set up a shared or guest PC with Windows 10](../manage/set-up-shared-or-guest-pc.md) +- [Configure devices without MDM](../manage/configure-devices-without-mdm.md) +- [Set up a device for anyone to use (kiosk mode)](../manage/set-up-a-device-for-anyone-to-use.md) +- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](../manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) + + + + +  + +  + + + + + diff --git a/windows/deploy/troubleshoot-upgrade-analytics.md b/windows/deploy/troubleshoot-upgrade-analytics.md new file mode 100644 index 0000000000..b6c6f5d87b --- /dev/null +++ b/windows/deploy/troubleshoot-upgrade-analytics.md 
@@ -0,0 +1,33 @@
+---
+title: Troubleshoot Upgrade Analytics (Windows 10)
+description: Provides troubleshooting information for Upgrade Analytics.
+ms.prod: w10
+author: MaggiePucciEvans
+---
+
+# Troubleshoot Upgrade Analytics
+
+If you’re having issues seeing data in Upgrade Analytics after running the Upgrade Analytics Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error.
+
+If you still don’t see data in Upgrade Analytics, follow these steps:
+
+1. Download and extract UpgradeAnalytics.zip. Ensure the “Diagnostics” folder is included.
+
+2. Edit the script as described in [Run the Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script).
+
+3. Check that isVerboseLogging is set to $true.
+
+4. Run the script again. Log files will be saved to the directory specified in the script.
+
+5. Open a support case with Microsoft Support through your regular channel and provide this information.
+
+## Disable Upgrade Analytics
+
+If you want to stop using Upgrade Analytics and stop sending telemetry data to Microsoft, follow these steps:
+
+1. Unsubscribe from the Upgrade Analytics solution in the OMS portal.
+
+2. Disable the Customer Experience Improvement Program on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to Security.
+
+3. Delete the CommercialDataOptin key in *HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection*
+
diff --git a/windows/deploy/upgrade-analytics-architecture.md b/windows/deploy/upgrade-analytics-architecture.md
new file mode 100644
index 0000000000..bdd9d88b62
--- /dev/null
+++ b/windows/deploy/upgrade-analytics-architecture.md 
@@ -0,0 +1,34 @@
+---
+title: Upgrade Analytics architecture (Windows 10)
+description: Describes Upgrade Analytics architecture.
+ms.prod: w10
+author: MaggiePucciEvans
+---
+
+# Upgrade Analytics architecture
+
+Microsoft analyzes system, application, and driver telemetry data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Analytics components work together in a typical installation.
+
+
+
+![Upgrade Analytics architecture](images/upgrade-analytics-architecture.png)
+
+After you enable Windows telemetry on user computers and install the compatibility update KB (1), user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Analytics, telemetry data is analyzed by the Upgrade Analytics Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Analytics solution (5) to plan and manage Windows upgrades.
+
+For more information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
+
+[Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
+
+[Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+
+[Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](http://go.microsoft.com/fwlink/?LinkID=822965)
+
+##**Related topics**
+
+[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
+
+[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
+
+[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
diff --git a/windows/deploy/upgrade-analytics-deploy-windows.md b/windows/deploy/upgrade-analytics-deploy-windows.md
new file mode 100644
index 0000000000..18ee3ac68d
--- /dev/null
+++ b/windows/deploy/upgrade-analytics-deploy-windows.md
@@ -0,0 +1,26 @@
+---
+title: Upgrade Analytics - Get a list of computers that are upgrade-ready (Windows 10)
+description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Analytics.
+ms.prod: w10
+author: MaggiePucciEvans
+---
+
+# Upgrade Analytics - Get a list of computers that are upgrade ready
+
+All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready.
+
+The blades in the **Deploy** section are:
+
+## Deploy eligible computers
+
+Computers grouped by deployment decision are listed.
+
+
+
+![Deploy eligible computers](images/upgrade-analytics-deploy-eligible.png)
+
+Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers.
+
+>**Important**
    When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md
new file mode 100644
index 0000000000..cb5931f6ba
--- /dev/null
+++ b/windows/deploy/upgrade-analytics-get-started.md
@@ -0,0 +1,161 @@
+---
+title: Get started with Upgrade Analytics (Windows 10)
+description: Explains how to get started with Upgrade Analytics.
+ms.prod: w10
+author: MaggiePucciEvans
+---
+
+# Get started with Upgrade Analytics
+
+Use Upgrade Analytics to plan and manage your upgrade project end to end. After you’ve established communications between user computers and Microsoft, Upgrade Analytics collects computer, application, and driver data for analysis. We use this data to identify compatibility issues that can block your upgrade and suggest fixes that are known to Microsoft.
+
+For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
+
+- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
+
+- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+
+- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](http://go.microsoft.com/fwlink/?LinkID=822965)
+
+
+This topic explains how to obtain and set up Upgrade Analytics components. If you haven’t done so already, see [Upgrade Analytics requirements](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements) for information about requirements for using Upgrade Analytics.
+
+To configure Upgrade Analytics, you’ll need to:
+
+- Add the Upgrade Analytics solution to a workspace in the Operations Management Suite portal
+
+- Establish communications and enable data sharing between your organization and Microsoft
+
+Each task is explained in detail in the following sections.
+
+
+## Add Upgrade Analytics to Operations Management Suite
+
+Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
+
+If you are already using OMS, you’ll find Upgrade Analytics in the Solutions Gallery. Select the **Upgrade Analytics** tile in the gallery and then click **Add** on the solution's details page. Upgrade Analytics is now visible in your workspace.
+
+If you are not using OMS:
+
+1. Go to the [Upgrade Analytics website](http://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process.
+
+2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+
+3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
+
+4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
+
+ > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
+
+1. To add the Upgrade Analytics solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Analytics** tile in the gallery and then select **Add** on the solution’s details page.
The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Analytics.
+
+2. Click the **Upgrade Analytics** tile to configure the solution. The **Settings Dashboard** opens.
+
+## Enable data sharing between your organization and Upgrade Analytics
+
+After you’ve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, complete the following tasks to establish communication and enable data sharing between user computers, Microsoft secure data centers, and Upgrade Analytics.
+
+## Generate your commercial ID key
+
+Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. Generate your commercial ID key in OMS and then deploy it to user computers.
+
+1. On the Settings Dashboard, navigate to the **Windows telemetry** panel.
+
+ ![upgrade-analytics-telemetry](images/upgrade-analytics-telemetry.png)
+
+2. On the Windows telemetry panel, copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Analytics deployment script later so it can be deployed to user computers.
+
+ >**Important**
    Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you’ll need to deploy the new commercial ID key to user computers again.
+
+## Subscribe to Upgrade Analytics
+
+For Upgrade Analytics to receive and display upgrade readiness data from Microsoft, subscribe your OMS workspace to Upgrade Analytics.
+
+1. On the **Windows telemetry** panel, click **Subscribe**. The button changes to **Unsubscribe**. Unsubscribe from the Upgrade Analytics solution if you no longer want to receive upgrade-readiness information from Microsoft. Note that user computer data will continue to be shared with Microsoft for as long as the opt-in keys are set on user computers and the proxy allows the traffic.
+
+1. Click **Overview** on the Settings Dashboard to return to your OMS workspace portal. The Upgrade Analytics tile now displays summary data. Click the tile to open Upgrade Analytics.
+
+## Whitelist select endpoints
+
+To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
+
+Note: The compatibility update KB runs under the computer’s system account and does not support user authenticated proxies.
+
+| **Endpoint** | **Function** |
+|---------------------------------------------------------|-----------|
+| `https://v10.vortex-win.data.microsoft.com/collect/v1` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
+| `https://settings-win.data.microsoft.com/settings` | Enables the compatibility update KB to send data to Microsoft. |
+| `http://go.microsoft.com/fwlink/?LinkID=544713`
    `https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. | +| `https://vortex.data.microsoft.com/health/keepalive`
    `https://settings.data.microsoft.com/qos`
    `https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | These endpoints are used to validate that user computers are sharing data with Microsoft. |
+
+## Deploy the compatibility update and related KBs
+
+The compatibility update KB scans your computers and enables application usage tracking. If you don’t already have these KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
+
+| **Operating System** | **KBs** |
+|----------------------|-----------------------------------------------------------------------------|
+| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
    Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
    For more information about this KB, see
    [KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
    Provides updated configuration and definitions for compatibility diagnostics performed on the system.
    For more information about this KB, see
    NOTE: KB2976978 must be installed before you can download and install KB3150513. | +| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
    Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
    For more information about this KB, see
    [KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
    Provides updated configuration and definitions for compatibility diagnostics performed on the system.
    For more information about this KB, see
    NOTE: KB2976978 must be installed before you can download and install KB3150513. | + +IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time. + +### Automate data collection + +To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes. + +- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing. + +- Schedule the Upgrade Analytics deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated. Computers are re-scanned only when the compatibility KBs are updated, so if your inventory changes significantly between KB releases you won’t see the changes in Upgrade Analytics until you run the script again. + +- Schedule monthly user computer scans to view monthly active computer and usage information. + +## Run the Upgrade Analytics deployment script + +To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the Upgrade Analytics deployment script, developed by Microsoft. + +The Upgrade Analytics deployment script does the following: + +1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys. + +2. Verifies that user computers can send data to Microsoft. + +3. Checks whether the computer has a pending restart.   + +4. Verifies that the latest version of KB package 10.0.x is installed (requires 10.0.14348 or subsequent releases). + +5. If enabled, turns on verbose mode for troubleshooting. + +6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness. + +7. 
 If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
+
+To run the Upgrade Analytics deployment script:
+
+1. Download the [Upgrade Analytics deployment script](http://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. The files in the Diagnostics folder are necessary only if you plan to run the script in troubleshooting mode.
+
+2. Edit the following parameters in RunConfig.bat:
+
+ 1. Provide a storage location for log information. Example: %SystemDrive%\\UADiagnostics
+
+ 2. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory.
+
+ 3. Input your commercial ID key.
+
+ 4. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
+
+ > *logMode = 0 log to console only*
+>
+ > *logMode = 1 log to file and console*
+>
+ > *logMode = 2 log to file only*
+
+3. For troubleshooting, set isVerboseLogging to $true to generate log information that can help with diagnosing issues. By default, isVerboseLogging is set to $false. Ensure the Diagnostics folder is installed in the same directory as the script to use this mode.
+
+4. Notify users if they need to restart their computers. By default, this is set to off.
+
+5. After you finish editing the parameters in RunConfig.bat, run the script as an administrator.
+
+## Seeing data from computers in Upgrade Analytics
+
+After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Analytics. The compatibility update KB takes several minutes to run.
If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Analytics. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers.
+
diff --git a/windows/deploy/upgrade-analytics-prepare-your-environment.md b/windows/deploy/upgrade-analytics-prepare-your-environment.md
new file mode 100644
index 0000000000..a73829de5b
--- /dev/null
+++ b/windows/deploy/upgrade-analytics-prepare-your-environment.md
@@ -0,0 +1,116 @@
+---
+title: Upgrade Analytics - Prepare your environment (Windows 10)
+description: Describes how to prepare your environment so that you can use Upgrade Analytics to manage Windows upgrades.
+ms.prod: w10
+author: MaggiePucciEvans
+---
+
+# Upgrade Analytics - Prepare your environment
+
+This section of the Upgrade Analytics workflow reports your computer and application inventory and lists computers that you can use in a pilot with no known issues or with fixable driver issues. Additionally, you can determine the priority level of applications to indicate which applications the team should focus on to get them upgrade ready.
+
+The blades in the **Prepare your environment** section are:
+
+## Upgrade overview
+
+Displays the total count of computers sharing data with Microsoft and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases.
+
+Check this blade for data refresh status, including the date and time of the most recent data update and whether user changes are reflected. If a user change is pending when changing the upgrade assessment or importance level of an application or driver, **Data refresh pending** is displayed in orange. User changes are processed once every 24 hours and read **Up to date** in green when there are no pending changes.
+
+
+
+![Upgrade overview](images/upgrade-analytics-overview.png)
+
+Select **Total computers** for a list of computers and details about them, including:
+
+- Computer ID and computer name
+
+- Computer manufacturer
+
+- Computer model
+
+- Operating system version and build
+
+- Count of system requirement, application, and driver issues per computer
+
+- Upgrade assessment based on analysis of computer telemetry data
+
+- Upgrade decision status
+
+Select **Total applications** for a list of applications discovered on user computers and details about them, including:
+
+- Application vendor
+
+- Application version
+
+- Count of computers the application is installed on
+
+- Count of computers that opened the application at least once in the past 30 days
+
+- Percentage of computers in your total computer inventory that opened the application in the past 30 days
+
+- Issues detected, if any
+
+- Upgrade assessment based on analysis of application data
+
+- Roll up level
+
+## Run a pilot
+
+Computers with no known issues and computers with fixable driver issues are listed, grouped by upgrade assessment. We recommend that you use these computers to test the impact of upgrading.
+
+
+
+![Run a pilot](images/upgrade-analytics-pilot.png)
+
+Before you start your pilot project, be sure to review upgrade assessment and guidance details, explained in more detail in the table below.
+
+| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance |
+|-----------------------|------------------------------------------------|----------|-----------------|---------------|
+| No known issues | No | None | Computers will upgrade seamlessly.
    | OK to use as-is in pilot. |
+| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. |
+| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.

    If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.

    |
+
+Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file.
+
+>**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
+
+See [Plan for Windows 10 deployment](http://technet.microsoft.com/itpro/windows/plan/index) for more information about ways to deploy Windows in your organization. Read about [how Microsoft IT deployed Windows as an in-place upgrade](https://www.microsoft.com/itshowcase/Article/Content/668/Deploying-Windows-10-at-Microsoft-as-an-inplace-upgrade) for best practices using the in-place upgrade method.
+
+## Prioritize applications
+
+Applications are listed, grouped by importance level. Prioritizing your applications allows you to identify the ones that you will focus on preparing for upgrade.
+
+
+
+![Prioritize applications](images/upgrade-analytics-prioritize.png)
+
+Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them.
+
+To change an application’s importance level:
+
+1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level. Select **Table** to view the list in a table.
+
+2. Select **User changes** to enable user input.
+
+3. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list.
+
+4. Click **Save** when finished.
+
+Importance levels include:
+
+| Importance level | When to use it | Recommendation |
+|--------------------|------------------|------------------|
+| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]

    Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.
    | Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.

    |
+| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you change the importance level.

    These applications are also marked as **Not reviewed** in the **UpgradeDecision** column.
    | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. |
+| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.

    | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
    |
+| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
    |
+| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**.
    | Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing.

    You may also want to change the application’s status to **Not reviewed** or **Ready to upgrade** in the **UpgradeDecision** column.
    |
+| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.
    | As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.

    Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**.
    |
+
diff --git a/windows/deploy/upgrade-analytics-release-notes.md b/windows/deploy/upgrade-analytics-release-notes.md
new file mode 100644
index 0000000000..dd1959b0e1
--- /dev/null
+++ b/windows/deploy/upgrade-analytics-release-notes.md
@@ -0,0 +1,5 @@
+---
+title: Upgrade Analytics release notes (Windows 10)
+description: Provides tips and limitations about Upgrade Analytics.
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements
+---
\ No newline at end of file
diff --git a/windows/deploy/upgrade-analytics-requirements.md b/windows/deploy/upgrade-analytics-requirements.md
new file mode 100644
index 0000000000..58fb28d579
--- /dev/null
+++ b/windows/deploy/upgrade-analytics-requirements.md
@@ -0,0 +1,88 @@
+---
+title: Upgrade Analytics requirements (Windows 10)
+description: Provides requirements for Upgrade Analytics.
+ms.prod: w10
+author: MaggiePucciEvans
+---
+
+# Upgrade Analytics requirements
+
+This article introduces concepts and steps needed to get up and running with Upgrade Analytics. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Analytics.
+
+## Supported upgrade paths
+
+To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows telemetry, Upgrade Analytics performs a full inventory of computers so that you can see which version of Windows is installed on each computer.
+
+The compatibility update KB that sends telemetry data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Analytics cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
+
+
+
+If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center.
+
+Note: Upgrade Analytics is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Analytics insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance.
+
+See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements.
+
+## Operations Management Suite
+
+Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+
+If you’re already using OMS, you’ll find Upgrade Analytics in the Solutions Gallery. Click the Upgrade Analytics tile in the gallery and then click Add on the solution’s details page. Upgrade Analytics is now visible in your workspace.
+
+If you are not using OMS, go to \[link to new Upgrade Analytics Web page on Microsoft.com\] and select **Upgrade Analytics Service** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Analytics solution to it.
+
+Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+
+## Telemetry and data sharing
+
+After you’ve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, you’ll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Analytics.
+
+See \[link to Steve May’s PDF doc when it’s published\] for more information about what user computer data Upgrade Analytics collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
+
+**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, you’ll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
+
+`https://v10.vortex-win.data.microsoft.com/collect/v1`
+
+`https://settings-win.data.microsoft.com/settings`
+
+`https://vortex.data.microsoft.com/health/keepalive`
+
+`https://settings.data.microsoft.com/qos`
+
+`http://go.microsoft.com/fwlink/?LinkID=544713`
+
+`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended`
+
+>**Note** The compatibility update KB runs under the computer’s system account and does not support user authentication in this release.
+
+**Generate your commercial ID key.** Microsoft uses a unique commercial ID GUID to map data from your computers to your OMS workspace. You’ll need to generate your commercial ID key in OMS. We recommend that you save your commercial ID key as you’ll need it later.
+
+**Subscribe your OMS workspace to Upgrade Analytics.** For Upgrade Analytics to receive and display upgrade readiness data from Microsoft, you’ll need to subscribe your OMS workspace to Upgrade Analytics.
+
+**Enable telemetry and connect data sources.** To allow Upgrade Analytics to collect system, application, and driver data and assess your organization’s upgrade readiness, communication must be established between Upgrade Analytics and user computers. You’ll need to connect Upgrade Analytics to your data sources and enable telemetry to establish communication.
+
+**Deploy compatibility update and related KBs.** The compatibility update KB scans your systems and enables application usage tracking. If you don’t already have this KB installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
+
+>**Important**
    The compatibility update and related KBs are updated frequently to include new compatibility issues as they become known to Microsoft. We recommend that you use a deployment system that allows for automatic updates of these KBs. The compatibility update KB collects inventory information from computers only when it is updated.
+
+**Configure and deploy Upgrade Analytics deployment script.** Configure and deploy the Upgrade Analytics deployment script to user computers to finish setting up.
+
+## Important information about this release
+
+Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release.
+
+**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints.
+
+**Upgrade Analytics does not support on-premise Windows deployments.** Upgrade Analytics is built as a cloud service, which allows Upgrade Analytics to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premise.
+
+**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Analytics solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported.
We’re adding support for additional regions and we’ll update this information when new international regions are supported.
+
+### Tips
+
+- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items.
+
+- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in OMS, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby).
+
+## Get started
+
+See [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Analytics and getting started on your Windows upgrade project.
diff --git a/windows/deploy/upgrade-analytics-resolve-issues.md b/windows/deploy/upgrade-analytics-resolve-issues.md
new file mode 100644
index 0000000000..31bd19b03a
--- /dev/null
+++ b/windows/deploy/upgrade-analytics-resolve-issues.md
@@ -0,0 +1,122 @@
+---
+title: Upgrade Analytics - Resolve application and driver issues (Windows 10)
+description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Analytics.
+ms.prod: w10
+author: MaggiePucciEvans
+---
+
+# Upgrade Analytics - Resolve application and driver issues
+
+This section of the Upgrade Analytics workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them.
+
+You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list.
+
+Upgrade decisions include:
+
+| Upgrade decision | When to use it | Guidance |
+|--------------------|-------------------|-------------|
+| Not reviewed | When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress.**


    | Some applications are automatically assigned upgrade decisions based on information known to Microsoft.

    All drivers are marked not reviewed by default.

    | +| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.

    Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.

    | Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
    | +| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues or with low installation rates are marked **Ready to upgrade** by default.

    Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.

    All drivers are marked **Not reviewed** by default.
    | +| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.

    Use **Won’t upgrade** for computers you don’t want to upgrade.
    | If, during your investigation into an application or driver, you determine that they should not be upgraded, mark them **Won’t upgrade**.

    |
+
+The blades in the **Resolve issues** section are:
+
+## Review applications with known issues
+
+Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**.
+
+
+
+![Review applications with known issues](images/upgrade-analytics-apps-known-issues.png)
+
+To change an application's upgrade decision:
+
+1. Select **Decide upgrade readiness** to view applications with issues.
+
+2. In the table view, sort on **UpgradeAssessment** to group applications into **Attention needed** and **Fix available**.
+
+3. Select **User changes** to change the upgrade decision for each application.
+
+4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
+
+5. Click **Save** when finished.
+
+IMORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information.
+
+For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible.
+
+| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
+|--------------------|-----------------------------------|-----------|-----------------|------------|
+| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
    | No action is required for the upgrade to proceed. | +| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Analytics is not able to remove the application during upgrade.

    The application may work on the new operating system.
    | Remove the application before upgrading, and reinstall and test on new operating system. | +| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
    | +| Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
    | +| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.

    A compatible version of the application may be available.
    | +| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further.
    | Test the application’s behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system.
    | +| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. | + +For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft. + +| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | +|--------------------|-----------------------------------|----------|-----------------|-------------| +| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and won’t migrate. A compatible version of the application is available. | Update the application before upgrading. | +| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process.
    | No action is required for the upgrade to proceed. Reinstall application on the new operating system. | +| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate. | Remove the application before upgrading and reinstall on the new operating system.
    | +| Fix available | Yes | Disk encryption blocking upgrade | The application’s encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.
    |
+
+## Review applications with no known issues
+
+Applications with no issues known to Microsoft are listed, grouped by upgrade decision.
+
+
+
+![Review applications with no known issues](images/upgrade-analytics-apps-no-known-issues.png)
+
+Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**.
+
+Be sure to review low install count applications for any business critical or important applications that may not yet be upgrade-ready, despite their low installation rates.
+
+To change an application's upgrade decision:
+
+1. Select **Decide upgrade readiness** to view applications with issues. Select **Table** to view the list in a table.
+
+2. Select **User changes** to change the upgrade decision for each application.
+
+3. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
+
+4. Click **Save** when finished.
+
+## Review drivers with known issues
+
+Drivers that won’t migrate to the new operating system are listed, grouped by availability.
+
+
+
+![Review drivers with known issues](images/upgrade-analytics-drivers-known.png)
+
+Availability categories are explained in the table below.
+
+| Driver availability | Action required before or after upgrade? 
| What it means | Guidance | +|-----------------------|------------------------------------------|----------------|--------------| +| Available in-box | No, for awareness only | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system.
    | No action is required for the upgrade to proceed. | +| Import from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system; however, a compatible version is available from Windows Update.
    | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
    | +| Available in-box and from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system.

    Although a new driver is installed during upgrade, a newer version is available from Windows Update.
    | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
    | +| Check with vendor | Yes | The driver won’t migrate to the new operating system and we are unable to locate a compatible version.
    | Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. | + +To change a driver’s upgrade decision: + +1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table. + +2. Select **User changes** to enable user input. + +3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. + +4. Click **Save** when finished. + diff --git a/windows/deploy/use-the-volume-activation-management-tool-client.md b/windows/deploy/use-the-volume-activation-management-tool-client.md index 1e4f5c32b2..6eed17adf5 100644 --- a/windows/deploy/use-the-volume-activation-management-tool-client.md +++ b/windows/deploy/use-the-volume-activation-management-tool-client.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Use the Volume Activation Management Tool diff --git a/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md b/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md new file mode 100644 index 0000000000..0f14199f76 --- /dev/null +++ b/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md 
@@ -0,0 +1,26 @@
+---
+title: Use Upgrade Analytics to manage Windows upgrades (Windows 10)
+description: Describes how to use Upgrade Analytics to manage Windows upgrades.
+ms.prod: w10
+author: MaggiePucciEvans
+---
+
+# Use Upgrade Analytics to manage Windows upgrades
+
+This topic explains how to use the Upgrade Analytics solution to plan, manage, and deploy Windows upgrades.
+
+Based on telemetry data from user computers, Upgrade Analytics identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
+
+You and your IT team can use the Upgrade Analytics workflow to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. You can then export the list of upgrade-ready computers and start deploying Windows with confidence, knowing that you’ve addressed potential blocking issues.
+
+Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
+
+The Upgrade Analytics workflow gives you compatibility and usage information about computers, applications, and drivers and walks you through these high-level tasks. Each task is described in more detail in the topics that follow.
+
+1. [Preparing your environment](upgrade-analytics-prepare-your-environment.md)
+
+2. [Resolving application and driver issues](upgrade-analytics-resolve-issues.md)
+
+3. [Identifying computers that are upgrade ready](upgrade-analytics-deploy-windows.md)
+
+
diff --git a/windows/deploy/usmt-technical-reference.md b/windows/deploy/usmt-technical-reference.md
index 17380ccbb3..6414a4386a 100644
--- a/windows/deploy/usmt-technical-reference.md
+++ b/windows/deploy/usmt-technical-reference.md
@@ -1,6 +1,6 @@ --- title: User State Migration Tool (USMT) Technical Reference (Windows 10) -description: The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. +description: The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add ms.prod: w10 ms.mktglfcycl: deploy @@ -9,31 +9,29 @@ author: greg-lindsay --- # User State Migration Tool (USMT) Technical Reference -The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. +The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. Download the Windows ADK [from this website](http://go.microsoft.com/fwlink/p/?LinkID=526803). -**Note**: USMT version 10.1.10586 supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013. +**USMT support for Microsoft Office** +>USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.
    +>USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016. -USMT 10.0 includes three command-line tools: - -- ScanState.exe - -- LoadState.exe +USMT includes three command-line tools: +- ScanState.exe
    +- LoadState.exe
    - UsmtUtils.exe -USMT 10.0 also includes a set of three modifiable .xml files: - -- MigApp.xml - -- MigDocs.xml +USMT also includes a set of three modifiable .xml files: +- MigApp.xml
    +- MigDocs.xml
    - MigUser.xml Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. -USMT 10.0 tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](http://go.microsoft.com/fwlink/p/?LinkId=246564). +USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](http://go.microsoft.com/fwlink/p/?LinkId=246564). ## In This Section |Topic |Description| diff --git a/windows/deploy/volume-activation-windows-10.md b/windows/deploy/volume-activation-windows-10.md index eda56e2651..f1bda40ad4 100644 --- a/windows/deploy/volume-activation-windows-10.md +++ b/windows/deploy/volume-activation-windows-10.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Volume Activation for Windows 10 diff --git a/windows/deploy/windows-10-edition-upgrades.md b/windows/deploy/windows-10-edition-upgrades.md index cbc6ee73c5..ab1e629231 100644 --- a/windows/deploy/windows-10-edition-upgrades.md +++ b/windows/deploy/windows-10-edition-upgrades.md 
@@ -17,17 +17,22 @@ author: greg-lindsay With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). -The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. +The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. + +X = unsupported
    +✔ (green) = supported; reboot required
    +✔ (blue) = supported; no reboot required. + |Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise | |-------|-----------|-----------------|----------------|-----------------|----------------|--------| -| Using mobile device management (MDM) |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) | -| Using a provisioning package |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) | -| Using a command-line tool |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) | -| Entering a product key manually |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) | +| Using mobile device management (MDM) |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) | +| Using a provisioning package |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) | +| Using a command-line tool |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |![supported](images/check_grn.png) 
|![unsupported](images/x_blk.png) | +| Entering a product key manually |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) | | Purchasing a license from the Windows Store |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) | -**Note**
    Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods. +>**Note**: Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods. ## Upgrade using mobile device management (MDM) - To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](http://go.microsoft.com/fwlink/p/?LinkID=690907). diff --git a/windows/deploy/windows-10-upgrade-paths.md b/windows/deploy/windows-10-upgrade-paths.md index 3d7f0d96e9..7ee695086b 100644 --- a/windows/deploy/windows-10-upgrade-paths.md +++ b/windows/deploy/windows-10-upgrade-paths.md @@ -1,6 +1,6 @@ --- title: Windows 10 upgrade paths (Windows 10) -description: You can upgrade to Windows 10 from a previous version of Windows, providing the upgrade path is supported. +description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/deploy/windows-deployment-scenarios-and-tools.md b/windows/deploy/windows-deployment-scenarios-and-tools.md index ba4f22b7c5..a970f1b56f 100644 --- a/windows/deploy/windows-deployment-scenarios-and-tools.md +++ b/windows/deploy/windows-deployment-scenarios-and-tools.md @@ -328,7 +328,7 @@ For more information on UEFI, see the [UEFI firmware](http://go.microsoft.com/fw ## Related topics -[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) + [Deploy Windows To Go](deploy-windows-to-go.md) 
diff --git a/windows/keep-secure/.vscode/settings.json b/windows/keep-secure/.vscode/settings.json
new file mode 100644
index 0000000000..96b19b0418
--- /dev/null
+++ b/windows/keep-secure/.vscode/settings.json
@@ -0,0 +1,4 @@
+// Place your settings in this file to overwrite default and user settings.
+{
+ "update.channel": "none",
+}
\ No newline at end of file
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 504f41304c..9ae5d89ffc 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
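Review bot: `windows/keep-secure/.vscode/settings.json` is a per-editor workspace file committed under a documentation subfolder, and its only setting, `"update.channel": "none"`, turns off the editor's update channel for anyone who opens that folder, which also means they stop receiving the editor's own security fixes. This looks like a local file that slipped into the commit rather than a deliberate repository policy; if it is intentional, say why in the leading comment, otherwise drop the file and keep `.vscode/` out of the tree. The trailing comma after the one entry also makes the file non-strict JSON, which only JSONC-aware tools will accept.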
@@ -1,31 +1,43 @@ # [Keep Windows 10 secure](index.md) -## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Device Guard certification and compliance](device-guard-certification-and-compliance.md) -### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md) -### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md) -## [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) -### [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) +### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) +### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) ### [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -### [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) -### [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) -### [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) -### [Event ID 300 - Passport successfully created](passport-event-300.md) -## [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +### [Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) +### [Windows Hello and password changes](microsoft-passport-and-password-changes.md) +### [Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) +### [Event ID 300 - Windows Hello successfully 
created](passport-event-300.md) +### [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) ## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) ## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) +## [Device Guard deployment guide](device-guard-deployment-guide.md) +### [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +### [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) +### [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) +### [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +#### [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) +#### [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md) +#### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) +#### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) +### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) ## [Protect derived domain credentials with Credential Guard](credential-guard.md) -## [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) -### [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md) -#### [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) -##### [Add 
multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) -##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) -##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) -#### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) -### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) -#### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) -#### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) +## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) +## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) +### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md) +#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) +##### [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) +##### [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) +##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) +#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) +#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) +### [General guidance and best practices 
for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) +#### [Windows Information Protection (WIP) overview](wip-enterprise-overview.md) +#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) +#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) +#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) +## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) ## [VPN profile options](vpn-profile-options.md) ## [Windows security baselines](windows-security-baselines.md) ## [Security technologies](security-technologies.md) 
@@ -679,11 +691,15 @@ ### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) #### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) #### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) +#### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) +###### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) ##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -##### [Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) ##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) #### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) #### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) 
@@ -696,12 +712,22 @@ ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) #### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) +#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) +##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) +##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) +#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md) #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) +#### [Windows Defender Offline in Windows 10](windows-defender-offline.md) #### [Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) +#### [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md) +#### [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md) +#### [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md) +#### [Detect and block Potentially Unwanted 
Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md) #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) ### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) #### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) @@ -814,7 +840,7 @@ ###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) -### [Device Guard deployment guide](device-guard-deployment-guide.md) ### [Microsoft Passport guide](microsoft-passport-guide.md) ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) ### [Windows 10 security overview](windows-10-security-guide.md) +## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md index 5f10d77fb7..f6ed6747d4 100644 --- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md 
@@ -1,51 +1,51 @@ --- -title: Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality (Windows 10) -description: Add multiple apps to your enterprise data protection (EDP) allowed app list at the same time, by using the Microsoft Intune Custom URI functionality and AppLocker. +title: Add apps to your Windows Information Protection (WIP) policy by using Microsoft Intune and custom URI functionality (Windows 10) +description: Add apps to your Windows Information Protection (WIP) allowed app list, by using the Microsoft Intune custom URI functionality and AppLocker. ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880 -keywords: EDP, Enterprise Data Protection, protected apps, protected app list +keywords: WIP, Enterprise Data Protection, protected apps, protected app list ms.prod: w10 ms.mktglfcycl: explore ms.pagetype: security ms.sitesec: library author: eross-msft +localizationpriority: high --- -# Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality +# Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality **Applies to:** -- Windows 10 Insider Preview -- Windows 10 Mobile Preview +- Windows 10, version 1607 +- Windows 10 Mobile -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] +You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330). 
-Add multiple apps to your enterprise data protection (EDP) allowed app list at the same time, by using the Microsoft Intune Custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330). - -**Important**   +>**Important**
    Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy. -If you only want to add one app at a time, you can follow the instructions in the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. - -**To add Universal Windows Platform (UWP) apps** - +## Add Store apps 1. Go to the AppLocker UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**. -2. Double-click **Application Control Policies**, double-click **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**.

    -The **Automatically Generate Packaged app Rules** wizard opens, letting you create EDP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder. +2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**. -3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.

    -You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users. + The **Automatically Generate Packaged app Rules** wizard opens, letting you create WIP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder. -4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.

    -This name should be easily recognizable, such as *EDP_UniversalApps_Rules*. +3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box. -5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.

    -**Important**
    You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.

    -**Note**
    We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

    If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

    Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. + You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users. + +4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**. + + This name should be easily recognizable, such as *WIP_StoreApps_Rules*. + +5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. + + >**Note**
    We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

    If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. -7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.

    -**Important**
    Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. +7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. + + >**Important**
    Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. @@ -59,36 +59,42 @@ This name should be easily recognizable, such as *EDP_UniversalApps_Rules*. 13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. -14. Copy the text that has a **Type** of Appx, within the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: +14. Copy the text that has a **Type** of `Appx`, within the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: ``` - + ``` 15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

    -After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic. +After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic. -**To add Classic Windows applications** +## Add Desktop apps +1. Open the Local Security Policy snap-in (SecPol.msc). -1. Go to the AppLocker UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**. +2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**. -2. Double-click **Application Control Policies**, double-click **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.

    -The **Automatically Generate Executable Rules** wizard opens, letting you create EDP-protected app polices by analyzing the files within a specific folder. + The **Automatically Generate Executable Rules** wizard opens, letting you create WIP-protected app polices by analyzing the files within a specific folder. -3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.

    -You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users. +3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box. -4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.

    -This name should be easily recognizable, such as *EDP_ClassicApps_Rules*. + You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users. -5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.

    -**Important**
    You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.

    -**Note**
    We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

    If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

    Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. +4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**. + + This name should be easily recognizable, such as *WIP_DesktopApps_Rules*. + +5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. + + >**Important**
    You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. + +

    + >**Note**
    We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

    If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

    Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. -7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.

    -**Important**
    Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. +7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. + + >**Important**
    Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. @@ -102,19 +108,20 @@ This name should be easily recognizable, such as *EDP_ClassicApps_Rules*. 13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. -14. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: +14. Copy the text that has a **Type** of `EXE`, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: ``` - + ``` -15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

    -After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic. +15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**. + + After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic. ##Related topics -- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) -- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) -- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) +- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) +- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) +- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)   diff --git a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md index fc07133c99..69108c1fcc 100644 --- a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices. 
diff --git a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md index f5f2edf9d6..11b782d3f8 100644 --- a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md +++ b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device. diff --git a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 93d466aa32..0000000000 --- a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,47 +0,0 @@
----
-title: Additional Windows Defender ATP configuration settings
-description: Use the Group Policy Console to configure settings that enable sample sharing from your endpoints. These settings are used in the deep analysis feature.
-keywords: configuration settings, Windows Defender ATP configuration settings, Windows Defender Advanced Threat Protection configuration settings, group policy Management Editor, computer configuration, policies, administrative templates,
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: security
-ms.sitesec: library
-author: mjcaparas
----
-
-# Additional Windows Defender ATP configuration settings
-
-**Applies to**
-
-- Windows 10 Insider Preview Build 14332 or later
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
-
-## Configure sample collection settings with Group Policy
-1. On your GP management machine, copy the following files from the
- configuration package:
-
- a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
-
- b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
-
-2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor**, go to **Computer configuration**.
-
-4. Click **Policies**, then **Administrative templates**.
-
-5. Click **Windows components** and then **Windows Advanced Threat Protection**.
-
-6. Choose to enable or disable sample sharing from your endpoints.
- -## Related topics - -- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/advanced-security-auditing-faq.md b/windows/keep-secure/advanced-security-auditing-faq.md index 3bfa640035..aba6ac5414 100644 --- a/windows/keep-secure/advanced-security-auditing-faq.md +++ b/windows/keep-secure/advanced-security-auditing-faq.md @@ -125,7 +125,7 @@ Often it is not enough to know simply that an object such as a file or folder wa ## How do I know when changes are made to access control settings, by whom, and what the changes were? -To track access control changes on computers running Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs: +To track access control changes on computers running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs: - **Audit File System** subcategory: Enable for success, failure, or success and failure - **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure - A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor 
diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md index 46dddb36a1..74189887bb 100644 --- a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md @@ -14,20 +14,22 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - As a security operations team member, you can manage Windows Defender ATP alerts as part of your routine activities. Alerts will appear in queues according to their current status. To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane. -> **Note**  By default, the queues are sorted from newest to oldest. +> [!NOTE] +> By default, the queues are sorted from newest to oldest. The following table and screenshot demonstrate the main areas of the **Alerts queue**. -![Screenshot of the Dashboard showing the New Alerts list and navigation bar](images/alertsq.png) +![Screenshot of the Dashboard showing the New Alerts list and navigation bar](images/alertsq2.png) Highlighted area|Area name|Description :---|:---|:--- 
@@ -59,7 +61,8 @@ There are three mechanisms to pivot the queue against: - **30 days** - **6 months** - > **Note**  You can change the sort order (for example, from most recent to least recent) by clicking the sort order icon ![the sort order icon looks like two arrows on top of each other](images/sort-order-icon.png) + > [!NOTE] + > You can change the sort order (for example, from most recent to least recent) by clicking the sort order icon ![the sort order icon looks like two arrows on top of each other](images/sort-order-icon.png) ### Related topics - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index f72093bb1e..f567285c1b 100644 --- a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). diff --git a/windows/keep-secure/applocker-overview.md b/windows/keep-secure/applocker-overview.md index 954c093d80..d8194a1caa 100644 --- a/windows/keep-secure/applocker-overview.md +++ b/windows/keep-secure/applocker-overview.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +localizationpriority: high author: brianlic-msft --- 
diff --git a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..6cc5b28e2f
--- /dev/null
+++ b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,54 @@
+---
+title: Assign user access to the Windows Defender Advanced Threat Protection portal
+description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal.
+keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Assign user access to the Windows Defender ATP portal
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Azure Active Directory
+- Office 365
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). You can assign users with one of the following levels of permissions:
+- Full access (Read and Write)
+- Read only access
+
+**Full access**
+Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
+Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
+
+**Read only access**
+Users with read only access can log in, view all alerts, and related information.
+They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
+Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
+
+Use the following steps to assign security roles:
+- Preparations:
+ - Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/).
    + + > [!NOTE] + > You need to run the PowerShell cmdlets in an elevated command-line. + +- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/en-us/library/dn194123.aspx). +- For **read and write** access, assign users to the security administrator role by using the following command: +```text +Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" +``` +- For **read only** access, assign users to the security reader role by using the following command: +```text +Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com” +``` + +For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/en-us/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). diff --git a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md index f6dcdfddf4..d70e138887 100644 --- a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md +++ b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. diff --git a/windows/keep-secure/basic-firewall-policy-design.md b/windows/keep-secure/basic-firewall-policy-design.md index 3863b0cf74..bbc34eda26 100644 --- a/windows/keep-secure/basic-firewall-policy-design.md +++ b/windows/keep-secure/basic-firewall-policy-design.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization. diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md index 23dc64932f..29836430fd 100644 --- a/windows/keep-secure/bitlocker-frequently-asked-questions.md +++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +localizationpriority: high author: brianlic-msft --- diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 18c4baf5b6..2921e55f01 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +localizationpriority: high author: brianlic-msft --- diff --git a/windows/keep-secure/boundary-zone-gpos.md b/windows/keep-secure/boundary-zone-gpos.md index 66865b93a6..550aa7e934 100644 --- a/windows/keep-secure/boundary-zone-gpos.md +++ b/windows/keep-secure/boundary-zone-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. diff --git a/windows/keep-secure/boundary-zone.md b/windows/keep-secure/boundary-zone.md index b44e15fdc1..da0878002d 100644 
--- a/windows/keep-secure/boundary-zone.md +++ b/windows/keep-secure/boundary-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. @@ -60,4 +60,4 @@ The boundary zone GPO for devices running at least Windows Server 2008 should i >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) -**Next: **[Encryption Zone](encryption-zone.md) +**Next:**[Encryption Zone](encryption-zone.md) diff --git a/windows/keep-secure/certificate-based-isolation-policy-design-example.md b/windows/keep-secure/certificate-based-isolation-policy-design-example.md index 8b5e59db2e..0c3612bef6 100644 --- a/windows/keep-secure/certificate-based-isolation-policy-design-example.md +++ b/windows/keep-secure/certificate-based-isolation-policy-design-example.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). diff --git a/windows/keep-secure/certificate-based-isolation-policy-design.md b/windows/keep-secure/certificate-based-isolation-policy-design.md index 8d0483f776..6a1a244f5c 100644 --- a/windows/keep-secure/certificate-based-isolation-policy-design.md 
+++ b/windows/keep-secure/certificate-based-isolation-policy-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 812c222e48..c8012d34ec 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
@@ -12,18 +12,45 @@ author: brianlic-msft # Change history for Keep Windows 10 secure This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## August 2016 +- [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |New | + +## RELEASE: Windows 10, version 1607 + +The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: + +- [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) +- [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) +- [Windows Defender Offline in Windows 10](windows-defender-offline.md) +- [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) +- [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md) +- [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md) +- [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md) +- [Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md) +- [Assign user access to the Windows Defender ATP portal](assign-portal-access-windows-defender-advanced-threat-protection.md) +- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) +- [Windows Defender 
compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) + + ## July 2016 |New or changed topic | Description | |----------------------|-------------| -|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New | +|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | +|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |New | +|[Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |New | +|[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (multiple topics) | Updated | +|[Device Guard deployment guide](device-guard-deployment-guide.md) (multiple topics) | Updated | ## June 2016 |New or changed topic | Description | |----------------------|-------------| -|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. | +|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. | | [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New | | [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics | | [Windows security baselines](windows-security-baselines.md) | New | 
@@ -35,8 +62,8 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Changed Internet Explorer to Microsoft Edge | | [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. | | [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content | -|[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Updated info based on changes to the features and functionality.| -| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview | +|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated info based on changes to the features and functionality.| +| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 | |[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (mutiple topics) | New | ## April 2016 
@@ -50,8 +77,8 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| -|[Requirements to use AppLocker](requirements-to-use-applocker.md) |Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 Technical Preview is required to manage AppLocker by using Group Policy.| -|[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Added pre-release content about how to set up and deploy enterprise data protection (EDP) in an enterprise environment.| +|[Requirements to use AppLocker](requirements-to-use-applocker.md) |Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 is required to manage AppLocker by using Group Policy.| +|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Added pre-release content about how to set up and deploy Windows Information Protection (WIP) in an enterprise environment.| ## February 2016 diff --git a/windows/keep-secure/change-rules-from-request-to-require-mode.md b/windows/keep-secure/change-rules-from-request-to-require-mode.md index 156957d053..747345df41 100644 --- a/windows/keep-secure/change-rules-from-request-to-require-mode.md +++ b/windows/keep-secure/change-rules-from-request-to-require-mode.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain. diff --git a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md index 979ef0e243..af8be53831 100644 --- a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md +++ b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. diff --git a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md index a3cd9303ca..5385c20f4d 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md 
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
diff --git a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
index f954a6f45e..996a84ad21 100644
--- a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).
diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md
index 898aff61c0..93506e5368 100644
--- a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md
index 8bf35ebe8e..aba8c91407 100644
--- a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md
index 41375ddbad..4533b51003 100644
--- a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
diff --git a/windows/keep-secure/checklist-creating-group-policy-objects.md b/windows/keep-secure/checklist-creating-group-policy-objects.md
index b846638c4e..207e94a1a5 100644
--- a/windows/keep-secure/checklist-creating-group-policy-objects.md
+++ b/windows/keep-secure/checklist-creating-group-policy-objects.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group.
diff --git a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md
index 16681cba2a..bf0e277be4 100644
--- a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md
+++ b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This checklist includes tasks for creating firewall rules in your GPOs.
diff --git a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md
index 22b8d892c8..9187d83a88 100644
--- a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md
+++ b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This checklist includes tasks for creating outbound firewall rules in your GPOs.
diff --git a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
index bd5a21cdb8..febc811262 100644
--- a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
+++ b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone.
diff --git a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md
index f72a945895..0e170e2c53 100644
--- a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md
+++ b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
@@ -26,7 +26,7 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co
 | Task | Reference |
 | - | - |
 | Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Basic Firewall Policy Design](basic-firewall-policy-design.md)
    [Firewall Policy Design Example](firewall-policy-design-example.md)
    [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)|
-| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016 Technical Preview, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016 Technical Preview, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
 | If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)|
 | Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)|
 | Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)|
diff --git a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md
index 1cab0a3744..6a65e70ac2 100644
--- a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md
+++ b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design.
diff --git a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md
index a57af52e9a..1c370cc0c7 100644
--- a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md
+++ b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
diff --git a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md
index e4ed2e3d00..533859a661 100644
--- a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md
+++ b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).
diff --git a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..5ee2fbe06a
--- /dev/null
+++ b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,87 @@
+---
+title: Configure an Azure Active Directory application for SIEM integration
+description: Configure an Azure Active Directory application so that it can communicate with supported SIEM tools.
+keywords: configure aad for siem integration, siem integration, application, oauth 2
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Configure an Azure Active Directory application for SIEM integration
+
+**Applies to:**
+
+- Azure Active Directory
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal.
+
+1. Login to the [Azure management portal](https://manage.windowsazure.com).
+
+2. Select **Active Directory**.
+
+3. Select your tenant.
+
+4. Click **Applications**, then select **Add** to create a new application.
+
+5. Click **Add an application my organization is developing**.
+
+6. Choose a client name for the application, for example, *Alert Export Client*.
+
+7. Select **WEB APPLICATION AND/OR WEB API** in the Type section.
+
+8. Assign a sign-on URL and app ID URI to the application, for example, `https://alertexportclient`.
+
+9. Confirm the request details and verify that you have successfully added the app.
+
+10. Select the application you've just created from the directory application list and click the **Configure** tab.
+
+11. Scroll down to the **keys** section and select a duration for the application key.
+
+12. Type the following URLs in the **Reply URL** field:
+
+ - `https://DataAccess-PRD.trafficmanager.net:444/api/FetchAccessTokenFromAuthCode`
+ - `https://localhost:44300/WDATPconnector`
+
+13. Click **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory.
+
+14. Open a web browser and connect to the following URL:
+```text
+https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=&clientSecret=1234
+```
+An Azure login page appears.
+> [!NOTE]
+> - Replace *tenant ID* with your actual tenant ID.
+> - Keep the client secret as is. This is a dummy value, but the parameter must appear.
+
+15. Sign in with the credentials of a user from your tenant.
+
+16. Click **Accept** to provide consent. Ignore the error.
+
+17. Click **Application configuration** under your tenant.
+
+18. Click **Permissions to other applications**, then select **Add application**.
+
+19. Click **All apps** from the **SHOW** field and submit.
+
+20. Click **WDATPAlertExport**, then select **+** to add the application. You should see it on the **SELECTED** panel.
+
+21. Submit your changes.
+
+22. On the **WDATPAlertExport** record, in the **Delegated Permissions** field, select **Access WDATPAlertExport**.
+
+23. Save the application changes.
+
+After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use.
+
+## Related topics
+- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..bd262bbc8a
--- /dev/null
+++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,93 @@ +--- +title: Configure HP ArcSight to consume Windows Defender ATP alerts +description: Configure HP ArcSight to receive and consume alerts from the Windows Defender ATP portal. +keywords: configure hp arcsight, security information and events management tools, arcsight +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +# Configure HP ArcSight to consume Windows Defender ATP alerts + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +You'll need to configure HP ArcSight so that it can consume Windows Defender ATP alerts. + +## Before you begin + +- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: + - OAuth 2 Token refresh URL + - OAuth 2 Client ID + - OAuth 2 Client secret +- Create your OAUth 2 Client properties file or get it from your Windows Defender ATP contact. For more information, see the ArcSight FlexConnector Developer's guide. + + > [!NOTE] + > **For the authorization URL**: Append the following to the value you got from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com```
    + > **For the redirect_uri value use**: ```https://localhost:44300/wdatpconnector``` + > +- Get the *wdatp-connector.properties* file from your Windows Defender ATP contact. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. +- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet. +- Contact the Windows Defender ATP team to get your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in the ArcSight FlexConnector Developer's guide. + +## Configure HP ArcSight +The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). + +1. Copy the *wdatp-connector.jsonparser.properties* file into the `\current\user\agent\flexagent` folder of the connector installation folder. + +2. Save the *wdatp-connector.properties* file into a folder of your choosing. + +3. Open an elevated command-line: + + a. Go to **Start** and type **cmd**. + + b. Right-click **Command prompt** and select **Run as administrator**. + +4. Enter the following command and press **Enter**: ```runagentsetup.bat```. The Connector Setup pop-up window appears. + +5. In the form fill in the following required fields with these values: + >[!NOTE] + >All other values in the form are optional and can be left blank. + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldValue
    Configuration FileType in the name of the client property file. It must match the client property file.
    Events URL`https://DataAccess-PRD.trafficmanager.net:444/api/alerts`
    Authentication TypeOAuth 2
    OAuth 2 Client Properties fileSelect *wdatp-connector.properties*.
    Refresh TokenPaste the refresh token that your Windows Defender ATP contact provided, or run the `restutil` tool to get it.
+6. Select **Next**, then **Save**.
+
+7. Run the connector. You can choose to run in Service mode or Application mode.
+
+8. In the HP ArcSight console, create a **Windows Defender ATP** channel with intervals and properties suitable to your enterprise needs. Windows Defender ATP alerts will appear as discrete events, with “Microsoft” as the vendor and “Windows Defender ATP” as the device name.
+
+## Related topics
+- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-authentication-methods.md b/windows/keep-secure/configure-authentication-methods.md
index c637681093..cee5bff4da 100644
--- a/windows/keep-secure/configure-authentication-methods.md
+++ b/windows/keep-secure/configure-authentication-methods.md
@@ -14,7 +14,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone.
diff --git a/windows/keep-secure/configure-data-protection-quick-mode-settings.md b/windows/keep-secure/configure-data-protection-quick-mode-settings.md
index 1b0e5489ab..4c7f4c94ea 100644
--- a/windows/keep-secure/configure-data-protection-quick-mode-settings.md
+++ b/windows/keep-secure/configure-data-protection-quick-mode-settings.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone.
diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..535be7d761
--- /dev/null
+++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,120 @@
+---
+title: Configure Windows Defender ATP endpoints using Group Policy
+description: Use Group Policy to deploy the configuration package on endpoints so that they are onboarded to the service.
+keywords: configure endpoints using group policy, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, group policy
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Configure endpoints using Group Policy
+
+**Applies to:**
+
+- Group Policy
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+> [!NOTE]
+> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
+
+## Onboard endpoints
+1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. Click **Endpoint Management** on the **Navigation pane**.
+
+ b. Select **Group Policy**, click **Download package** and save the .zip file.
+
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
+
+3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+
+4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
+
+5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
+
+6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
+
+7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
+
+8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
+
+9. Click **OK** and close any open GPMC windows.
+
+## Additional Windows Defender ATP configuration settings
+For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
+
+You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
+
+### Configure sample collection settings
+1. On your GP management machine, copy the following files from the
+ configuration package:
+
+ a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
+
+ b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
+
+2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor**, go to **Computer configuration**.
+
+4. Click **Policies**, then **Administrative templates**.
+
+5. Click **Windows components** and then **Windows Advanced Threat Protection**.
+
+6. Choose to enable or disable sample sharing from your endpoints.
+
+>[!NOTE]
+> If you don't set a value, the default value is to enable sample collection.
+
+### Offboard endpoints
+For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+
+> [!NOTE]
+> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
+
+1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. Click **Endpoint Management** on the **Navigation pane**.
+
+ b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
+
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
+
+3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+
+4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
+
+5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
+
+6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
+
+7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.
+
+8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file.
+
+9. Click **OK** and close any open GPMC windows.
+
+## Monitor endpoint configuration
+With Group Policy there isn’t an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools.
+
+## Monitor endpoints using the portal
+1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
+2. Click **Machines view**.
+3. Verify that endpoints are appearing.
+
+> [!NOTE]
+> It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
+
+
+## Related topics
+- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..14be889faa
--- /dev/null
+++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,96 @@
+---
+title: Configure Windows Defender ATP endpoints using Mobile Device Management tools
+description: Use Mobile Device Management tools to deploy the configuration package on endpoints so that they are onboarded to the service.
+keywords: configure endpoints using mdm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, mdm
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Configure endpoints using Mobile Device Management tools
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
+
+For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
+
+## Configure endpoints using Microsoft Intune
+
+For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
+
+### Onboard and monitor endpoints
+
+1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a.
Click **Endpoint Management** on the **Navigation pane**.
+
+ b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file.
+
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
+
+3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
+
+Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
+- Onboarding
+- Health Status for onboarded machines
+- Configuration for onboarded machines
+
+Policy | OMA-URI | Type | Value | Description
+:---|:---|:---|:---|:---
+Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding
+Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
+ | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
+ | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
+ Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
    Default value: 1 | Windows Defender ATP Sample sharing is enabled
+
+
+> [!NOTE]
+> The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
+
+### Offboard and monitor endpoints
+
+For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+
+> [!NOTE]
+> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
+
+1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. Click **Endpoint Management** on the **Navigation pane**.
+
+ b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
+
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
+
+3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
+
+Offboarding - Use the offboarding policies to remove configuration settings on endpoints.
These policies can be sub-categorized to:
+- Offboarding
+- Health Status for offboarded machines
+- Configuration for offboarded machines
+
+Policy | OMA-URI | Type | Value | Description
+:---|:---|:---|:---|:---
+Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
+ Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
+ | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
+
+> [!NOTE]
+> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
+
+
+## Related topics
+- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..1d009b3943
--- /dev/null
+++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,136 @@
+---
+title: Configure Windows Defender ATP endpoints using System Center Configuration Manager
+description: Use System Center Configuration Manager to deploy the configuration package on endpoints so that they are onboarded to the service.
+keywords: configure endpoints using sccm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Configure endpoints using System Center Configuration Manager
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- System Center 2012 Configuration Manager or later versions
+
+
+## Configure endpoints using System Center Configuration Manager (current branch) version 1606
+System Center Configuration Manager (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
+
+
+## Configure endpoints using System Center Configuration Manager earlier versions
+You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
+
+- System Center 2012 Configuration Manager
+- System Center 2012 R2 Configuration Manager
+- System Center Configuration Manager (current branch), version 1511
+- System Center Configuration Manager (current branch), version 1602
+
+### Onboard endpoints
+
+1.
Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. Click **Endpoint Management** on the **Navigation pane**.
+
+ b. Select **System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
+
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
+
+3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
+
+4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
+
+ a. Choose a predefined device collection to deploy the package to.
+
+### Configure sample collection settings
+For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
+
+You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on an endpoint.
+This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure they’re complaint.
+
+The configuration is set through the following registry key entry:
+
+```text
+Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
+Name: "AllowSampleCollection"
+Value: 0 or 1
+```
+Where:
    +Key type is a D-WORD.
    +Possible values are:
+- 0 - doesn't allow sample sharing from this endpoint
+- 1 - allows sharing of all file types from this endpoint
+
+The default value in case the registry key doesn’t exist is 1.
+
+For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx).
+
+
+### Offboard endpoints
+
+For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+
+> [!NOTE]
+> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
+
+1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. Click **Endpoint Management** on the **Navigation pane**.
+
+ b. Under **Endpoint offboarding** section, select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
+
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
+
+3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
+
+4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
+
+ a.
Choose a predefined device collection to deploy the package to.
+
+### Monitor endpoint configuration
+Monitoring with SCCM consists of two parts:
+
+1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network.
+
+2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service).
+
+**To confirm the configuration package has been correctly deployed:**
+
+1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane.
+
+2. Click **Overview** and then **Deployments**.
+
+3. Click on the deployment with the package name.
+
+4. Review the status indicators under **Completion Statistics** and **Content Status**.
+
+If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. For more information see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
+
+![SCCM showing successful deployment with no errors](images/sccm-deployment.png)
+
+**Check that the endpoints are compliant with the Windows Defender ATP service:**
    +You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment.
+
+This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines.
+
+Monitor the following registry key entry:
+```
+Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
+Name: “OnboardingState”
+Value: “1”
+```
+For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx).
+
+## Related topics
+- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..1e740f14b3
--- /dev/null
+++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,113 @@
+---
+title: Configure Windows Defender ATP endpoints using a local script
+description: Use a local script to deploy the configuration package on endpoints so that they are onboarded to the service.
+keywords: configure endpoints using a local script, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Configure endpoints using a local script
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
+
+## Onboard endpoints
+1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. Click **Endpoint Management** on the **Navigation pane**.
+
+ b. Select **Local Script**, click **Download package** and save the .zip file.
+
+
+2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
+
+3. Open an elevated command-line prompt on the endpoint and run the script:
+
+ a. Go to **Start** and type **cmd**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+ ![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
+
+4. Type the location of the script file.
If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd*
+
+5. Press the **Enter** key or click **OK**.
+
+For for information on how you can manually validate that the endpoint is compliant and correctly reports telemetry see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
+
+## Configure sample collection settings
+For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
+
+You can manually configure the sample sharing setting on the endpoint by using *regedit* or creating and running a *.reg* file.
+
+The configuration is set through the following registry key entry:
+
+```text
+Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
+Name: "AllowSampleCollection"
+Value: 0 or 1
+```
+Where:
    +Name type is a D-WORD.
    +Possible values are:
+- 0 - doesn't allow sample sharing from this endpoint
+- 1 - allows sharing of all file types from this endpoint
+
+The default value in case the registry key doesn’t exist is 1.
+
+
+## Offboard endpoints
+For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+
+> [!NOTE]
+> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
+
+1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. Click **Endpoint Management** on the **Navigation pane**.
+
+ b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
+
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
+
+3. Open an elevated command-line prompt on the endpoint and run the script:
+
+ a. Go to **Start** and type **cmd**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+ ![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
+
+4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*
+
+5. Press the **Enter** key or click **OK**.
+
+## Monitor endpoint configuration
+You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) to verify that the script completed successfully and the agent is running.
+
+Monitoring can also be done directly on the portal, or by using the different deployment tools.
+
+### Monitor endpoints using the portal
+1. Go to the Windows Defender ATP portal.
+
+2. Click **Machines view**.
+
+3. Verify that endpoints are appearing.
+
+
+## Related topics
+- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
index aede6f38ed..bd69be41b4 100644
--- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -1,104 +1,38 @@
 ---
 title: Configure Windows Defender ATP endpoints
-description: Use Group Policy or SCCM to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service.
-keywords: configure endpoints, client onboarding, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm, system center configuration manager
+description: Configure endpoints so that they are onboarded to the service.
+keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: iaanw
+author: mjcaparas
 ---
 # Configure Windows Defender ATP endpoints
 **Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+Endpoints in your organization must be configured so that the Windows Defender ATP service can get telemetry from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
-You can use a Group Policy (GP) configuration package, a System Center Configuration Manager (SCCM) package, or an automated script to configure endpoints.
+Windows Defender ATP supports the following deployment tools and methods:
-## Configure with Group Policy
-Using the GP configuration package ensures your endpoints will be correctly configured to report to the Windows Defender ATP service.
+- Group Policy
+- System Center Configuration Manager
+- Mobile Device Management (including Microsoft Intune)
+- Local script
-> **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. The endpoints must be running Windows 10 Insider Preview Build 14332 or later.
-
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
-
- a. Click **Client onboarding** on the **Navigation pane**.
-
- b. Select **Group Policy**, click **Download package** and save the .zip file.
-
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
-
-3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
-
-4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
-
-5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
-
-6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
-
-7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
-
-8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
-
-9. Click **OK** and close any open GPMC windows.
-
-For additional settings, see the [Additional configuration settings section](additional-configuration-windows-defender-advanced-threat-protection.md).
-
-
-## Configure with System Center Configuration Manager
-
-1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
-
- a. Click **Client onboarding** on the **Navigation pane**.
-
- b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file.
-
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
-
-3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
-
-4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
-
- a. Choose a predefined device collection to deploy the package to.
-
-
-## Configure endpoints individually with an automated script
-
-You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
-
-
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
-
- a. Click **Client onboarding** on the **Navigation pane**.
-
- b.
Select **Local Script**, click **Download package** and save the .zip file.
-
-
-2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
-
-3. Open an elevated command-line prompt on the endpoint and run the script:
-
- a. Click **Start** and type **cmd**.
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
- ![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
-
-4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`*
-
-5. Press the **Enter** key or click **OK**.
-
-See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.
-
-## Related topics
-
-- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
-- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
-- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+## In this section
+Topic | Description
+:---|:---
+[Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on endpoints.
+[Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints.
+[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Managment tools or Microsoft Intune to deploy the configuration package on endpoints.
+[Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints.
diff --git a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md
index a3687db1b5..0251ff4352 100644
--- a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md
+++ b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate.
diff --git a/windows/keep-secure/configure-key-exchange-main-mode-settings.md b/windows/keep-secure/configure-key-exchange-main-mode-settings.md
index 097d29b877..dd11e2d12d 100644
--- a/windows/keep-secure/configure-key-exchange-main-mode-settings.md
+++ b/windows/keep-secure/configure-key-exchange-main-mode-settings.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic.
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index e0564e8606..bc045d449a 100644
--- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
 ---
 title: Configure Windows Defender ATP endpoint proxy and Internet connection settings
 description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service.
-keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, web proxy auto detect, wpad, netsh, winhttp, proxy server
+keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -15,171 +15,92 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service. The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service. The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: -- Configure Web Proxy Auto Detect (WPAD) settings and configure Windows to automatically detect the proxy server +- Configure the proxy server manually using a static proxy -- Configure the proxy server manually using Netsh +## Configure the proxy server manually using a static proxy +Configure a static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet. -## Configure Web Proxy Auto Detect (WPAD) settings and proxy server +The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**. 
-Configure WPAD in the environment and configure Windows to automatically detect the proxy server through Policy or the local Windows settings. - -Enable the **Automatically detect settings** option in the Windows Proxy settings so that WinHTTP can use the WPAD feature to locate a proxy server. - -1. Click **Start** and select **Settings**. - -2. Click **Network & Internet**. - -3. Select **Proxy**. - -4. Verify that the **Automatically detect settings** option is set to On. - - ![Image showing the proxy settings configuration page](images/proxy-settings.png) - -5. If the **Use setup script** or **Manual proxy setup** options are enabled then you will need to [configure proxy settings manually by using Netsh](#configure-proxy-server-manually-using-netsh) method for WinHTTP to discover the appropriate proxy settings and connect. - -## Configure the proxy server manually using Netsh - -If **Use setup script** or **Manual proxy setup** settings are configured in the Windows Proxy setting, then endpoints will not be discovered by WinHTTP. -Use Netsh to configure the proxy settings to enable connectivity. - -You can configure the endpoint by using any of these methods: - -- Importing the configured proxy settings to WinHTTP -- Configuring the proxy settings manually to WinHTTP - -After configuring the endpoints, you'll need to verify that the correct proxy settings were applied. - -**Import the configured proxy settings to WinHTTP** - -1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start** and type **cmd**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command and press **Enter**: - - ```text - netsh winhttp import proxy source=ie - ``` - An output showing the applied WinHTTP proxy settings is displayed. - - - **Configure the proxy settings manually to WinHTTP** - - 1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start** and type **cmd**. - - b. 
Right-click **Command prompt** and select **Run as administrator**. - - 2. Enter the following command and press **Enter**: - - ```text - proxy [proxy-server=] ProxyServerName:PortNumber - ``` - Replace *ProxyServerName* with the fully qualified domain name of the proxy server. - - Replace *PortNumber* with the port number that you want to configure the proxy server with. - - An output showing the applied WinHTTP proxy settings is displayed. - - -**Verify that the correct proxy settings were applied** - -1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start** and type **cmd**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command and press **Enter**: +The registry key that this policy sets can be found at: +```HKLM\Software\Policies\Microsoft\Windows\DataCollection TelemetryProxyServer``` +The policy and the registry key takes the following string format: +```text +: ``` -netsh winhttp show proxy -``` +For example: 10.0.0.6:8080 -For more information on how to use Netsh see, [Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)](https://technet.microsoft.com/en-us/library/cc731131(v=ws.10).aspx) +If the static proxy settings are configured after onboarding, then you must restart the PC to apply the proxy settings. ## Enable access to Windows Defender ATP service URLs in the proxy server If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443: -- us.vortex-win.data.microsoft.com -- eu.vortex-win.data.microsoft.com -- sevillegwcus.microsoft.com -- sevillegweus.microsoft.com -- sevillegwweu.microsoft.com -- sevillegwneu.microsoft.com -- www.microsoft.com -- crl.microsoft.com -- \*.blob.core.windows.net +Primary Domain Controller | .Microsoft.com DNS record +:---|:--- + Central US | winatp-gw-cus.microsoft.com
    us.vortex-win.data.microsoft.com
    crl.microsoft.com
    *.blob.core.windows.net + East US (2)| winatp-gw-eus.microsoft.com
    us.vortex-win.data.microsoft.com
    crl.microsoft.com
    *.blob.core.windows.net + West Europe | winatp-gw-weu.microsoft.com
    eu.vortex-win.data.microsoft.com
    crl.microsoft.com
    *.blob.core.windows.net + North Europe | winatp-gw-neu.microsoft.com
    eu.vortex-win.data.microsoft.com
    crl.microsoft.com
    *.blob.core.windows.net + +
    + If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. -If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted to the above listed URLs. ## Verify client connectivity to Windows Defender ATP service URLs Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs. -1. Download the connectivity verification tools to the PC where Windows Defender ATP sensor is running on: +1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Windows Defender ATP sensor is running on. - - [Download PsTools Suite](https://technet.microsoft.com/en-us/sysinternals/bb896649) - - [Download PortQry Command Line Port Scanner Version 2.0 utility](https://www.microsoft.com/en-us/download/details.aspx?id=17148) +2. Extract the contents of WDATPConnectivityAnalyzer on the endpoint. -2. Extract the contents of **PsTools** and **PortQry** to a directory on the computer hard drive. +3. Open an elevated command-line: -3. Open an elevated command-line: - - a. Click **Start** and type **cmd**. + a. Go to **Start** and type **cmd**. b. Right-click **Command prompt** and select **Run as administrator**. 4. Enter the following command and press **Enter**: ``` - HardDrivePath\PsExec.exe -s cmd.exe + HardDrivePath\WDATPConnectivityAnalyzer.cmd ``` - Replace *HardDrivePath* with the path where the PsTools Suite was extracted to: - ![Image showing the command line](images/psexec-cmd.png) - -5. 
Enter the following command and press **Enter**: - + Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example + ```text + C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd ``` - HardDrivePath\portqry.exe -n us.vortex-win.data.microsoft.com -e 443 -p tcp - ``` - Replace *HardDrivePath* with the path where the PortQry utility was extracted to: - ![Image showing the command line](images/portqry.png) -6. Verify that the output shows that the name is **resolved** and connection status is **listening**. +5. Extract the *WDATPConnectivityAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*. -7. Repeat the same steps for the remaining URLs with the following arguments: +6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

    +The tool checks the connectivity of Windows Defender ATP service URLs that Windows Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Windows Defender ATP services. For example: + ```text + Testing URL : https://xxx.microsoft.com/xxx + 1 - Default proxy: Succeeded (200) + 2 - Proxy auto discovery (WPAD): Succeeded (200) + 3 - Proxy disabled: Succeeded (200) + 4 - Named proxy: Doesn't exist + 5 - Command line proxy: Doesn't exist + ``` - - portqry.exe -n eu.vortex-win.data.microsoft.com -e 443 -p tcp - - portqry.exe -n sevillegwcus.microsoft.com -e 443 -p tcp - - portqry.exe -n sevillegweus.microsoft.com -e 443 -p tcp - - portqry.exe -n sevillegwweu.microsoft.com -e 443 -p tcp - - portqry.exe -n sevillegwneu.microsoft.com -e 443 -p tcp - - portqry.exe -n www.microsoft.com -e 80 -p tcp - - portqry.exe -n crl.microsoft.com -e 80 -p tcp +If at least one of the connectivity options returns a (200) status, then the Windows Defender ATP client can communicate with the tested URL properly using this connectivity method.

    -8. Verify that each URL shows that the name is **resolved** and the connection status is **listening**. - -If the any of the verification steps indicate a fail, then verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. +However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. ## Related topics - - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-s-mime.md b/windows/keep-secure/configure-s-mime.md index 7b9906f26d..7169036152 100644 --- a/windows/keep-secure/configure-s-mime.md +++ b/windows/keep-secure/configure-s-mime.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS +localizationpriority: high --- diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..9811157abe --- /dev/null +++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,43 @@ +--- +title: Configure security information and events management tools +description: Configure supported security information and events management tools to receive and consume alerts. +keywords: configure siem, security information and events management tools, splunk, arcsight +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +# Configure security information and events management (SIEM) tools to consume alerts + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. 
+ +Windows Defender ATP currently supports the following SIEM tools: + +- Splunk +- HP ArcSight + +To use either of these supported SIEM tools you'll need to: + +- [Configure an Azure Active Directory application for SIEM integration in your tenant](configure-aad-windows-defender-advanced-threat-protection.md) +- Configure the supported SIEM tool: + - [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) + - [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) + +## In this section + +Topic | Description +:---|:--- +[Configure an Azure Active Directory application](configure-aad-windows-defender-advanced-threat-protection.md)| Learn about configuring an Azure Active Directory application to integrate with supported security information and events management (SIEM) tools. + [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to consume Windows Defender ATP alerts. + [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to consume Windows Defender ATP alerts. diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..fc3fe7916f --- /dev/null +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,110 @@ +--- +title: Configure Splunk to consume Windows Defender ATP alerts +description: Configure Splunk to receive and consume alerts from the Windows Defender ATP portal. +keywords: configure splunk, security information and events management tools, splunk +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +# Configure Splunk to consume Windows Defender ATP alerts + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +You'll need to configure Splunk so that it can consume Windows Defender ATP alerts. + +## Before you begin + +- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk +- Contact the Windows Defender ATP team to get your refresh token +- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: + - OAuth 2 Token refresh URL + - OAuth 2 Client ID + - OAuth 2 Client secret + +## Configure Splunk + +1. Login in to Splunk. + +2. Click **Search & Reporting**, then **Settings** > **Data inputs**. + +3. Click **REST** under **Local inputs**. +> [!NOTE] +> This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/). + +4. Click **New**. + +5. Type the following values in the required fields, then click **Save**: +> [!NOTE] +>All other values in the form are optional and can be left blank. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldValue
    Endpoint URL https://DataAccess-PRD.trafficmanager.net:444/api/alerts
    HTTP MethodGET
    Authentication Typeoauth2
    OAuth 2 Token Refresh URL Value taken from AAD application
    OAuth 2 Client IDValue taken from AAD application
    OAuth 2 Client SecretValue taken from AAD application
    Response typeJson
    Response HandlerJSONArrayHandler
    Polling IntervalNumber of seconds that Splunk will ping the Windows Defender ATP endpoint. Accepted values are in seconds.
    Set sourcetypeFrom list
    Source type\_json
    + +After completing these configuration steps, you can go to the Splunk dashboard and run queries. + +You can use the following query as an example in Splunk:
    +```source="rest://windows atp alerts"|spath|table*``` + + +## Related topics +- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) +- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) +- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-the-windows-firewall-log.md b/windows/keep-secure/configure-the-windows-firewall-log.md index 0784a64b85..086d294c27 100644 --- a/windows/keep-secure/configure-the-windows-firewall-log.md +++ b/windows/keep-secure/configure-the-windows-firewall-log.md @@ -14,7 +14,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in. diff --git a/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md index 89b5eb68e9..3b75bc141f 100644 --- a/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md +++ b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. 
diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md index b52b5f6c57..71ec31b565 100644 --- a/windows/keep-secure/configure-windows-defender-in-windows-10.md +++ b/windows/keep-secure/configure-windows-defender-in-windows-10.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Defender in Windows 10 (Windows 10) +title: Configure and use Windows Defender in Windows 10 description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D ms.prod: w10 @@ -14,7 +14,9 @@ author: jasesso **Applies to** - Windows 10 -IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). +You can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). + +You can also enable and configure the Microsoft Active Protection Service to ensure endpoints are protected by cloud-based protection technologies. ## Configure definition updates diff --git a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index b4990058e6..057dd20255 100644 --- a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md index 0423277e45..c64746932b 100644 --- a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md +++ b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices. diff --git a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md index 694250fe3b..0b0fc49d34 100644 --- a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in. 
@@ -47,4 +47,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr 12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**. -13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016 Technical Preview, then select a WMI filter that allows only those devices to read and apply the GPO. +13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO. diff --git a/windows/keep-secure/create-a-group-account-in-active-directory.md b/windows/keep-secure/create-a-group-account-in-active-directory.md index 6aeb64d983..6ada08d53f 100644 --- a/windows/keep-secure/create-a-group-account-in-active-directory.md +++ b/windows/keep-secure/create-a-group-account-in-active-directory.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console. diff --git a/windows/keep-secure/create-a-group-policy-object.md b/windows/keep-secure/create-a-group-policy-object.md index 42a0e5ae62..bdd41a37ca 100644 --- a/windows/keep-secure/create-a-group-policy-object.md +++ b/windows/keep-secure/create-a-group-policy-object.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To create a new GPO, use the Active Directory Users and Computers MMC snap-in. 
diff --git a/windows/keep-secure/create-an-authentication-exemption-list-rule.md b/windows/keep-secure/create-an-authentication-exemption-list-rule.md index b0a4ec1118..e48455f5e9 100644 --- a/windows/keep-secure/create-an-authentication-exemption-list-rule.md +++ b/windows/keep-secure/create-an-authentication-exemption-list-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. diff --git a/windows/keep-secure/create-an-authentication-request-rule.md b/windows/keep-secure/create-an-authentication-request-rule.md index 1c947f68f9..42617dc699 100644 --- a/windows/keep-secure/create-an-authentication-request-rule.md +++ b/windows/keep-secure/create-an-authentication-request-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate. diff --git a/windows/keep-secure/create-an-inbound-icmp-rule.md b/windows/keep-secure/create-an-inbound-icmp-rule.md index f76bba3007..83983389da 100644 --- a/windows/keep-secure/create-an-inbound-icmp-rule.md +++ b/windows/keep-secure/create-an-inbound-icmp-rule.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. diff --git a/windows/keep-secure/create-an-inbound-port-rule.md b/windows/keep-secure/create-an-inbound-port-rule.md index e2a911293f..212bf9a8fc 100644 --- a/windows/keep-secure/create-an-inbound-port-rule.md +++ b/windows/keep-secure/create-an-inbound-port-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. diff --git a/windows/keep-secure/create-an-inbound-program-or-service-rule.md b/windows/keep-secure/create-an-inbound-program-or-service-rule.md index 51524c047d..62c8e83e1b 100644 --- a/windows/keep-secure/create-an-inbound-program-or-service-rule.md +++ b/windows/keep-secure/create-an-inbound-program-or-service-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. 
diff --git a/windows/keep-secure/create-an-outbound-port-rule.md b/windows/keep-secure/create-an-outbound-port-rule.md index 98c85d581c..9a06f49266 100644 --- a/windows/keep-secure/create-an-outbound-port-rule.md +++ b/windows/keep-secure/create-an-outbound-port-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. diff --git a/windows/keep-secure/create-an-outbound-program-or-service-rule.md b/windows/keep-secure/create-an-outbound-program-or-service-rule.md index 342e863ffd..2e7e5c2e1e 100644 --- a/windows/keep-secure/create-an-outbound-program-or-service-rule.md +++ b/windows/keep-secure/create-an-outbound-program-or-service-rule.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md new file mode 100644 index 0000000000..4f1cf1dfd9 --- /dev/null +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md 
@@ -0,0 +1,108 @@ +--- +title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) +description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +--- + +# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. + +The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. + +>**Important**
    +If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

    If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. + +**To manually create an EFS DRA certificate** + +1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. + +2. Run this command: + + `cipher /r:` + + Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. + +3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. + + The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. + + >**Important**
    + Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. + +4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. + + >**Note**
    + To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. + +**To verify your data recovery certificate is correctly set up on a WIP client computer** + +1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP. + +2. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP. + +3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: + + `cipher /c ` + + Where *<filename>* is the name of the file you created in Step 1. + +4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. + +**To recover your data using the EFS DRA certificate in a test environment** + +1. Copy your WIP-encrypted file to a location where you have admin access. + +2. Install the EFSDRA.pfx file, using its password. + +3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: + + `cipher /d ` + + Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. + +**To quickly recover WIP-protected desktop data after unenrollment**
    +It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps. + +>**Important**
    To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. + +1. Have your employee sign in to the unenrolled device, open a command prompt, and type: + + `Robocopy “%localappdata%\Microsoft\WIP\Recovery” <“new_location”> /EFSRAW` + + Where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. + +2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: + + `cipher.exe /D <“new_location”>` + +3. Have your employee sign in to the unenrolled device, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\WIP\Recovery\Input”` + +4. Ask the employee to lock and unlock the device. + + The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. + +## Related topics +- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) + +- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx) + +- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) + +- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) + +- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA) + + + diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md index 17b58ff4b3..77a7c0ee85 100644 --- a/windows/keep-secure/create-edp-policy-using-intune.md 
+++ b/windows/keep-secure/create-edp-policy-using-intune.md @@ -1,387 +1,5 @@ --- title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. -ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721 -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# Create an enterprise data protection (EDP) policy using Microsoft Intune -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. - -## Important note about the June service update -We've received some great feedback from you, our Windows 10 Insider Preview customers, about our enterprise data protection experiences and processes. Because of that feedback, we're delighted to deliver an enhanced apps policy experience with the June service update. This means that when you open an existing enterprise data protection policy after we release the June service update in your test environment, your existing Windows 10 enterprise data protection app rules (formerly in the **Protected Apps** area) will be removed.

    To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing enterprise data protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules. - -![Microsoft Intune: Reconfigure app rules list dialog box](images/edp-intune-app-reconfig-warning.png) - -Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list. - -## Add an EDP policy -After you’ve installed and set up Intune for your organization, you must create an EDP-specific policy. - -**To add an EDP policy** -1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. - -2. Go to **Windows**, click the **Enterprise Data Protection (Windows 10 and Mobile and later) policy**, pick the EDP template, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. - - ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) - -3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - - ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-namedescription.png) - -## Add individual apps to your Protected App list -During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. 
Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. - -The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Desktop app, also known as a Classic Windows application. - ->**Important**
    EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.

    - ->**Note**
    If you want to use **File hash** or **Path** rules, instead of Publisher rules, you must follow the steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic. - -**To add a UWP app** - -1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.** - -2. Click **Universal App**, type the **Publisher Name** and the **Product Name** into the associated boxes, and then click **OK**. If you don't have the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. - - **To find the Publisher and Product name values for Microsoft Store apps without installing them** - - 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. - - >**Note**
    If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the **Protected App** list. For info about how to do this, see the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic. - - 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. - - 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/*9wzdncrfhvjl*/applockerdata, where *9wzdncrfhvjl* is replaced with your ID value. -

    - The API runs and opens a text editor with the app details. - - ``` json - { - "packageIdentityName": "Microsoft.Office.OneNote", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` - 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. - - >**Important**
    The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. -

    For example:
    - ``` json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` - - ![Microsoft Intune: Add a UWP app to the Protected Apps list](images/intune-addapps.png) - - **To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones** - - 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - - >**Note**
    Your PC and phone must be on the same wireless network. - - 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. - - 3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. - - 4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. - - 5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. - - 6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. - - 7. Start the app for which you're looking for the publisher and product name values - - 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - - >**Important**
    The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. -

    For example:
    - ``` json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` - -**To add a Classic Windows application** - -1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.** -

    A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**. - -2. Click **Desktop App**, pick the options you want (see table), and then click **OK**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    OptionManages
    All fields left as "*"All files signed by any publisher. (Not recommended.)
    Publisher selectedAll files signed by the named publisher.

    This might be useful if your company is the publisher and signer of internal line-of-business apps.

    Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
    Publisher, Product Name, and File Name selectedAny version of the named file or package for the specified product, signed by the named publisher.
    Publisher, Product Name, File Name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
    Publisher, Product Name, File Name, and File Version, And above selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

    This option is recommended for enlightened apps that weren't previously enlightened.

    Publisher, Product Name, File Name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
    - -If you’re unsure about what to include for the publisher, you can run this PowerShell command: - -``` ps1 -Get-AppLockerFileInformation -Path "" -``` -Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. - -In this example, you'd get the following info: - -``` json -Path Publisher ----- --------- -%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... -``` -Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. - -![Microsoft Intune: Add a Classic Windows app to the Protected Apps list](images/intune-add-desktop-app.png) - -## Exempt apps from EDP restrictions -If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. - -**To exempt an UWP app** - -1. Follow the **Add a UWP app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic, through to Step 11. - -2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/edpexempt/StoreApp EXE`.

    Where **edpexempt** is added as a substring, making the app exempt. - -3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. - -4. Copy the text that has a **Type** of Appx, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: - - ``` - - ``` - -5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

    After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic. - -**To exempt a Classic Windows application** - -1. Follow the **Add a Classic Windows application app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic, through to Step 11. - -2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/edpexempt/EXE`.

    Where **edpexempt** is added as a substring, making the app exempt. - -3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. - -4. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: - - ``` - - ``` - -5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

    After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic. - -## Manage the EDP protection level for your enterprise data -After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode. - -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. - - - - - - - - - - - - - - - - - - - - - - -
    ModeDescription
    BlockEDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.
    OverrideEDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459).
    SilentEDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.
    OffEDP is turned off and doesn't help to protect or audit your data.

    After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.

    - -![Microsoft Intune: Add the protection level for your Protected Apps list](images/intune-encryption-level.png) - -## Define your enterprise-managed identity domains -Specify your company’s enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list. - -You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com. - -This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed. - -**To add your primary domain** - -- Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.

    -If you have multiple domains, you must separate them with the "|" character. For example, `contoso.com|fabrikam.com`. - - ![Microsoft Intune: Add the primary internet domain for your enterprise identity](images/intune-primary-domain.png) - -## Choose where apps can access enterprise data -After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.

    -There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). - ->**Important**
    -- Every EDP policy should include policy that defines your enterprise network locations.

    -- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations. - -**To specify where your protected apps can find and send enterprise data on the network** - -1. Add additional network locations your apps can access by clicking **Add**, typing a description into the **Description** box, and then choosing your location type, including: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Network location typeFormatDescription
    Enterprise Cloud Resources**With proxy:**

    contoso.sharepoint.com,proxy.contoso.com|
    contoso.visualstudio.com,proxy.contoso.com

    **Without proxy:**

    contoso.sharepoint.com|contoso.visualstudio.com

    Specify the cloud resources to be treated as corporate and protected by EDP.

    For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example:

    `URL <,proxy>|URL <,proxy>`

    If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example:

    `URL <,proxy>|URL <,proxy>|/*AppCompat*/`

    Enterprise Network Domain Namesdomain1.contoso.com,domain2.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

    If you have multiple resources, you must separate them using the "," delimiter.

    Enterprise Proxy Serversdomain1.contoso.com:80;
    domain2.contoso.com:137
    Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP.

    This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic.

    This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

    If you have multiple resources, you must separate them using the ";" delimiter.

    Enterprise Internal Proxy Serversproxy1.contoso.com;
    proxy2.contoso.com
    Specify the proxy servers your devices will go through to reach your cloud resources.

    Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

    This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.

    Enterprise IPv4 Range**Starting IPv4 Address:** 3.4.0.1
    **Ending IPv4 Address:** 3.4.255.254
    **Custom URI:** 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254
    Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.

    Enterprise IPv6 Range**Starting IPv6 Address:** 2a01:110::
    **Ending IPv6 Address:** 2a01:110:7fff:ffff:
    ffff:ffff:ffff:ffff
    **Custom URI:** 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.

    - - ![Microsoft Intune: Choose the primary domain and the other network locations for protected apps](images/intune-networklocation.png) - -2. Add as many locations as you need, and then click **OK**.

    The **Add or Edit Enterprise Network Locations box** closes. - -3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.

    After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.

    For steps about how to create and verify an EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) DRA certificate](#create-and-verify-an-encrypting-file-system-efs-dra-certificate) section of this topic. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.

    - - ![Microsoft Intune: Specify a data recovery certificate for your policy](images/intune-data-recovery.png) - -### Create and verify an Encrypting File System (EFS) DRA certificate -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. - ->**Important**
    -If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. To add your EFS DRA certificate to your policy by using Microsoft Intune, see Step 3 in the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. - -**To manually create an EFS DRA certificate** -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. - -2. Run this command: - - `cipher /r:` - - Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - >**Important**
    - Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. - -**To verify your data recovery certificate is correctly set up on an EDP client computer** -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c ` - - Where *<filename>* is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** -1. Copy your EDP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d ` - - Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. - -## Choose your optional EDP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings. - -**To add your optional settings** - -1. 
Choose to set any or all of the optional EDP-related settings: - - - **Allow the user to decrypt data that was created or edited by the apps configured above.** Clicking **Yes**, or turning off this setting in Intune, lets your employees right-click to decrypt their protected app data, along with the option to decrypt data in the **Save As** box and the **Save As** file picker . Clicking **No** removes the **Decrypt** option and saves all data for protected apps as enterprise-encrypted. - - - **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone. - - ![Microsoft Intune: Optional EDP settings](images/intune-edpsettings.png) - -2. Click **Save Policy**. - -## Related topics -- [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) -- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) -- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) -- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) - - - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune +--- \ No newline at end of file diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md index 9fd513eda2..354503af96 100644 --- a/windows/keep-secure/create-edp-policy-using-sccm.md +++ b/windows/keep-secure/create-edp-policy-using-sccm.md 
@@ -1,541 +1,5 @@ --- title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10) description: Configuration Manager (version 1606 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. -ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 -keywords: EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview -- System Center Configuration Manager (version 1605 Tech Preview or later) - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -System Center Configuration Manager (version 1605 Tech Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection mode, and how to find enterprise data on the network. - ->**Important**
    -If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1605 Tech Preview or later. Editing an EDP policy created in version 1511 or 1602 is not supported in version 1605 Tech Preview. There is no migration path between EDP policies across these versions. - -## Add an EDP policy -After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy. - -**To create a configuration item for EDP** - -1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. - - ![System Center Configuration Manager, Configuration Items screen](images/edp-sccm-addpolicy.png) - -2. Click the **Create Configuration Item** button.

    -The **Create Configuration Item Wizard** starts. - - ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/edp-sccm-generalscreen.png) - -3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - -4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**. - - - **Settings for devices managed with the Configuration Manager client:** Windows 10 - - -OR- - - - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10 - -5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. - - ![Create Configuration Item wizard, choose the supported platforms for the policy](images/edp-sccm-supportedplat.png) - -6. On the **Device Settings** screen, click **Enterprise data protection**, and then click **Next**. - - ![Create Configuration Item wizard, choose the enterprise data protection settings](images/edp-sccm-devicesettings.png) - -The **Configure enterprise data protection settings** page appears, where you'll configure your policy for your organization. - -### Add app rules to your policy -During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. - -The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file. - ->**Important**
    -EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

    Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. - -#### Add a store app rule to your policy -For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. - -**To add a store app** - -1. From the **App rules** area, click **Add**. - - The **Add app rule** box appears. - - ![Create Configuration Item wizard, add a universal store app](images/edp-sccm-adduniversalapp.png) - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. - -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. - - Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section. - -4. Pick **Store App** from the **Rule template** drop-down list. - - The box changes to show the store app rule options. - -5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. - -If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. - -**To find the Publisher and Product Name values for Store apps without installing them** - -1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. - - >**Note**
    - If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. - -2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. - -3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. - - The API runs and opens a text editor with the app details. - - ``` json - { - "packageIdentityName": "Microsoft.Office.OneNote", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` - -4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. - - >**Important**
    - The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

    For example: - ```json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` - -**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** -1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - - >**Note**
    - Your PC and phone must be on the same wireless network. - -2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. - -3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. - -4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. - -5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. - -6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. - -7. Start the app for which you're looking for the publisher and product name values. - -8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - - >**Important**
    - The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

    For example: - ```json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` - -#### Add a desktop app rule to your policy -For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. - -**To add a desktop app to your policy** -1. From the **App rules** area, click **Add**. - - The **Add app rule** box appears. - - ![Create Configuration Item wizard, add a classic desktop app](images/edp-sccm-adddesktopapp.png) - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. - -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. - - Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section. - -4. Pick **Desktop App** from the **Rule template** drop-down list. - - The box changes to show the desktop app rule options. - -5. Pick the options you want to include for the app rule (see table), and then click **OK**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    OptionManages
    All fields left as “*”All files signed by any publisher. (Not recommended.)
    Publisher selectedAll files signed by the named publisher.

    This might be useful if your company is the publisher and signer of internal line-of-business apps.

    Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
    Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
    Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

    This option is recommended for enlightened apps that weren't previously enlightened.

    Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
    Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
    - -If you’re unsure about what to include for the publisher, you can run this PowerShell command: - -```ps1 -Get-AppLockerFileInformation -Path "" -``` -Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. - -In this example, you'd get the following info: - -``` json -Path Publisher ----- --------- -%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... -``` -Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. - -#### Add an AppLocker policy file -For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content. - -**To create an app rule and xml file using the AppLocker tool** -1. Open the Local Security Policy snap-in (SecPol.msc). - -2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - - ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) - -3. Right-click in the right-hand pane, and then click **Create New Rule**. - - The **Create Packaged app Rules** wizard appears. - -4. On the **Before You Begin** page, click **Next**. - - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) - -5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) - -6. 
On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - - ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) - -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. - - ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) - -8. On the updated **Publisher** page, click **Create**. - - ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) - -9. Review the Local Security Policy snap-in to make sure your rule is correct. - - ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) - -10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. - - The **Export policy** box opens, letting you export and save your new policy as XML. - - ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) - -11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. - - The policy is saved and you’ll see a message that says 1 rule was exported from the policy. - - **Example XML file**
    - This is the XML file that AppLocker creates for Microsoft Photos. - - ```xml - - - - - - - - - - - - - - - - ``` -12. After you’ve created your XML file, you need to import it by using System Center Configuration Manager. - -**To import your Applocker policy file app rule using 1System Center Configuration Manager** -1. From the **App rules** area, click **Add**. - - The **Add app rule** box appears. - - ![Create Configuration Item wizard, add an AppLocker policy](images/edp-sccm-addapplockerfile.png) - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. - -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. - - Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section. - -4. Pick the **AppLocker policy file** from the **Rule template** drop-down list. - - The box changes to let you import your AppLocker XML policy file. - -5. Click the ellipsis (...) to browse for your AppLocker XML file, click **Open**, and then click **OK** to close the **Add app rule** box. - - The file is imported and the apps are added to your **App Rules** list. - -#### Exempt apps from EDP restrictions -If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. - -**To exempt a store app, a desktop app, or an AppLocker policy file app rule** - -1. From the **App rules** area, click **Add**. - - The **Add app rule** box appears. - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. - -3. 
Click **Exempt** from the **Enterprise data protection mode** drop-down list. - - Be aware that when you exempt apps, they’re allowed to bypass the EDP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. - -4. Fill out the rest of the app rule info, based on the type of rule you’re adding: - - - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. - - - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. - - - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. - -5. Click **OK**. - -### Manage the EDP-protection level for your enterprise data -After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode. - -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. - -|Mode |Description | -|-----|------------| -|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| -|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. 
However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | -|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.| -|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data.

    After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.| - -![Create Configuration Item wizard, choose your EDP-protection level](images/edp-sccm-appmgmt.png) - -### Define your enterprise-managed identity domains -Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies. - -You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. - -**To add your corporate identity** - -- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. - - ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/edp-sccm-corp-identity.png) - -### Choose where apps can access enterprise data -After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. - -There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). - ->**Important**
    -- Every EDP policy should include policy that defines your enterprise network locations. -- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations. - -**To define where your protected apps can find and send enterprise data on you network** - -1. Add additional network locations your apps can access by clicking **Add**. - - The **Add or edit corporate network definition** box appears. - -2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - - ![Add or edit corporate network definition box, Add your enterprise network locations](images/edp-sccm-add-network-domain.png) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Network location typeFormatDescription
    Enterprise Cloud Resources**With proxy:** contoso.sharepoint.com,proxy.contoso.com|
    contoso.visualstudio.com,proxy.contoso.com

    **Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com

    Specify the cloud resources to be treated as corporate and protected by EDP.

    For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.

    If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`

    Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

    If you have multiple resources, you must separate them using the "," delimiter.

    Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:137Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP.

    This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic.

    This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

    If you have multiple resources, you must separate them using the ";" delimiter.

    Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

    Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

    This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.

    Enterprise IPv4 Range (Required)**Starting IPv4 Address:** 3.4.0.1
    **Ending IPv4 Address:** 3.4.255.254
    **Custom URI:** 3.4.0.1-3.4.255.254,
    10.0.0.1-10.255.255.254
    Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.

    Enterprise IPv6 Range**Starting IPv6 Address:** 2a01:110::
    **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
    **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.

    Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

    These locations are considered enterprise or personal, based on the context of the connection before the redirection.

    If you have multiple resources, you must separate them using the "," delimiter.

    - -3. Add as many locations as you need, and then click **OK**. - - The **Add or edit corporate network definition** box closes. - -4. Decide if you want to Windows to look for additional network settings. - - ![Create Configuration Item wizard, Add whether to search for additional network settings](images/edp-sccm-optsettings.png) - - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. - - - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. - - - **Show the enterprise data protection icon overlay on your allowed apps that are EDP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the enterprise data protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps. - -5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - - After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. 
To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - - For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. - - ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/edp-sccm-dra.png) - -#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. - ->**Important**
    If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. - -**To manually create an EFS DRA certificate** -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. -2. Run this command: - - `cipher /r:`
    Where `` is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - **Important**
    Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. - -**To verify your data recovery certificate is correctly set up on an EDP client computer** -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c `
    Where `` is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** -1. Copy your EDP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d `
    Where `` is the name of your encrypted file. For example, corporatedata.docx. - -### Choose your optional EDP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings. - -![Create Configuration Item wizard, Choose any additional, optional settings](images/edp-sccm-additionalsettings.png) - -**To set your optional settings** -1. Choose to set any or all of the optional settings: - - - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: - - - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. - - - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. - - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether apps can show corporate data on a Windows 10 Mobile device **Lock** screen. The options are: - - - **Yes (recommended).** Stop apps from reading corporate data on Windows 10 Mobile device when the screen is locked. - - - **No, or not configured.** Allows apps to read corporate data on Windows 10 Mobile device when the screen is locked. - - - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. 
The options are: - - - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. - - - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - - **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from enterprise data protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. - -2. After you pick all of the settings you want to include, click **Summary**. - -### Review your configuration choices in the Summary screen -After you've finished configuring your policy, you can review all of your info on the **Summary** screen. - -**To view the Summary screen** -- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. - - ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/edp-sccm-summaryscreen.png) - - A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. - - -## Deploy the EDP policy -After you’ve created your EDP policy, you'll need to deploy it to your organization's devices. 
For info about your deployment options, see these topics:
-- [Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=708224)
-- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708225)
-- [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226)
-
-## Related topics
-- [System Center Configuration Manager and Endpoint Protection (Version 1606)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
-- [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623)
-- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624)
\ No newline at end of file
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-sccm
+---
\ No newline at end of file
diff --git a/windows/keep-secure/create-inbound-rules-to-support-rpc.md b/windows/keep-secure/create-inbound-rules-to-support-rpc.md
index 0ba04d529e..a7cf60c649 100644
--- a/windows/keep-secure/create-inbound-rules-to-support-rpc.md
+++ b/windows/keep-secure/create-inbound-rules-to-support-rpc.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to** - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016 To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
diff --git a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md
index 760968b092..edd007a4f0 100644
--- a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md
+++ b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md
@@ -1,119 +1,5 @@ --- title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10) description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy. -ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b -keywords: EDP, Enterprise Data Protection -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy. - -## Create your VPN policy using Microsoft Intune -Follow these steps to create the VPN policy you want to use with EDP. - -**To create your VPN policy** - -1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. - -2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. - - ![Microsoft Intune: Create a new policy using the New Policy screen](images/intune-vpn-createpolicy.png) - -3. Type *EdpModeID* into the **Name** box, along with an optional description for your policy into the **Description** box. - - ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-titledescription.png) - -4. 
In the **VPN Settings** area, type the following info: - - - **VPN connection name.** This name is also what appears to your employees, so it's important that it be clear and understandable. - - - **Connection type.** Pick the connection type that matches your infrastructure. The options are **Pulse Secure**, **F5 Edge Client**, **Dell SonicWALL Mobile Connect**, or **Check Point Capsule VPN**. - - - **VPN server description.** A descriptive name for this connection. Only you will see it, but it should be unique and readable. - - - **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN). - - ![Microsoft Intune: Fill in the VPN Settings area](images/intune-vpn-vpnsettings.png) - -5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.

    -It's your choice whether you check the box to **Remember the user credentials at each logon**. - - ![Microsoft Intune: Choose the Authentication Method for your VPN system](images/intune-vpn-authentication.png) - -6. You can leave the rest of the default or blank settings, and then click **Save Policy**. - -## Deploy your VPN policy using Microsoft Intune -After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your enterprise data protection (EDP) policy. - -**To deploy your VPN policy** - -1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. - -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

    -The added people move to the **Selected Groups** list on the right-hand pane. - - ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-deploy-vpn.png) - -3. After you've picked all of the employees and groups that should get the policy, click **OK**.

    -The policy is deployed to the selected users' devices. - -## Link your EDP and VPN policies and deploy the custom configuration policy -The final step to making your VPN configuration work with EDP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EdpModeID** setting, and then deploying the policy to the same group you deployed your EDP and VPN policies - -**To link your VPN policy** - -1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. - -2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. - - ![Microsoft Intune: Create a new policy from the New Policy screen](images/intune-vpn-customconfig.png) - -3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - - ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-edpmodeid.png) - -4. In the **OMA-URI Settings** area, click **Add** to add your **EdpModeID** info. - -5. In the **OMA-URI Settings** area, type the following info: - - - **Setting name.** Type **EdpModeID** as the name. - - - **Data type.** Pick the **String** data type. - - - **OMA-URI.** Type `./Vendor/MSFT/VPNv2//EdpModeId`, replacing *<your\_edp\_policy\_name>* with the name you gave to your EDP policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EdpModeId`. - - - **Value.** Your fully-qualified domain that should be used by the OMA-URI setting. - - ![Microsoft Intune: Fill in the OMA-URI Settings for the EdpModeID setting](images/intune-vpn-omaurisettings.png) - -6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.** - - - **To deploy your linked policy** - -1. 
On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. - -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. The added people move to the **Selected Groups** list on the right-hand pane. - -3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices. - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune +--- \ No newline at end of file diff --git a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md new file mode 100644 index 0000000000..90c3dffb25 --- /dev/null +++ b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md 
@@ -0,0 +1,114 @@ +--- +title: Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune (Windows 10) +description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. +ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b +keywords: WIP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. + +## Create your VPN policy using Microsoft Intune +Follow these steps to create the VPN policy you want to use with WIP. + +**To create your VPN policy** + +1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. + +2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. + + ![Microsoft Intune: Create a new policy using the New Policy screen](images/intune-vpn-createpolicy.png) + +3. Type *WIPModeID* into the **Name** box, along with an optional description for your policy into the **Description** box. + + ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-titledescription.png) + +4. In the **VPN Settings** area, type the following info: + + - **VPN connection name.** This name is also what appears to your employees, so it's important that it be clear and understandable. 
+ + - **Connection type.** Pick the connection type that matches your infrastructure. The options are **Pulse Secure**, **F5 Edge Client**, **Dell SonicWALL Mobile Connect**, or **Check Point Capsule VPN**. + + - **VPN server description.** A descriptive name for this connection. Only you will see it, but it should be unique and readable. + + - **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN). + + ![Microsoft Intune: Fill in the VPN Settings area](images/intune-vpn-vpnsettings.png) + +5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.

    +It's your choice whether you check the box to **Remember the user credentials at each logon**. + + ![Microsoft Intune: Choose the Authentication Method for your VPN system](images/intune-vpn-authentication.png) + +6. You can leave the rest of the default or blank settings, and then click **Save Policy**. + +## Deploy your VPN policy using Microsoft Intune +After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy. + +**To deploy your VPN policy** + +1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. + +2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

    +The added people move to the **Selected Groups** list on the right-hand pane. + + ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-deploy-vpn.png) + +3. After you've picked all of the employees and groups that should get the policy, click **OK**.

    +The policy is deployed to the selected users' devices. + +## Link your WIP and VPN policies and deploy the custom configuration policy +The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **WIPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies + +**To link your VPN policy** + +1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. + +2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. + + ![Microsoft Intune: Create a new policy from the New Policy screen](images/intune-vpn-customconfig.png) + +3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + + ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-wipmodeid.png) + +4. In the **OMA-URI Settings** area, click **Add** to add your **WIPModeID** info. + +5. In the **OMA-URI Settings** area, type the following info: + + - **Setting name.** Type **WIPModeID** as the name. + + - **Data type.** Pick the **String** data type. + + - **OMA-URI.** Type `./Vendor/MSFT/VPNv2//WIPModeId`, replacing *<your\_wip\_policy\_name>* with the name you gave to your WIP policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/WIPModeId`. + + - **Value.** Your fully-qualified domain that should be used by the OMA-URI setting. + + ![Microsoft Intune: Fill in the OMA-URI Settings for the WIPModeID setting](images/intune-vpn-omaurisettings.png) + +6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.** + + + **To deploy your linked policy** + +1. 
On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
+
+2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. The added people move to the **Selected Groups** list on the right-hand pane.
+
+3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices.
+
+
+
+
+
diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md
new file mode 100644
index 0000000000..4a8a8e9052
--- /dev/null
+++ b/windows/keep-secure/create-wip-policy-using-intune.md
@@ -0,0 +1,472 @@ +--- +title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10) +description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721 +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Create a Windows Information Protection (WIP) policy using Microsoft Intune +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. + +## Important note about the June service update for Insider Preview +We've received some great feedback from you, our Windows 10 Insider Preview customers, about our Windows Information Protection experiences and processes. Because of that feedback, we're delighted to deliver an enhanced apps policy experience with the June service update. This means that when you open an existing Windows Information Protection policy after we release the June service update in your test environment, your existing Windows 10 Windows Information Protection app rules (formerly in the **Protected Apps** area) will be removed.

    To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing Windows Information Protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules. + +![Microsoft Intune: Reconfigure app rules list dialog box](images/wip-intune-app-reconfig-warning.png) + +Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list. + +## Add a WIP policy +After you’ve set up Intune for your organization, you must create a WIP-specific policy. + +**To add a WIP policy** +1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. + +2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. + + ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) + +3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + + ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) + +### Add app rules to your policy +During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. 
+ +The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. + +>**Important**
    WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

    Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. + +>**Note**
    +If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + +#### Add a store app rule to your policy +For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. + +**To add a store app** +1. From the **App Rules** area, click **Add**. + + The **Add App Rule** box appears. + + ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. + +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. + + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + +4. Pick **Store App** from the **Rule template** drop-down list. + + The box changes to show the store app rule options. + +5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. + +If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. + +**To find the Publisher and Product Name values for Store apps without installing them** +1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. + + >**Note**
    + If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + +2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. + +3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. + + The API runs and opens a text editor with the app details. + + ```json + { + "packageIdentityName": "Microsoft.Office.OneNote", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` + +4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. + + >**Important**
    + The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

    For example: + + ```json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` + +**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** +1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. + + >**Note**
    Your PC and phone must be on the same wireless network. + +2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. + +3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. + +4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. + +5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. + +6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. + +7. Start the app for which you're looking for the publisher and product name values. + +8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. + + >**Important**
    + The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

    For example:
    + + ``` json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` + +#### Add a desktop app rule to your policy +For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. + +**To add a desktop app** +1. From the **App Rules** area, click **Add**. + + The **Add App Rule** box appears. + + ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. + +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. + + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + +4. Pick **Desktop App** from the **Rule template** drop-down list. + + The box changes to show the store app rule options. + +5. Pick the options you want to include for the app rule (see table), and then click **OK**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    OptionManages
    All fields left as “*”All files signed by any publisher. (Not recommended.)
    Publisher selectedAll files signed by the named publisher.

    This might be useful if your company is the publisher and signer of internal line-of-business apps.

    Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
    Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
    Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

    This option is recommended for enlightened apps that weren't previously enlightened.

    Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
    Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
    + +If you’re unsure about what to include for the publisher, you can run this PowerShell command: + +```ps1 + Get-AppLockerFileInformation -Path "" +``` +Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. + +In this example, you'd get the following info: + +``` json + Path Publisher + ---- --------- + %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... +``` +Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. + +#### Add an AppLocker policy file +For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. + +**To create an app rule and xml file using the AppLocker tool** +1. Open the Local Security Policy snap-in (SecPol.msc). + +2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. + + ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) + +3. Right-click in the right-hand pane, and then click **Create New Rule**. + + The **Create Packaged app Rules** wizard appears. + +4. On the **Before You Begin** page, click **Next**. + + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) + +5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. + + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) + +6. 
On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. + + ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) + +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. + + ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) + +8. On the updated **Publisher** page, click **Create**. + + ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) + +9. Review the Local Security Policy snap-in to make sure your rule is correct. + + ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) + +10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. + + The **Export policy** box opens, letting you export and save your new policy as XML. + + ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) + +11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. + + The policy is saved and you’ll see a message that says 1 rule was exported from the policy. + + **Example XML file**
    + This is the XML file that AppLocker creates for Microsoft Photos. + + ```xml + + + + + + + + + + + + + + + + ``` +12. After you’ve created your XML file, you need to import it by using Microsoft Intune. + +**To import your Applocker policy file app rule using Microsoft Intune** +1. From the **App Rules** area, click **Add**. + + The **Add App Rule** box appears. + + ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. + +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. + + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + +4. Pick **AppLocker policy file** from the **Rule template** drop-down list. + + The box changes to let you import your AppLocker XML policy file. + +5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box. + + The file is imported and the apps are added to your **App Rules** list. + +#### Exempt apps from WIP restrictions +If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. + +**To exempt a store app, a desktop app, or an AppLocker policy file app rule** +1. From the **App Rules** area, click **Add**. + + The **Add App Rule** box appears. + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. + +3. 
Click **Exempt** from the **Windows Information Protection mode** drop-down list. + + Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. + +4. Fill out the rest of the app rule info, based on the type of rule you’re adding: + + - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. + + - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. + + - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. + +5. Click **OK**. + +### Manage the WIP protection mode for your enterprise data +After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. + +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. + +|Mode |Description | +|-----|------------| +|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. 
However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | +|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| +|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.| + +![Microsoft Intune, Set the protection mode for your data](images/intune-protection-mode.png) + +### Define your enterprise-managed corporate identity +Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. + +You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. + +**To add your corporate identity** +- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. + + ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) + +### Choose where apps can access enterprise data +After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. + +There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). + +>**Important** +- Every WIP policy should include policy that defines your enterprise network locations. 
+- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. + +**To define where your protected apps can find and send enterprise data on you network** + +1. Add additional network locations your apps can access by clicking **Add**. + + The **Add or edit corporate network definition** box appears. + +2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. + + ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Network location typeFormatDescription
    Enterprise Cloud Resources**With proxy:** contoso.sharepoint.com,proxy.contoso.com|
    contoso.visualstudio.com,proxy.contoso.com

    **Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com

    Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.

    If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`

    Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

    If you have multiple resources, you must separate them using the "," delimiter.

    Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:137Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.

    This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.

    This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

    If you have multiple resources, you must separate them using the ";" delimiter.

    Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

    Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

    This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.

    Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
    **Ending IPv4 Address:** 3.4.255.254
    **Custom URI:** 3.4.0.1-3.4.255.254,
    10.0.0.1-10.255.255.254
    Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.

    Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
    **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
    **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.

    Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

    These locations are considered enterprise or personal, based on the context of the connection before the redirection.

    If you have multiple resources, you must separate them using the "," delimiter.

    + +3. Add as many locations as you need, and then click **OK**. + + The **Add corporate network definition** box closes. + +4. Decide if you want to Windows to look for additional network settings: + + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. + + - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. + + - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps. + +5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. + + ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) + + After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. 
To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + + For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). + +### Choose your optional WIP-related settings +After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. + +![Microsoft Intune, Choose any additional, optional settings](images/intune-optional-settings.png) + +**To set your optional settings** +1. Choose to set any or all of the optional settings: + + - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: + + - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. + + - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. + + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. 
Apps won't be able to read corporate data when the device is locked. The options are: + + - **Yes (recommended).** Turns on the feature and provides the additional protection. + + - **No, or not configured.** Doesn't enable this feature. + + - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + + - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + + - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. + + - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: + + - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. + + - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. + + - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files or in the **Start** menu, on top of the tiles for your unenlightened protected apps. The options are: + + - **Yes (recommended).** Allows the Windows Information Protection icon overlay to appear for files or on top of the tiles for your unenlightened protected apps in the **Start** menu. + + - **No, or not configured.** Stops the Windows Information Protection icon overlay from appearing for files or on top of the tiles for your unenlightened protected apps in the **Start** menu. + +2. Click **Save Policy**. 
+
+## Related topics
+- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
+- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
+- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
\ No newline at end of file
diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md
new file mode 100644
index 0000000000..3fcee10aba
--- /dev/null
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@@ -0,0 +1,505 @@
+---
+title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10)
+description: Configuration Manager (version 1606 or later) helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+- System Center Configuration Manager
+
+System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
+
+>**Important**
    +If you previously created a WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies. + +## Add a WIP policy +After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. + +**To create a configuration item for WIP** + +1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. + + ![System Center Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png) + +2. Click the **Create Configuration Item** button.

    +The **Create Configuration Item Wizard** starts. + + ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-sccm-generalscreen.png) + +3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + +4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**. + + - **Settings for devices managed with the Configuration Manager client:** Windows 10 + + -OR- + + - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10 + +5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. + + ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-sccm-supportedplat.png) + +6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**. + + ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-sccm-devicesettings.png) + +The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. + +### Add app rules to your policy +During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. + +The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. + +>**Important**
    +WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

    Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. + +#### Add a store app rule to your policy +For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. + +**To add a store app** + +1. From the **App rules** area, click **Add**. + + The **Add app rule** box appears. + + ![Create Configuration Item wizard, add a universal store app](images/wip-sccm-adduniversalapp.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. + +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. + + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section. + +4. Pick **Store App** from the **Rule template** drop-down list. + + The box changes to show the store app rule options. + +5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. + +If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. + +**To find the Publisher and Product Name values for Store apps without installing them** + +1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. + + >**Note**
    + If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. + +2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. + +3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. + + The API runs and opens a text editor with the app details. + + ``` json + { + "packageIdentityName": "Microsoft.Office.OneNote", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` + +4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. + + >**Important**
    + The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

    For example:

    + + ```json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` + +**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** +1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. + + >**Note**
    + Your PC and phone must be on the same wireless network. + +2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. + +3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. + +4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. + +5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. + +6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. + +7. Start the app for which you're looking for the publisher and product name values. + +8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. + + >**Important**
    + The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

    For example:

    + + ```json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` + +#### Add a desktop app rule to your policy +For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. + +**To add a desktop app to your policy** +1. From the **App rules** area, click **Add**. + + The **Add app rule** box appears. + + ![Create Configuration Item wizard, add a classic desktop app](images/wip-sccm-adddesktopapp.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. + +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. + + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section. + +4. Pick **Desktop App** from the **Rule template** drop-down list. + + The box changes to show the desktop app rule options. + +5. Pick the options you want to include for the app rule (see table), and then click **OK**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    OptionManages
    All fields left as “*”All files signed by any publisher. (Not recommended.)
    Publisher selectedAll files signed by the named publisher.

    This might be useful if your company is the publisher and signer of internal line-of-business apps.

    Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
    Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
    Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

    This option is recommended for enlightened apps that weren't previously enlightened.

    Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
    Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
    + +If you’re unsure about what to include for the publisher, you can run this PowerShell command: + +```ps1 +Get-AppLockerFileInformation -Path "" +``` +Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. + +In this example, you'd get the following info: + +``` json +Path Publisher +---- --------- +%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... +``` +Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. + +#### Add an AppLocker policy file +For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. + +**To create an app rule and xml file using the AppLocker tool** +1. Open the Local Security Policy snap-in (SecPol.msc). + +2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. + + ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) + +3. Right-click in the right-hand pane, and then click **Create New Rule**. + + The **Create Packaged app Rules** wizard appears. + +4. On the **Before You Begin** page, click **Next**. + + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) + +5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. + + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) + +6. 
On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. + + ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) + +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. + + ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) + +8. On the updated **Publisher** page, click **Create**. + + ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) + +9. Review the Local Security Policy snap-in to make sure your rule is correct. + + ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) + +10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. + + The **Export policy** box opens, letting you export and save your new policy as XML. + + ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) + +11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. + + The policy is saved and you’ll see a message that says 1 rule was exported from the policy. + + **Example XML file**
    + This is the XML file that AppLocker creates for Microsoft Photos. + + ```xml + + + + + + + + + + + + + + + + ``` +12. After you’ve created your XML file, you need to import it by using System Center Configuration Manager. + +**To import your Applocker policy file app rule using System Center Configuration Manager** +1. From the **App rules** area, click **Add**. + + The **Add app rule** box appears. + + ![Create Configuration Item wizard, add an AppLocker policy](images/wip-sccm-addapplockerfile.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. + +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. + + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section. + +4. Pick the **AppLocker policy file** from the **Rule template** drop-down list. + + The box changes to let you import your AppLocker XML policy file. + +5. Click the ellipsis (...) to browse for your AppLocker XML file, click **Open**, and then click **OK** to close the **Add app rule** box. + + The file is imported and the apps are added to your **App Rules** list. + +#### Exempt apps from WIP restrictions +If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. + +**To exempt a store app, a desktop app, or an AppLocker policy file app rule** + +1. From the **App rules** area, click **Add**. + + The **Add app rule** box appears. + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. + +3. 
Click **Exempt** from the **Windows Information Protection mode** drop-down list. + + Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. + +4. Fill out the rest of the app rule info, based on the type of rule you’re adding: + + - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. + + - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. + + - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. + +5. Click **OK**. + +### Manage the WIP-protection level for your enterprise data +After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. + +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. + +|Mode |Description | +|-----|------------| +|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. 
However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | +|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| +|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.| + +![Create Configuration Item wizard, choose your WIP-protection level](images/wip-sccm-appmgmt.png) + +### Define your enterprise-managed identity domains +Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. + +You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. + +**To add your corporate identity** + +- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. + + ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-sccm-corp-identity.png) + +### Choose where apps can access enterprise data +After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. + +There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). + +>**Important**
    +- Every WIP policy should include policy that defines your enterprise network locations. +- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. + +**To define where your protected apps can find and send enterprise data on you network** + +1. Add additional network locations your apps can access by clicking **Add**. + + The **Add or edit corporate network definition** box appears. + +2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. + + ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-sccm-add-network-domain.png) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Network location typeFormatDescription
    Enterprise Cloud Resources**With proxy:** contoso.sharepoint.com,proxy.contoso.com|
    contoso.visualstudio.com,proxy.contoso.com

    **Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com

    Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.

    If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`

    Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

    If you have multiple resources, you must separate them using the "," delimiter.

    Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:137Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.

    This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.

    This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

    If you have multiple resources, you must separate them using the ";" delimiter.

    Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

    Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

    This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.

    Enterprise IPv4 Range (Required)**Starting IPv4 Address:** 3.4.0.1
    **Ending IPv4 Address:** 3.4.255.254
    **Custom URI:** 3.4.0.1-3.4.255.254,
    10.0.0.1-10.255.255.254
    Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.

    Enterprise IPv6 Range**Starting IPv6 Address:** 2a01:110::
    **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
    **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.

    Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

    These locations are considered enterprise or personal, based on the context of the connection before the redirection.

    If you have multiple resources, you must separate them using the "," delimiter.

    + +3. Add as many locations as you need, and then click **OK**. + + The **Add or edit corporate network definition** box closes. + +4. Decide if you want to Windows to look for additional network settings. + + ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png) + + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. + + - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. + + - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps. + +5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. + + ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-sccm-dra.png) + + After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. 
To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + + For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). + +### Choose your optional WIP-related settings +After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. + +![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-sccm-additionalsettings.png) + +**To set your optional settings** +1. Choose to set any or all of the optional settings: + + - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: + + - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. + + - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. + + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. 
Apps won't be able to read corporate data when the device is locked. The options are: + + - **Yes (recommended).** Turns on the feature and provides the additional protection. + + - **No, or not configured.** Doesn't enable this feature. + + - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: + + - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. + + - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. + + - **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + + - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + + - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. + +2. After you pick all of the settings you want to include, click **Summary**. + +### Review your configuration choices in the Summary screen +After you've finished configuring your policy, you can review all of your info on the **Summary** screen. + +**To view the Summary screen** +- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. + + ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-sccm-summaryscreen.png) + + A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. 
+ + +## Deploy the WIP policy +After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: +- [Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=708224) +- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708225) +- [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226) + +## Related topics +- [System Center Configuration Manager and Endpoint Protection (Version 1606)](http://go.microsoft.com/fwlink/p/?LinkId=717372) +- [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623) +- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624) \ No newline at end of file diff --git a/windows/keep-secure/create-wmi-filters-for-the-gpo.md b/windows/keep-secure/create-wmi-filters-for-the-gpo.md index f4b066d3e1..3cbb5be9a5 100644 --- a/windows/keep-secure/create-wmi-filters-for-the-gpo.md +++ b/windows/keep-secure/create-wmi-filters-for-the-gpo.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. 
diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
index a1b2db57b3..6d70cbad2b 100644
--- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
+++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
@@ -1,112 +1,5 @@
 ---
 title: Create a Device Guard code integrity policy based on a reference device (Windows 10)
-description: To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device.
-ms.assetid: 6C94B14E-E2CE-4F6C-8939-4B375406E825
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
 ---
-# Create a Device Guard code integrity policy based on a reference device
-**Applies to**
-- Windows 10
-
-To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device.
-
-## Create a Device Guard code integrity policy based on a reference device
-
-To create a code integrity policy, you'll first need to create a reference image that includes the signed applications you want to run on your protected devices. For information on how to sign applications, see [Getting apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md).
-> **Note:**  Before creating a code integrity policy, make sure your reference device is clean of viruses and malware.
-  
-**To create a code integrity policy based on a reference device**
-
-1. On your reference device, start PowerShell as an administrator.
-2. In PowerShell, initialize variables by typing:
- ``` syntax
- $CIPolicyPath=$env:userprofile+"\Desktop\"
- $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
- $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"
- ```
-3. 
Scan your device for installed applications and create a new code integrity policy by typing: - ``` syntax - New-CIPolicy -Level -FilePath $InitialCIPolicy -UserPEs -Fallback Hash 3> Warningslog.txt - ``` - Where *<RuleLevel>* can be set to any of the following options: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Rule levelDescription

    Hash

    Specifies individual hash values for each discovered app. Each time an app is updated the hash value will change and you will need to update your policy.

    FileName

    Currently unsupported.

    SignedVersion

    Currently unsupported.

    Publisher

    This level is a combination of the PCA certificate and the common name (CN) on the leaf certificate. When a PCA certificate is used to sign apps from multiple companies (such as VeriSign), this rule level allows you to trust the PCA certificate but only for the company whose name is on the leaf certificate.

    FilePublisher

    Currently unsupported.

    LeafCertificate

    Adds trusted signers at the individual signing certificate level. When an app is updated, the hash value is modified but the signing certificate stays the same. You will only need to update your policy if the signing certificate for an app changes.

    -
    - Note  Leaf certificates have much shorter validity periods than PCA certificates. You will need to update your policy if a certificate expires. -
    -
    -   -

    PcaCertificate

    Adds the highest certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, as the scan does not validate anything above the presented signature by going online or checking local root stores.

    RootCertificate

    Currently unsupported.

    WHQL

    Currently unsupported.

    WHQLPublisher

    Currently unsupported.

    WHQLFilePublisher

    Currently unsupported.

    -   -4. Type the following to convert the code integrity policy to a binary format: - ``` syntax - ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin - ``` -Once you have completed these steps, the Device Guard policy binary file (DeviceGuardPolicy.bin) and original xml file (InitialScan.xml) will be available on your desktop. ->**Note:**  We recommend that you keep a copy of InitialScan.xml to use if you need to merge this code integrity policy with another policy, or update policy rule options. -  -## Related topics -[Getting apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md) -  -  diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index acf87038bb..dda79a977f 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -6,13 +6,14 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +localizationpriority: high author: brianlic-msft --- # Protect derived domain credentials with Credential Guard **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. 
@@ -29,7 +30,8 @@ Credential Guard isolates secrets that previous versions of Windows stored in th For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -Credential Guard also does not allow older variants of NTLM, unconstrained Kerberos delegation, and Kerberos authentication protocols and cipher suites when using default derived credentials, including NTLMv1, MS-CHAPv2, and weaker Kerberos encryption types, such as DES. +Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption. + Here's a high-level overview on how the LSA is isolated by using virtualization-based security: ![Credential Guard overview](images/credguard.png) @@ -89,7 +91,7 @@ The PC must meet the following hardware and software requirements to use Credent TPM 2.0 -Windows 10 version 1511 +Windows 10 version 1511 or later TPM 2.0 or TPM 1.2 @@ -108,7 +110,16 @@ The PC must meet the following hardware and software requirements to use Credent

    Physical PC

    -

    For PCs running Windows 10, you cannot run Credential Guard on a virtual machine.

    +

    For PCs running Windows 10, version 1511 and Windows 10, version 1507, you cannot run Credential Guard on a virtual machine.

    + + +

    Virtual machine

    +

    For PCs running Windows 10, version 1607, you can run Credential Guard on a Generation 2 virtual machine.

    + + + +

    Hypervisor

    +

    You must use the Windows hypervisor.

    @@ -138,14 +149,14 @@ If you would like to add Credential Guard to an image, you can do this by adding ### Add the virtualization-based security features First, you must add the virtualization-based security features. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). -> **Note:**  If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you. +> [!NOTE] +> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.   **Add the virtualization-based security features by using Programs and Features** 1. Open the Programs and Features control panel. 2. Click **Turn Windows feature on or off**. -3. Select the **Isolated User Mode** check box. -4. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. -5. Click **OK**. +3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. +4. Click **OK**. **Add the virtualization-based security features to an offline image by using DISM** 1. Open an elevated command prompt. 
@@ -153,12 +164,16 @@ First, you must add the virtualization-based security features. You can do this ``` syntax dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all ``` -3. Add Isolated User Mode by running the following command: - ``` syntax - dism /image: /Enable-Feature /FeatureName:IsolatedUserMode - ``` -> **Note:**  You can also add these features to an online image by using either DISM or Configuration Manager. -  + +> [!NOTE] +> You can also add these features to an online image by using either DISM or Configuration Manager. + + +In Windows 10, version 1607, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode: + +``` syntax +dism /image: /Enable-Feature /FeatureName:IsolatedUserMode +``` ### Turn on Credential Guard If you don't use Group Policy, you can enable Credential Guard by using the registry. 
@@ -175,14 +190,31 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it. 4. Close Registry Editor. -> **Note:**  You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. + +> [!NOTE] +> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. + +**Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool** + +You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + +``` +DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot +```   ### Remove Credential Guard If you have to remove Credential Guard on a PC, you need to do the following: 1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). -2. Delete the following registry setting: HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags +2. 
Delete the following registry settings: + - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures + + > [!IMPORTANT] + > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. + 3. Delete the Credential Guard EFI variables by using bcdedit. **Delete the Credential Guard EFI variables** 
@@ -202,9 +234,18 @@ If you have to remove Credential Guard on a PC, you need to do the following: 3. Accept the prompt to disable Credential Guard. 4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard. -> **Note: ** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS +> [!NOTE] +> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). + +**Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool** + +You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + +``` +DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot +```   ### Check that Credential Guard is running 
@@ -217,6 +258,12 @@ You can use System Information to ensure that Credential Guard is running on a P Here's an example: ![System Information](images/credguard-msinfo32.png) + +You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + +``` +DG_Readiness_Tool_v2.0.ps1 -Ready +``` ## Considerations when using Credential Guard @@ -239,6 +286,7 @@ You can use System Information to ensure that Credential Guard is running on a P - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed". - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. + - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. ### Kerberos Considerations 
@@ -250,7 +298,7 @@ Some ways to store credentials are not protected by Credential Guard, including: - Software that manages credentials outside of Windows feature protection - Local accounts and Microsoft Accounts -- Credential Guard does not protect the Active Directory database running on Windows Server 2016 Technical Preview domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 Technical Preview servers running Remote Desktop Gateway. If you're using a Windows Server 2016 Technical Preview server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise. +- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise. - Key loggers - Physical attacks - Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization. 
@@ -288,7 +336,7 @@ Enabling compound authentication also enables Kerberos armoring, which provides ### Deploying machine certificates -If the domain controllers in your organization are running Windows Server 2016 Technical Preview, devices running Windows 10 will automatically enroll a machine certificate when Credential Guard is enabled and the PC is joined to the domain. +If the domain controllers in your organization are running Windows Server 2016, devices running Windows 10 will automatically enroll a machine certificate when Credential Guard is enabled and the PC is joined to the domain. If the domain controllers are running Windows Server 2012 R2, the machine certificates must be provisioned manually on each device. You can do this by creating a certificate template on the domain controller or certificate authority and deploying the machine certificates to each device. The same security procedures used for issuing smart cards to users should be applied to machine certificates. @@ -308,7 +356,9 @@ On devices that are running Credential Guard, enroll the devices using the machi ``` syntax CertReq -EnrollCredGuardCert MachineAuthentication ``` -> **Note:**  You must restart the device after enrolling the machine authentication certificate. + +> [!NOTE] +> You must restart the device after enrolling the machine authentication certificate.   ### Link the issuance policies to a group @@ -323,6 +373,7 @@ By using an authentication policy, you can ensure that users only sign into devi ``` syntax .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:”” –groupOU:”” –groupName:”” ``` + ### Deploy the authentication policy Before setting up the authentication policy, you should log any failed attempt to apply an authentication policy on the KDC. To do this in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. 
@@ -347,7 +398,9 @@ Now you can set up an authentication policy to use Credential Guard. 14. Click **OK** to create the authentication policy. 15. Close Active Directory Administrative Center. -> **Note:**  When authentication policies in enforcement mode are deployed with Credential Guard, users will not be able to sign in using devices that do not have the machine authentication certificate provisioned. This applies to both local and remote sign in scenarios. + +> [!NOTE] +> When authentication policies in enforcement mode are deployed with Credential Guard, users will not be able to sign in using devices that do not have the machine authentication certificate provisioned. This applies to both local and remote sign in scenarios.   ### Appendix: Scripts @@ -541,7 +594,8 @@ write-host "There are no issuance policies which are not mapped to groups" } } ``` -> **Note:**  If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. +> [!NOTE] +> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.   #### Link an issuance policy to a group @@ -822,7 +876,8 @@ write-host $tmp -Foreground Red } ``` -> **Note:**  If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. +> [!NOTE] +> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.   ## Related topics diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md index 07afd4227c..e68df885fb 100644 --- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md 
@@ -14,11 +14,12 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - The **Dashboard** displays a snapshot of: - The latest active alerts on your network 
@@ -40,21 +41,21 @@ You can view the overall number of active ATP alerts from the last 30 days in yo Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**). -See the [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topic for more information. +For more information see, [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). -The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topics for more information. +The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). ## Machines at risk -This tile shows you a list of machines with the highest number of active alerts. 
The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to its label). +This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). ![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png) -Click the name of the machine to see details about that machine. See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine) topic for more information. +Click the name of the machine to see details about that machine. For more information see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine). -You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) topic for more information. +You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). ## Status -The **Status** tile informs you if the service is active and running and the specific number of machines (endpoints) reporting to Windows Defender ATP. 
+The **Status** tile informs you if the service is active and running and the unique number of machines (endpoints) reporting over the past 30 days. ![The Status tile shows an overall indicator of the service and the total number of machines reporting to the service](images/status-tile.png) @@ -66,7 +67,7 @@ The **Machines reporting** tile shows a bar graph that represents the number of ## Machines with active malware detections The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender. -Active malware is defined as threats that are actively executing at the time of detection. +Active malware is defined as threats that were actively executing at the time of detection. Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of endpoints with at least one active detection (as **Machines**) over the past 30 days. 
@@ -84,7 +85,8 @@ Threats are considered "active" if there is a very high probability that the mal Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine. -> **Note**  The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. +> [!NOTE] +> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. ### Related topics - [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md index a5d2bec8ce..4a509cf46a 100644 --- a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md 
@@ -14,13 +14,15 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP. -> **Note**  This document covers the information specific to the Windows Defender ATP service. Other data shared and stored by Windows Defender and Windows 10 is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See the [Windows 10 privacy FAQ for more information](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq). +> [!NOTE] +> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See also [Windows 10 privacy FAQ](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq) for more information. ## What data does Windows Defender ATP collect? 
@@ -28,7 +30,7 @@ Microsoft will collect and store information from your configured endpoints in a Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version). -Microsoft stores this data in a Microsoft Azure security-specific data store, and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/). +Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/). Microsoft uses this data to: - Proactively identify indicators of attack (IOAs) in your organization 
@@ -39,10 +41,10 @@ Microsoft does not mine your data for advertising or for any other purpose other ## Do I have the flexibility to select where to store my data? -Data for this new service is stored in Microsoft Azure datacenters in the United States and European Union based on the geolocation properties. Subject to the relevant preview program you may be able to specify your preferred geolocation when you onboard to the service. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations in which your data will reside. Microsoft will not transfer the data from the specified geolocation except in specific circumstances during the preview stage. +When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. ## Is my data isolated from other customer data? -Yes. The new cloud service provides appropriate segregation at a number of levels, such as isolation of files, configurations, and telemetry data. Aside from data access authentication, simply keeping different data appropriately segregated provides well-recognized protection. +Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. ## How does Microsoft prevent malicious insider activities and abuse of high privilege roles? 
@@ -58,18 +60,14 @@ Additionally, Microsoft conducts background verification checks of certain opera No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides. ## How long will Microsoft store my data? What is Microsoft’s data retention policy? -Your data privacy is one of Microsoft's key commitments for the cloud. For this service, at contract termination or expiration, your data will be erased from Microsoft’s systems to make it unrecoverable after 90 days (from contract termination or expiration). +**At service onboarding**
    +You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs. + +**At contract termination or expiration**
    +Your data will be kept for a period of at least 90 days, during which it will be available to you. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration. + ## Can Microsoft help us maintain regulatory compliance? Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsoft’s compliance standards. By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service. -## Is there a difference between how Microsoft handles data for the preview programs and for General Availability? -Subject to the preview program you are in, you could be asked to choose to store your data in a datacenter either in Europe or United States. Your data will not be copied or moved outside of the datacenter you choose, except in the following specific circumstance: - -1. You choose Europe as your datacenter, and -2. You [submit a file for deep analysis](investigate-files-windows-defender-advanced-threat-protection.md#submit-files-for-analysis). - -In this circumstance, the submitted file will be sent to the US deep analysis laboratory. The results of the analysis will be stored in the European datacenter, and the file and data will be deleted from the US deep analysis laboratory and datacenter. 
-
-This is a temporary measure as we work to integrate our deep analysis capabilities into the European datacenter. If you have any concerns or questions about submitting files for deep analysis and you are using a European datacenter, or if you’d like to be updated as to when the European deep analysis lab is online, email [winatp@microsoft.com](mailto:winatp@microsoft.com).
diff --git a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..2ad4b75d16
--- /dev/null
+++ b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,32 @@
+---
+title: Windows Defender compatibility
+description: Learn about how Windows Defender works with Windows Defender ATP.
+keywords: windows defender compatibility, defender, windows defender atp
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Windows Defender compatibility
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+The Windows Defender Advanced Threat Protection agent depends on Windows Defender for some capabilities such as file scanning.
+
+If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender on that endpoint will enter into passive mode.
+
+Windows Defender will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
+
+The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
+
+For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
diff --git a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
new file mode 100644
index 0000000000..2a41a2d649
--- /dev/null
+++ b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
@@ -0,0 +1,328 @@
+---
+title: Deploy catalog files to support code integrity policies (Windows 10)
+description: This article describes how to deploy catalog files to support code integrity policies, one of the main features that are part of Device Guard in Windows 10.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Deploy catalog files to support code integrity policies
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Catalog files can be important in your deployment of code integrity polices if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create code integrity policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.
+
+For more description of catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files) in "Requirements and deployment planning guidelines for Device Guard."
+
+## Create catalog files
+
+The creation of a catalog file is a necessary step for adding an unsigned application to a code integrity policy.
+
+To create a catalog file, you use a tool called **Package Inspector**. You must also have a code integrity policy deployed in audit mode on the computer on which you run Package Inspector, because Package Inspector does not always detect installation files that have been removed from the computer during the installation process.
+
+> **Note**  When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, *\*-Contoso.cat* is used as the example naming convention. For more information about why this practice is helpful to inventory or detect catalog files, see [Inventory catalog files with System Center Configuration Manager](#inventory-catalog-files-with-system-center-configuration-manager), later in this topic.
+
+1. Be sure that a code integrity policy is currently deployed in audit mode on the computer on which you will run Package Inspector.
+
+ Package Inspector does not always detect installation files that have been removed from the computer during the installation process. To ensure that these binaries are also trusted, deploy a code integrity policy in audit mode. You can use the code integrity policy that you created and audited in [Create a code integrity policy from a golden computer](deploy-code-integrity-policies-steps.md#create-a-code-integrity-policy-from-a-golden-computer) and [Audit code integrity policies](deploy-code-integrity-policies-steps.md#audit-code-integrity-policies).
+
+ > **Note**  This process should **not** be performed on a system with an enforced Device Guard policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application.
+
+2. Start Package Inspector, and then start scanning a local drive, for example, drive C:
+
+ ` PackageInspector.exe Start C:`
+
+ > **Note**  Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer.
+  
+3. Copy the installation media to the local drive (typically drive C).
+
+ By copying the installation media to the local drive, you ensure that Package Inspector detects and catalogs the actual installer. If you skip this step, the future code integrity policy may trust the application to run but not to be installed.
+
+4. Install the application. Install it to the same drive that the application installer is located on (the drive you are scanning). Also, while Package Inspector is running, do not run any installations or updates that you don't want to capture in the catalog.
+
+ > **Important**  Every binary that is run while Package Inspector is running will be captured in the catalog. Ensure that only trusted applications are run during this time.
+
+5. Start the application.
+
+6. Ensure that product updates are installed, and downloadable content associated with the application is downloaded.
+
+7. Close and reopen the application.
+
+ This step is necessary to ensure that the scan has captured all binaries.
+
+8. As appropriate, with Package Inspector still running, repeat the process for another application that you want in the catalog. Copy the installation media to the local drive, install the application, ensure it is updated, and then close and reopen the application.
+
+9. When you have confirmed that the previous steps are complete, use the following commands to generate the catalog and definition files on your computer's desktop. The filenames used in these example commands are **LOBApp-Contoso.cat** (catalog file) and **LOBApp.cdf** (definition file)—substitute different filenames as appropriate.
+
+ For the last command, which stops Package Inspector, be sure to type the drive letter of the drive you have been scanning, for example, C:.
+
+ ` $ExamplePath=$env:userprofile+"\Desktop"`
+
+ ` $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
+
+ ` $CatDefName=$ExamplePath+"\LOBApp.cdf"`
+
+ ` PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
+
+> **Note**  Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values.
+
+When finished, the files will be saved to your desktop. You can double-click the \*.cat file to see its contents, and you can view the \*.cdf file with a text editor.
+
+To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be added to the code integrity policy, and the catalog file can be distributed to the individual client computers.
+
+For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtool.exe).
+
+For information about adding the signing certificate to a code integrity policy, see [Add a catalog signing certificate to a code integrity policy](deploy-code-integrity-policies-steps.md#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
+
+## Catalog signing with SignTool.exe
+
+In this section, you sign a catalog file you generated by using PackageInspector.exe, as described in the previous section, [Create catalog files](#create-catalog-files). In this example, you need the following:
+
+- SignTool.exe, found in the Windows software development kit (SDK—Windows 7 or later)
+
+- The catalog file that you generated in the [Create catalog files](#create-catalog-files) section, or another catalog file that you have created
+
+- An internal certification authority (CA) code signing certificate or purchased code signing certificate
+
+If you do not have a code signing certificate, see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) for a walkthrough of how to create one. That topic uses an example certificate name of **ContosoDGSigningCert**, and the procedure that follows uses that example certificate name to sign the catalog file that you created in [Create catalog files](#create-catalog-files), earlier in this topic. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate.
+
+To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session.
+
+1. Initialize the variables that will be used:
+
+ ` $ExamplePath=$env:userprofile+"\Desktop"`
+
+ ` $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
+
+ > **Note**  This example specifies the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, update the *$ExamplePath* and *$CatFileName* variables with the correct information.
+
+2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store. This example uses the certificate name from [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
+
+3. Sign the catalog file with Signtool.exe:
+
+ ` sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName`
+
+ > **Note**  The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file.
+
+ > **Note**  For additional information about Signtool.exe and all additional switches, visit the [MSDN Sign Tool page](https://msdn.microsoft.com/library/8s9b9yaz(v=vs.110).aspx).
+  
+4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1.
+
+ ![Digital Signature list in file Properties](images/dg-fig12-verifysigning.png)
+
+ Figure 1. Verify that the signing certificate exists
+
+5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}.
+
+ For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as System Center Configuration Manager. Doing this also simplifies the management of catalog versions.
+
+## Add a catalog signing certificate to a code integrity policy
+
+After the catalog file is signed, add the signing certificate to a code integrity policy, as described in the following steps.
+
+
+
+1. If you have not already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect.
+
+2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a code integrity policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**:
+
+ ` New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs`
+
+ > **Note**  Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity.
+
+3. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the code integrity policy, filling in the correct path and filenames for ** and **:
+
+ ` Add-SignerRule -FilePath -CertificatePath -User `
+
+If you used step 2 to create a new code integrity policy, and want information about merging policies together, see [Merge code integrity policies](deploy-code-integrity-policies-steps.md#merge-code-integrity-policies).
+
+## Deploy catalog files with Group Policy
+
+To simplify the management of catalog files, you can use Group Policy preferences to deploy catalog files to the appropriate computers in your organization. The following process walks you through the deployment of a signed catalog file called **LOBApp-Contoso.cat** to a test OU called DG Enabled PCs with a GPO called **Contoso DG Catalog File GPO Test**.
+
+> **Note**  This walkthrough requires that you have previously created a signed catalog file and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a catalog file, see [Create catalog files](#create-catalog-files), earlier in this topic. Also, before you begin testing of a catalog file with the code integrity policy it supports, review [Add a catalog signing certificate to a code integrity policy](#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
+
+**To deploy a catalog file with Group Policy:**
+
+1. From either a domain controller or a client computer that has Remote Server Administration Tools (RSAT) installed, open the Group Policy Management Console (GPMC) by running **GPMC.MSC** or by searching for Group Policy Management.
+
+2. Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 2.
+
+ > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+
+ ![Group Policy Management, create a GPO](images/dg-fig13-createnewgpo.png)
+
+ Figure 2. Create a new GPO
+
+3. Give the new GPO a name, for example, **Contoso DG Catalog File GPO Test**, or any name you prefer.
+
+4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
+
+5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 3.
+
+ ![Group Policy Management Editor, New File](images/dg-fig14-createnewfile.png)
+
+ Figure 3. Create a new file
+
+6. Configure the catalog file share.
+
+ To use this setting to provide consistent deployment of your catalog file (in this example, LOBApp-Contoso.cat), the source file should be on a share that is accessible to the computer account of every deployed computer. This example uses a share (on a computer running Windows 10) called \\\\Contoso-Win10\\Share. The catalog file being deployed is copied to this share.
+
+7. To keep versions consistent, in the **New File Properties** dialog box (Figure 4), select **Replace** from the **Action** list so that the newest version is always used.
+
+ ![File Properties, Replace option](images/dg-fig15-setnewfileprops.png)
+
+ Figure 4. Set the new file properties
+
+8. In the **Source file(s)** box, type the name of your accessible share, with the catalog file name included (for example, \\\\Contoso-Win10\\share\\LOBApp-Contoso.cat).
+
+9. In the **Destination File** box, type a path and file name, for example:
+
+ **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\LOBApp-Contoso.cat**
+
+ For the catalog file name, use the name of the catalog you are deploying.
+
+10. On the **Common** tab of the **New File Properties** dialog box, select the **Remove this item when it is no longer applied** option. Doing this ensures that the catalog file is removed from every system, in case you ever need to stop trusting this application.
+
+11. Click **OK** to complete file creation.
+
+12. Close the Group Policy Management Editor, and then update the policy on the test computer running Windows 10, by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} on the computer running Windows 10.
+
+Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate code integrity policy, as described in [Add a catalog signing certificate to a code integrity policy](#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
+
+## Deploy catalog files with System Center Configuration Manager
+
+As an alternative to Group Policy, you can use System Center Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, System Center Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
+
+> **Note**  The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization.
+
+1. Open the Configuration Manager console, and select the Software Library workspace.
+
+2. Navigate to Overview\\Application Management, right-click **Packages**, and then click **Create Package**.
+
+3. Name the package, set your organization as the manufacturer, and select an appropriate version number.
+
+ ![Create Package and Program Wizard](images/dg-fig16-specifyinfo.png)
+
+ Figure 5. Specify information about the new package
+
+4. Click **Next**, and then select **Standard program** as the program type.
+
+5. On the **Standard Program** page, select a name, and then set the **Command Line** property to **XCopy \\\\Shares\\CatalogShare C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} /H /K /E /Y**.
+
+6. On the **Standard Program** page, select the following options (Figure 6):
+
+ - In **Name**, type a name such as **Contoso Catalog File Copy Program**.
+
+ - In **Command line**, browse to the program location.
+
+ - In **Startup folder**, type **C:\\Windows\\System32**.
+
+ - From the **Run** list, select **Hidden**.
+
+ - From the **Program can run** list, select **Whether or not a user is logged on**.
+
+ - From the **Drive mode** list, select **Runs with UNC name**.
+
+ ![Standard Program page of wizard](images/dg-fig17-specifyinfo.png)
+
+ Figure 6. Specify information about the standard program
+
+7. Accept the defaults for the rest of the wizard, and then close the wizard.
+
+After you create the deployment package, deploy it to a collection so that the clients will receive the catalog files. In this example, you deploy the package you just created to a test collection:
+
+1. In the Software Library workspace, navigate to Overview\\Application Management\\Packages, right-click the catalog file package, and then click **Deploy**.
+
+2. On the **General** page, select the test collection to which the catalog files will be deployed, and then click **Next**.
+
+3. On the **Content** page, click **Add** to select the distribution point that will serve content to the selected collection, and then click **Next**.
+
+4. On the **Deployment Settings** page, select **Required** in the **Purpose** box.
+
+5. On the **Scheduling** page, click **New**.
+
+6. In the **Assignment Schedule** dialog box, select **Assign immediately after this event**, set the value to **As soon as possible**, and then click **OK**.
+
+7. On the **Scheduling** page, click **Next**.
+
+8. On the **User Experience** page (Figure 7), set the following options, and then click **Next**:
+
+ - Select the **Software installation** check box.
+
+ - Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box.
+
+ ![Deploy Software Wizard, User Experience page](images/dg-fig18-specifyux.png)
+
+ Figure 7. Specify the user experience
+
+9. On the **Distribution Points** page, in the **Deployment options** box, select **Run program from distribution point**, and then click **Next**.
+
+10. On the **Summary** page, review the selections, and then click **Next**.
+
+11. Close the wizard.
+
+Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate code integrity policy, as described in [Add a catalog signing certificate to a code integrity policy](#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
+
+## Inventory catalog files with System Center Configuration Manager
+
+When catalog files have been deployed to the computers within your environment, whether by using Group Policy or System Center Configuration Manager, you can inventory them with the software inventory feature of System Center Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
+
+> **Note**  A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names.
+
+1. Open the Configuration Manager console, and select the Administration workspace.
+
+2. Navigate to **Overview\\Client Settings**, right-click **Client Settings**, and then click **Create Custom Client Device Settings**.
+
+3. Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8.
+
+ ![Create Custom Client Device Settings](images/dg-fig19-customsettings.png)
+
+ Figure 8. Select custom settings
+
+4. In the navigation pane, click **Software Inventory**, and then click **Set Types**, as shown in Figure 9.
+
+ ![Software Inventory settings for devices](images/dg-fig20-setsoftwareinv.png)
+
+ Figure 9. Set the software inventory
+
+5. In the **Configure Client Setting** dialog box, click the **Start** button to open the **Inventories File Properties** dialog box.
+
+6. In the **Name** box, type a name such as **\*Contoso.cat**, and then click **Set**.
+
+ > **Note**  When typing the name, follow your naming convention for catalog files.
+
+7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 10.
+
+ ![Path Properties, specifying a path](images/dg-fig21-pathproperties.png)
+
+ Figure 10. Set the path properties
+
+8. Click **OK**.
+
+9. Now that you have created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files.
+
+At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in System Center Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps:
+
+1. Open the Configuration Manager console, and select the Assets and Compliance workspace.
+
+2. Navigate to Overview\\Devices, and search for the device on which you want to view the inventoried files.
+
+3. Right-click the computer, point to **Start**, and then click **Resource Explorer**.
+
+4. In Resource Explorer, navigate to Software\\File Details to view the inventoried catalog files.
+
+> **Note**  If nothing is displayed in this view, navigate to Software\\Last Software Scan in Resource Explorer to verify that the client has recently completed a software inventory scan.
+
+## Related topics
+
+- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+
+- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
+
+- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
+
diff --git a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md
new file mode 100644
index 0000000000..40242549af
--- /dev/null
+++ b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md
@@ -0,0 +1,109 @@
+---
+title: Deploy code integrity policies - policy rules and file rules (Windows 10)
+description: This article provides information about two elements in code integrity policies, called policy rules and file rules. Code integrity policies are part of Device Guard in Windows 10.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Deploy code integrity policies: policy rules and file rules
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see:
+- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) in "Introduction to Device Guard: virtualization-based security and code integrity policies."
+- [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Device Guard."
+
+If you already understand the basics of code integrity policy and want procedures for creating, auditing, and merging code integrity policies, see [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md).
+
+This topic includes the following sections:
+
+- [Overview of the process of creating code integrity policies](#overview-of-the-process-of-creating-code-integrity-policies): Helps familiarize you with the process described in this and related topics.
+- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether UMCI is enabled in a code integrity policy.
+- [Code integrity file rule levels](#code-integrity-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted.
+
+## Overview of the process of creating code integrity policies
+
+A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+
+> **Note**  Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to C:\\Windows\\System32\\CodeIntegrity. Keep this in mind when you create your code integrity policies.
+
+Optionally, code integrity policies can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
+
+If you plan to use an internal CA to sign catalog files or code integrity policies, see the steps in [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
+
+## Code integrity policy rules
+
+Code integrity policies include *policy rules*, which control options such as audit mode or whether UMCI is enabled in a code integrity policy. You can modify these options in a new or existing code integrity policy. (For information about *file rules*, which specify the level at which applications will be identified and trusted, see the next section, [Code integrity file rule levels](#code-integrity-file-rule-levels).)
+
+To modify the policy rule options of an existing code integrity policy, use the [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) Windows PowerShell cmdlet. Note the following examples of how to use this cmdlet to add and remove a rule option on an existing code integrity policy:
+
+- To enable UMCI, add rule option 0 to an existing policy by running the following command:
+
+ ` Set-RuleOption -FilePath -Option 0`
+
+- To disable UMCI on an existing code integrity policy, delete rule option 0 by running the following command:
+
+ ` Set-RuleOption -FilePath -Option 0 -Delete`
+
+You can set several rule options within a code integrity policy. To display a list of rule options, you can type **Set-
+RuleOption -Help** in a Windows PowerShell session. Table 2 describes each rule option.
+
+> **Note**  **Enabled:Audit Mode** is an important rule option. We recommend that you use this option for a period of time with all new code integrity policies, because it allows you to test them before you enforce them. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. To expand the policy so that (when enforced) it will allow these applications, you can use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy.
+
+> The mode—audit mode or enforced mode—is set by including or deleting **Enabled:Audit Mode** in the code integrity policy. When this option is deleted, the policy runs in enforced mode.
+
+**Table 2. Code integrity policy - policy rule options**
+
+| Rule option | Description |
+|------------ | ----------- |
+| **0 Enabled:UMCI** | Code integrity policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
+| **1 Enabled:Boot Menu Protection** | This option is not currently supported. |
+| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. |
+| **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the code integrity policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To begin enforcing a code integrity policy, delete this option. |
+| **4 Disabled:Flight Signing** | If enabled, code integrity policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. |
+| **5 Enabled:Inherent Default Policy** | This option is not currently supported. |
+| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
+| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. |
+| **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. |
+| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all code integrity policies. Setting this rule option allows the F8 menu to appear to physically present users. |
+| **10 Enabled:Boot Audit on Failure** | Used when the code integrity policy is in enforcement mode. When a driver fails during startup, the code integrity policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
+
+## Code integrity file rule levels
+
+File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as fine-tuned as the hash of each binary or as general as a CA certificate. You specify file rule levels both when you create a new code integrity policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, code integrity policies combine their file rules, so that any application that would be allowed by either of the original policies will be allowed by the combined policy.
+
+Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Device Guard deployment scenario.
+
+
+
+Table 3. Code integrity policy - file rule levels
+
+| Rule level | Description |
+|----------- | ----------- |
+| **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
+| **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. |
+| **SignedVersion** | This combines the publisher rule with a version number. This option allows anything from the specified publisher, with a version at or above the specified version number, to run. |
+| **Publisher** | This is a combination of the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. This rule level allows organizations to trust a certificate from a major CA (such as Symantec), but only if the leaf certificate is from a specific company (such as Intel, for device drivers). |
+| **FilePublisher** | This is a combination of the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
+| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than CA certificates, so additional administrative overhead is associated with updating the code integrity policy when these certificates expire. |
+| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, because the scan does not validate anything beyond the certificates included in the provided signature (it does not go online or check local root stores). |
+| **RootCertificate** | Currently unsupported. |
+| **WHQL** | Trusts binaries if they have been validated and signed by WHQL. This is primarily for kernel binaries. |
+| **WHQLPublisher** | This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries. |
+| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries. |
+
+> **Note**  When you create code integrity policies with the [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) cmdlet, you can specify a primary file rule level by including the **–Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **–Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
+
+## Related topics
+
+- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats)
+- [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
+
diff --git a/windows/keep-secure/deploy-code-integrity-policies-steps.md b/windows/keep-secure/deploy-code-integrity-policies-steps.md
new file mode 100644
index 0000000000..2febd90862
--- /dev/null
+++ b/windows/keep-secure/deploy-code-integrity-policies-steps.md
@@ -0,0 +1,385 @@ +--- +title: Deploy code integrity policies - steps (Windows 10) +description: This article describes how to deploy code integrity policies, one of the main features that are part of Device Guard in Windows 10. +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +author: brianlic-msft +--- + +# Deploy code integrity policies: steps + +**Applies to** +- Windows 10 +- Windows Server 2016 + +For an overview of the process described in the following procedures, see [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md). To understand how the deployment of code integrity policies fits with other steps in the Device Guard deployment process, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). + +## Create a code integrity policy from a golden computer + +The process for creating a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents. + +> **Note**  Before you begin this procedure, ensure that the reference PC is clean of viruses or malware. Each piece of installed software should be validated as trustworthy before you create this policy. Also, be sure that any software that you would like to be scanned is installed on the system before you create the code integrity policy. 
+ +To create a code integrity policy, copy each of the following commands into an elevated Windows PowerShell session, in order: + +1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **DeviceGuardPolicy.bin** for the names of the files that will be created: + + ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + + ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` + + ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` + +2. Use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a new code integrity policy by scanning the system for installed applications: + + ` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt ` + + > **Notes** + + > - By specifying the *–UserPEs* parameter, rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. If you do not specify this parameter, to enable UMCI, use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) as shown in the following command:
    **Set-RuleOption -FilePath $InitialCIPolicy -Option 0** + + > - You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” + + > - To specify that the code integrity policy scan only a specific drive, include the *–ScanPath* parameter followed by a path. Without this parameter, the entire system is scanned. + + > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. + +3. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the code integrity policy to a binary format: + + ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` + +After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. + +> **Note**  We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies). + +We recommend that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. 
For information about how to audit a code integrity policy, see the next section, [Audit code integrity policies](#audit-code-integrity-policies). + +## Audit code integrity policies + +When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies. + +> **Note**  Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format. + +**To audit a code integrity policy with local policy:** + +1. Find a *.bin policy file that you have created, for example, the DeviceGuardPolicy.bin file that resulted from the steps in the earlier section, [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Copy the file to C:\\Windows\\System32\\CodeIntegrity. + +2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**. + + > **Notes** + + > - The computer that you will run in audit mode must be clean of viruses or malware. 
Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a code integrity policy that allows viruses or malware to run. + + > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor. + +3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. + + > **Notes** + + > - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access. + + > - Any policy you select here is converted to SIPolicy.p7b when it is deployed to the individual computers. + + > - You might have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped onto the computers running Windows 10. We recommend that you make your code integrity policy names friendly and allow the system to convert the policy names for you. By doing this, it ensures that the policies are easily distinguishable when viewed in a share or any other central repository. + + ![Group Policy called Deploy Code Integrity Policy](images/dg-fig22-deploycode.png) + + Figure 1. Deploy your code integrity policy + +4. Restart the reference system for the code integrity policy to take effect. + +5. 
Use the system as you normally would, and monitor code integrity events in the event log. While in audit mode, any exception to the deployed code integrity policy will be logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log, as shown in Figure 2. + + ![Event showing exception to code integrity policy](images/dg-fig23-exceptionstocode.png) + + Figure 2. Exceptions to the deployed code integrity policy + + You will be reviewing the exceptions that appear in the event log, and making a list of any applications that should be allowed to run in your environment. + +6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your code integrity policy, this is a good time to create it. For information, see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md). + +Now that you have a code integrity policy deployed in audit mode, you can capture any audit information that appears in the event log. This is described in the next section. + +## Create a code integrity policy that captures audit information from the event log + +Use the following procedure after you have been running a computer with a code integrity policy in audit mode for a period of time. When you are ready to capture the needed policy information from the event log (so that you can later merge that information into the original code integrity policy), complete the following steps. + + + +1. Review the audit information in the event log. From the code integrity policy exceptions that you see, make a list of any applications that should be allowed to run in your environment, and decide on the file rule level that should be used to trust these applications. + + Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of them. 
For information about file rule levels, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in "Deploy code integrity policies: policy rules and file rules." + + Your event log might also contain exceptions for applications that you eventually want your code integrity policy to block. If these appear, make a list of these also, for a later step in this procedure. + +2. In an elevated Windows PowerShell session, initialize the variables that will be used. The example filename shown here is **DeviceGuardAuditPolicy.xml**: + + ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + + ` $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` + +3. Use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to generate a new code integrity policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. + + ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt` + + > **Note**  When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. + +4. Find and review the Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following: + + - Any applications that were caught as exceptions, but should be allowed to run in your environment. These are applications that should be in the .xml file. Leave these as-is in the file. + + - Any applications that actually should not be allowed to run in your environment. 
Edit these out of the .xml file. If they remain in the .xml file, and the information in the file is merged into your existing code integrity policy, the policy will treat the applications as trusted, and allow them to run. + +You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the next section, [Merge code integrity policies](#merge-code-integrity-policies). + +> **Note**  You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. + +## Merge code integrity policies + +When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy. + +> **Note**  The following example uses the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine. + +To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session: + +1. 
Initialize the variables that will be used: + + ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + + ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` + + ` $AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` + + ` $MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"` + + ` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"` + + > **Note**  The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly. + +2. Use [Merge-CIPolicy](https://technet.microsoft.com/library/mt634485.aspx) to merge two policies and create a new code integrity policy: + + ` Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy` + +3. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the merged code integrity policy to binary format: + + ` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin ` + +Now that you have created a new code integrity policy (for example, called **NewDeviceGuardPolicy.bin**), you can deploy the policy to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see the [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy) section. + +## Enforce code integrity policies + +Every code integrity policy is created with audit mode enabled. After you have successfully deployed and tested a code integrity policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session: + +> **Note**  Every code integrity policy should be tested in audit mode first. 
For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic. + +1. Initialize the variables that will be used: + + ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + + ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" ` + + ` $EnforcedCIPolicy=$CIPolicyPath+"EnforcedPolicy.xml"` + + ` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"` + + > **Note**  The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. + +2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the code integrity policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options. + + To ensure that these options are enabled in a policy, use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) as shown in the following commands. You can run these commands even if you're not sure whether options 9 and 10 are already enabled—if so, the commands have no effect. + + ` Set-RuleOption -FilePath $InitialCIPolicy -Option 9` + + ` Set-RuleOption -FilePath $InitialCIPolicy -Option 10` + +3. Copy the initial file to maintain an original copy: + + ` copy $InitialCIPolicy $EnforcedCIPolicy` + +4. 
Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to delete the audit mode rule option:
+
+ ` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete`
+
+ > **Note**  To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy.
+
+5. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the new code integrity policy to binary format:
+
+ ` ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin`
+
+Now that this policy is in enforced mode, you can deploy it to your test computers. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy). You can also use other client management software to deploy and manage the policy.
+
+## Signing code integrity policies with SignTool.exe
+
+Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed code integrity policies than unsigned ones. Before you sign and deploy a signed code integrity policy, we recommend that you audit the policy to discover any blocked applications that should be allowed to run. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section.
+
+Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) to create one with your on-premises CA.
+
+Before signing code integrity policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Code integrity policy rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-policy-rules) in "Deploy code integrity policies: policy rules and file rules."
+
+> **Note**  Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers.
+
+To sign a code integrity policy with SignTool.exe, you need the following components:
+
+- SignTool.exe, found in the Windows SDK (Windows 7 or later)
+
+- The binary format of the code integrity policy that you generated in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section or another code integrity policy that you have created
+
+- An internal CA code signing certificate or a purchased code signing certificate
+
+If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) section for instructions on how to create one. If you use an alternate certificate or code integrity policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing code integrity policy, copy each of the following commands into an elevated Windows PowerShell session:
+
+1. Initialize the variables that will be used:
+
+ ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
+
+ ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
+
+ ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
+
+ > **Note**  This example uses the code integrity policy that you created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
+
+2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing user’s personal store on the computer that will be doing the signing.
In this example, you use the certificate that was created in [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
+
+3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
+
+4. Navigate to your desktop as the working directory:
+
+ ` cd $env:USERPROFILE\Desktop `
+
+5. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add an update signer certificate to the code integrity policy:
+
+ ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update`
+
+ > **Notes**  *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3.
+
+ > Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code-integrity-policies-within-windows) section.
+
+6. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to remove the unsigned policy rule option:
+
+ ` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
+
+7. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the policy to binary format:
+
+ ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
+
+8. Sign the code integrity policy by using SignTool.exe:
+
+ ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
+
+ > **Note**  The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy.
You should import this certificate to your personal certificate store on the computer you use to sign the policy.
+
+9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy).
+
+## Disable unsigned code integrity policies
+
+There may come a time when an administrator wants to disable a code integrity policy. For unsigned code integrity policies, this process is simple. Depending on how the code integrity policy was deployed, unsigned policies can be disabled in one of two ways. If a code integrity policy was manually enabled and copied to the code integrity folder location, simply delete the file and restart the computer. The following locations can contain executing code integrity policies:
+
+- <EFI System Partition>\\Microsoft\\Boot\\
+
+- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
+
+If the code integrity policy was deployed by using Group Policy, the GPO that is currently enabling and deploying the policy must be set to disabled. Then, the code integrity policy will be disabled on the next computer restart.
+
+## Disable signed code integrity policies within Windows
+
+Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed code integrity policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully.
If the signed code integrity policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps.
+
+> **Note**  For reference, signed code integrity policies should be replaced and removed from the following locations:
+
+- <EFI System Partition>\\Microsoft\\Boot\\
+
+- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
+
+
+1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
+
+ > **Note**  To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
+
+2. Restart the client computer.
+
+3. Verify that the new signed policy exists on the client.
+
+ > **Note**  If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
+
+4. Delete the new policy.
+
+5. Restart the client computer.
+
+If the signed code integrity policy has been deployed using by using Group Policy, you must complete the following steps:
+
+1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
+
+ > **Note**  To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
+
+2. Restart the client computer.
+
+3. Verify that the new signed policy exists on the client.
+
+ > **Note**  If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
+
+4. Set the GPO to disabled.
+
+5. Delete the new policy.
+
+6. Restart the client computer.
+
+## Disable signed code integrity policies within the BIOS
+
+There may be a time when signed code integrity policies cause a boot failure.
Because code integrity policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed code integrity policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows:
+
+- <EFI System Partition>\\Microsoft\\Boot\\
+
+- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
+
+## Deploy and manage code integrity policies with Group Policy
+
+Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
+
+> **Note**  This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic.
+
+> **Note**  Signed code integrity policies can cause boot failures when deployed. We recommend that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment.
+
+To deploy and manage a code integrity policy with Group Policy:
+
+1. On a domain controller on a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC** or searching for “Group Policy Management” in Windows Search.
+
+2.
Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 3.
+
+ > **Note**  You can use any OU name. Also, security group filtering is an option when you consider different ways of combining code integrity policies (or keeping them separate), as discussed in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+
+ ![Group Policy Management, create a GPO](images/dg-fig24-creategpo.png)
+
+ Figure 3. Create a GPO
+
+3. Name new GPO **Contoso GPO Test**. This example uses Contoso GPO Test as the name of the GPO. You can choose any name that you prefer for this example.
+
+4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
+
+5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Code Integrity Policy** and then click **Edit**.
+
+ ![Edit the group policy for code integrity](images/dg-fig25-editcode.png)
+
+ Figure 4. Edit the group policy for code integrity
+
+6. In the **Display Code Integrity Policy** dialog box, select the **Enabled** option, and then specify the code integrity policy deployment path.
+
+ In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 5.
+
+ > **Note**  The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer).
Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
+
+ ![Group Policy called Deploy Code Integrity Policy](images/dg-fig26-enablecode.png)
+
+ Figure 5. Enable the code integrity policy
+
+ > **Note**  You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
+
+7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section.
+
+## Related topics
+
+[Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+
+[Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md)
+
diff --git a/windows/keep-secure/deploy-device-guard-deploy-code-integrity-policies.md b/windows/keep-secure/deploy-device-guard-deploy-code-integrity-policies.md
new file mode 100644
index 0000000000..17169f4a98
--- /dev/null
+++ b/windows/keep-secure/deploy-device-guard-deploy-code-integrity-policies.md
@@ -0,0 +1,31 @@
+---
+title: Deploy Device Guard - deploy code integrity policies (Windows 10)
+description: This article, and the articles it links to, describe how to create code integrity policies, one of the main features that are part of Device Guard in Windows 10.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Deploy Device Guard: deploy code integrity policies
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+This section includes the following topics:
+
+- [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
+- [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
+- [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
+- [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md)
+
+To increase the protection for devices that meet certain hardware requirements, you can use virtualization-based security (VBS) with your code integrity policies.
+- For requirements, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard) in "Requirements and deployment planning guidelines for Device Guard."
+- For steps, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md).
+
+## Related topics
+
+[Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+
diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
new file mode 100644
index 0000000000..c0fea04744
--- /dev/null
+++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
@@ -0,0 +1,271 @@
+---
+title: Deploy Device Guard - enable virtualization-based security (Windows 10)
+description: This article describes how to enable virtualization-based security, one of the main features that are part of Device Guard in Windows 10.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Deploy Device Guard: enable virtualization-based security
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Hardware-based security features, also called virtualization-based security or VBS, make up a large part of Device Guard security offerings. VBS reinforces the most important feature of Device Guard: configurable code integrity. There are three steps to configure hardware-based security features in Device Guard:
+
+1. **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard).
+
+2. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. For details, see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
+
+3. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. 
For more information, see the following sections in this topic:
+
+ - [Enable Unified Extensible Firmware Interface Secure Boot](#enable-unified-extensible-firmware-interface-secure-boot)
+ - [Enable virtualization-based security for kernel-mode code integrity](#enable-virtualization-based-security-for-kernel-mode-code-integrity)
+
+For information about enabling Credential Guard, see [Protect derived domain credentials with Credential Guard](credential-guard.md).
+
+## Windows feature requirements for virtualization-based security
+
+In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must enable certain operating system features before you can enable VBS:
+
+- With Windows 10, version 1607 or Windows Server 2016:
    +Hyper-V Hypervisor (shown in Figure 1).
+
+- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
    +Hyper-V Hypervisor and Isolated User Mode (not shown). + +> **Note**  You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, see [Protect derived domain credentials with Credential Guard](credential-guard.md). +  +![Turn Windows features on or off](images/dg-fig1-enableos.png) + +Figure 1. Enable operating system feature for VBS + +After you enable the feature or features, you can configure any additional hardware-based security features you want. The following sections provide more information: +- [Enable Unified Extensible Firmware Interface Secure Boot](#enable-unified-extensible-firmware-interface-secure-boot) +- [Enable virtualization-based security for kernel-mode code integrity](#enable-virtualization-based-security-for-kernel-mode-code-integrity) + +## Enable Unified Extensible Firmware Interface Secure Boot + +Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10. + +> **Note**  There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include input/output memory management units (IOMMUs). Protection against driver-based attacks is provided only on systems that have IOMMUs and that have DMA protection enabled. 
For more information about how IOMMUs help protect against DMA attacks, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). + +1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey. + +2. Set the **EnableVirtualizationBasedSecurity DWORD** value to **1**. + +3. Set the **RequirePlatformSecurityFeatures DWORD** value as appropriate: + + | **With Windows 10, version 1607,
    or Windows Server 2016** | **With an earlier version of Windows 10,
    or Windows Server 2016 Technical Preview 5 or earlier** | + | ---------------- | ---------------- | + | **1** enables the **Secure Boot** option
    **3** enables the **Secure Boot and DMA protection** option | **1** enables the **Secure Boot** option
    **2** enables the **Secure Boot and DMA protection** option | + +4. Restart the client computer. + +Unfortunately, it would be time consuming to perform these steps manually on every protected computer in your enterprise. Group Policy offers a much simpler way to deploy UEFI Secure Boot to your organization. This example creates a test organizational unit (OU) called *DG Enabled PCs*. If you want, you can instead link the policy to an existing OU, and then scope the GPO by using appropriately named computer security groups. + +> **Note**  We recommend that you test-enable this feature on a group of test computers before you deploy it to users' computers. + +### Use Group Policy to deploy Secure Boot + +1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**. + + ![Group Policy Management, create a GPO](images/dg-fig2-createou.png) + + Figure 5. Create a new OU-linked GPO + +2. Give the new GPO a name, for example, **Contoso Secure Boot GPO Test**, or any name you prefer. Ideally, the name will align with your existing GPO naming convention. + +3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. + +4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. + + ![Edit the group policy for Virtualization Based Security](images/dg-fig3-enablevbs.png) + + Figure 6. Enable VBS + +5. Select the **Enabled** button, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list. + + ![Group Policy, Turn On Virtualization Based Security](images/device-guard-gp.png) + + Figure 7. Enable Secure Boot (in Windows 10, version 1607) + + > **Note**  Device Guard Secure Boot is maximized when combined with DMA protection. 
If your hardware contains the IOMMUs required for DMA protection, be sure to select the **Secure Boot and DMA Protection** platform security level. If your hardware does not contain IOMMUs, there are several mitigations provided by leveraging Secure Boot without DMA Protection. + +6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. After you configure this setting, UEFI Secure Boot will be enabled upon restart. + +7. Check the test computer’s event log for Device Guard GPOs. + + Processed Device Guard policies are logged in event viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. + +## Enable virtualization-based security for kernel-mode code integrity + +Before you begin this process, verify that the desired computer meets the hardware requirements for VBS found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), and enable the Windows features discussed in the [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security) section. When validated, you can enable virtualization-based protection of KMCI in one of two ways: manual configuration of the appropriate registry subkeys and Group Policy deployment. + +> **Note**  All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable this feature on a group of test computers before you enable it on users' computers. + +**To configure virtualization-based protection of KMCI manually:** + +1. 
Navigate to the appropriate registry subkey: + + - With Windows 10, version 1607, or Windows Server 2016:
    **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios** + + - With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
    **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** + +2. Set the **HypervisorEnforcedCodeIntegrity DWORD** value to **1**. + +3. Restart the client computer. + +It would be time consuming to perform these steps manually on every protected computer in your enterprise. Instead, use Group Policy to deploy virtualization-based protection of KMCI. This example creates a test OU called *DG Enabled PCs*, which you will use to link the GPO. If you prefer to link the policy to an existing OU rather than create a test OU and scope the policy by using appropriately named computer security groups, that is another option. + +> **Note**  We recommend that you test-enable this feature on a group of test computers before you deploy it to users' computers. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail. + +**To use Group Policy to configure VBS of KMCI:** + +1. Create a new GPO: Right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**. + + ![Group Policy Management, create a GPO](images/dg-fig5-createnewou.png) + + Figure 2. Create a new OU-linked GPO + +2. Give the new GPO a name, for example, **Contoso VBS CI Protection GPO Test**, or any name you prefer. Ideally, the name will align with your existing GPO naming convention. + +3. Open the Group Policy Management Editor: Right-click the new GPO, and then click **Edit**. + +4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. + + ![Edit the group policy for Virtualization Based Security](images/dg-fig6-enablevbs.png) + + Figure 3. Enable VBS + +5. 
Select the **Enabled** button, and then for **Virtualization Based Protection of Code Integrity**, select the appropriate option: + + - With Windows 10, version 1607 or Windows Server 2016, choose an enabled option:
    For an initial deployment or test deployment, we recommend **Enabled without UEFI lock**.
    When your deployment is stable in your environment, we recommend changing to **Enabled with UEFI lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person. + + - With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
    Select the **Enable Virtualization Based Protection of Code Integrity** check box. + + ![Group Policy, Turn On Virtualization Based Security](images/dg-fig7-enablevbsofkmci.png) + + Figure 4. Enable VBS of KMCI (in Windows 10, version 1607) + +6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. With this setting configured, the VBS of the KMCI will take effect upon restart. + +7. Check the test client event log for Device Guard GPOs. + + Processed Device Guard policies are logged in event viewer under **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy has been successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. + +**Validate enabled Device Guard hardware-based security features** + +Windows 10 and Windows Server 2016 and later have a WMI class for Device Guard–related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: + +` Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard` + +> **Note**  The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10. + +The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. For detailed information about what each property means, refer to Table 1. + +Table 1. Win32\_DeviceGuard properties + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    PropertiesDescriptionValid values
    AvailableSecurityPropertiesThis field helps to enumerate and report state on the relevant security properties for Device Guard.
      +
    • 0. If present, no relevant properties exist on the device.

    • +
    • 1. If present, hypervisor support is available.

    • +
    • 2. If present, Secure Boot is available.

    • +
    • 3. If present, DMA protection is available.

    • +
    • 4. If present, Secure Memory Overwrite is available.

    • +
    • 5. If present, NX protections are available.

    • +
    • 6. If present, SMM mitigations are available.

    • +
    +

    Note: 4, 5, and 6 were added as of Windows 10, version 1607.

    +
    InstanceIdentifierA string that is unique to a particular device.Determined by WMI.
    RequiredSecurityPropertiesThis field describes the required security properties to enable virtualization-based security.
      +
    • 0. Nothing is required.

    • +
    • 1. If present, hypervisor support is needed.

    • +
    • 2. If present, Secure Boot is needed.

    • +
    • 3. If present, DMA protection is needed.

    • +
    • 4. If present, Secure Memory Overwrite is needed.

    • +
    • 5. If present, NX protections are needed.

    • +
    • 6. If present, SMM mitigations are needed.

    • +
    +

    Note: 4, 5, and 6 were added as of Windows 10, version 1607.

    +
    SecurityServicesConfiguredThis field indicates whether the Credential Guard or HVCI service has been configured.
      +
    • 0. No services configured.

    • +
    • 1. If present, Credential Guard is configured.

    • +
    • 2. If present, HVCI is configured.

    • +
    SecurityServicesRunningThis field indicates whether the Credential Guard or HVCI service is running.
      +
    • 0. No services running.

    • +
    • 1. If present, Credential Guard is running.

    • +
    • 2. If present, HVCI is running.

    • +
    VersionThis field lists the version of this WMI class.The only valid value now is 1.0.
    VirtualizationBasedSecurityStatusThis field indicates whether VBS is enabled and running.
      +
    • 0. VBS is not enabled.

    • +
    • 1. VBS is enabled but not running.

    • +
    • 2. VBS is enabled and running.

    • +
    PSComputerNameThis field lists the computer name.All valid values for computer name.
    + +Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 11. + +![Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png) + +Figure 11. Device Guard properties in the System Summary + +## Related topics + +- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) + +- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) diff --git a/windows/keep-secure/deploy-edp-policy-using-intune.md b/windows/keep-secure/deploy-edp-policy-using-intune.md index 7b23a44cf2..c9528077e0 100644 --- a/windows/keep-secure/deploy-edp-policy-using-intune.md +++ b/windows/keep-secure/deploy-edp-policy-using-intune.md 
@@ -1,50 +1,5 @@
 ---
 title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
 description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices.
-ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
-keywords: EDP, Enterprise Data Protection, Intune
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# Deploy your enterprise data protection (EDP) policy using Microsoft Intune
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
-
-**To deploy your EDP policy**
-
-1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
-
- ![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png)
-
-2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

    -The added people move to the **Selected Groups** list on the right-hand pane. - - ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png) - -3. After you've picked all of the employees and groups that should get the policy, click **OK**.

    -The policy is deployed to the selected users' devices. - -## Related topics -- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) --[Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) -- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) -- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/deploy-wip-policy-using-intune +--- \ No newline at end of file diff --git a/windows/keep-secure/deploy-wip-policy-using-intune.md b/windows/keep-secure/deploy-wip-policy-using-intune.md new file mode 100644 index 0000000000..075fba2473 --- /dev/null +++ b/windows/keep-secure/deploy-wip-policy-using-intune.md 
@@ -0,0 +1,40 @@
+---
+title: Deploy your Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
+description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
+ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Deploy your Windows Information Protection (WIP) policy using Microsoft Intune
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
+
+**To deploy your WIP policy**
+
+1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
+
+ ![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png)
+
+2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

    +The added people move to the **Selected Groups** list on the right-hand pane. + + ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png) + +3. After you've picked all of the employees and groups that should get the policy, click **OK**.

    +The policy is deployed to the selected users' devices. + +## Related topics +- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) +- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) +- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) +- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) \ No newline at end of file diff --git a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md index 144252b206..df45d7bcb2 100644 --- a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices. diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md index 8bbd75608d..01ed85051c 100644 --- a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md +++ b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md index 6ac463047e..566a6df4da 100644 --- a/windows/keep-secure/device-guard-certification-and-compliance.md +++ b/windows/keep-secure/device-guard-certification-and-compliance.md 
@@ -1,107 +1,4 @@
 ---
 title: Device Guard certification and compliance (Windows 10)
-description: Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications.
-ms.assetid: 94167ECA-AB08-431D-95E5-7A363F42C7E3
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: brianlic-msft
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
 ---
-# Device Guard certification and compliance
-**Applies to**
-- Windows 10
-
-Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when.
-Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
-For details on how to implement Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
-## Why use Device Guard
-With thousands of new malicious files created every day, using traditional methods like signature-based detection to fight against malware provides an inadequate defense against new attacks. 
Device Guard on Windows 10 changes from a mode where apps are trusted unless blocked by an antivirus or other security solutions, to a mode where the operating system trusts only apps authorized by your enterprise.
-Device Guard also helps protect against [zero day attacks](http://go.microsoft.com/fwlink/p/?linkid=534209) and works to combat the challenges of [polymorphic viruses](http://go.microsoft.com/fwlink/p/?LinkId=534210).
-
-### Advantages to using Device Guard
-
-You can take advantage of the benefits of Device Guard, based on what you turn on and use:
-- Helps provide strong malware protection with enterprise manageability
-- Helps provide the most advanced malware protection ever offered on the Windows platform
-- Offers improved tamper resistance
-
-## How Device Guard works
-
-Device Guard restricts the Windows 10 operating system to only running code that’s signed by trusted signers, as defined by your Code Integrity policy through specific hardware and security configurations, including:
-- User Mode Code Integrity (UMCI)
-- New kernel code integrity rules (including the new Windows Hardware Quality Labs (WHQL) signing constraints)
-- Secure Boot with database (db/dbx) restrictions
-- Virtualization-based security to help protect system memory and kernel mode apps and drivers from possible tampering.
-- Optional: Trusted Platform Module (TPM) 1.2 or 2.0
-Device Guard works with your image-building process, so you can turn the virtualization-based security feature on for capable devices, configure your Code Integrity policy, and set any other operating system settings you require for Windows 10. After that, Device Guard works to help protect your devices:
-1. Your device starts up using Universal Extensible Firmware Interface (UEFI) Secure Boot, so that boot kits can’t run and so that Windows 10 starts before anything else.
-2. 
After securely starting up the Windows boot components, Windows 10 can start the Hyper-V virtualization-based security services, including Kernel Mode Code Integrity. These services help protect the system core (kernel), privileged drivers, and system defenses, like anti-malware solutions, by preventing malware from running early in the boot process, or in kernel after startup. -3. Device Guard uses UMCI to make sure that anything that runs in User mode, such as a service, a Universal Windows Platform (UWP) app, or a Classic Windows application is trusted, allowing only trusted binaries to run. -4. At the same time that Windows 10 starts up, so too does the trusted platform module (TPM). TPM provides an isolated hardware component that helps protect sensitive information, such as user credentials and certificates. -## Required hardware and software -The following table shows the hardware and software you need to install and configure to implement Device Guard. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    RequirementDescription

    Windows 10 Enterprise

    The PC must be running Windows 10 Enterprise.

    UEFI firmware version 2.3.1 or higher with UEFI Secure Boot and Platform Secure Boot

    UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity, also known as Platform Secure Boot must be supported. You can validate it against the following Windows Hardware Compatibility Program requirements:

    -
      -
    • [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    • -
    • [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby)

    • -

    Virtualization extensions

    The following virtualization extensions are required to support virtualization-based security:

    -
      -
    • Intel VT-x or AMD-V
    • -
    • Second Level Address Translation
    • -

    Firmware lock

      -
    • The firmware setup should be locked to prevent other operating systems from starting and to prevent changes to the UEFI settings.

    • -
    • Work with your hardware manufacturer to ensure that the devices are Device Guard ready

    • -
    • You should require a firmware password or higher authentication to change firmware settings.

    • -

    x64 architecture

    The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.

    A VT-d or AMD-Vi IOMMU (Input/output memory management unit)

    In Windows 10, an IOMMU enhances system resiliency against memory attacks.

    Secure firmware update process

    To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.

    Device Guard relies on the security of the underlying hardware and firmware. It is critical to keep the firmware updated with the latest security fixes.

    Signed processor microcode updates

    If the processor supports it, you must require signed microcode updates.

    -  -## Related topics -[Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md) -[Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md) -  -  diff --git a/windows/keep-secure/device-guard-deployment-guide.md b/windows/keep-secure/device-guard-deployment-guide.md index 90d7c6aa3a..602bfdf4e3 100644 --- a/windows/keep-secure/device-guard-deployment-guide.md +++ b/windows/keep-secure/device-guard-deployment-guide.md 
@@ -5,1162 +5,50 @@ ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486 keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -ms.pagetype: security, devices -author: challum +localizationpriority: high +author: brianlic-msft --- # Device Guard deployment guide **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. Windows 10 employs Device Guard as well as code integrity and advanced hardware features such as CPU virtualization extensions, Trusted Platform Module, and second-level address translation to offer comprehensive modern security to its users. This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them. +Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Device Guard can use the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. -## Introduction to Device Guard +This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them. It includes: -Today’s security threat landscape is more aggressive than ever before. 
Modern malicious attacks are focused on revenue generation, intellectual property theft, and targeted system degradation, which results in financial loss. Many of these modern attackers are sponsored by nation states with unknown motives and large cyber terrorism budgets. These threats can enter a company through something as simple as an email message and can permanently damage its reputation for securing its software assets, as well as having significant financial impact. Windows 10 introduces several new security features that help mitigate a large percentage of today’s known threats. +- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -It is estimated that more than 300,000 new malware variants are discovered daily. Unfortunately, companies currently use an ancient method to discover this infectious software and prevent its use. In fact, current PCs trust everything that runs until malware signatures determine whether a threat exists; then, the antimalware software attempts to clean the PC, often after the malicious software’s effect has already been noticed. This signature-based system focuses on reacting to an infection and ensuring that the particular infection does not happen again. In this model, the system that drives malware detection relies on the discovery of malicious software; only then can a signature be provided to the client to remediate it, which implies that a computer must be infected first. The time between the detection of the malware and a client being issued a signature could mean the difference between losing data and staying safe. +- [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) -In addition to antimalware solutions, there are some “whitelisting” technologies available, including AppLocker. 
These technologies perform single instance, or blanket-allow or blanket-deny rules for running applications. Although this is more preventative than signature-based detection, it requires significant ongoing maintenance. In Windows 10, these applications are most effective when they are deployed alongside Microsoft Device Guard. +- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) -Device Guard breaks the current model of detection first-block later, and allows only trusted applications to run, period. This methodology is consistent with the successful prevention strategy for mobile phone security. With Device Guard, Microsoft has changed how the Windows operating system handles untrusted applications, which makes its defenses difficult for malware to penetrate. This new prevention versus detection model provides Windows clients with the necessary security for modern threats and, when implemented, makes most of today’s threats completely obsolete from day one. +- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) -Device Guard's features revolutionize the Windows operating system’s security by taking advantage of new virtualization-based security (VBS) options and the trust-nothing mobile device operating system model, which makes its defenses much more difficult for malware to penetrate. By using configurable code integrity policies, organizations are able to choose exactly which applications are allowed to run in their environment. Configurable code integrity is not limited to Windows Store applications and can be used with existing unsigned or signed Win32 applications, without the requirement that the application be repackaged. In addition, configurable code integrity can be deployed as an individual feature if organizations don’t possess the required hardware for Device Guard. 
Along with code integrity, Windows 10 leverages advanced hardware features such as CPU virtualization extensions, input/output memory management units (IOMMUs), Trusted Platform Module (TPM), and second-level address translation (SLAT) to offer comprehensive modern security to its users. Device Guard deployed with configurable code integrity and Credential Guard will be among the most impactful client-side security deployments an organization can implement today. In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as Credential Guard and AppLocker. + - [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) -## Device Guard overview -Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features revolutionize the Windows operating system’s security by taking advantage of new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called *configurable code integrity*, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines—exactly what has made mobile phone security so successful. In addition, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing provides organizations with a way to trust individual third-party applications. 
Device Guard—with configurable code integrity, Credential Guard, and AppLocker—is the most complete security defense that any Microsoft product has ever been able to offer a Windows client. + - [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md) -Advanced hardware features such as CPU virtualization extensions, IOMMUs, and SLAT, drive these new client security offerings. By integrating these hardware features further into the core operating system, Windows 10 leverages them in new ways. For example, the same type 1 hypervisor technology that is used to run virtual machines in Microsoft Hyper-V is used to isolate core Windows services into a virtualization-based, protected container. This is just one example of how Windows 10 integrates advanced hardware features deeper into the operating system to offer comprehensive modern security to its users. These hardware features are now available in consumer and enterprise PC markets and are discussed in detail in the [Hardware considerations](#hardware-considerations) section. + - [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) -Along with these new features, some components of Device Guard are existing tools or technologies that have been included in this strategic security offering to provide customers with the most secure Windows operating system possible. Device Guard is intended as a set of client security features to be used in conjunction with the other threat-resistance features available in the Windows operating system, some of which are mentioned in this guide. In addition to an overview of each feature, this guide walks you through the configuration and deployment of them. 
+ - [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) -**Configurable code integrity** - -The Windows operating system consists of two operating modes: user mode and kernel mode. The base of the operating system runs within the kernel mode, which is where the Windows operating system directly interfaces with hardware resources. User mode is primarily responsible for running applications and brokering information to and from the kernel mode for hardware resource requests. For example, when an application that is running in user mode needs additional memory, the user mode process must request the resources from kernel mode, not directly from RAM. - -Code integrity is the component of the Windows operating system that verifies that the code Windows is running is trusted and safe. Like the operating system, Windows code integrity also contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been used in recent versions of the Windows operating system to protect the kernel mode from running unsigned drivers. Although effective, drivers are not the only route that malware can take to penetrate the kernel mode space of the operating system. In Windows 10, however, Microsoft has raised the standard for kernel mode code out of the box as well as provided enterprises with a way to set their own UMCI and KMCI standards. Beginning with the Code Integrity service itself and continuing through the policies a Windows client uses to verify that an application should be allowed to run, Microsoft has made Windows 10 more secure than any previous Windows release. Historically, UMCI has been available only in Windows RT and on Windows Phone devices, which has made it difficult for these devices to be infected with viruses and malware. In Windows 10, these same successful UMCI standards are available. - -Historically, most malware has been unsigned. 
By simply deploying code integrity policies, organizations will immediately protect themselves against unsigned malware, which is estimated to be responsible for more than 95 percent of current attacks. By using code integrity policies, an enterprise can select exactly which binaries are allowed to run in both user mode and kernel mode, from the signer to the hash level. When completely enforced, it makes user mode in Windows function like a mobile phone, by allowing only specific applications or specific signatures to be trusted and run. This feature alone fundamentally changes the security in an enterprise. This additional security is not limited to Windows apps and does not require that an application be rewritten to be compatible with your existing, unsigned applications. You can implement configurable code integrity without enabling Device Guard, but it is intended to run in conjunction with Device Guard when supported hardware is available. For more information about how to configure, deploy, and manage code integrity policies, see the [Code integrity policies](#code-integrity-policies) section. - -**Hardware security features and virtualization-based security** - -The Device Guard core functionality and protection start at the hardware level. Devices that have processors equipped with SLAT technologies and virtualization extensions, such as Intel Virtualization Technology (VT-x) and AMD-V, will be able to take advantage of virtualization-based security (VBS) features that enhance Windows security. Device Guard leverages VBS to isolate core Windows services that are critical to the security and integrity of the operating system. This isolation removes the vulnerability of these services from both the user and kernel modes and acts as an impenetrable barrier for most malware used today. One of these isolated services, called the Windows Code Integrity service, drives the Device Guard kernel mode configurable code integrity feature. 
This prevents code that has penetrated the kernel mode operations from compromising the code integrity service. -Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the virtualization container that hosts the Windows security services, such as code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#device-guard-with-credential-guard) section. For information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-credential-guard) section. - -**Device Guard with AppLocker** - -Although AppLocker is not considered a new Device Guard feature, it complements Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. - ->**Note:**  One example in which Device Guard functionality needs AppLocker supplementation is when your organization would like to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule. 
-AppLocker and Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, Microsoft recommends that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. - -**Device Guard with Credential Guard** - -Although Credential Guard is not a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against credential theft. Similar to virtualization-based protection of kernel mode code integrity, Credential Guard leverages hypervisor technology to protect domain credentials. This mitigation is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. For information about how to deploy Credential Guard to your Windows 10 Enterprise clients, see the [Enable Credential Guard](#enable-cg) section. In addition to the client-side enablement of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. Refer to the [Credential Guard](credential-guard.md) documentation for guidance on these additional mitigations. - -**Unified manageability** - -You can easily manage Device Guard features by using the familiar enterprise and client-management tools that IT pros use every day. Use the following management tools to enable and manage Device Guard: - -- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. 
You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simple to implement Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. For more information about catalog files, see the [Catalog files](#catalog-files) section. -- **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features, as well as provide version control. For more information about how to deploy catalog files by using System Center Configuration Manager, see the [Deploy catalog files with System Center Configuration Manager](#deploy-cat-sccm) section. -- **Microsoft Intune**. In a future release of Microsoft Intune, organizations will be able to leverage Intune for deployment and management of code integrity policies and catalog files. -- **Windows PowerShell**. Windows PowerShell is primarily used to create and service code integrity policies. These policies represent the most powerful component of Device Guard. For a step-by-step walkthrough of how to create, audit, service, enforce, and deploy code integrity policies, see the [Code integrity policies](#code-integrity-policies) section. - -These options provide the same experience you are used to in order to manage your existing enterprise management solutions. For more information about how to manage and deploy Device Guard hardware and code integrity features in your organization, see the [Device Guard deployment](#dg-deployment) section. - -## Plan for Device Guard - -In this section, you will learn about the following topics: - -- [Approach enterprise code integrity deployment](#approach-enterprise-code-integrity-deployment). Device Guard deployment in your organization requires a planned approach. 
In this section, you get high-level recommendations for how to approach enterprise code integrity deployment in your organization. -- [Device Guard deployment scenarios](#device-guard-deployment-scenarios). When you plan for Device Guard deployment, Microsoft recommends that you categorize each device in your organization into a deployment scenario. These scenarios will provide a roadmap for your Device Guard deployment. -- [Code signing adoption](#code-signing-adoption). Code signing is important to the security that Device Guard provides. This section outlines the options for code signing and the benefits and disadvantages of each method. -- [Hardware considerations](#hardware-considerations). Several Device Guard features require advanced hardware. This section outlines the requirements for each of those features and what to look for during your next hardware refresh. - -## Approach enterprise code integrity deployment - -Enterprises that want to consider Device Guard should not expect deployment to their entire organization overnight. Device Guard implementation requires that you plan for both end-user and IT pro impact. In addition, the deployment of Device Guard features to your enterprise requires a planned, phased approach to ensure that end-user systems are fully capable and ready to enforce these new security restrictions. Perform the following high-level tasks to approach the deployment of Device Guard to your enterprise: - -1. **Group devices into similar functions**. Categorize machines into the groups described in the [Device Guard deployment scenarios](#device-guard-deployment-scenarios) section. This begins the roadmap for your Device Guard deployment and provides groups of easier and more difficult implementations. From there, assess the quantity of necessary Device Guard policies. The easiest solution is to lock down your entire enterprise, but it might not fit your individual departments’ needs. 
- - To discover an appropriate number of policies for your organization, try to separate the defined groups into departments or roles. Then ask some questions: What software does each department or role need to do their job? Should they be able to install and run other departments’ software? Do we need to create a base code integrity policy that aligns with our application catalog? Should users be able to install any application or only choose from an “allowed” list? Do we allow users to use their own peripheral devices? These questions will help you discover the number of necessary policies for your organization. Finally, try to focus on which people or departments would require an additional level of privileges. For example, should department x be able to install and run application xyz, even though no other department does? If the answer is yes and justifiable, you will need a secondary code integrity policy for that group. If not, you will likely be able to merge several policies to simplify management. For more information about configurable code integrity policies, see the [Code integrity policies](#code-integrity-policies) section. - -2. **Create code integrity policies from “golden” PCs**. After you create the groups of devices, you can create code integrity policies to align with those groups, similar to the way you would manage corporate images. When you have separated these groups and set up golden PCs that mimic the software and hardware those individual groups require, create code integrity policies from each of them. After you create these, you can merge these code integrity policies to create a master policy, or you can manage and deploy them individually. For step-by-step instructions about how to create code integrity policies, see the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) section. - -3. **Audit and merge code integrity policies**. 
Microsoft recommends that you test code integrity policies in audit mode before you enforce them. Audit mode allows administrators to run the code integrity policy on a system but not actually block anything. Rather than not allowing applications to run, events are logged with each exception to the policy. This way, you can easily highlight any issues that were not discovered during the initial scan. You can create additional code integrity policies by using the audit events and merge them into the existing policy. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section. - -4. **Assess LOB applications that are currently unsigned, and create a catalog file for them**. Catalog files allow organizations to sign applications that do not currently possess digitally signed binaries or applications that a customer would want to add a secondary signature to. These applications can be in-house applications or from third parties, and the process does not require any repackaging of the application. When you create code integrity policies at a rule level above hash values, you will not discover unsigned applications. To include these applications in your code integrity policies, simply create, sign, and deploy a catalog file. For information about catalog files, see the [Catalog files](#catalog-files) section. - -5. **Enable desired hardware security features**. Each type of device found in the [Device Guard deployment scenarios](#device-guard-deployment-scenarios) section takes advantage of different software and hardware integrity configurations. You should assess hardware-based security features separately from code integrity policies because they provide complementary functionality. For information about how to configure Device Guard hardware-based security features, see the [Configure hardware-based security features](#configure-hardware-based-security-features) section. - -6. 
**Deploy code integrity policies and catalog files**. After you have created and signed the necessary catalog files and created and audited code integrity policies, you are ready to deploy them in phases. Microsoft strongly recommends that you deploy these components to a test group of users, even after your IT organization has tested and vetted them. This provides a final quality control validation before you deploy the catalog files and policies more broadly. For information about how to deploy catalog files with Group Policy, see the [Deploy catalog files with Group Policy](#deploy-catalog-files-with-group-policy) section. For additional information about how to deploy code integrity policies, see the [Deploy code integrity policies with Group Policy](#deploy-code-integrity-policies-with-group-policy) section. - -## Device Guard deployment scenarios - -To help simplify the deployment of Device Guard to your organization, Microsoft recommends that you group devices into the deployment scenarios described in this section. Device Guard is not a feature that organizations will just simply “turn on”; rather, it typically requires a phased implementation approach. To see where these scenarios fit into an overall Device Guard deployment approach, see the [Approach to enterprise code integrity deployment](#approach-to-enterprise-code-integrity-deployment) section. - -**Fixed-workload devices** - -The lists of approved applications on fixed-workload devices rarely change as they perform the same tasks day after day. Examples of such devices include kiosks, point-of-sale systems, and call center PCs. These devices could easily employ the full capabilities of Device Guard and would require little management or policy modification. Device Guard implementation to these devices is painless and requires little ongoing administration. With Device Guard fully implemented, users are able to run only those applications that the IT department installs, manages, and trusts. 
-Device Guard components that are applicable to fixed-workload devices include: - -- KMCI VBS protection -- Enforced UMCI policy - -**Fully managed devices** - -Fully managed devices are those for which the IT department restricts the software that is installed and run on them, but allows users to request installation of additional software or provides a list of approved software in an application catalog. Examples of such devices include locked-down, company-owned desktops and laptops. With these devices, establish an initial baseline code integrity policy and enforce the code integrity policy. The IT department manages the policies and updates the devices when new applications are approved or are provided in the System Center Configuration Manager catalog. -Device Guard components that are applicable to fully managed devices include: - -- KMCI VBS protection -- Enforced UMCI policy - -In this scenario, an application list is provided and trusted, and the trust policy is constantly re-evaluated when a user requests a new application. When an application is trusted across all of these devices, new user requests for that application do not require a policy update (alignment with application catalog). In addition, you can couple this with an onboarding process for new applications that you should add to the central application catalog. Initial implementation of Device Guard to fully managed devices is simple but does require more administrative overhead to manage trusted signatures of newly requested and approved applications. - -**Lightly managed devices** - -Lightly managed devices are company-owned machines over which users have full control, which includes what is installed on them. These devices run the organization’s antivirus solution and client management tools but are not restricted by software request or compliance policies. 
- -Device Guard components that are applicable to lightly managed devices include: - -- KMCI VBS protection -- UMCI policy in Audit mode - -**Bring Your Own Device** - -Device Guard is not a good way to manage devices in a Bring Your Own Device (BYOD) model. When employees are allowed to bring their own devices, the management of user-mode applications on them can make it difficult for users to use their own devices when they are not at work. In addition, Device Guard functionality is difficult to maintain from an administrative perspective. For devices in this group, explore alternate hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. - -## Code signing adoption - -Code signing is crucial to the successful implementation of configurable code integrity policies. These policies can trust the signing certificates from both independent software vendors and customers. In Windows 10, all Windows Store applications are signed. Also, you can easily trust any other signed application by adding the signing certificate to the code integrity policy. -For unsigned applications, customers have multiple options for signing them so that code integrity policies can trust them. The first option is traditional embedded code signing. Organizations that have in-house development teams can incorporate binary code signing into their application development process, and then simply add the signing certificate to their code integrity policies. The second option for signing unsigned applications is to use catalog files. In Windows 10, customers have the ability to create catalog files as they monitor the installation and initial run of an application. For more information about signing existing unsigned LOB applications or third-party applications, see the [Existing line-of-business applications](#existing-line-of-business-applications) section. 
- -### Existing line-of-business applications - -Until now, existing LOB applications were difficult to trust if they were signed by a source other than the Windows Store or not signed at all. With Windows 10, signing your existing LOB and third-party unsigned applications is simplified. This new signing method does not require that applications be repackaged in any way. With catalog files, administrators can sign these unsigned applications simply by monitoring for an installation and initial startup. By using this monitoring information, an administrator can generate a catalog file. Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated every time an application is updated and therefore require an updated catalog file. For simplified administration, consider incorporating embedded code signing into your application development process. For more information about how to generate catalog files, see the [Catalog files](#catalog-files) section. - ->**Note:**  Catalog files are lists of individual binaries’ hash values. If the scanned application is updated, you will need to create a new catalog file. That said, binary signing is still highly recommended for any future applications so that no catalog files are needed. -  -When you create a catalog file, you must sign it by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. When signed, code integrity policies can trust the signer or signing certificate of those files. For information about catalog file signing, see the [Catalog files](#catalog-files) section. - -**Application development** - -Although in-house applications can be signed after packaging by using catalog files, Microsoft strongly recommends that embedded code signing be incorporated into your application development process. 
When signing applications, simply add the code signing certificate used to sign your applications to your code integrity policy. This ensures that your code integrity policy will trust any future application that is signed with that certificate. Embedding code signing into any in-house application development process is beneficial to your IT organization as you implement code integrity policies. - -## Hardware considerations - -Careful consideration about which hardware vendor and specific models to purchase during your next hardware refresh is vitally important to the success of your organization’s Device Guard implementation efforts. In alignment with your current hardware life cycle, consider the process that is discussed in the [Approach enterprise code integrity deployment](#approach-enterprise-code-integrity-deployment) section when you determine the appropriate order of hardware replacement in your organization. Device Guard should be deployed in phases; therefore, you have time to methodically plan for its implementation. - -Different hardware features are required to implement the various features of Device Guard. There will likely be some individual features that you will be able to enable with your current hardware and some that you will not. However, for organizations that want to implement Device Guard in its entirety, several advanced hardware features will be required. For additional details about the hardware features that are required for Device Guard components, see the following table. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    RequirementDescription

    Windows 10 Enterprise

    The PC must be running Windows 10 Enterprise.

    UEFI firmware version 2.3.1 or higher with UEFI Secure Boot and Platform Secure Boot

    UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity, also known as Platform Secure Boot must be supported. You can validate it against the following Windows Hardware Compatibility Program requirements:

    -
      -
    • [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    • -
    • [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby)

    • -

    Virtualization extensions

    The following virtualization extensions are required to support virtualization-based security:

    -
      -
    • Intel VT-x or AMD-V
    • -
    • Second Level Address Translation
    • -

    Firmware lock

      -
    • The firmware setup should be locked to prevent other operating systems from starting and to prevent changes to the UEFI settings.

    • -
    • Work with your hardware manufacturer to ensure that the devices are Device Guard ready.

    • -
    • You should require a firmware password or higher authentication to change firmware settings.

    • -

    x64 architecture

    The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.

    A VT-d or AMD-Vi IOMMU (Input/output memory management unit)

    In Windows 10, an IOMMU enhances system resiliency against memory attacks.

    Secure firmware update process

    To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.

    Device Guard relies on the security of the underlying hardware and firmware. It is critical to keep the firmware updated with the latest security fixes.

    Signed processor microcode updates

    If the processor supports it, you must require signed microcode updates.

    - -## Device Guard deployment - -In this section, you learn about the following topics: - -- [Configure hardware-based security features](#configure-hardware-based-security-features). This section explains how to enable the hardware-based security features in Device Guard. Also, you verify that the features are enabled by using both Windows Management Infrastructure (WMI) and Msinfo32.exe. -- [Catalog files](#catalog-files). In this section, you create, sign, and deploy catalog files. You deploy the catalog files by using both Group Policy and System Center Configuration Manager. Also, you use System Center Configuration Manager to inventory the deployed catalog files for reporting purposes. -- [Code integrity policies](#code-integrity-policies). This section provides information on how to create, audit, service, merge, deploy, and remove signed and unsigned configurable code integrity policies. - -## Configure hardware-based security features - -Hardware-based security features make up a large part of Device Guard security offerings. VBS reinforces the most important feature of Device Guard: configurable code integrity. There are three steps to configure hardware-based security features in Device Guard: - -1. **Verify that hardware requirements are met and enabled**. Verify that your client machines possess the necessary hardware to run these features. A list of hardware requirements for the hardware-based security features is available in the [Hardware considerations](#hardware-considerations) section. -2. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. For details on which Windows features are needed, see the [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security) section. -3. **Enable desired features**. 
When the necessary hardware and Windows features have been enabled, you are ready to enable the desired hardware-based security features. For UEFI Secure Boot, see the [Enable UEFI Secure Boot](#enable-unified-extensible-interface-secure-boot) section. For information about how to enable VBS protection of the KMCI service, see the [Enable virtualization-based protection of kernel mode code integrity](#enable-virtualbased) section. Finally, for information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-credential-guard) section. - -### Windows feature requirements for virtualization-based security - -In addition to the hardware requirements found in the [Hardware considerations](#hardware-considerations) section, you must enable certain operating system features before you can enable VBS: Microsoft Hyper-V and isolated user mode (shown in Figure 1). - ->**Note:**  You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, refer to the [Credential Guard documentation](http://go.microsoft.com/fwlink/p/?LinkId=624529). -  -![figure 1](images/dg-fig1-enableos.png) - -Figure 1. Enable operating system features for VBS - -After you enable these features, you can configure any hardware-based security features you want. For information about how to enable virtualization-based protection of kernel-mode code integrity, see the [Enable virtualization-based protection of kernel-mode code integrity](#enable-virtualization-based-protection-of-kernel-mode-code-integrity) section. For information about how to enable UEFI Secure Boot, see the [Enable UEFI Secure Boot](#enable-unified-extensible-interface-secure-boot) section. Finally, for additional information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-credential-guard) section. 
- -### Enable Unified Extensible Firmware Interface Secure Boot - -Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in the [Hardware considerations](#hardware-considerations) section. There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10: - ->**Note:**  There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include DMA protection (IOMMU) technologies. Without the presence of IOMMUs and with DMA protection disabled, customers will lose protection from driver-based attacks. - -1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey. -2. Set the **EnableVirtualizationBasedSecurity DWORD** value to **1**. -3. Set the **RequirePlatformSecurityFeatures DWORD** value as appropriate: - - - Set this value to **1** to enable the **Secure Boot** option. - - Set this value to **2** to enable the **Secure Boot with DMA Protection** option. - -4. Restart the client machine. - -Unfortunately, it would be time consuming to perform these steps manually on every protected machine in your enterprise. Group Policy offers a much simpler way to deploy UEFI Secure Boot to your organization. This example creates a test organizational unit (OU) called *DG Enabled PCs*. If you prefer to link the policy to an existing OU, and then scope the GPO by using appropriately named computer security groups, you can certainly do so. - ->**Note:**  Microsoft recommends that you test-enable this feature on a group of test machines before you deploy it to machines that are currently deployed to users. 
- -**Use Group Policy to deploy Secure Boot** - - - -1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**. - - ![figure 2](images/dg-fig2-createou.png) - - Figure 2. Create a new OU-linked GPO - -2. Name the new GPO **Contoso Secure Boot GPO Test**. This example uses *Contoso Secure Boot GPO Test* as the name of the GPO. You can choose any name for this example. Ideally, the name would align with your existing GPO naming convention. - -3. To open the Group Policy Management Editor, right-click the new GPO, and then click **Edit**. - -4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Then, right-click **Turn On Virtualization Based Security**, and then click **Edit**. - - ![figure 3](images/dg-fig3-enablevbs.png) - - Figure 3. Enable VBS - -5. Select the **Enabled** option, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list. - - ![figure 4](images/device-guard-gp.png) - - Figure 4. Enable Secure Boot - - >**Note:**  Device Guard Secure Boot is maximized when combined with DMA protection. If your hardware contains the IOMMUs required for DMA protection, be sure to select the **Secure Boot and DMA Protection** platform security level. If your hardware does not contain IOMMU, there are several mitigations provided by leveraging Secure Boot without DMA Protection. -   -6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. After you configure this setting, UEFI Secure Boot will be enabled upon restart. - -7. Check the test computer’s event log for Device Guard GPOs. - - Processed Device Guard policies are logged in event viewer at Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. 
When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. - -### Enable virtualization-based security of kernel-mode code integrity - -Before you begin this process, verify that the desired computer meets the hardware requirements for VBS found in the [Hardware considerations](#hardware-considerations) section, and enable the Windows features discussed in the [Virtualization-based security Windows feature requirements](#virtualization-based-security-windows-featurerrequirements) section. When validated, you can enable virtualization-based protection of KMCI in one of two ways: manual configuration of the appropriate registry subkeys and Group Policy deployment. - ->**Note:**  All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. Microsoft recommends that you enable this feature on a group of test machines before you enable it on deployed machines. - -To configure virtualization-based protection of KMCI manually: - -1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey. -2. Set the **HypervisorEnforcedCodeIntegrity DWORD** value to **1**. -3. Restart the client computer. - -It would be time consuming to perform these steps manually on every protected machine in your enterprise. Instead, use Group Policy to deploy virtualization-based protection of KMCI. This example creates a test OU called *DG Enabled PCs*, which you will use to link the GPO. If you prefer to link the policy to an existing OU rather than create a test OU and scope the policy by using appropriately named computer security groups, that is another option. - ->**Note:**  Microsoft recommends that you test-enable this feature on a group of test computers before you deploy it to machines that are currently deployed to users. 
If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail. - -To use Group Policy to configure VBS of KMCI: - -1. Create a new GPO: Right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**. - - ![figure 5](images/dg-fig5-createnewou.png) - - Figure 5. Create a new OU-linked GPO - -2. Name the new GPO **Contoso VBS CI Protection GPO Test**. - - This example uses *Contoso VBS CI Protection GPO Test* as the name of the GPO. You can choose any name you prefer for this example. Ideally, this name would align with your existing GPO naming convention. - -3. Open the Group Policy Management Editor: Right-click the new GPO, and then click **Edit**. - -4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Then, right-click **Turn On Virtualization Based Security**, and then click **Edit**. - - ![figure 6](images/dg-fig6-enablevbs.png) - - Figure 6. Enable VBS - -5. Select the **Enabled** option, and then select the **Enable Virtualization Based Protection of Code Integrity** check box. - - ![figure 7](images/dg-fig7-enablevbsofkmci.png) - - Figure 7. Enable VBS of KMCI - -6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. With this setting configured, the VBS of the KMCI will take effect upon restart. - -7. Check the test client event log for Device Guard GPOs. - - Processed Device Guard policies are logged in event viewer under Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. When the **Turn On Virtualization Based Security** policy has been successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. 
- -### Enable Credential Guard - -Credential Guard provides an additional layer of credential protection specifically for domain users by storing the credentials within the virtualized container, away from both the kernel and user mode operating system. This makes it difficult for even a compromised system to obtain access to the credentials. In addition to the client-side enablement of Credential Guard, you can deploy additional mitigations at both the Certification Authority and domain controller level to prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future. - -Before you begin this process, verify that the desired system meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and that you have enabled the Windows features laid out in the [Virtualization-based security Windows feature requirements](#virtualization-based-security-windows-feature-requirements) section. When validated, you can enable Credential Guard manually, by configuring the appropriate registry subkeys, or through Group Policy deployment. - -To configure VBS of Credential Guard manually: - -1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa** registry subkey. -2. Set the **LsaCfgFlags DWORD** value to **1**. -3. Restart the client computer. - -To avoid spending an unnecessary amount of time in manual deployments, use Group Policy to deploy Credential Guard to your organization. This example creates a test OU called *DG Enabled PCs*. To enable Credential Guard, you can link to any OU, and then scope the GPO’s application by using security groups. - ->**Note:**  Microsoft recommends that you enable Credential Guard before you join a machine to the domain to ensure that all credentials are properly protected. Setting the appropriate registry subkeys during your imaging process would be ideal to achieve this protection. 
- -To use Group Policy to enable Credential Guard: - -1. Create a new GPO: right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here** . - - ![figure 8](images/dg-fig8-createoulinked.png) - - Figure 8. Create a new OU-linked GPO - -2. Name the new GPO **Contoso Credential Guard GPO Test**. - - This example uses *Contoso Credential Guard GPO Test* as the name of the GPO. You can choose any name you prefer for this example. Ideally, this name would align with your existing GPO naming convention. - -3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. - -4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. - - ![figure 9](images/dg-fig9-enablevbs.png) - - Figure 9. Enable VBS - -5. Select the **Enabled** option, and then select the **Enable Credential Guard** check box. - - ![figure 10](images/dg-fig10-enablecredentialguard.png) - - Figure 10. Enable Credential Guard - -6. Close Group Policy Management Editor, and then restart the Windows 10 test computer. - - >**Note:**  The default platform security level is **Secure Boot**. If IOMMUs are available within the protected machines, it is recommended that you select **Secure Boot and DMA Protection** to maximize the mitigations that are available through Credential Guard. - -7. Check the test client event log for Device Guard GPOs. - ->**Note**  All processed Device Guard policies are logged in event viewer under Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. -  -For additional information about how Credential Guard works as well as additional configuration options, please refer to the [Credential Guard documentation](http://go.microsoft.com/fwlink/p/?LinkId=624529). 
- -**Validate enabled Device Guard hardware-based security features** - -Windows 10 and Windows Server 2016 and later have a WMI class for Device Guard–related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: - -`Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard` - ->**Note:**  The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10. - -The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. For detailed information about what each property means, refer to Table 1. -  -Table 1. Win32\_DeviceGuard properties - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    PropertiesDescriptionValid values
    AvailableSecurityPropertiesThis field helps to enumerate and report state on the relevant security properties for Device Guard.
      -
    • 0. If present, no relevant properties exist on the device.

    • -
    • 1. If present, hypervisor support is available.

    • -
    • 2. If present, Secure Boot is available.

    • -
    • 3. If present, DMA protection is available.

    • -
    InstanceIdentifierA string that is unique to a particular device.Determined by WMI.
    RequiredSecurityPropertiesThis field describes the required security properties to enable virtualization-based security.
      -
    • 0. Nothing is required.

    • -
    • 1. If present, Secure Boot is needed.

    • -
    • 2. If present, DMA protection is needed.

    • -
    • 3. If present, both Secure Boot and DMA protection are needed.

    • -
    SecurityServicesConfiguredThis field indicates whether the Credential Guard or HVCI service has been configured.
      -
    • 0. No services configured.

    • -
    • 1. If present, Credential Guard is configured.

    • -
    • 2. If present, HVCI is configured.

    • -
    SecurityServicesRunningThis field indicates whether the Credential Guard or HVCI service is running.
      -
    • 0. No services running.

    • -
    • 1. If present, Credential Guard is running.

    • -
    • 2. If present, HVCI is running.

    • -
    VersionThis field lists the version of this WMI class.The only valid value now is 1.0.
    VirtualizationBasedSecurityStatusThis field indicates whether VBS is enabled and running.
      -
    • 0. VBS is not enabled.

    • -
    • 1. VBS is enabled but not running.

    • -
    • 2. VBS is enabled and running.

    • -
    PSComputerNameThis field lists the computer name.All valid values for computer name.
    - -Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the -**System Summary** section, as shown in Figure 11. - -![figure 11](images/dg-fig11-dgproperties.png) - -Figure 11. Device Guard properties in the System Summary - -## Catalog files - -Enforcement of Device Guard on a system requires that every trusted application have a signature or its binary hashes added to the code integrity policy. For many organizations, this can be an issue when considering unsigned LOB applications. To avoid the requirement that organizations repackage and sign these applications, Windows 10 includes a tool called Package Inspector that monitors an installation process for any deployed and executed binary files. If the tool discovers such files, it itemizes them in a catalog file. These catalog files offer you a way to trust your existing unsigned applications, whether developed in house or by a third party, as well as trust signed applications for which you do not want to trust the signer but rather the specific application. When created, these files can be signed, the signing certificates added to your existing code integrity policies, and the catalog files themselves distributed to the clients. - ->**Note:**  The Enterprise edition of Windows 10 or Windows Server 2016 is required to create and use catalog files. - -### Create catalog files - -The creation of catalog files is the first step to add an unsigned application to a code integrity policy. To create a catalog file, copy each of the following commands into an elevated Windows PowerShell session, and then complete the steps: - ->**Note:**  When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, you will use *\*-Contoso.cat* as the naming convention. 
For more information about why this practice is helpful to inventory or detect catalog files, see the [Inventory catalog files with System Center Configuration Manager](#inventory-catalog-files-with-system-center-configuration-manager) section. -  -1. Be sure that a code integrity policy is currently running in audit mode. - - Package Inspector does not always detect installation files that have been removed from the machine during the installation process. To ensure that these binaries are also trusted, the code integrity policy that you created and audited in the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) and [Audit code integrity policies](#audit-code-integrity-policies) sections should be deployed, in audit mode, to the system on which you are running Package Inspector. - - **Note**   - This process should **not** be performed on a system running an enforced Device Guard policy, only with a policy running in audit mode. If a policy is currently being enforced, you will not be able to install and run the application. - -2. Start Package Inspector, and then scan drive C: - - `PackageInspector.exe Start C:` - - >**Note:**  Package inspector can monitor installations on any local drive. In this example, we install the application on drive C, but any other drive can be used. -   -3. Copy the installation media to drive C. - - By copying the installation media to drive C, you ensure that Package Inspector detects and catalogs the actual installer. If you skip this step, the future code integrity policy may trust the application to run but not be installed. - -4. Install and launch the application. - - Install the application to drive C. When the installation is finished, launch the application and ensure that any product updates are installed and any downloadable content caught during the scan. When finished, close and - reopen the application once again to ensure that the scan has captured all binaries. 
- - >**Note:**   Every binary that is run while Package Inspector is running will be captured in the catalog. Therefore, be sure not to run additional installations or updates during the scan to minimize the risk of trusting the incorrect binaries. Alternatively, if you want to add multiple applications to a single catalog file, simply repeat the installation and run process while the current scan is running. -   -5. Stop the scan, and then generate definition and catalog files. When application installation and initial setup are finished, stop the Package Inspector scan and generate the catalog and definition files on your desktop by using the following commands: - - `$ExamplePath=$env:userprofile+"\Desktop"` - `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` - `$CatDefName=$ExamplePath+"\LOBApp.cdf"` - `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName` - ->**Note:**  This scan catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values. -When finished, the files will be saved to your desktop. To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be included in the code integrity policy, and the catalog file can be distributed to the individual client machines. Catalog files can be signed by using a certificate and SignTool.exe, a free tool available in the Windows SDK. For more information about signing catalog files with SignTool.exe, see the [Catalog signing with SignTool.exe](#catalog-signing-with-signtool.exe) section. - -### Catalog signing with SignTool.exe - -Device Guard makes it easy for organizations to sign and trust existing unsigned LOB applications. In this section, you sign a catalog file you generated in a previous section by using PackageInspector.exe. 
For information about how to create catalog files, see the [Create catalog files](#create-catalog-files) section. In this example, you need the following: - -- SignTool.exe, found in the Windows software development kit (SDK—Windows 7 or later) -- The catalog file that you generated in the [Create catalog files](#create-catalog-files) section, or another catalog file that you have created -- Internal certification authority (CA) code signing certificate or purchased code signing certificate - -If you do not have a code signing certificate, please see the [Create a Device Guard code signing certificate](#create-a-device-guard-code-signing-certificate) section for a walkthrough of how to create one. In addition to using the certificate you create in the Create a Device Guard code signing certificate section, this example signs the catalog file that you created in the [Create catalog files](#create-catalog-files) section. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate. To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session: - -1. Initialize the variables that will be used: - - '$ExamplePath=$env:userprofile+"\Desktop"' - - '$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"' - - >**Note:**   In this example, you use the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, be sure to update the *$ExamplePath* and *$CatFileName* variables with the correct information. - -2. Import the code signing certificate. Import the code signing certificate that will be used to sign the catalog file to the signing user’s personal store. In this example, you use the certificate that you created in the [Create a Device Guard code signing certificate](#create-a-device-guard-code-signing-certificate) section. - -3. 
Sign the catalog file with Signtool.exe: - - ` sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName` - - >**Note:**  The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* is the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the machine on which you are attempting to sign the catalog file. - - >**Note:**  For additional information about Signtool.exe and all additional switches, visit [MSDN Sign Tool page](http://go.microsoft.com/fwlink/p/?LinkId=624163). -   -4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 12. - - ![figure 12](images/dg-fig12-verifysigning.png) - - Figure 12. Verify that the signing certificate exists - -5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}. - - For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, Microsoft recommends that you use Group Policy File Preferences to copy the appropriate catalog files to all desired machines or an enterprise systems management product such as System Center Configuration Manager. Doing this simplifies the management of catalog versions, as well. - -### Deploy catalog files with Group Policy - -To simplify the management of catalog files, you can use Group Policy preferences to deploy catalog files to the appropriate PCs in your organization. The following process walks you through the deployment of a signed catalog file called LOBApp-Contoso.cat to a test OU called DG Enabled PCs with a GPO called **Contoso DG Catalog File GPO Test**. 
- ->**Note:**  This walkthrough requires that you have previously created a signed catalog file and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create and sign a catalog file, see the [Catalog files](#catalog-files) section. - -To deploy a catalog file with Group Policy: - -1. From either a domain controller or a client PC that has Remote Server Administration Tools (RSAT) installed, open the Group Policy Management Console (GPMC) by running **GPMC.MSC** or by searching for Group Policy Management. -2. Create a new GPO: right-click the DG Enabled PCs OU, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 13. - - >**Note:**  The DG Enabled PCs OU is just an example of where to link the test GPO that you created in this section. You can use any OU name. Also, security group filtering is an option when you consider policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise-code-integrity-deployment) section. - - ![figure 13](images/dg-fig13-createnewgpo.png) - - Figure 13. Create a new GPO - -3. Name the new GPO **Contoso DG Catalog File GPO Test**. - - This example uses *Contoso DG Catalog File GPO Test* as the name of the GPO. You can choose any name you prefer for this example. - -4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. - -5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 14. - - ![figure 14](images/dg-fig14-createnewfile.png) - - Figure 14. Create a new file - -6. Configure the catalog file share. - - To use this setting to provide consistent deployment of LOBApp-Contoso.cat, the source file should be on a share that is accessible to the computer account of every deployed machine. 
This example uses a share on a Windows 10 client machine called \\\\Contoso-Win10\\Share. The catalog file being deployed is copied to this share. - -7. To keep versions consistent, in the **New File Properties** dialog box (Figure 15), select **Replace** from the **Action** list so that the newest version is always used. - - ![figure 15](images/dg-fig15-setnewfileprops.png) - - Figure 15. Set the new file properties - -8. In the **Source file(s)** box, type the name of your accessible share, with the catalog file name included (for example, \\\\Contoso-Win10\\share\\LOBApp-Contoso.cat). - -9. In the **Destination File** box, type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\LOBApp-Contoso.cat**. - - >**Note:**  LOBApp-Contoso.cat is not a required catalog name: This name was used in the [Create catalog files](#create-catalog-files) section, and so it was used here, as well. -   -10. On the **Common** tab of the **New File Properties** dialog box, select the **Remove this item when it is no longer applied** option. Doing this ensures that the catalog file is removed from every system, in case you ever need to stop trusting this application. - -11. Click **OK** to complete file creation. - -12. Close the Group Policy Management Editor, and then update the policy on the test Windows 10 machine by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} on the Windows 10 machine. - -### Deploy catalog files with System Center Configuration Manager - -As an alternative to Group Policy, you can use System Center Configuration Manager to deploy catalog files to the managed machines in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. 
In addition to the deployment of these files, System Center Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files: - ->**Note:**  The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization. - -1. Open the Configuration Manager console, and select the Software Library workspace. -2. Navigate to Overview\\Application Management, right-click **Packages**, and then click **Create Package**. -3. Name the package, set your organization as the manufacturer, and select an appropriate version number (Figure 16). - - ![figure 16](images/dg-fig16-specifyinfo.png) - - Figure 16. Specify information about the new package - -4. Click **Next**, and then select **Standard program** as the program type. -5. On the **Standard Program** page, select a name, and then set the **Command Line** property to **XCopy \\\\Shares\\CatalogShare C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} /H /K /E /Y**. -6. On the **Standard Program** page, select the following options (Figure 17): - - - In **Name**, type **Contoso Catalog File Copy Program**. - - In **Command line**, browse to the program location. - - In **Startup folder**, type **C:\\Windows\\System32**. - - From the **Run** list, select **Hidden**. - - From the **Program can run** list, select **Whether or not a user is logged on**. - - From the **Drive mode** list, select **Runs with UNC name**. - - ![figure 17](images/dg-fig17-specifyinfo.png) - - Figure 17. Specify information about the standard program - -7. Accept the defaults for the rest of the wizard, and then close the wizard. 
-After you create the deployment package, deploy it to a collection so that the clients will receive the catalog files. In this example, you deploy the package you just created to a test collection: - -1. In the Software Library workspace, navigate to Overview\\Application Management\\Packages, right-click the catalog file package, and then click **Deploy**. -2. On the **General** page, select the test collection to which the catalog files will be deployed, and then click **Next**. -3. On the **Content** page, click **Add** to select the distribution point that will serve content to the selected collection, and then click **Next**. -4. On the **Deployment Settings** page, select **Required** in the **Purpose** box. -5. On the **Scheduling** page, click **New**. -6. In the **Assignment Schedule** dialog box, select **Assign immediately after this event**, set the value to **As soon as possible**, and then click **OK**. -7. On the **Scheduling** page, click **Next**. -8. On the **User Experience** page (Figure 18), set the following options, and then click **Next**: - - - Select the **Software installation** check box. - - Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box. - - ![figure 18](images/dg-fig18-specifyux.png) - - Figure 18. Specify the user experience - -9. On the **Distribution Points** page, in the **Deployment options** box, select **Run program from distribution point**, and then click **Next**. -10. On the **Summary** page, review the selections, and then click **Next**. -11. Close the wizard. - -### Inventory catalog files with System Center Configuration Manager - -When catalog files have been deployed to the machines within your environment, whether by using Group Policy or System Center Configuration Manager, you can inventory them with the software inventory feature of System Center Configuration Manager. 
The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy. - ->**Note:**  A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names. - -1. Open the Configuration Manager console, and select the Administration workspace. -2. Navigate to **Overview\\Client Settings**, right-click **Client Settings**, and then click **Create Custom Client Device Settings**. -3. Name the new policy, and select the **Software Inventory** check box from the **Select and then configure the custom settings for client devices** list, as shown in Figure 19. - - ![figure 19](images/dg-fig19-customsettings.png) - - Figure 19. Select custom settings - -4. In the navigation pane, click **Software Inventory**, and then click **Set Types**, as shown in Figure 20. - - ![figure 20](images/dg-fig20-setsoftwareinv.png) - - Figure 20. Set the software inventory - -5. In the **Configure Client Setting** dialog box, click the **Start** button to open the **Inventories File Properties** dialog box. - -6. In the **Name** box, type **\*Contoso.cat**, and then click **Set**. - - >**Note:**  **\*Contoso.cat** is the naming convention used in this example. This should mimic the naming convention you use for your catalog files. -   -7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 21. - - ![figure 21](images/dg-fig21-pathproperties.png) - - Figure 21. Set the path properties - -8. Click **OK**. - -9. Now that you have created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files. 
-At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in System Center Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps: - -1. Open the Configuration Manager console, and select the Assets and Compliance workspace. -2. Navigate to Overview\\Devices, and search for the device on which you want to view the inventoried files. -3. Right-click the computer, point to **Start**, and then click **Resource Explorer**. -4. In Resource Explorer, navigate to Software\\File Details to view the inventoried catalog files. - ->**Note:**  If nothing is displayed in this view, navigate to Software\\Last Software Scan in Resource Explorer to verify that the client has recently completed a software inventory scan. -  -## Code integrity policies - -Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see the [Configurable code integrity](#configurable-code-integrity) section. - -A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden PC. Like when imaging, you can have multiple golden PCs based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. 
- ->**Note:**  Each machine can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to C:\\Windows\\System32\\CodeIntegrity. Keep this in mind when you create your code integrity policies. - -Optionally, code integrity policies can align with your software catalog as well as any IT department–approved applications. One simple method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, should the applications be installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed. - ->**Note:**  The following section assumes that you will deploy code integrity policies as part of your Device Guard deployment. Alternatively, configurable code integrity is available without the enablement of Device Guard. - -### Code integrity policy rules - -Code integrity policies consist of several components. The two major components, which are configurable, are called *policy rules* and *file rules*, respectively. Code integrity policy rules are options that the code integrity policy creator can specify on the policy. These options include the enablement of audit mode, UMCI, and so on. You can modify these options in a new or existing code integrity policy. File rules are the level to which the code integrity policy scan ties each binary trust. For example, the hash level is going to itemize each discovered hash on the system within the generated code integrity policy. 
This way, when a binary prepares to run, the code integrity service will validate its hash value against the trusted hashes found in the code integrity policy. Based on that result, the binary will or will not be allowed to run. - -To modify the policy rule options of an existing code integrity policy, use the **Set-RuleOption** Windows PowerShell cmdlet. Note the following examples of how to use this cmdlet to add and remove a rule option on an existing code integrity policy: - -- To enable UMCI, add rule option 0 to an existing policy by running the following command: - - `Set-RuleOption -Option 0 -FilePath ` - -- To disable UMCI on an existing code integrity policy, remove rule option 0 by running the following command: - - ` Set-RuleOption -Option 0 -FilePath -Delete` - -You can set several rule options within a code integrity policy. Table 2 lists each rule and its high-level meaning. - -#### Table 2. Code integrity policy - policy rule options - -| Rule option | Description | -|------------ | ----------- | -| **0 Enabled:UMCI** | Code integrity policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | -| **1 Enabled:Boot Menu Protection** | This option is not currently supported. | -| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. | -| **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the code integrity policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To enforce a code integrity policy, remove this option. 
| -| **4 Disabled:Flight Signing** | If enabled, code integrity policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. | -| **5 Enabled:Inherent Default Policy** | This option is not currently supported. | -| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. | -| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. | -| **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. | -| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all code integrity policies. Setting this rule option allows the F8 menu to appear to physically present users. | -| **10 Enabled:Boot Audit on Failure** | Used when the code integrity policy is in enforcement mode. When a driver fails during startup, the code integrity policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | -File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as low as the hash of each binary and as high as a PCA certificate. File rule levels are specified both when you create a new code integrity policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, code integrity policies combine their file rules. Each file rule level has its benefit and disadvantage. 
Use Table 3 to select the appropriate protection level for your available administrative resources and Device Guard deployment scenario. - -#### Table 3. Code integrity policy - file rule levels - -| Rule level | Description | -|----------- | ----------- | -| **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | -| **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. | -| **SignedVersion** | This combines the publisher rule with a version number. This option allows anything from the specified publisher, with a version at or above the specified version number, to run. | -| **Publisher** | This is a combination of the PCA certificate and the common name (CN) on the leaf certificate. In the scenario that a PCA certificate is used to sign multiple companies’ applications (such as VeriSign), this rule level allows organizations to trust the PCA certificate but only for the company whose name is on the leaf certificate (for example, Intel for device drivers). This level trusts a certificate with a long validity period but only when combined with a trusted leaf certificate. | -| **FilePublisher** | This is a combination of “FileName” plus “Publisher” (PCA certificate with CN of leaf) plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. | -| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. 
The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than PCA certificates, so additional administrative overhead is associated with updating the code integrity policy when these certificates expire. | -| **PcaCertificate** | Adds the highest certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, because the scan does not validate anything above the presented signature by going online or checking local root stores. | -| **RootCertificate** | Currently unsupported. | -| **WHQL** | Trusts binaries if they have been validated and signed by WHQL. This is primarily for kernel binaries. | -| **WHQLPublisher** | This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries. | -| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries. | - ->**Note:**  When you create code integrity policies with the **New-CIPolicy** cmdlet, you can specify a primary file rule level by including the **–Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **–Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate. - -### Create code integrity policies from golden PCs - -The process to create a golden code integrity policy from a reference system is straightforward. 
This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents. - ->**Note:**  Before you begin this procedure, ensure that the reference PC is clean of viruses or malware. Each piece of installed software should be validated as trustworthy before you create this policy. Also, be sure that any software that you would like to be scanned is installed on the system before you create the code integrity policy. - -To create a code integrity policy, copy each of the following commands into an elevated Windows PowerShell session, in order: - -1. Initialize variables that you will use: - - `$CIPolicyPath=$env:userprofile+"\Desktop\"` - `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` - -2. Create a new code integrity policy by scanning the system for installed applications: - - `New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt ` - - >**Note:**  By specifying the *–UserPEs* parameter, rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. If you do not specify this parameter, use the following command to enable UMCI: - - `Set-RuleOption -Option 0 -FilePath $InitialCIPolicy` - - >**Note:**  You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see the [Code integrity policy rules](#code-integrity-policy-rules) section. 
- - >**Note:**  If you would like to specify the code integrity policy scan to look only at a specific drive, you can do so by using the *–ScanPath* parameter. Without this parameter, as shown in the example, the entire system is scanned. - -3. Convert the code integrity policy to a binary format: - - `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` - -After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. - ->**Note:**  Microsoft recommends that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see the [Merge code integrity policies](#merge-code-integrity-policies) section. - -Microsoft recommends that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the [Audit code integrity policies](#audit-code-integrity-policies) section. - -### Audit code integrity policies - -When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the Applications and Services Logs\\Microsoft\\CodeIntegrity\\Operational event log. 
When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies. - ->**Note:**  Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see the [Create an audit code integrity policy](#create-an-audit-code-integrity-policy) section for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format. - -To audit a code integrity policy with local policy: - -1. Copy the DeviceGuardPolicy.bin file that you created in the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) section to C:\\Windows\\System32\\CodeIntegrity. -2. On the system you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**. -3. Navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard, and then select **Deploy Code Integrity Policy**. Enable this setting by using the file path C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 22. - - >**Note:**  *DeviceGuardPolicy.bin* is not a required policy name. This name was simply used in the [Create code integrity policies from golden PCs](#create-code-golden) section and so was used here. Also, this policy file does not need to be copied to every system. Alternatively, you can copy the code integrity policies to a file share to which all computer accounts have access. - - >**Note:**  Any policy you select here is converted to SIPolicy.p7b when it is deployed to the individual computers. - - ![figure 22](images/dg-fig22-deploycode.png) - - Figure 22. Deploy your code integrity policy - - >**Note:**   You may have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. 
Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the Windows 10 computers. Microsoft recommends that you make your code integrity policies friendly and allow the system to convert the policy names for you. By doing this, it ensures that the policies are easily distinguishable when viewed in a share or any other central repository. - -4. Restart reference system for the code integrity policy to take effect. -5. Monitor the CodeIntegrity event log. While in audit mode, any exception to the deployed code integrity policy will be logged in the Applications and Services Logs\\Microsoft\\CodeIntegrity\\Operational event log, as shown in -Figure 23. - - ![figure 23](images/dg-fig23-exceptionstocode.png) - - Figure 23. Exceptions to the deployed code integrity policy - -6. Validate any code integrity policy exceptions. - - After you run a code integrity policy in audit mode, Microsoft recommends that each logged exception be researched and validated. In addition to discovering which application is causing the exception and ensuring that it should be added to the code integrity policy, be sure to check which file level should be used to trust each application. Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of the exceptions. For information about file rule levels and their purpose, see the [Code integrity policy rules](#code-integrity-policy-rules) section. - -7. Create code integrity policy from audit events. - - For information about how to create code integrity policies from audit events, see the [Create code integrity policies from golden PCs](#create-code-golden) section. - ->**Note:**  An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it with the local machine policy. 
- -### Create an audit code integrity policy - -When you run code integrity policies in audit mode, validate any exceptions and determine whether you will need to add them to the code integrity policy you want to audit. Use the system as you normally would to ensure that any use exceptions are logged. When you are ready to create a code integrity policy from the auditing events, complete the following steps in an elevated Windows PowerShell session: - -1. Initialize the variables that will be used: - - `$CIPolicyPath=$env:userprofile+"\Desktop\"` - `$CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` - -2. Analyze audit results. - - Before you create a code integrity policy from audit events, Microsoft recommends that each exception be analyzed, as discussed in steps 5 and 6 of the [Audit code integrity policies](#audit-code-integrity-policies) section. - -3. Generate a new code integrity policy from logged audit events: - - `New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt` - ->**Note:**  When you create policies from audit events, you should carefully consider the file rule level that you select to trust. In this example, you use the Hash rule level, which should be used as a last resort. -After you complete these steps, the Device Guard audit policy .xml file (DeviceGuardAuditPolicy.xml) will be available on your desktop. You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the [Merge code integrity policies](#merge-code-integrity-policies) section. - ->**Note:**  You may have noticed that you did not generate a binary version of this policy as you did in the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) section. 
This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. - -### Merge code integrity policies - -When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden PCs. Because each Windows 10 machine can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy. - ->**Note:**  The following example uses the code integrity policy .xml files that you created in the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) and [Audit code integrity policies](#audit-code-integrity-policies) sections. You can follow this process, however, with any two code integrity policies you would like to combine. - -To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session: - -1. Initialize the variables that will be used: - - ` $CIPolicyPath=$env:userprofile+"\Desktop\"` - `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - `$AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` - `$MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"` - ` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"` - - >**Note:**  The variables in this section specifically expect to find an initial policy on your desktop called InitialScan.xml and an audit code integrity policy called DeviceGuardAuditPolicy.xml. If you want to merge other code integrity policies, update the variables accordingly. -   -2. 
Merge two policies to create a new code integrity policy: - - `Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy` -3. -Convert the merged code integrity policy to binary format: - - ` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin ` - -Now that you have created a new code integrity policy called NewDeviceGuardPolicy.bin, you can deploy the policy to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see the [Deploy and manage code integrity policies with Group Policy](#deploy-manage-code-gp) section. - -**Enforce code integrity policies** - -Every code integrity policy is created with audit mode enabled. After you have successfully deployed and tested a code integrity policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session: - ->**Note:**  Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity) section. - -1. Initialize the variables that will be used: - - `$CIPolicyPath=$env:userprofile+"\Desktop\"` - `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" ` - `$EnforcedCIPolicy=$CIPolicyPath+"EnforcedPolicy.xml"` - `$CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"` - - >**Note:**  The initial code integrity policy that this section referenced was created in the [Create code integrity polices from golden PCs](#create-code-golden) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. -   -2. Copy the initial file to maintain an original copy: - - `cp $InitialCIPolicy $EnforcedCIPolicy` - -3. 
Remove the audit mode rule option: - - `Set-RuleOption -Option 3 -FilePath $EnforcedCIPolicy -Delete` - - >**Note:**  Rather than adding an **Enforced** option, code integrity policies are implicitly enforced if no **Audit Mode Enabled** option is present. -   -4. Convert the new code integrity policy to binary format: - - `ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin` - >**Note:**  Microsoft strongly recommends that you enable rule options 9 and 10 before you run any enforced policy for the first time. If already present in the policy, do not remove it. Doing so allows Windows to start if the code integrity policy blocks a kernel-mode driver from running and provides administrators with a pre-boot command prompt. When ready for enterprise deployment, you can remove these options. -   -Now that this policy has been enforced, you can deploy it to your test machines. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in the [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy) section, or through client management software by following the instructions in the section “Deploying and managing code integrity policies by using Microsoft client management solutions.” - -**Signing code integrity policies with SignTool.exe** - -Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the machine. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed code integrity policies than unsigned ones. 
Before you sign and deploy a signed code integrity policy, Microsoft recommends that you audit the policy to discover any blocked applications that should be allowed to run. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section. - -Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Create a Device Guard code signing certificate](#create-a-device-guard-code-signing-certificate) to create one with your on-premises CA. Before signing code integrity policies for the first time, be sure to enable rule options 9 and 10 to leave troubleshooting options available to test administrators. When validated and ready for enterprise deployment, you can remove these options. For information about how to add rule options, see the [Code integrity policy rules](#code-integrity-policy-rules) section. - ->**Note:**  Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of machines. 
- -To sign a code integrity policy with SignTool.exe, you need the following components: - -- SignTool.exe, found in the Windows SDK (Windows 7 or later) -- The binary format of the code integrity policy that you generated in the [Create code integrity policies from golden PCs](#create-code-golden) section or another code integrity policy that you have created -- An internal CA code signing certificate or a purchased code signing certificate - -If you do not have a code signing certificate, see the [Create a Device Guard code signing certificate](#create-dg-code) section for instructions on how to create one. If you use an alternate certificate or code integrity policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing code integrity policy, copy each of the following commands into an elevated -Windows PowerShell session: - -1. Initialize the variables that will be used: - - `$CIPolicyPath=$env:userprofile+"\Desktop\" $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` - - >**Note:**  This example uses the code integrity policy that you created in the [Create code integrity policies from golden PCs](#create-code-golden) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. - -2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing user’s personal store on the machine that will be doing the signing. In this example, you use the certificate that was created in the [Create a Device Guard code signing certificate](#create-dg-code) section. - -3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. 
This version will be added to the policy so that it can be updated later. - -4. Navigate to your desktop as the working directory: - - `cd $env:USERPROFILE\Desktop ` - -5. Add an update signer certificate to the code integrity policy: - - `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` - - >**Note:**  *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. - - >**Note:**  Adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code) section. - -6. Remove the unsigned policy rule option: - - `Set-RuleOption -Option 6 -FilePath $InitialCIPolicy -Delete` - -7. Convert the policy to binary format: - - `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` - -8. Sign the code integrity policy by using SignTool.exe: - - ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` - >**Note:**  The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the machine you use to sign the policy. - -9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see the [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy) section. 
- -### Disable unsigned code integrity policies - -There may come a time when an administrator wants to disable a code integrity policy. For unsigned code integrity policies, this process is simple. Depending on how the code integrity policy was deployed, unsigned policies can be disabled in one of two ways. If a code integrity policy was manually enabled and copied to the code integrity folder location, simply delete the file and restart the machine. The following locations can contain executing code integrity policies: - -- <EFI System Partition>\\Microsoft\\Boot\\ -- <OS Volume>\\Windows\\System32\\CodeIntegrity\\ - -If the code integrity policy was deployed by using Group Policy, the GPO that is currently enabling and deploying the policy must be set to disabled. Then, the code integrity policy will be disabled on the next computer restart. - -### Disable signed code integrity policies within Windows - -Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed code integrity policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed code integrity policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps: - ->**Note:**  For reference, signed code integrity policies should be replaced and removed from the following locations: - -- <EFI System Partition>\\Microsoft\\Boot\\ -- <OS Volume>\\Windows\\System32\\CodeIntegrity\\ - -1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled. 
- - >**Note:**  To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace. - -2. Restart the client computer. - -3. Verify that the new signed policy exists on the client. - - >**Note:**  If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. - -4. Delete the new policy. - -5. Restart the client computer. - -If the signed code integrity policy has been deployed using by using Group Policy, you must complete the following steps: - -1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled. - >**Note:**  To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace. -   -2. Restart the client computer. - -3. Verify that the new signed policy exists on the client. - - >**Note:**  If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. - -4. Set the GPO to disabled. -5. Delete the new policy. -6. Restart the client computer. - -### Disable signed code integrity policies within the BIOS - -There may be a time when signed code integrity policies cause a boot failure. Because code integrity policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed code integrity policies are validated in the pre-boot sequence by using Secure Boot. 
When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows: - -- <EFI System Partition>\\Microsoft\\Boot\\ -- <OS Volume>\\Windows\\System32\\CodeIntegrity\\ - -### - -**Deploy and manage code integrity policies with Group Policy** - -Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. - ->**Note:**  This walkthrough requires that you have previously created a code integrity policy and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see the [Create code integrity polices from golden PCs](#create-code-integrity-polices-from-golden-pcs) section. - ->**Note:**  Signed code integrity policies can cause boot failures when deployed. Microsoft recommends that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment. -To deploy and manage a code integrity policy with Group Policy: - -1. On a domain controller on a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC** or searching for “Group Policy Management” in Windows Search. - -2. Create a new GPO: right-click the DG Enabled PCs OU, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 24. - - >**Note:**  The DG Enabled PCs OU is just an example of where to link the test GPO created in this section. Any OU name can be used. 
Also, security group filtering is an option when considering policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section. - - ![figure 24](images/dg-fig24-creategpo.png) - - Figure 24. Create a GPO - -3. Name new GPO **Contoso GPO Test**. This example uses Contoso GPO Test as the name of the GPO. You can choose any name that you prefer for this example. - -4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. - -5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Then, right-click **Deploy Code Integrity Policy**, and then click **Edit**. - - ![figure 25](images/dg-fig25-editcode.png) - - Figure 25. Edit the code integration policy - -6. In the **Display Code Integrity Policy** dialog box, select the **Enabled** option, and then specify the code integrity policy deployment path. - In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. This example copied the DeviceGuardPolicy.bin file onto the test machine and will enable this setting and use the file path C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 26. - - >**Note:**  *DeviceGuardPolicy.bin* is not a required policy name: It was simply used in the [Create code integrity policies from golden PCs](#create-code-golden) section and so is used here, as well. Also, this policy file does not need to be copied to every computer. Alternatively, you can copy the code integrity policies to a file share to which the computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. - - ![figure 26](images/dg-fig26-enablecode.png) - - Figure 26. 
Enable the code integrity policy - - >**Note:**  You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the Windows 10 client computers. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. - -7. Close the Group Policy Management Editor, and then restart the Windows 10 test machine. Restarting the client computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies)section. - -## Create a Device Guard code signing certificate - -To sign catalog files or code integrity policies internally, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip these steps and proceed to the sections that outline the steps to sign catalog files and code integrity policies. If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate: - -1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA. -2. When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console. - - ![figure 27](images/dg-fig27-managecerttemp.png) - - Figure 27. Manage the certificate templates - -3. In the navigation pane, right-click the Code Signing certificate, and then click **Duplicate Template**. - -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. 
Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list. -5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses **DG Catalog Signing Certificate**. -6. On the **Request Handling** tab, select the **Allow private key to be exported** check box. -7. On the **Extensions** tab, select the **Basic Constraints** check box, and then click **Edit**. -8. In the **Edit Basic Constraints Extension** dialog box, select the **Enable the extension** check box, as shown in Figure 28. - - ![figure 28](images/dg-fig29-enableconstraints.png) - - Figure 28. Enable constraints on the new template -9. -If a certificate manager is required to approve any issued certificates, on the **Issuance Requirements** tab, select **CA certificate manager approval**. -10. On the **Subject Name** tab, select **Supply in the request**. -11. On the **Security** tab, verify that whatever account will be used to request the certificate has the right to enroll the certificate. -12. Click **OK** to create the template, and then close the Certificate Template Console. -When this certificate template has been created, you must publish it to the CA published template store. To do so, complete the following steps: -1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 29. - - A list of available templates to issue appears, including the template you just created. - - ![figure 29](images/dg-fig30-selectnewcert.png) - - Figure 29. Select the new certificate template to issue - -2. Select the DG Catalog signing certificate, and then click **OK**. -Now that the template is available to be issued, you must request one from the Windows 10 computer that you use to create and sign catalog files. 
To begin, open the MMC, and then complete the following steps: -1. In MMC, from the **File** menu, click **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**. -2. In the Certificates snap-in, right-click the Personal store folder, point to **All Tasks**, and then click **Request New Certificate**. -3. Click **Next** twice to get to the certificate selection list. -4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 30. - - ![figure 30](images/dg-fig31-getmoreinfo.png) - - Figure 30. Get more information for your code signing certificate -5. -In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then click **Add**. When added, click **OK.** -6. Enroll and finish. - ->**Note:**  If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client. - -This certificate must be installed in the user’s personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the machine on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps: - -1. Right-click the certificate, point to **All Tasks**, and then click **Export**. -2. Click **Next**, and then select **Yes, export the private key**. -3. Choose the default settings, and then select **Export all extended properties**. -4. 
Set a password, select an export path, and then select **DGCatSigningCert.pfx** as the file name. -When the certificate has been exported, import it into the personal store for the user who will be signing the catalog files or code integrity policies on the specific computer that will be signing them. +- [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) ## Related topics -- [AppLocker overview](applocker-overview.md) -- [Code integrity](http://go.microsoft.com/fwlink/p/?LinkId=624173) -- [Credential guard](credential-guard.md) -- [Driver compatibility with Device Guard in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=624843) -- [Dropping the Hammer Down on Malware Threats with Windows 10’s Device Guard](http://go.microsoft.com/fwlink/p/?LinkId=624844) +[AppLocker overview](applocker-overview.md) + + + +[Code integrity](https://technet.microsoft.com/library/dd348642.aspx) + +[Protect derived domain credentials with Credential Guard](credential-guard.md) + +[Driver compatibility with Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10) + +[Dropping the Hammer Down on Malware Threats with Windows 10’s Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336) + + diff --git a/windows/keep-secure/documenting-the-zones.md b/windows/keep-secure/documenting-the-zones.md index 88e67e80c4..9c120835e8 100644 --- a/windows/keep-secure/documenting-the-zones.md +++ b/windows/keep-secure/documenting-the-zones.md 
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here:
diff --git a/windows/keep-secure/domain-isolation-policy-design-example.md b/windows/keep-secure/domain-isolation-policy-design-example.md
index 2bfcf9cbc8..f5cc8ea0f6 100644
--- a/windows/keep-secure/domain-isolation-policy-design-example.md
+++ b/windows/keep-secure/domain-isolation-policy-design-example.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams.
diff --git a/windows/keep-secure/domain-isolation-policy-design.md b/windows/keep-secure/domain-isolation-policy-design.md
index da2564242b..6f15c8338f 100644
--- a/windows/keep-secure/domain-isolation-policy-design.md
+++ b/windows/keep-secure/domain-isolation-policy-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain.
diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
new file mode 100644
index 0000000000..28f0292d02
--- /dev/null
+++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
@@ -0,0 +1,90 @@ +--- +title: Enable phone sign-in to PC or VPN (Windows 10) +description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone. +keywords: ["identity", "PIN", "biometric", "Hello"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Enable phone sign-in to PC or VPN + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +In Windows 10, Version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app. + +![Sign in to a device](images/phone-signin-menu.png) + +> [!NOTE] +> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. + +You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone. + + ## Prerequisites + + - Both phone and PC must be running Windows 10, version 1607. + - The PC must be running Windows 10 Pro, Enterprise, or Education + - Both phone and PC must have Bluetooth. + - The **Microsoft Authenticator** app must be installed on the phone. + - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. + - The phone must be joined to Azure AD or have a work account added. + - The VPN configuration profile must use certificate-based authentication. + +## Set policies + +To enable phone sign-in, you must enable the following policies using Group Policy or MDM. 
+ +- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** + - Enable **Use Windows Hello for Business** + - Enable **Phone Sign-in** +- MDM: + - Set **UsePassportForWork** to **True** + - Set **Remote\UseRemotePassport** to **True** + +## Configure VPN + +To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows: + +- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate. +- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate. + +## Get the app + +If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md). 
+ +[Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote) + + +## Related topics + +[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) + +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) + +[Windows Hello and password changes](microsoft-passport-and-password-changes.md) + +[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Windows Hello successfully created](passport-event-300.md) + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) + + +  + +  + + + + + diff --git a/windows/keep-secure/enable-predefined-inbound-rules.md b/windows/keep-secure/enable-predefined-inbound-rules.md index fe16701837..59e8325dac 100644 --- a/windows/keep-secure/enable-predefined-inbound-rules.md +++ b/windows/keep-secure/enable-predefined-inbound-rules.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. 
diff --git a/windows/keep-secure/enable-predefined-outbound-rules.md b/windows/keep-secure/enable-predefined-outbound-rules.md
index 1691399b8a..137de67aa2 100644
--- a/windows/keep-secure/enable-predefined-outbound-rules.md
+++ b/windows/keep-secure/enable-predefined-outbound-rules.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
diff --git a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
new file mode 100644
index 0000000000..72171eec5e
--- /dev/null
+++ b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
@@ -0,0 +1,104 @@ +--- +title: Detect and block Potentially Unwanted Application with Windows Defender +description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time. +keywords: pua, enable, detect pua, block pua, windows defender and pua +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: detect +ms.sitesec: library +ms.pagetype: security +author: dulcemv +--- + +# Detect and block Potentially Unwanted Application in Windows 10 + +**Applies to:** + +- Windows 10 + +You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time. + +Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation. + +Typical examples of PUA behavior include: +* Various types of software bundling +* Ad-injection into your browsers +* Driver and registry optimizers that detect issues, request payment to fix them, and persist + +These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications. + +Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field. + +##Enable PUA protection in SCCM and Intune + +The PUA feature is available for enterprise users who are running System Center Configuration Manager (SCCM) or Intune in their infrastructure. 
+ +###Configure PUA in SCCM + +For SCCM users, PUA is enabled by default. See the following topics for configuration details: + +If you are using these versions | See these topics +:---|:--- +System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)
    [Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings) +System Center 2012 R2 Endpoint Protection
    System Center 2012 Configuration Manager
    System Center 2012 Configuration Manager SP1
    System Center 2012 Configuration Manager SP2
    System Center 2012 R2 Configuration Manager
    System Center 2012 Endpoint Protection SP1
    System Center 2012 Endpoint Protection
    System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA) + +
    +###Use PUA audit mode in SCCM + +You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives. + +1. Open PowerShell as Administrator
    + + a. Click **Start**, type **powershell**, and press **Enter**. + + b. Click **Windows PowerShell** to open the interface. + > [!NOTE] + > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. +2. Enter the PowerShell command: + + ```text + et-mpPreference -puaprotection 2 + ``` +> [!NOTE] +> PUA events are reported in the Windows Event Viewer and not in SCCM. + + +###Configure PUA in Intune + + PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details. + + +###Use PUA audit mode in Intune + + You can detect PUA without blocking them from your client. Gain insights into what can be blocked. + +##View PUA events + +PUA events are reported in the Windows Event Viewer and not in SCCM or Intune. To view PUA events: + +1. Open **Event Viewer**. +2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**. +3. Double-click on **Operational**. +4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details. + +You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx). 
+ + +##What PUA notifications look like + +When a detection occurs, end users who enabled the PUA detection feature will see the following notification: + + +To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**. + +##PUA threat naming convention + +When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote. + +##PUA blocking conditions + +PUA protection quarantines the file so they won’t run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions: +* The file is being scanned from the browser +* The file is in the %downloads% folder +* Or if the file in the %temp% folder diff --git a/windows/keep-secure/encrypted-hard-drive.md b/windows/keep-secure/encrypted-hard-drive.md index 7de2f367e0..3bae653290 100644 --- a/windows/keep-secure/encrypted-hard-drive.md +++ b/windows/keep-secure/encrypted-hard-drive.md @@ -12,7 +12,8 @@ author: brianlic-msft # Encrypted Hard Drive **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. diff --git a/windows/keep-secure/encryption-zone-gpos.md b/windows/keep-secure/encryption-zone-gpos.md index dcb49121a4..357f2eebfc 100644 --- a/windows/keep-secure/encryption-zone-gpos.md +++ b/windows/keep-secure/encryption-zone-gpos.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. diff --git a/windows/keep-secure/encryption-zone.md b/windows/keep-secure/encryption-zone.md index f6fd2aacd4..7e59ef31e3 100644 --- a/windows/keep-secure/encryption-zone.md +++ b/windows/keep-secure/encryption-zone.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md index bf8d546f56..c152dca1e5 100644 --- a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md +++ b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md 
@@ -1,89 +1,5 @@ --- title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10) description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. -ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f -keywords: EDP, Enterprise Data Protection -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# List of enlightened Microsoft apps for use with enterprise data protection (EDP) - -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. - -## Enlightened versus unenlightened apps -Apps can be enlightened (policy-aware) or unenlightened (policy unaware). - -- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies. - -- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because: - - - Windows Desktop shows it as always running in enterprise mode. - - - Windows **Save As** experiences only allow you to save your files as enterprise. 
- -## List of enlightened Microsoft apps -Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following: - -- Microsoft Edge - -- Internet Explorer 11 - -- Microsoft People - -- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar - -- Microsoft Photos - -- Microsoft OneDrive - -- Groove Music - -- Notepad - -- Microsoft Paint - -- Microsoft Movies & TV - -- Microsoft Messaging - -## Adding enlightened Microsoft apps to the Protected Apps list -You can add any or all of the enlightened Microsoft apps to your Protected Apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager. - -|Product name |App info | -|-------------|---------| -|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.MicrosoftEdge
    **App Type:** Universal app | -|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** iexplore.exe
    **App Type:** Desktop app | -|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.People
    **App Type:** Universal app | -|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.Word
    **App Type:** Universal app | -|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.Excel
    **App Type:** Universal app | -|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.PowerPoint
    **App Type:** Universal app | -|OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.OneNote
    **App Type:** Universal app | -|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** microsoft.windowscommunicationsapps
    **App Type:** Universal app | -|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Windows.Photos
    **App Type:** Universal app | -|Microsoft OneDrive |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** microsoft.microsoftskydrive
    **App Type:** Universal app | -|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.ZuneMusic
    **App Type:** Universal app | -|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** notepad.exe
    **App Type:** Desktop app | -|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** mspaint.exe
    **App Type:** Desktop app | -|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.ZuneVideo
    **App Type:** Universal app | -|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Messaging
    **App Type:** Universal app | - - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip +--- \ No newline at end of file diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md new file mode 100644 index 0000000000..99a69f1d26 --- /dev/null +++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md 
@@ -0,0 +1,78 @@ +--- +title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10) +description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. +ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# List of enlightened Microsoft apps for use with Windows Information Protection (WIP) + +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. + +## Enlightened versus unenlightened apps +Apps can be enlightened (policy-aware) or unenlightened (policy-unaware). + +- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies. + +- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because: + + - Windows Desktop shows it as always running in enterprise mode. + + - Windows **Save As** experiences only allow you to save your files as enterprise. 
+ +## List of enlightened Microsoft apps +Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following: + +- Microsoft Edge + +- Internet Explorer 11 + +- Microsoft People + +- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar + +- Microsoft Photos + +- Microsoft OneDrive + +- Groove Music + +- Notepad + +- Microsoft Paint + +- Microsoft Movies & TV + +- Microsoft Messaging + +## Adding enlightened Microsoft apps to the allowed apps list +You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager. + +|Product name |App info | +|-------------|---------| +|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.MicrosoftEdge
    **App Type:** Universal app | +|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** iexplore.exe
    **App Type:** Desktop app | +|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.People
    **App Type:** Universal app | +|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.Word
    **App Type:** Universal app | +|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.Excel
    **App Type:** Universal app | +|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.PowerPoint
    **App Type:** Universal app | +|OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.OneNote
    **App Type:** Universal app | +|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** microsoft.windowscommunicationsapps
    **App Type:** Universal app | +|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Windows.Photos
    **App Type:** Universal app | +|Microsoft OneDrive |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** microsoft.microsoftskydrive
    **App Type:** Universal app | +|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.ZuneMusic
    **App Type:** Universal app | +|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** notepad.exe
    **App Type:** Desktop app | +|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** mspaint.exe
    **App Type:** Desktop app | +|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.ZuneVideo
    **App Type:** Universal app | +|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Messaging
    **App Type:** Universal app | \ No newline at end of file diff --git a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md index 35a8444e6e..c7fe4f7637 100644 --- a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization. diff --git a/windows/keep-secure/event-4706.md b/windows/keep-secure/event-4706.md index 3eb6bdda15..936468b4c3 100644 --- a/windows/keep-secure/event-4706.md +++ b/windows/keep-secure/event-4706.md 
@@ -127,13 +127,13 @@ This event is generated only on domain controllers. | 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | | 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. | | 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). | -| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | -| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
    Only evaluated on TRUST\_TYPE\_MIT | -| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | -| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016 Technical Preview
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | - **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: diff --git a/windows/keep-secure/event-4716.md b/windows/keep-secure/event-4716.md index 8140c94b16..65ea86275d 100644 --- a/windows/keep-secure/event-4716.md +++ b/windows/keep-secure/event-4716.md 
@@ -127,13 +127,13 @@ This event is generated only on domain controllers. | 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | | 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. | | 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). | -| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | -| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
    Only evaluated on TRUST\_TYPE\_MIT | -| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | -| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016 Technical Preview
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | - **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: diff --git a/windows/keep-secure/event-4739.md b/windows/keep-secure/event-4739.md index 8b692f1ea3..44897f5f13 100644 --- a/windows/keep-secure/event-4739.md +++ b/windows/keep-secure/event-4739.md @@ -165,14 +165,14 @@ This event generates when one of the following changes was made to local compute | Value | Identifier | Domain controller operating systems that are allowed in the domain | |-------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system
    Windows Server 2003 operating system
    Windows Server 2008 operating system
    Windows Server 2008 R2 operating system
    Windows Server 2012 operating system
    Windows Server 2012 R2 operating system
    Windows Server 2016 Technical Preview operating system | -| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003
    Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | -| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003
    Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | -| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | -| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | -| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 Technical Preview | -| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2
    Windows Server 2016 Technical Preview | -| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 Technical Preview | +| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system
    Windows Server 2003 operating system
    Windows Server 2008 operating system
    Windows Server 2008 R2 operating system
    Windows Server 2012 operating system
    Windows Server 2012 R2 operating system
    Windows Server 2016 operating system | +| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003
    Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | +| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003
    Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | +| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | +| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | +| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016 | +| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2
    Windows Server 2016 | +| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 | - **OEM Information** \[Type = UnicodeString\]: there is no information about this field in this document.
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
index 6e239a2aea..3dd165c68a 100644
--- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@ --- title: Review events and errors on endpoints with Event Viewer description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service. -keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Advanced Threat Protection service, cannot start, broken, can't start +keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Defender Advanced Threat Protection service, cannot start, broken, can't start search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
@@ -15,16 +15,19 @@ author: iaanw **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Event Viewer +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints. For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps. -> **Note**  It can take several days for endpoints to begin reporting to the Windows Defender ATP service. +> [!NOTE] +> It can take several days for endpoints to begin reporting to the Windows Defender ATP service. **Open Event Viewer and find the Windows Defender ATP service event log:**
@@ -35,7 +38,8 @@ For example, if endpoints are not appearing in the **Machines view** list, you m a. You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**. - > **Note**  SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. + > [!NOTE] + > SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. 3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service. 
@@ -49,39 +53,39 @@ For example, if endpoints are not appearing in the **Machines view** list, you m 1 -Windows Advanced Threat Protection service started (Version ```variable```). +Windows Defender Advanced Threat Protection service started (Version ```variable```). Occurs during system start up, shut down, and during onbboarding. Normal operating notification; no action required. 2 -Windows Advanced Threat Protection service shutdown. +Windows Defender Advanced Threat Protection service shutdown. Occurs when the endpoint is shut down or offboarded. Normal operating notification; no action required. 3 -Windows Advanced Threat Protection service failed to start. Failure code: ```variable``` +Windows Defender Advanced Threat Protection service failed to start. Failure code: ```variable```. Service did not start. Review other messages to determine possible cause and troubleshooting steps. 4 -Windows Advanced Threat Protection service contacted the server at ```variable```. -variable = URL of the Windows Defender ATP processing servers.
    +Windows Defender Advanced Threat Protection service contacted the server at ```variable```. +Variable = URL of the Windows Defender ATP processing servers.
    This URL will match that seen in the Firewall or network activity. Normal operating notification; no action required. 5 -Windows Advanced Threat Protection service failed to connect to the server at ```variable```. -variable = URL of the Windows Defender ATP processing servers.
    +Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```. +Variable = URL of the Windows Defender ATP processing servers.
    The service could not contact the external processing servers at that URL. Check the connection to the URL. See [Configure proxy and Internet connectivity](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity). 6 -Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found. +Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. The endpoint did not onboard correctly and will not be reporting to the portal. Onboarding must be run before starting the service.
    Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    @@ -89,72 +93,66 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen 7 -Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: ```variable``` -The endpoint did not onboard correctly and will not be reporting to the portal. +Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: ```variable```. +Variable = detailed error description. The endpoint did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    -See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). 8 -Windows Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable``` -The endpoint did not onboard correctly and will not be reporting to the portal. -Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    -See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +Windows Defender Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```. +**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues.

    **During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running. + +**Onboarding:** No action required.

    **Offboarding:** Reboot the system.
    +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). 9 -Windows Advanced Threat Protection service failed to change its start type. Failure code: ```variable``` -The endpoint did not onboard correctly and will not be reporting to the portal. +Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: ```variable```. +**During onboarding:** The endpoint did not onboard correctly and will not be reporting to the portal.

    **During offboarding:** Failed to change the service start type. The offboarding process continues. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    -See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). 10 -Windows Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable``` +Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```. The endpoint did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    -See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). 11 -Windows Advanced Threat Protection service completed. +Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed. The endpoint onboarded correctly. Normal operating notification; no action required.
    It may take several hours for the endpoint to appear in the portal. 12 -Windows Advanced Threat Protection failed to apply the default configuration. -Service was unable to apply configuration from the processing servers. -This is a server error and should resolve after a short period. +Windows Defender Advanced Threat Protection failed to apply the default configuration. +Service was unable to apply the default configuration. +This error should resolve after a short period of time. 13 -Service machine ID calculated: ```variable``` +Windows Defender Advanced Threat Protection machine ID calculated: ```variable```. Normal operating process. Normal operating notification; no action required. -14 -Service cannot calculate machine ID. Failure code: ```variable``` -Internal error. -Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    -See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - - 15 -Windows Advanced Threat Protection cannot start command channel with URL: ```variable``` -variable = URL of the Windows Defender ATP processing servers.
    +Windows Defender Advanced Threat Protection cannot start command channel with URL: ```variable```. +Variable = URL of the Windows Defender ATP processing servers.
    The service could not contact the external processing servers at that URL. Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity). 17 -Windows Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable``` +Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```. An error occurred with the Windows telemetry service. -[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled)
    +[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
    Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    -See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). 18
@@ -171,44 +169,45 @@ If this error persists after a system restart, ensure all Windows updates have f 20 -Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable``` +Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable```. Internal error. If this error persists after a system restart, ensure all Windows updates have full installed. 25 -Windows Advanced Threat Protection service failed to reset health status in the registry, causing the onboarding process to fail. Failure code: ```variable``` -The endpoint did not onboard correctly and will not be reporting to the portal. +Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: ```variable```. +The endpoint did not onboard correctly. +It will report to the portal, however the service may not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    -See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). 26 -Windows Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable``` +Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```. The endpoint did not onboard correctly.
    It will report to the portal, however the service may not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    -See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). 27 -Windows Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable``` +Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```. Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    -See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
    +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
    Ensure real-time antimalware protection is running properly. 28 -Windows Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable``` +Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```. An error occurred with the Windows telemetry service. [Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
    Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    -See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). 30 -Windows Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable``` +Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```. Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
    @@ -216,24 +215,115 @@ Ensure real-time antimalware protection is running properly. 31 -Windows Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable``` -An error occurred with the Windows telemetry service. +Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```. +An error occurred with the Windows telemetry service during onboarding. The offboarding process continues. [Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled). +32 +Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1 +An error occurred during offboarding. +Reboot the machine. + + 33 -Windows Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable``` +Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```. A unique identifier is used to represent each endpoint that is reporting to the portal.
    If the identifier does not persist, the same machine might appear twice in the portal. Check registry permissions on the endpoint to ensure the service can update the registry. 34 -Windows Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable``` +Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```. An error occurred with the Windows telemetry service. [Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
    Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    -See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). + + +35 +Windows Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: ```variable```. +An error occurred with the Windows telemetry service during offboarding. The offboarding process continues. + +Check for errors with the Windows telemetry service. + + +36 +Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code: ```variable```. +Registering Windows Defender Advanced Threat Protection with the Connected User Experiences and Telemetry service completed successfully. +Normal operating notification; no action required. + + +37 +Windows Defender Advanced Threat Protection A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4. +The machine has almost used its allocated quota of the current 24-hour window. It’s about to be throttled. +Normal operating notification; no action required. + + +38 +Network connection is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4. +The machine is using a metered/paid network and will be contacting the server less frequently. +Normal operating notification; no action required. + + +39 +Network connection is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4. +The machine is not using a metered/paid connection and will contact the server as usual. +Normal operating notification; no action required. 
+ + +40 +Battery state is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2. +The machine has low battery level and will contact the server less frequently. +Normal operating notification; no action required. + + +41 +Battery state is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2. +The machine doesn’t have low battery level and will contact the server as usual. +Normal operating notification; no action required. + + +42 +Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4 +Internal error. The service failed to start. +If this error persists, contact Support. + + +43 +Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5 +Internal error. The service failed to start. +If this error persists, contact Support. + + +44 +Offboarding of Windows Defender Advanced Threat Protection service completed. +The service was offboarded. +Normal operating notification; no action required. + + +45 +Failed to register and to start the event trace session [%1]. Error code: %2 +An error occurred on service startup while creating ETW session. This caused service start-up failure. +If this error persists, contact Support. + + +46 +Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute. +An error occurred on service startup while creating ETW session due to lack of resources. The service started and is running, but will not report any sensor event until the ETW session is started. +Normal operating notification; no action required. 
The service will try to start the session every minute. + + +47 +Successfully registered and started the event trace session - recovered after previous failed attempts. +This event follows the previous event after successfully starting of the ETW session. +Normal operating notification; no action required. + + +48 +Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported. +Failed to add a provider to ETW session. As a result, the provider events aren’t reported. +Check the error code. If the error persists contact Support. @@ -242,9 +332,6 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen ## Related topics - - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/exempt-icmp-from-authentication.md b/windows/keep-secure/exempt-icmp-from-authentication.md index a60e483753..21100a9674 100644 --- a/windows/keep-secure/exempt-icmp-from-authentication.md +++ b/windows/keep-secure/exempt-icmp-from-authentication.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. diff --git a/windows/keep-secure/exemption-list.md b/windows/keep-secure/exemption-list.md index 3ebf7a465b..fc0fd3b704 100644 
--- a/windows/keep-secure/exemption-list.md
+++ b/windows/keep-secure/exemption-list.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.
diff --git a/windows/keep-secure/firewall-gpos.md b/windows/keep-secure/firewall-gpos.md
index b264a38993..229cb2a3e0 100644
--- a/windows/keep-secure/firewall-gpos.md
+++ b/windows/keep-secure/firewall-gpos.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters.
diff --git a/windows/keep-secure/firewall-policy-design-example.md b/windows/keep-secure/firewall-policy-design-example.md
index 41310314aa..8dad2b48f7 100644
--- a/windows/keep-secure/firewall-policy-design-example.md
+++ b/windows/keep-secure/firewall-policy-design-example.md
@@ -13,13 +13,13 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 In this example, the fictitious company Woodgrove Bank is a financial services institution. Woodgrove Bank has an Active Directory domain that provides Group Policy-based management for all their Windows devices. The Active Directory domain controllers also host Domain Name System (DNS) for host name resolution. Separate devices host Windows Internet Name Service (WINS) for network basic input/output system (NetBIOS) name resolution. A set of devices that are running UNIX provide the Dynamic Host Configuration Protocol (DHCP) services for automatic IP addressing.
-Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016 Technical Preview. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems.
+Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems.
 A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data.
The data is stored in several back-end database devices that are running Microsoft SQL Server.
@@ -60,7 +60,7 @@ Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy t
 - Client devices that run Windows 10, Windows 8, or Windows 7
-- WGBank front-end servers that run Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them)
+- WGBank front-end servers that run Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them)
 - WGBank partner servers that run Windows Server 2008
diff --git a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md
index 33727fc9f4..0c507fdc73 100644
--- a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md
+++ b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed:
diff --git a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md
index 65555cc782..67dcea5661 100644
--- a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md
+++ b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project:
diff --git a/windows/keep-secure/gathering-information-about-your-devices.md b/windows/keep-secure/gathering-information-about-your-devices.md
index 1f3b73fa21..7f4692a95a 100644
--- a/windows/keep-secure/gathering-information-about-your-devices.md
+++ b/windows/keep-secure/gathering-information-about-your-devices.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned.
diff --git a/windows/keep-secure/gathering-other-relevant-information.md b/windows/keep-secure/gathering-other-relevant-information.md
index ca8d396fcb..83ee00960a 100644
--- a/windows/keep-secure/gathering-other-relevant-information.md
+++ b/windows/keep-secure/gathering-other-relevant-information.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization.
diff --git a/windows/keep-secure/gathering-the-information-you-need.md b/windows/keep-secure/gathering-the-information-you-need.md
index 3e8a62b0cc..a11fbf67c8 100644
--- a/windows/keep-secure/gathering-the-information-you-need.md
+++ b/windows/keep-secure/gathering-the-information-you-need.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation.
diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
index 1a19780713..fe5431ac69 100644
--- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
@@ -183,7 +183,7 @@ In Endpoint Protection, you can use the advanced scanning options to configure a
 ## Related topics
-[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
+- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)     
diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md
index 42e7d1cff1..88a3f076b6 100644
--- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md
+++ b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md
@@ -1,256 +1,4 @@ --- title: Get apps to run on Device Guard-protected devices (Windows 10) -description: Windows 10 introduces several new features and settings that when combined all equal what we're calling, Device Guard. -ms.assetid: E62B68C3-8B9F-4842-90FC-B4EE9FF8A67E -keywords: Package Inspector, packageinspector.exe, sign catalog file -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide --- - -# Get apps to run on Device Guard-protected devices - -**Applies to** -- Windows 10 - -Windows 10 introduces several new features and settings that when combined all equal what we're calling, Device Guard. Device Guard can help to protect your enterprise devices against the accidental running of malicious apps by requiring all of your apps to be signed by a trusted entity. - -To use Device Guard in an enterprise, you must be able to get your existing line-of-business and Independent Software Vendor (ISV)-developed apps to run on a protected device. Unfortunately, many line-of-business apps aren't signed, and in many cases, aren't even being actively developed. Similarly, you may have unsigned software from an ISV that you want to run, or you want to run certain applications from an ISV while not trusting all applications from that ISV. As part of the Device Guard features, Windows 10 includes a new tool called Package Inspector. Package Inspector scans your unsigned apps, and creates catalog files of the installed and running binaries, which can then be signed by the Sign Tool Windows SDK utility and distributed using Group Policy so that your apps will run on Device Guard-protected devices. 
- -## What you need to run your apps on Device-Guard protected devices - -Before you can get your apps to run on Device Guard-protected devices, you must have: - -- A device running Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016 Technical Preview. -- Determined which unsigned apps you need to include in your catalog file. -- Created a code integrity policy for use by Device Guard. -- A [code signing certificate](http://go.microsoft.com/fwlink/p/?LinkId=619282), created using an internal public key infrastructure (PKI). -- [SignTool]( http://go.microsoft.com/fwlink/p/?LinkId=619283). A command-line tool that digitally signs files, verifies signatures in files, or time stamps files. The tool is installed in the \\Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path. - -## Create a catalog file for unsigned apps - -You must run Package Inspector on a device that's running a temporary Code Integrity Policy in audit mode, created explicitly for this purpose. Audit mode lets this policy catch any binaries missed by the inspection tool, but because it's audit mode, allows everything to continue running. -> **Important:**  This temporary policy, shouldn't be used for normal business purposes. -  -**To create a catalog file for an existing app** -1. Start PowerShell as an administrator, and create your temporary policy file by typing: - ``` syntax - mkdir temp - New-CIPolicy -l FileName -f .\tempdeny.xml -s .\temp -u - ConvertFrom-CIPolicy .\tempdeny.xml .\tempdeny.bin - cp .\tempdeny.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b - ``` -2. Restart your device. -3. Start PowerShell as an administrator, and start scanning your file system by typing: - ``` syntax - PackageInspector.exe start c: - ``` - Where: - - - - - - - - - - - - - - - - - - - - - -
    OptionDescription

    start <drive_letter>:

    Specifies to start a scan. For example, starting to scan the C: drive.

    -path

    File path to the package being inspected.

    -   -4. Copy the app installation media to your C:\\ drive, and then install and run the program. - - Copying the media to your local drive helps to make sure that the installer and its related files are included in your catalog file. If you miss the install files, your Code Integrity Policy might trust the app to run, but not to install. After you've installed the app, you should check for updates. If updates happen while the app is open, you should close and restart the app to make sure everything is caught during the inspection process. - - > **Note:**  Because the Package Inspector creates a log entry in the catalog for every binary laid down on the file system, we recommend that you don't run any other installations or updates during the scanning process. -   -5. **Optional:** If you want to create a multi-app catalog (many apps included in a single catalog file), you can continue to run Steps 2-3 for each additional app. After you've added all of the apps you want to add, you can continue to Step 5. - > **Note: **  To streamline your process, we suggest: - - **Actively supported and updated apps.** Create a single catalog file for each app. - - **Legacy apps, non-active or not updated.** Create a single catalog file for all of your legacy apps. -   -6. Stop the scanning process and create the .\\InspectedPackage.cat and InspectedPackage.cdf files for your single app in your specified location, by typing: - ``` syntax - PackageInspector.exe stop c: - ``` -You can also use the `scan` command in place of using both `start` and `stop` if you want to create a catalog of files that are already present on your hard drive. The `scan` command recursively scans a specified directory and includes all signable files in the catalog. You can scan a specified directory by typing: -``` syntax -PackageInspector.exe scan c:\ -``` -The following table shows the available options for both the `scan` and `stop` commands. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    OptionDescription

    stop <drive_letter>:

    Specifies that a scan of the specified location is complete, creating either a catalog or a definition file. For example, C:

    scan <path to scan>

    Specifies a directory path to scan. This command recursively scans a specified directory and includes all signable files in the catalog.

    -out

    Specifies what type of info should be created by the tool. You can use either CAT for a catalog file, CDF for a catalog definition file or list for a delimited list of files.

    -listpath

    Specifies the location where the installer will output the list of files for -out list.

    -cdfPath <file_name>

    Specifies where the tool should put the created .cdf file. If you use this option, you must also specify the file name.

    -

    We recommend that you use the full path to the file. However, relative paths are supported.

    -resdir

    This option isn't currently supported.

    -name

    This option isn't currently supported.

    -ph [true|false]

    Specifies whether to include page hashes in the catalog. You can use either True to add the hashes or False to not add the hashes.

    -en

    Specifies the catalog's encoding type. By default, it's PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0x00010001.

    -ca1

    Specifies the CATATTR1 in the catalog and catalog definition files.

    -ca2

    Specifies the CATATTR2 in the catalog and catalog definition files.

    -  -You can add additional parameters to your catalog beyond what's listed here. For more info, see the [MakeCat](http://go.microsoft.com/fwlink/p/?LinkId=618024) topic. - -## Sign your catalog file using Sign Tool - -You can sign your catalog file using Sign Tool, located in the Windows 7 or later Windows Software Development Kit (SDK) or by using the Device Guard signing portal. For details on using the Device Guard signing portal, see [Device Guard signing](http://go.microsoft.com/fwlink/p/?LinkID=698760). -This process shows how to use a password-protected Personal Information Exchange (.pfx) file to sign the catalog file. - -> **Important:**  To use this tool, you must have an internal certificate authority code signing certificate, or a code signing certificate issued by an external third-party certificate authority. -  -**To use Sign Tool** - -1. Check that your code signing certificates have been imported into your certificate store or that they're on the file system. -2. Open SignTool.exe and sign the catalog file, based on where your certificate is stored. - If you are using the PFX from a file system location: - ``` syntax - signtool sign /f <\\SignCertLocation> /p <\\password> /fd sha256 /v - ``` - If you have imported the certificate into your cert store: - ``` syntax - signtool sign /n <\\CertSubjectName> /fd sha256 /v - ``` - Where: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    OptionDescription

    signtool

    Specifies the full path location to SignTool.exe.

    sign

    Digitally signs files. For a list of the options supported by the sign command, see the [SignTool options](http://go.microsoft.com/fwlink/p/?LinkId=619283).

    /n SubjectName

    Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.

    /f SignCertFileLocation

    Specifies the signing certificate in a file.

    -

    If the file is in .pfx format and protected by a password, use the /p option to specify the password. If the file does not contain private keys, use the /csp and /k options to specify the .csp and private key container name.

    /p Password

    Specifies the password to use when opening a PFX file. (Use the /f option to specify a PFX file.)

    /fd Algorithm

    Specifies the file digest algorithm to use for creating file signatures. The default is SHA2.

    /v

    Displays verbose output regardless of whether the command runs successfully or fails, and displays warning messages.

    -   - For more detailed info and examples using the available options, see the [SignTool.exe (Sign Tool)](http://go.microsoft.com/fwlink/p/?LinkId=618026) topic. - -3. In File Explorer, right-click your catalog file, click **Properties**, and then click the **Digital Signatures** tab to make sure your catalog file's digital signature is accurate. -4. Copy your catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} and test the file. - - >**Note:**  For testing purposes, you can manually copy your file to this location. However, we recommend that you use Group Policy to copy the catalog file to all of your devices for large-scale implementations. - -## Troubleshooting the Package Inspector - -If you see "Error 1181" while stopping the Package Inspector, you'll need to increase your USN journal size and then clear all of the cached data before re-scanning the impacted apps. - -You must make sure that you clear the cache by creating and setting a new temporary policy. If you reuse the same policy, the Package Inspector will fail. - -**To increase your journal size** -1. Open a command-prompt window, and then type: - ``` syntax - fsutil usn createjournal m=0x8000000 a=0x800000 C: - ``` - Where the "m" value needs to be increased. We recommend that you change the value to at least 4 times the default value of m=0x2000000. -2. Re-run the failed app installation(s). - -**To clear your cached data and re-scan your apps** - -1. Delete the SIPolicy.p7b file from the C:\\Windows\\System32\\CodeIntegrity\\ folder. -2. 
Create a new temporary Code Integrity Policy to clear all of the cached data by starting Windows Powershell as an administrator and typing: - ``` syntax - mkdir temp - cp C:\Windows\System32\PackageInspector.exe .\temp\ - New-CIPolicy -l Hash -f .\DenyPackageInspector.xml -s .\temp -u -deny - ConvertFrom-CIPolicy .\DenyPackageInspector.xml .\DenyPackageInspector.bin - cp .\DenyPackageInspector.bin C:\Windows\System32\SIPolicy.p7b - ``` -3. Restart your device and follow the steps in the [Create a catalog file for unsigned apps](#create-a-catalog-file-for-unsigned-apps) section. - -## Related topics - -[Download SignTool]( http://go.microsoft.com/fwlink/p/?LinkId=619283) diff --git a/windows/keep-secure/gpo-domiso-boundary.md b/windows/keep-secure/gpo-domiso-boundary.md index 22db5273b8..00fb043b7a 100644 --- a/windows/keep-secure/gpo-domiso-boundary.md +++ b/windows/keep-secure/gpo-domiso-boundary.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. diff --git a/windows/keep-secure/gpo-domiso-firewall.md b/windows/keep-secure/gpo-domiso-firewall.md index 226c9deac1..d1349941e1 100644 --- a/windows/keep-secure/gpo-domiso-firewall.md +++ b/windows/keep-secure/gpo-domiso-firewall.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. 
diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md
index 0f2faadb9e..a6ab80ad09 100644
--- a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md
+++ b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista.
diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md
index fb984adf5f..91cd4e3890 100644
--- a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md
+++ b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008.
diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md
index 805ac84dfc..cfd70be3cc 100644
--- a/windows/keep-secure/guidance-and-best-practices-edp.md
+++ b/windows/keep-secure/guidance-and-best-practices-edp.md
@@ -1,38 +1,5 @@
 ---
 title: General guidance and best practices for enterprise data protection (EDP) (Windows 10)
 description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP).
-ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
-keywords: EDP, Enterprise Data Protection
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# General guidance and best practices for enterprise data protection (EDP)
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-This section includes info about the enlightened Microsoft apps, including how to add them to your **Protected Apps** list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP).
-
-## In this section
-|Topic |Description |
-|------|------------|
-|[Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. |
-|[Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) |We've come up with a list of suggested testing scenarios that you can use to test EDP in your company. |
-
- 
-
- 
-
- 
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip
+---
\ No newline at end of file
diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md
new file mode 100644
index 0000000000..ae142779a5
--- /dev/null
+++ b/windows/keep-secure/guidance-and-best-practices-wip.md
@@ -0,0 +1,28 @@
+---
+title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10)
+description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
+ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# General guidance and best practices for Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
+
+## In this section
+|Topic |Description |
+|------|------------|
+|[Windows Information Protection (WIP) overview](wip-enterprise-overview.md) |High-level overview info about why to use WIP, the enterprise scenarios, and how to turn it off. |
+|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP), in your enterprise. |
+|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. 
|
+|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
\ No newline at end of file
diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
index b1adf33fd9..092982bd0a 100644
--- a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
+++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios.
diff --git a/windows/keep-secure/images/alert-details.png b/windows/keep-secure/images/alert-details.png
index 7d23ae0374..e2f5a387b0 100644
Binary files a/windows/keep-secure/images/alert-details.png and b/windows/keep-secure/images/alert-details.png differ
diff --git a/windows/keep-secure/images/alertsq2.png b/windows/keep-secure/images/alertsq2.png
index a11b5ba76b..8e823cd9c7 100644
Binary files a/windows/keep-secure/images/alertsq2.png and b/windows/keep-secure/images/alertsq2.png differ
diff --git a/windows/keep-secure/images/defender/client.png b/windows/keep-secure/images/defender/client.png
new file mode 100644
index 0000000000..4f2118206e
Binary files /dev/null and b/windows/keep-secure/images/defender/client.png differ
diff --git a/windows/keep-secure/images/defender/detection-source.png b/windows/keep-secure/images/defender/detection-source.png
new file mode 100644
index 0000000000..7d471dc22d
Binary files /dev/null and b/windows/keep-secure/images/defender/detection-source.png differ
diff --git a/windows/keep-secure/images/defender/download-wdo.png b/windows/keep-secure/images/defender/download-wdo.png
new file mode 100644
index 0000000000..50d2fc3152
Binary files /dev/null and b/windows/keep-secure/images/defender/download-wdo.png differ
diff --git a/windows/keep-secure/images/defender/enhanced-notifications.png b/windows/keep-secure/images/defender/enhanced-notifications.png
new file mode 100644
index 0000000000..8317458416
Binary files /dev/null and b/windows/keep-secure/images/defender/enhanced-notifications.png differ
diff --git a/windows/keep-secure/images/defender/gp.png b/windows/keep-secure/images/defender/gp.png
new file mode 100644
index 0000000000..8b57c7b45c
Binary files /dev/null and b/windows/keep-secure/images/defender/gp.png differ
diff --git a/windows/keep-secure/images/defender/notification.png b/windows/keep-secure/images/defender/notification.png
new file mode 100644
index 0000000000..cad9f162e9
Binary files /dev/null and b/windows/keep-secure/images/defender/notification.png differ
diff --git a/windows/keep-secure/images/defender/sccm-wdo.png b/windows/keep-secure/images/defender/sccm-wdo.png
new file mode 100644
index 0000000000..8f504b94e1
Binary files /dev/null and b/windows/keep-secure/images/defender/sccm-wdo.png differ
diff --git a/windows/keep-secure/images/defender/settings-wdo.png b/windows/keep-secure/images/defender/settings-wdo.png
new file mode 100644
index 0000000000..23412856b0
Binary files /dev/null and b/windows/keep-secure/images/defender/settings-wdo.png differ
diff --git a/windows/keep-secure/images/defender/ux-config-key.png b/windows/keep-secure/images/defender/ux-config-key.png
new file mode 100644
index 0000000000..3e2d966342
Binary files /dev/null and b/windows/keep-secure/images/defender/ux-config-key.png differ
diff --git a/windows/keep-secure/images/defender/ux-uilockdown-key.png b/windows/keep-secure/images/defender/ux-uilockdown-key.png
new file mode 100644
index 0000000000..86d1b4b249
Binary files /dev/null and b/windows/keep-secure/images/defender/ux-uilockdown-key.png differ
diff --git a/windows/keep-secure/images/detection-source.png b/windows/keep-secure/images/detection-source.png
new file mode 100644
index 0000000000..7d471dc22d
Binary files /dev/null and b/windows/keep-secure/images/detection-source.png differ
diff --git a/windows/keep-secure/images/device-guard-gp.png b/windows/keep-secure/images/device-guard-gp.png
index 0c2c1c9d4f..169d2f245b 100644
Binary files a/windows/keep-secure/images/device-guard-gp.png and b/windows/keep-secure/images/device-guard-gp.png differ
diff --git a/windows/keep-secure/images/dg-fig1-enableos.png b/windows/keep-secure/images/dg-fig1-enableos.png
index cefb124344..a114c520de 100644
Binary files a/windows/keep-secure/images/dg-fig1-enableos.png and b/windows/keep-secure/images/dg-fig1-enableos.png differ
diff --git a/windows/keep-secure/images/dg-fig11-dgproperties.png b/windows/keep-secure/images/dg-fig11-dgproperties.png
index ce16705d0f..3c93b2b948 100644
Binary files a/windows/keep-secure/images/dg-fig11-dgproperties.png and b/windows/keep-secure/images/dg-fig11-dgproperties.png differ
diff --git a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png
index bf0d55dd7f..ddc2158a8a 100644
Binary files a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png and b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png differ
diff --git a/windows/keep-secure/images/gp-process-mitigation-options-bit-flag-image.png b/windows/keep-secure/images/gp-process-mitigation-options-bit-flag-image.png
new file mode 100644
index 0000000000..e493da9e20
Binary files /dev/null and b/windows/keep-secure/images/gp-process-mitigation-options-bit-flag-image.png differ
diff --git a/windows/keep-secure/images/gp-process-mitigation-options-show.png b/windows/keep-secure/images/gp-process-mitigation-options-show.png
new file mode 100644
index 0000000000..0269ddf21f
Binary files /dev/null and b/windows/keep-secure/images/gp-process-mitigation-options-show.png differ
diff --git a/windows/keep-secure/images/gp-process-mitigation-options.png b/windows/keep-secure/images/gp-process-mitigation-options.png
new file mode 100644
index 0000000000..cd69708af3
Binary files /dev/null and b/windows/keep-secure/images/gp-process-mitigation-options.png differ
diff --git a/windows/keep-secure/images/hellosettings.png b/windows/keep-secure/images/hellosettings.png
index 77a8753b5c..9b897a136e 100644
Binary files a/windows/keep-secure/images/hellosettings.png and b/windows/keep-secure/images/hellosettings.png differ
diff --git a/windows/keep-secure/images/intune-add-applocker-xml-file.png b/windows/keep-secure/images/intune-add-applocker-xml-file.png
new file mode 100644
index 0000000000..8829c070a6
Binary files /dev/null and b/windows/keep-secure/images/intune-add-applocker-xml-file.png differ
diff --git a/windows/keep-secure/images/intune-add-classic-apps.png b/windows/keep-secure/images/intune-add-classic-apps.png
new file mode 100644
index 0000000000..bf4e5792c1
Binary files /dev/null and b/windows/keep-secure/images/intune-add-classic-apps.png differ
diff --git a/windows/keep-secure/images/intune-add-desktop-app.png b/windows/keep-secure/images/intune-add-desktop-app.png
deleted file mode 100644
index 8d8186398a..0000000000
Binary files a/windows/keep-secure/images/intune-add-desktop-app.png and /dev/null differ
diff --git a/windows/keep-secure/images/intune-add-uwp-apps.png b/windows/keep-secure/images/intune-add-uwp-apps.png
new file mode 100644
index 0000000000..933cd9addf
Binary files /dev/null and b/windows/keep-secure/images/intune-add-uwp-apps.png differ
diff --git a/windows/keep-secure/images/intune-add-uwp.png b/windows/keep-secure/images/intune-add-uwp.png
new file mode 100644
index 0000000000..7b226b7edd
Binary files /dev/null and b/windows/keep-secure/images/intune-add-uwp.png differ
diff --git a/windows/keep-secure/images/intune-addapps.png b/windows/keep-secure/images/intune-addapps.png
index f6569723de..52e3983adf 100644
Binary files a/windows/keep-secure/images/intune-addapps.png and b/windows/keep-secure/images/intune-addapps.png differ
diff --git a/windows/keep-secure/images/intune-corporate-identity.png b/windows/keep-secure/images/intune-corporate-identity.png
new file mode 100644
index 0000000000..4ffb6223ea
Binary files /dev/null and b/windows/keep-secure/images/intune-corporate-identity.png differ
diff --git a/windows/keep-secure/images/intune-createnewpolicy.png b/windows/keep-secure/images/intune-createnewpolicy.png
index 02a989d8ae..26ab066343 100644
Binary files a/windows/keep-secure/images/intune-createnewpolicy.png and b/windows/keep-secure/images/intune-createnewpolicy.png differ
diff --git a/windows/keep-secure/images/intune-data-recovery.png b/windows/keep-secure/images/intune-data-recovery.png
index 0913c7a22b..32d7282110 100644
Binary files a/windows/keep-secure/images/intune-data-recovery.png and b/windows/keep-secure/images/intune-data-recovery.png differ
diff --git a/windows/keep-secure/images/intune-edpsettings.png b/windows/keep-secure/images/intune-edpsettings.png
deleted file mode 100644
index 882bf0d46b..0000000000
Binary files a/windows/keep-secure/images/intune-edpsettings.png and /dev/null differ
diff --git a/windows/keep-secure/images/intune-empty-addapps.png b/windows/keep-secure/images/intune-empty-addapps.png
new file mode 100644
index 0000000000..7987e91454
Binary files /dev/null and b/windows/keep-secure/images/intune-empty-addapps.png differ
diff --git a/windows/keep-secure/images/intune-encryption-level.png b/windows/keep-secure/images/intune-encryption-level.png
deleted file mode 100644
index f094fae2f9..0000000000
Binary files a/windows/keep-secure/images/intune-encryption-level.png and /dev/null differ
diff --git a/windows/keep-secure/images/intune-generalinfo.png b/windows/keep-secure/images/intune-generalinfo.png
new file mode 100644
index 0000000000..c740cad913
Binary files /dev/null and b/windows/keep-secure/images/intune-generalinfo.png differ
diff --git a/windows/keep-secure/images/intune-namedescription.png b/windows/keep-secure/images/intune-namedescription.png
deleted file mode 100644
index 874b8b52a5..0000000000
Binary files a/windows/keep-secure/images/intune-namedescription.png and /dev/null differ
diff --git a/windows/keep-secure/images/intune-network-detection-boxes.png b/windows/keep-secure/images/intune-network-detection-boxes.png
new file mode 100644
index 0000000000..256b586c70
Binary files /dev/null and b/windows/keep-secure/images/intune-network-detection-boxes.png differ
diff --git a/windows/keep-secure/images/intune-networklocation.png b/windows/keep-secure/images/intune-networklocation.png
index 3b1ec39b7c..058aaec38e 100644
Binary files a/windows/keep-secure/images/intune-networklocation.png and b/windows/keep-secure/images/intune-networklocation.png differ
diff --git a/windows/keep-secure/images/intune-optional-settings.png b/windows/keep-secure/images/intune-optional-settings.png
new file mode 100644
index 0000000000..2d2bf90bb1
Binary files /dev/null and b/windows/keep-secure/images/intune-optional-settings.png differ
diff --git a/windows/keep-secure/images/intune-primary-domain.png b/windows/keep-secure/images/intune-primary-domain.png
deleted file mode 100644
index 72105fab7c..0000000000
Binary files a/windows/keep-secure/images/intune-primary-domain.png and /dev/null differ
diff --git a/windows/keep-secure/images/intune-protection-mode.png b/windows/keep-secure/images/intune-protection-mode.png
new file mode 100644
index 0000000000..80804f7946
Binary files /dev/null and b/windows/keep-secure/images/intune-protection-mode.png differ
diff --git a/windows/keep-secure/images/intune-vpn-wipmodeid.png b/windows/keep-secure/images/intune-vpn-wipmodeid.png
new file mode 100644
index 0000000000..80852af30d
Binary files /dev/null and b/windows/keep-secure/images/intune-vpn-wipmodeid.png differ
diff --git a/windows/keep-secure/images/machines-view.png b/windows/keep-secure/images/machines-view.png
index 3baf15a05f..f1d00f4035 100644
Binary files a/windows/keep-secure/images/machines-view.png and b/windows/keep-secure/images/machines-view.png differ
diff --git a/windows/keep-secure/images/oma-uri.png b/windows/keep-secure/images/oma-uri.png
new file mode 100644
index 0000000000..00cfe55d01
Binary files /dev/null and b/windows/keep-secure/images/oma-uri.png differ
diff --git a/windows/keep-secure/images/onboardingstate.png b/windows/keep-secure/images/onboardingstate.png
index 0606e2b2c6..ab49c49e17 100644
Binary files a/windows/keep-secure/images/onboardingstate.png and b/windows/keep-secure/images/onboardingstate.png differ
diff --git a/windows/keep-secure/images/phone-signin-device-select.png b/windows/keep-secure/images/phone-signin-device-select.png
new file mode 100644
index 0000000000..a002efa427
Binary files /dev/null and b/windows/keep-secure/images/phone-signin-device-select.png differ
diff --git a/windows/keep-secure/images/phone-signin-menu.png b/windows/keep-secure/images/phone-signin-menu.png
new file mode 100644
index 0000000000..4672433344
Binary files /dev/null and b/windows/keep-secure/images/phone-signin-menu.png differ
diff --git a/windows/keep-secure/images/phone-signin-settings.png b/windows/keep-secure/images/phone-signin-settings.png
new file mode 100644
index 0000000000..e0ae827426
Binary files /dev/null and b/windows/keep-secure/images/phone-signin-settings.png differ
diff --git a/windows/keep-secure/images/pinerror.png b/windows/keep-secure/images/pinerror.png
index 188b981299..28a759f2fc 100644
Binary files a/windows/keep-secure/images/pinerror.png and b/windows/keep-secure/images/pinerror.png differ
diff --git a/windows/keep-secure/images/portal-image.png b/windows/keep-secure/images/portal-image.png
index be59f06fa5..c038da30de 100644
Binary files a/windows/keep-secure/images/portal-image.png and b/windows/keep-secure/images/portal-image.png differ
diff --git a/windows/keep-secure/images/pua1.png b/windows/keep-secure/images/pua1.png
new file mode 100644
index 0000000000..f3d96a245a
Binary files /dev/null and b/windows/keep-secure/images/pua1.png differ
diff --git a/windows/keep-secure/images/pua2.png b/windows/keep-secure/images/pua2.png
new file mode 100644
index 0000000000..72ffa10aa5
Binary files /dev/null and b/windows/keep-secure/images/pua2.png differ
diff --git a/windows/keep-secure/images/remote-credential-guard-gp.png b/windows/keep-secure/images/remote-credential-guard-gp.png
new file mode 100644
index 0000000000..98c97825fa
Binary files /dev/null and b/windows/keep-secure/images/remote-credential-guard-gp.png differ
diff --git a/windows/keep-secure/images/remote-credential-guard.png b/windows/keep-secure/images/remote-credential-guard.png
new file mode 100644
index 0000000000..d8e3598dc9
Binary files /dev/null and b/windows/keep-secure/images/remote-credential-guard.png differ
diff --git a/windows/keep-secure/images/timeline.png b/windows/keep-secure/images/timeline.png
index 83ac56f312..ac657b2a12 100644
Binary files a/windows/keep-secure/images/timeline.png and b/windows/keep-secure/images/timeline.png differ
diff --git a/windows/keep-secure/images/edp-intune-app-reconfig-warning.png b/windows/keep-secure/images/wip-intune-app-reconfig-warning.png
similarity index 100%
rename from windows/keep-secure/images/edp-intune-app-reconfig-warning.png
rename to windows/keep-secure/images/wip-intune-app-reconfig-warning.png
diff --git a/windows/keep-secure/images/edp-sccm-add-network-domain.png b/windows/keep-secure/images/wip-sccm-add-network-domain.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-add-network-domain.png
rename to windows/keep-secure/images/wip-sccm-add-network-domain.png
diff --git a/windows/keep-secure/images/edp-sccm-addapplockerfile.png b/windows/keep-secure/images/wip-sccm-addapplockerfile.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-addapplockerfile.png
rename to windows/keep-secure/images/wip-sccm-addapplockerfile.png
diff --git a/windows/keep-secure/images/edp-sccm-adddesktopapp.png b/windows/keep-secure/images/wip-sccm-adddesktopapp.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-adddesktopapp.png
rename to windows/keep-secure/images/wip-sccm-adddesktopapp.png
diff --git a/windows/keep-secure/images/edp-sccm-additionalsettings.png b/windows/keep-secure/images/wip-sccm-additionalsettings.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-additionalsettings.png
rename to windows/keep-secure/images/wip-sccm-additionalsettings.png
diff --git a/windows/keep-secure/images/edp-sccm-addpolicy.png b/windows/keep-secure/images/wip-sccm-addpolicy.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-addpolicy.png
rename to windows/keep-secure/images/wip-sccm-addpolicy.png
diff --git a/windows/keep-secure/images/edp-sccm-adduniversalapp.png b/windows/keep-secure/images/wip-sccm-adduniversalapp.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-adduniversalapp.png
rename to windows/keep-secure/images/wip-sccm-adduniversalapp.png
diff --git a/windows/keep-secure/images/edp-sccm-appmgmt.png b/windows/keep-secure/images/wip-sccm-appmgmt.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-appmgmt.png
rename to windows/keep-secure/images/wip-sccm-appmgmt.png
diff --git a/windows/keep-secure/images/edp-sccm-corp-identity.png b/windows/keep-secure/images/wip-sccm-corp-identity.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-corp-identity.png
rename to windows/keep-secure/images/wip-sccm-corp-identity.png
diff --git a/windows/keep-secure/images/edp-sccm-devicesettings.png b/windows/keep-secure/images/wip-sccm-devicesettings.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-devicesettings.png
rename to windows/keep-secure/images/wip-sccm-devicesettings.png
diff --git a/windows/keep-secure/images/edp-sccm-dra.png b/windows/keep-secure/images/wip-sccm-dra.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-dra.png
rename to windows/keep-secure/images/wip-sccm-dra.png
diff --git a/windows/keep-secure/images/edp-sccm-generalscreen.png b/windows/keep-secure/images/wip-sccm-generalscreen.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-generalscreen.png
rename to windows/keep-secure/images/wip-sccm-generalscreen.png
diff --git a/windows/keep-secure/images/edp-sccm-network-domain.png b/windows/keep-secure/images/wip-sccm-network-domain.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-network-domain.png
rename to windows/keep-secure/images/wip-sccm-network-domain.png
diff --git a/windows/keep-secure/images/edp-sccm-optsettings.png b/windows/keep-secure/images/wip-sccm-optsettings.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-optsettings.png
rename to windows/keep-secure/images/wip-sccm-optsettings.png
diff --git a/windows/keep-secure/images/edp-sccm-summaryscreen.png b/windows/keep-secure/images/wip-sccm-summaryscreen.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-summaryscreen.png
rename to windows/keep-secure/images/wip-sccm-summaryscreen.png
diff --git a/windows/keep-secure/images/edp-sccm-supportedplat.png b/windows/keep-secure/images/wip-sccm-supportedplat.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-supportedplat.png
rename to windows/keep-secure/images/wip-sccm-supportedplat.png
diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
index 1680e13ed9..2dc4c2628a 100644
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
+++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
@@ -1,6 +1,6 @@
 ---
-title: Implement Microsoft Passport in your organization (Windows 10)
-description: You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10.
+title: Implement Windows Hello in your organization (Windows 10)
+description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
 ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8
 keywords: identity, PIN, biometric, Hello
 ms.prod: w10
@@ -8,41 +8,44 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerMS
+localizationpriority: high
 ---
-# Implement Microsoft Passport in your organization
+# Implement Windows Hello for Business in your organization
 **Applies to**
 - Windows 10
 - Windows 10 Mobile
-You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10.
-> **Important:** The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. Use **Microsoft Passport for Work** policy settings to manage PINs.
+You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
+> **Important:** The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. Use **Windows Hello for Business** policy settings to manage PINs.
  
 ## Group Policy settings for Passport
-The following table lists the Group Policy settings that you can configure for Passport use in your workplace. These policy settings are available in **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**.
+The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. + + - +
@@ -122,23 +125,23 @@ The following table lists the Group Policy settings that you can configure for P - +
    Policy Options
    Use Microsoft Passport for WorkUse Windows Hello for Business -

    Not configured: Users can provision Passport for Work, which encrypts their domain password.

    -

    Enabled: Device provisions Passport for Work using keys or certificates for all users.

    -

    Disabled: Device does not provision Passport for Work for any user.

    +

    Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.

    +

    Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.

    +

    Disabled: Device does not provision Windows Hello for Business for any user.

    Use a hardware security device -

    Not configured: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

    -

    Enabled: Passport for Work will only be provisioned using TPM.

    -

    Disabled: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

    +

    Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

    +

    Enabled: Windows Hello for Business will only be provisioned using TPM.

    +

    Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

    Remote PassportPhone Sign-in -

    Use Remote Passport

    +

    Use Phone Sign-in

    Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
     
    -

    Not configured: Remote Passport is disabled.

    +

    Not configured: Phone sign-in is disabled.

    Enabled: Users can use a portable, registered device as a companion device for desktop authentication.

    -

    Disabled: Remote Passport is disabled.

    +

    Disabled: Phone sign-in is disabled.

    ## MDM policy settings for Passport -The following table lists the MDM policy settings that you can configure for Passport use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070). +The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070). @@ -152,9 +155,9 @@ The following table lists the MDM policy settings that you can configure for Pas @@ -164,8 +167,8 @@ The following table lists the MDM policy settings that you can configure for Pas @@ -176,8 +179,8 @@ The following table lists the MDM policy settings that you can configure for Pas @@ -276,8 +279,8 @@ The following table lists the MDM policy settings that you can configure for Pas
    PolicyDevice True -

    True: Passport will be provisioned for all users on the device.

    -

    False: Users will not be able to provision Passport.

    -
    Note  If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.
    +

    True: Windows Hello for Business will be provisioned for all users on the device.

    +

    False: Users will not be able to provision Windows Hello for Business.

    +
    Note  If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.
     
    Device False -

    True: Passport will only be provisioned using TPM.

    -

    False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

    +

    True: Windows Hello for Business will only be provisioned using TPM.

    +

    False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

    Device False -

    True: Biometrics can be used as a gesture in place of a PIN for domain logon.

    -

    False: Only a PIN can be used as a gesture for domain logon.

    +

    True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.

    +

    False: Only a PIN can be used as a gesture for domain sign-in.

    Device or user False -

    True: Remote Passport is enabled.

    -

    False: Remote Passport is disabled.

    +

    True: Phone sign-in is enabled.

    +

    False: Phone sign-in is disabled.

    @@ -287,7 +290,7 @@ If policy is not configured to explicitly require letters or special characters,   ## Prerequisites -You’ll need this software to set Microsoft Passport policies in your enterprise. +You’ll need this software to set Windows Hello for Business policies in your enterprise. @@ -297,10 +300,10 @@ You’ll need this software to set Microsoft Passport policies in your enterpris - + - - + + @@ -308,14 +311,14 @@ You’ll need this software to set Microsoft Passport policies in your enterpris @@ -328,8 +331,8 @@ You’ll need this software to set Microsoft Passport policies in your enterpris
  • PKI infrastructure
  • @@ -337,20 +340,23 @@ You’ll need this software to set Microsoft Passport policies in your enterpris
  • Azure AD subscription
  • [Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)
  • AD CS with NDES
  • -
  • Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
  • +<<<<<<< HEAD +
  • Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
  • Microsoft Passport modeWindows Hello for Business mode Azure ADActive Directory (AD) on-premises (available with production release of Windows Server 2016 Technical Preview)Azure AD/AD hybrid (available with production release of Windows Server 2016 Technical Preview)Active Directory (AD) on-premises (available with production release of Windows Server 2016)Azure AD/AD hybrid (available with production release of Windows Server 2016)
    Key-based authentication Azure AD subscription
      -
    • Active Directory Federation Service (AD FS) (Windows Server 2016 Technical Preview)
    • -
    • A few Windows Server 2016 Technical Preview domain controllers on-site
    • +
    • Active Directory Federation Service (AD FS) (Windows Server 2016)
    • +
    • A few Windows Server 2016 domain controllers on-site
    • Microsoft System Center 2012 R2 Configuration Manager SP2
    • Azure AD subscription
    • [Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)
    • -
    • A few Windows Server 2016 Technical Preview domain controllers on-site
    • +
    • A few Windows Server 2016 domain controllers on-site
    • A management solution, such as Configuration Manager, Group Policy, or MDM
    • Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)
      -
    • ADFS (Windows Server 2016 Technical Preview)
    • -
    • Active Directory Domain Services (AD DS) Windows Server 2016 Technical Preview schema
    • +
    • ADFS (Windows Server 2016)
    • +
    • Active Directory Domain Services (AD DS) Windows Server 2016 schema
    • PKI infrastructure
    • Configuration Manager SP2, Intune, or non-Microsoft MDM solution
      -Configuration Manager and MDM provide the ability to manage Passport policy and to deploy and manage certificates protected by Passport. -Azure AD provides the ability to register devices with your enterprise and to provision Passport for organization accounts. -Active Directory provides the ability to authorize users and devices using keys protected by Passport if domain controllers are running Windows 10 and the Microsoft Passport provisioning service in Windows 10 AD FS. +Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business. -## Passport for BYOD +Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts. -Passport can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Passport PIN for unlocking the device and a separate work PIN for access to work resources. -The work PIN is managed using the same Passport policies that you can use to manage Passport on organization owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244). + +## Windows Hello for BYOD + +Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and used this PIN for access to work resources. + +The PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The PIN can also be managed using DeviceLock policy. 
DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244). ## Related topics @@ -358,14 +364,17 @@ The work PIN is managed using the same Passport policies that you can use to man [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) +[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) -[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) +[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) -[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) +[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) +[Windows Hello and password changes](microsoft-passport-and-password-changes.md) -[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) +[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) -[Event ID 300 - Passport successfully created](passport-event-300.md) +[Event ID 300 - Windows Hello successfully created](passport-event-300.md) + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)   \ No newline at end of file diff --git a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 25f0fba560..6099d183c9 100644 --- a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md 
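Review bot: An unresolved merge-conflict marker is committed in the hunk at `@@ -337,20 +340,23 @@`: the added line `+<<<<<<< HEAD` sits inside the prerequisites table just before the replacement Configuration Manager row, and no matching `=======` or `>>>>>>>` lines are visible in the hunk, so the published prerequisites page would render the marker as literal text and the table row may be malformed. The marker line should be dropped so that the row is just `Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work`. That same row still says `Passport for Work` while the rest of this commit renames the feature to Windows Hello for Business, so the rename appears incomplete here. The table this row belongs to starts before the hunk's first line.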
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan:
diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md
index c400267003..059e35186e 100644
--- a/windows/keep-secure/index.md
+++ b/windows/keep-secure/index.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
 # Keep Windows 10 secure
@@ -16,20 +17,21 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. | Topic | Description | | - | - | -| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). | | [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. | | [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | -| [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. 
| -| [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) | Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. | +| [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | | [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. | | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. | | [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. 
| -| [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. | +| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. | +| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. | | [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. 
| +|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. | | [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. | | [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. | | [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. | +| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). |   ## Related topics diff --git a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md index 6bd8e60c5d..575bf12fee 100644 --- a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md +++ b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS +localizationpriority: high --- # Install digital certificates on Windows 10 Mobile 
@@ -22,6 +23,10 @@ Certificates in Windows 10 Mobile are primarily used for the following purposes
 - To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email.
 - For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site).
+
+**Warning**  
+In Windows 10, Version 1607, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. [Learn more about this known issue in Version 1607](http://go.microsoft.com/fwlink/p/?LinkId=786764)
+
 ## Install certificates using Microsoft Edge
 A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows 10 Mobile device.
diff --git a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
new file mode 100644
index 0000000000..c0577fe786
--- /dev/null
+++ b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
@@ -0,0 +1,79 @@ +--- +title: Introduction to Device Guard - virtualization-based security and code integrity policies (Windows 10) +description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +author: brianlic-msft +--- + +# Introduction to Device Guard: virtualization-based security and code integrity policies + +**Applies to** +- Windows 10 +- Windows Server 2016 + +With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating *code integrity policies*. + +Like the operating system, code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been available in previous versions of the Windows operating system, and protects the kernel mode from running unsigned drivers. In Windows 10 and Windows Server 2016, UMCI is also available, to help protect against viruses and malware. + +To increase the security level offered by code integrity policies, Device Guard can leverage advanced hardware features on hardware that supports them. These features include CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT). In addition, hardware that includes input/output memory management units (IOMMUs) provides even stronger protections. 
When you enable the features associated with CPU virtualization extensions and SLAT, the Code Integrity service can run alongside the kernel in a Windows hypervisor-protected container. The following table provides more information about how Device Guard and these hardware features can help protect against various threats. + +For an overview of the process of deploying Device Guard features, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). + +## How Device Guard features help protect against threats + +The following table lists security threats and describes the corresponding Device Guard features: + +| Security threat in the enterprise | How a Device Guard feature helps protect against the threat | +| --------------------------------- | ----------------------------------------------------------- | +| **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**:  You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.
    Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.

    **Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. | +| **Exposure to unsigned code** (most malware is unsigned) | **Code integrity policies, plus catalog files as needed**:  Because most malware is unsigned, using a code integrity policy (which in most cases requires signed code) can immediately help protect against a large number of threats. However, many organizations use unsigned line-of-business (LOB) applications, for which the process of signing might be difficult. This has changed in Windows 10, because you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.

    **Specialized hardware required?** No security-related hardware features are required for creating and using code integrity policies and catalogs. However, code integrity policies and catalogs are strengthened by the hardware features, as described in later rows of this table. | +| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
    With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.

    **Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | +| **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**:  With this type of VBS protection, when the DMA-based attack makes a memory request, input/output memory management units (IOMMUs) will evaluate the request and deny access.

    **Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. | +| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Device Guard security.

    **Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | + +In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](credential-guard.md) and [AppLocker](applocker-overview.md). + +## Tools for managing Device Guard features + +You can easily manage Device Guard features by using familiar enterprise and client-management tools that IT pros use every day: + + + +- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. + + - For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Device Guard features help protect against threats](#how-device-guard-features-help-protect-against-threats), earlier in this topic. + - For information about using Group Policy as a deployment tool, see:
    [Deploy catalog files with Group Policy](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-group-policy)
    [Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy) + +- **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features, as well as provide version control. For more information, see [Deploy catalog files with System Center Configuration Manager](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-system-center-configuration-manager). + +- **Microsoft Intune**. In a future release of Microsoft Intune, Microsoft is considering including features that will support the deployment and management of code integrity policies and catalog files. + +- **Windows PowerShell**. You can use Windows PowerShell to create and service code integrity policies. For more information, see [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) and [Configurable Code Integrity Policy for Windows PowerShell](https://technet.microsoft.com/library/mt634481.aspx). + +These options provide the same experience you're used to in order to manage your existing enterprise management solutions. + +For more information about the deployment of Device Guard features, see: +- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) + +## Other features that relate to Device Guard + +### Device Guard with AppLocker + +Although [AppLocker](applocker-overview.md) is not considered a new Device Guard feature, it complements Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. 
There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. + +> **Note**  One example of how Device Guard functionality can be enhanced by AppLocker is when you want to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule. + +AppLocker and Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. + +### Device Guard with Credential Guard + +Another Windows 10 feature that employs VBS is [Credential Guard](credential-guard.md). Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Credential Guard (which is not a feature within Device Guard), see [Protect derived domain credentials with Credential Guard](credential-guard.md). + +Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. 
+
+In addition to the client-side enabling of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. For more information, see the [Additional mitigations](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard#additional-mitigations) section in “Protect derived domain credentials with Credential Guard.”
+
diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
index d724b1862d..8bd01c944f 100644
--- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -14,11 +14,12 @@ author: mjcaparas
 **Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
 Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization. There are three alert severity levels, described in the following table.
@@ -43,17 +44,39 @@ Details displayed about the alert include:
 - When the alert was last observed
 - Alert description
 - Recommended actions
-- The potential scope of breach
+- The incident graph
 - The indicators that triggered the alert
-![A detailed view of an alert when clicked](images/alert-details.png)
-
 Alerts attributed to an adversary or actor display a colored tile with the actor name. Click on the actor's name to see a threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as areas where it's active worldwide. You will also see a set of recommended actions to take. Some actor profiles include a link to download a more comprehensive threat intelligence report.
+![A detailed view of an alert when clicked](images/alert-details.png)
+
+## Incident graph
+The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
+
+You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert.
+
+## Alert spotlight
+The alert spotlight feature helps ease investigations by highlighting alerts related to a specific machine and events. You can highlight an alert and its related events in the machine timeline to increase your focus during an investigation.
+
+You can click on the machine link from the alert view to see the alerts related to the machine.
+
+
+ > [!NOTE]
+ > This shortcut is not available from the Incident graph machine links.
+
+Alerts related to the machine are displayed under the **Alerts related to this machine** section.
+Clicking on an alert row takes you the to the date in which the alert was flagged on **Machine timeline**.
This eliminates the need to manually filter and drag the machine timeline marker to when the alert was seen on that machine.
+
+You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine. Right-click on any alert from either section and select **Mark related events**. This highlights alerts and events that are related and helps differentiate between the other alerts listed in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviours**, or **Verbose**.
+
+You can also remove the highlight by right-clicking a highlighted alert and selecting **Unmark related events**.
+
+
 ### Related topics
 - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
 - [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
index fd75059fff..d138e36e1f 100644
--- a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -13,11 +13,12 @@ author: mjcaparas
 **Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
 Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. You can see information from the following sections in the URL view:
diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
index 2f82d6927e..6c1309102d 100644
--- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
@@ -13,11 +13,12 @@ author: mjcaparas
 **Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
 Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. You can get information from the following sections in the file view:
@@ -62,11 +63,13 @@ Use the deep analysis feature to investigate the details of any file, usually du
 In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
-> **Note**  Only files from Windows 10 can be automatically collected.
+> [!NOTE]
+> Only files from Windows 10 can be automatically collected.
 You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/en-us/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
-> **Note**  Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
+> [!NOTE]
+> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
 When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications.
@@ -84,7 +87,8 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
 A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
-> **Note**  Depending on machine availability, sample collection time can vary. There is a 1-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
+> [!NOTE]
+> Depending on machine availability, sample collection time can vary. There is a 1-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
 ## View deep analysis report
@@ -121,10 +125,11 @@ HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
 Value = 0 - block sample collection
 Value = 1 - allow sample collection
 ```
-5. Change the organizational unit through the Group Policy. See [Configure with Group Policy](additional-configuration-windows-defender-advanced-threat-protection.md#configure-with-group-policy).
+5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
 6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
-> **Note**  If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
+> [!NOTE]
+> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
 ### Related topics
 - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
index e1427b0400..dd72b28bc9 100644
--- a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -13,12 +13,12 @@ author: mjcaparas
 **Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-
 Examine possible communication between your machines and external internet protocol (IP) addresses. Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.
@@ -43,7 +43,8 @@ The **Communication with IP in organization** section provides a chronological v
 Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of machines in the organization that communicated with this IP Address (during selectable time period), and the machines in the organization that were observed communicating with this IP address.
-> **Note**  Search results will only be returned for IP addresses observed in communication with machines in the organization.
+> [!NOTE]
+> Search results will only be returned for IP addresses observed in communication with machines in the organization.
 Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the IP address, the file associated with the communication and the last date observed.
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
index 4778e194e5..7eae125102 100644
--- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -14,11 +14,12 @@ author: mjcaparas
 **Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
 The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting telemetry in your network. Use the Machines view in these two main scenarios:
@@ -37,7 +38,8 @@ The Machines view contains the following columns:
 - **Active Alerts** - the number of alerts reported by the machine by severity
 - **Active malware detections** - the number of active malware detections reported by the machine
-> **Note**  The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> [!NOTE]
+> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
 Click any column header to sort the view in ascending or descending order.
@@ -55,7 +57,8 @@ You can filter the view by the following time periods:
 - 30 days
 - 6 months
-> **Note**  When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period.
+> [!NOTE]
+> When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period.
 The threat category filter lets you filter the view by the following categories:
@@ -65,7 +68,7 @@ The threat category filter lets you filter the view by the following categories:
 - Threat
 - Low severity
-See the [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections) topic for a description of each category.
+For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections).
 You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file.
@@ -100,13 +103,14 @@ You'll see an aggregated view of alerts, a short description of the alert, detai
 This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
+You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alerts-spotlight) feature to see the correlation between alerts and events on a specific machine.
+
 ![The timeline shows an interactive history of the alerts seen on a machine](images/timeline.png)
 Use the search bar to look for specific alerts or files associated with the machine. You can also filter by:
-- Signed or unsigned files
 - Detections mode: displays Windows ATP Alerts and detections
 - Behaviors mode: displays "detections" and selected events of interest
 - Verbose mode: displays "behaviors" (including "detections"), and all reported events
diff --git a/windows/keep-secure/isolated-domain-gpos.md b/windows/keep-secure/isolated-domain-gpos.md
index b7f6c3b921..745da6642b 100644
--- a/windows/keep-secure/isolated-domain-gpos.md
+++ b/windows/keep-secure/isolated-domain-gpos.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section.
diff --git a/windows/keep-secure/isolated-domain.md b/windows/keep-secure/isolated-domain.md
index 3d23484bf9..43e1461c41 100644
--- a/windows/keep-secure/isolated-domain.md
+++ b/windows/keep-secure/isolated-domain.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone.
diff --git a/windows/keep-secure/isolating-apps-on-your-network.md b/windows/keep-secure/isolating-apps-on-your-network.md
index 09367196c5..c8adf77620 100644
--- a/windows/keep-secure/isolating-apps-on-your-network.md
+++ b/windows/keep-secure/isolating-apps-on-your-network.md
@@ -12,7 +12,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 When you add new devices to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
diff --git a/windows/keep-secure/link-the-gpo-to-the-domain.md b/windows/keep-secure/link-the-gpo-to-the-domain.md
index ab224211e6..ba14d60b0e 100644
--- a/windows/keep-secure/link-the-gpo-to-the-domain.md
+++ b/windows/keep-secure/link-the-gpo-to-the-domain.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices.
diff --git a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
index 718b2e22ce..ef1ab6abe0 100644
--- a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -14,14 +14,15 @@ author: mjcaparas
 **Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
 Windows Defender ATP notifies you of detected, possible attacks or breaches through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.
-See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts) topic for more details on how to investigate alerts.
+For more information on how to investigate alerts see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts).
 Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the top of the alert to access the Manage Alert menu and manage alerts.
@@ -55,7 +56,7 @@ You can resolve an alert by changing the status of the alert to **Resolved**. Th
 ![You can resolve an alert as valid, valid - allowed, or false alarm](images/resolve-alert.png)
-The comments and change of status are recorded in the [Comments and history window](#view-history-and-comments).
+The comments and change of status are recorded in the Comments and history window.
 ![The comments window will display a history of status changes](images/comments.png)
@@ -86,7 +87,8 @@ The context of the rule lets you tailor the queue to ensure that only alerts you
 1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of an existing alert.
 2. Choose the context for suppressing the alert.
-> **Note**  You cannot create a custom or blank suppression rule. You must start from an existing alert.
+> [!NOTE]
+> You cannot create a custom or blank suppression rule. You must start from an existing alert.
 **See the list of suppression rules:**
@@ -95,7 +97,8 @@ The context of the rule lets you tailor the queue to ensure that only alerts you
 ![Click the settings icon and then Suppression rules to create and modify rules](images/suppression-rules.png)
-> **Note**  You can also click **See rules** in the confirmation window that appears when you suppress an alert.
+> [!NOTE]
+> You can also click **See rules** in the confirmation window that appears when you suppress an alert.
 The list of suppression rules shows all the rules that users in your organization have created. Each rule shows:
diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
index dccabd045e..5422f94366 100644
--- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
+++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
@@ -1,73 +1,92 @@ --- -title: Manage identity verification using Microsoft Passport (Windows 10) -description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. +title: Manage identity verification using Windows Hello for Business (Windows 10) +description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E -keywords: identity, PIN, biometric, Hello +keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile author: jdeckerMS +localizationpriority: high --- -# Manage identity verification using Microsoft Passport +# Manage identity verification using Windows Hello for Business **Applies to** - Windows 10 - Windows 10 Mobile -In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. +In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. -Passport addresses the following problems with passwords: +> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. 
Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Hello addresses the following problems with passwords: - Passwords can be difficult to remember, and users often reuse passwords on multiple sites. - Server breaches can expose symmetric network credentials. - Passwords can be subject to [replay attacks](http://go.microsoft.com/fwlink/p/?LinkId=615673). - Users can inadvertently expose their passwords due to [phishing attacks](http://go.microsoft.com/fwlink/p/?LinkId=615674). -Passport lets users authenticate to: +Hello lets users authenticate to: - a Microsoft account. - an Active Directory account. -- a Microsoft Azure Active Directory (AD) account. +- a Microsoft Azure Active Directory (Azure AD) account. - Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication -After an initial two-step verification of the user during Passport enrollment, Passport is set up on the user's device and the user is asked to set a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify their identity. Windows then uses Passport to authenticate users and help them to access protected resources and services. +After an initial two-step verification of the user during enrollment, Hello is set up on the user's device and the user is asked to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Hello to authenticate users and help them to access protected resources and services. -As an administrator in an enterprise or educational organization, you can create policies to manage Passport use on Windows 10-based devices that connect to your organization. 
+As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization. -## Benefits of Microsoft Passport + + + +## The difference between Windows Hello and Windows Hello for Business + +- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by certificate-based authentication. + +- Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication. + +- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release. + +## Benefits of Windows Hello Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. + You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. -In Windows 10, Passport replaces passwords. The Passport provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. 
The two-step verification that takes place during Passport enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Passport keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Passport keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Passport key is created in software. +In Windows 10, Hello replaces passwords. The Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. 
During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software. -![how authentication works in microsoft passport](images/authflow.png) +![how authentication works in windows hello](images/authflow.png) Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. -Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs. -Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the user’s Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. -> **Note:**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. +Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. 
+ +Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. + +> [!NOTE] +>  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. +   -## How Microsoft Passport works: key points +## How Windows Hello for Business works: key points -- Passport credentials are based on certificate or asymmetrical key pair. Passport credentials are bound to the device, and the token that is obtained using the credential is also bound to the device. -- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Microsoft Passport's public key to a user account during the registration step. +- Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device. +- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step. - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. -- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Passport gesture does not roam between devices and is not shared with the server; it is stored locally on a device. 
+- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device. - Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process. -- PIN entry and Hello both trigger Windows 10 to verify the user's identity and authenticate using Passport keys or certificates. -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use separate containers for keys. Non-Microsoft identity providers can generate keys for their users in the same container as the Microsoft account; however, all keys are separated by identity providers' domains to help ensure user privacy. -- Certificates are added to the Passport container and are protected by the Passport gesture. -- Windows Update behavior: After a reboot is required by Windows Update, the last interactive user is automatically signed on without any user gesture and the session is locked so the user's lock screen apps can run. +- PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates. +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. +- Certificate private keys can be protected by the Hello container and the Hello gesture. + ## Comparing key-based and certificate-based authentication -Passport can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. 
Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Passport. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Passport. +Windows Hello for Business can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Hello. Hardware-based keys, which are generated by TPM, provide the highest level of assurance. When the TPM is manufactured, an Endorsement Key (EK) certificate is resident in the TPM. This EK certificate creates a root trust for all other keys that are generated on this TPM. -EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Passport keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected. +EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Hello keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected. 
-When identity providers such as Active Directory or Azure AD enroll a certificate in Passport, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported. +When identity providers such as Active Directory or Azure AD enroll a certificate in Hello, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported. ## Learn more @@ -89,15 +108,19 @@ When identity providers such as Active Directory or Azure AD enroll a certificat ## Related topics -[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) + +[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) +[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) -[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) +[Windows Hello and password changes](microsoft-passport-and-password-changes.md) -[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) +[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) -[Event ID 300 - Passport successfully created](passport-event-300.md) -  \ No newline at end of file +[Event ID 300 - Windows Hello successfully created](passport-event-300.md) + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +  diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md new file mode 100644 index 0000000000..0e1345c2ae --- /dev/null 
+++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -0,0 +1,31 @@ +--- +title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10) +description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) in your enterprise. +keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Allowed apps list +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +--- + +# Mandatory tasks and settings required to turn on Windows Information Protection (WIP) +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. + +>**Important**
    +All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise. + + +|Task |Description | +|------------------------------------|--------------------------| +|Add at least one app rule in the **App Rules** area in your WIP policy. |You must have at least one app rule specified in the **App Rules** area of your WIP policy. For more info about where this area is and how to add an app rule, see the **Add individual apps to your Protected App list** section of the policy creation topics.| +|Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection level for your enterprise data** section of the policy creation topics.| +|Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. | +|Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. | +|Specify your Enterprise IPv4 or IPv6 Ranges. |Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. 
These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. | +|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate** section of the policy creation topics. | \ No newline at end of file diff --git a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index 3187e17371..49dc1620f6 100644 --- a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. diff --git a/windows/keep-secure/microsoft-accounts.md b/windows/keep-secure/microsoft-accounts.md index 910e6fac1f..6bea7ac9aa 100644 --- a/windows/keep-secure/microsoft-accounts.md +++ b/windows/keep-secure/microsoft-accounts.md 
@@ -98,7 +98,7 @@ Although the Microsoft account was designed to serve consumers, you might find s - **Integrated social media services**: - Contact information and status for your users’ friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as SkyDrive, Facebook, and Flickr. + Contact information and status for your users’ friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as OneDrive, Facebook, and Flickr. ### Managing the Microsoft account in the domain diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md index ceebe00f0a..dd002d75b8 100644 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ b/windows/keep-secure/microsoft-passport-and-password-changes.md @@ -1,12 +1,13 @@ --- -title: Microsoft Passport and password changes (Windows 10) -description: When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. +title: Windows Hello and password changes (Windows 10) +description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS +localizationpriority: high --- # Microsoft Passport and password changes 
@@ -14,17 +15,17 @@ author: jdeckerMS - Windows 10 - Windows 10 Mobile -When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. You can set up Passport for the same account on multiple devices. If the PIN or biometric is configured as part of a Microsoft Passport for Work, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Microsoft Passport for Work is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Passport. +When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. ## Example Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account. Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part. -Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Passport on **Device A** knows will be outdated. -> **Note:**  This example also applies to an Active Directory account when [Passport for Work is not implemented](implement-microsoft-passport-in-your-organization.md). 
+Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated. +> **Note:**  This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md).   -## How to update Passport after you change your password on another device +## How to update Hello after you change your password on another device 1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.** 2. Click **OK.** 
@@ -35,16 +36,19 @@ Suppose instead that you sign in on **Device B** and change your password for yo ## Related topics -[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) +[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) -[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) + +[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) +[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) -[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) +[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) +[Event ID 300 - Windows Hello successfully created](passport-event-300.md) -[Event ID 300 - Passport successfully created](passport-event-300.md) +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)   \ No newline at end of file diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md index 490c5c9e6e..8f3d731281 100644 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md 
@@ -1,6 +1,6 @@ --- -title: Microsoft Passport errors during PIN creation (Windows 10) -description: When you set up Microsoft Passport in Windows 10, you may get an error during the Create a work PIN step. +title: Windows Hello errors during PIN creation (Windows 10) +description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step. ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 keywords: PIN, error, create a work PIN ms.prod: w10 @@ -8,19 +8,20 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS +localizationpriority: high --- -# Microsoft Passport errors during PIN creation +# Windows Hello errors during PIN creation **Applies to** - Windows 10 - Windows 10 Mobile -When you set up Microsoft Passport in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. +When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. ## Where is the error code? -The following image shows an example of an error during **Create a work PIN**. +The following image shows an example of an error during **Create a PIN**. ![](images/pinerror.png) 
@@ -221,14 +222,18 @@ For errors listed in this table, contact Microsoft Support for assistance. ## Related topics -[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) +[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) -[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) + +[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) +[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) -[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) +[Windows Hello and password changes](microsoft-passport-and-password-changes.md) -[Event ID 300 - Passport successfully created](passport-event-300.md) +[Event ID 300 - Windows Hello successfully created](passport-event-300.md) + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) \ No newline at end of file diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md index b78b6f94f7..45548bb40f 100644 --- a/windows/keep-secure/microsoft-passport-guide.md +++ b/windows/keep-secure/microsoft-passport-guide.md 
@@ -101,7 +101,7 @@ Microsoft Passport offers four significant advantages over the current state of **It’s flexible** Microsoft Passport offers unprecedented flexibility. Although the format and use of reusable passwords are fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with both biometric identifiers and PINs, so users’ credentials are protected even on devices that don’t support biometrics. Users can even use their phone to release their credentials instead of a PIN or biometric gesture on the main device. Microsoft Passport seamlessly takes advantage of the hardware of the devices in use; as users upgrade to newer devices, Microsoft Passport is ready to use them, and organizations can upgrade existing devices by adding biometric sensors where appropriate. -Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 Technical Preview domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. 
This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section). +Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section). **It’s standardized** diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index 91db7537e8..85249ee5d8 100644 --- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md 
@@ -14,44 +14,102 @@ author: iaanw **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - There are some minimum requirements for onboarding your network and endpoints. ## Minimum requirements ### Network and data storage and configuration requirements - - - - -When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in either a European or United States datacenter. +When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter. > **Notes**   - You cannot change your data storage location after the first-time setup. - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. ### Endpoint hardware and software requirements -Endpoints on your network must be running Windows 10 Insider Preview Build 14332 or later. The hardware requirements for Windows Defender ATP on endpoints is the same as those for Windows 10 Insider Preview Build 14332 or later. +The Windows Defender ATP agent only supports the following editions of Windows 10: -> **Note**  Endpoints that are running Windows Server and mobile versions of Windows are not supported. 
+- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education -Internet connectivity on endpoints is also required. See [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) for additional proxy configuration settings. +Endpoints on your network must be running one of these editions. + +The hardware requirements for Windows Defender ATP on endpoints is the same as those for the supported editions. + +> [!NOTE] +> Endpoints that are running Windows Server and mobile versions of Windows are not supported. + +#### Internet connectivity +Internet connectivity on endpoints is required. + +SENSE can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data. + +> [!NOTE] +> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. + +For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section. -### Deployment channel operating system requirements +### Telemetry and diagnostics settings +You must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization. +By default, this service is enabled, but it's good practice to check to ensure that you'll get telemetry from them. 
-You can choose to onboard endpoints with a scheduled Group Policy (GP) or System Center Configuration Manager (SCCM) update (using a configuration package that you download from the portal or during the service onboarding wizard), or by manually running a script to modify the registry. +**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**: -The following describes the minimum operating system or software version -required for each deployment channel. +1. Open an elevated command-line prompt on the endpoint: -Deployment channel | Minimum server requirements -:---|:--- -Group Policy settings | Windows Server 2008 R2 -System Center Configuration Manager | SCCM 2012 -Manual (script) | No minimum requirements + a. Go to **Start** and type **cmd**. + + b. Right-click **Command prompt** and select **Run as administrator**. + +2. Enter the following command, and press **Enter**: + + ```text + sc qc diagtrack + ``` + +If the service is enabled, then the result should look like the following screenshot: + +![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) + +If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start. + + + +**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:** + +1. Open an elevated command-line prompt on the endpoint: + + a. Go to **Start** and type **cmd**. + + b. Right-click **Command prompt** and select **Run as administrator**. + +2. Enter the following command, and press **Enter**: + + ```text + sc config diagtrack start=auto + ``` + +3. A success message is displayed. Verify the change by entering the following command, and press **Enter**: + + ```text + sc qc diagtrack + ``` + +## Windows Defender signature updates are configured +The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. 
If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](windows-defender-in-windows-10.md). + +When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection). + +## Windows Defender Early Launch Antimalware (ELAM) driver is enabled +If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard. + +If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information on how to validate and enable the Windows Defender ELAM driver see, [Ensure the Windows Defender ELAM driver is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-windows-defender-elam-driver-is-enabled). diff --git a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index 95ab7cda01..d2ed73907e 100644 --- a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md 
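Review bot: The Compatibility link in the "Windows Defender signature updates are configured" section has a space inside the fragment (`windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection`), so the rendered link will not resolve to that heading; it should read `[Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md#compatibility-with-windows-defender-advanced-threat-protection)`. The `sc config diagtrack start=auto` example in the "Telemetry and diagnostics settings" section is also worth verifying as written, since the sc.exe reference documents its options as `name= value` with a space after the equals sign (`sc config diagtrack start= auto`); a reader copying the line verbatim may get a syntax error rather than the success message the text promises. The sentence before that section, "For more information on additional proxy configuration settings see, [...] .", has the comma and the trailing space misplaced and would read better as "For more information on additional proxy configuration settings, see [...]." 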
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. diff --git a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 8babe1f172..0000000000 --- a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -title: Monitor Windows Defender ATP onboarding -description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports. -keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: mjcaparas ---- - -# Monitor Windows Defender Advanced Threat Protection onboarding - -**Applies to:** - -- Windows 10 Insider Preview Build 14322 or later -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -You can monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports. - -You might need to monitor the onboarding if the package did not configure the registry correctly, or the reporting client did not start or execute correctly. - -Monitoring can be done directly on the portal, or by using System Center Configuration Manager (SCCM). - -## Monitor with the portal - -1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/). - -2. Click **Machines view**. - -3. Verify that endpoints are appearing. - - -> **Note**  It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. - -## Monitor with System Center Configuration Manager - -Monitoring with SCCM consists of two parts: - -1. 
Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network. - -2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service). - -**To confirm the configuration package has been correctly deployed:** - -1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane. - -2. Click **Overview** and then **Deployments**. - -3. Click on the deployment with the package name. - -4. Review the status indicators under **Completion Statistics** and **Content Status**. - -If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information. - -![SCCM showing successful deployment with no errors](images/sccm-deployment.png) - -## Related topics - -- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md index eaaa736c69..1c962bc1ec 100644 --- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md 
+++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md 
@@ -14,28 +14,18 @@ author: iaanw **Applies to:** -- Windows 10 TAP program +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - You need to onboard to Windows Defender ATP before you can use the service. - - - ## In this section Topic | Description :---|:--- -[Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn how you can use the configuration package to configure endpoints in your enterprise. +[Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise. [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings. -[Additional configuration settings] (additional-configuration-windows-defender-advanced-threat-protection.md) | Learn how to configure settings for sample sharing used in the deep analysis feature. -[Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) | Learn how you can monitor the onboarding to ensure your endpoints are correctly configured and are sending telemetry reports. [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding. 
diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md index f29f5afbb7..420518e4ca 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index e179647bac..bbecb7b8ad 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md index 2d848ec539..9712af0076 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To open a GPO to Windows Firewall diff --git a/windows/keep-secure/open-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-windows-firewall-with-advanced-security.md index cda993d4ad..8f20a73c1c 100644 --- a/windows/keep-secure/open-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/open-windows-firewall-with-advanced-security.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This procedure shows you how to open the Windows Firewall with Advanced Security console. diff --git a/windows/keep-secure/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/keep-secure/optional-create-a-code-signing-certificate-for-code-integrity-policies.md new file mode 100644 index 0000000000..89b5072658 --- /dev/null +++ b/windows/keep-secure/optional-create-a-code-signing-certificate-for-code-integrity-policies.md 
@@ -0,0 +1,102 @@ +--- +title: Optional - Create a code signing certificate for code integrity policies (Windows 10) +description: This article describes how to create a code signing certificate for code integrity policies, one of the main features that are part of Device Guard in Windows 10. +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +author: brianlic-msft +--- + +# Optional: Create a code signing certificate for code integrity policies + +**Applies to** +- Windows 10 +- Windows Server 2016 + +As you deploy code integrity policies (part of Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). + +If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate: + +1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA. + +2. When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console. + + ![CA snap-in showing Certificate Templates](images/dg-fig27-managecerttemp.png) + + Figure 1. Manage the certificate templates + +3. In the navigation pane, right-click the Code Signing certificate, and then click **Duplicate Template**. + +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list. + +5. On the **General** tab, specify the **Template display name** and **Template name**. 
This example uses the name **DG Catalog Signing Certificate**. + +6. On the **Request Handling** tab, select the **Allow private key to be exported** check box. + +7. On the **Extensions** tab, select the **Basic Constraints** check box, and then click **Edit**. + +8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2. + + ![Edit Basic Constraints Extension](images/dg-fig29-enableconstraints.png) + + Figure 2. Select constraints on the new template + +9. If a certificate manager is required to approve any issued certificates, on the **Issuance Requirements** tab, select **CA certificate manager approval**. + +10. On the **Subject Name** tab, select **Supply in the request**. + +11. On the **Security** tab, verify that whatever account will be used to request the certificate has the right to enroll the certificate. + +12. Click **OK** to create the template, and then close the Certificate Template Console. + +When this certificate template has been created, you must publish it to the CA published template store. To do so, complete the following steps: + +1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 3. + + ![Select Certificate Template to Issue](images/dg-fig30-selectnewcert.png) + + Figure 3. Select the new certificate template to issue + + A list of available templates to issue appears, including the template you just created. + +2. Select the DG Catalog signing certificate, and then click **OK**. + +Now that the template is available to be issued, you must request one from the computer running Windows 10 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps: + +1. In MMC, from the **File** menu, click **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**. + +2. 
In the Certificates snap-in, right-click the Personal store folder, point to **All Tasks**, and then click **Request New Certificate**. + +3. Click **Next** twice to get to the certificate selection list. + +4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4. + + ![Request Certificates: more information required](images/dg-fig31-getmoreinfo.png) + + Figure 4. Get more information for your code signing certificate + +5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then click **Add**. When added, click **OK.** + +6. Enroll and finish. + +> **Note**  If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client. + +This certificate must be installed in the user’s personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps: + +1. Right-click the certificate, point to **All Tasks**, and then click **Export**. + +2. Click **Next**, and then select **Yes, export the private key**. + +3. Choose the default settings, and then select **Export all extended properties**. + +4. Set a password, select an export path, and then select **DGCatSigningCert.pfx** as the file name. 
+ +When the certificate has been exported, import it into the personal store for the user who will be signing the catalog files or code integrity policies on the specific computer that will be signing them. + +## Related topics + +- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) + +- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) + diff --git a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md new file mode 100644 index 0000000000..0f98929851 --- /dev/null +++ b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md 
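Review bot: The procedure marks the template's private key as exportable (step 6) and later exports it to a .pfx, but nothing in the topic says how that file is to be handled, even though the same topic states the certificate signs catalog files and code integrity policies that Device Guard-protected devices trust. A short note after the export steps would close that gap, for example: `> **Note**  The exported .pfx contains the private key that signs your code integrity policies and catalog files. Store it and its password only where signing takes place, and remove the exported copy once it has been imported on the signing computer.` Separately, step 5 of the request procedure says to "select" **ContosoDGSigningCert** for **Value**, but that is a free-text field, so "type" is the accurate verb; and the template is referred to as **DG Catalog Signing Certificate**, "DG Catalog signing certificate", and **DGCatSigningCert.pfx** in different steps, which is confusing when the reader has to match names in the MMC lists.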
@@ -0,0 +1,58 @@ + +--- +title: Override Process Mitigation Options to help enforce app-related security policies (Windows 10) +description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies. +keywords: Process Mitigation Options, Mitigation Options, Group Policy Mitigation Options +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: security +ms.sitesec: library +--- + + +# Override Process Mitigation Options to help enforce app-related security policies + +**Applies to:** + +- Windows 10, version 1607 +- Windows Server 2016 + +Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. + +**To modify Process Mitigation Options** + +1. Open your Group Policy editor and go to the **Administrative Templates\System\Mitigation Options\Process Mitigation Options** setting. + + ![Group Policy editor: Process Mitigation Options with setting enabled and Show button active](images/gp-process-mitigation-options.png) + +2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you’ll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic. + + **Important**
    For each app you want to include, you must include: + + - **Value name.** The app file name, including the extension. For example, iexplore.exe. + - **Value.** A bit field with a series of bit flags in particular positions. Bits can be set to 0 (where the setting is forced off), 1 (where the setting is forced on), or ? (where the setting retains the previous, existing value). + + **Note**
    Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior. + + ![Group Policy editor: Process Mitigation Options with Show Contents box and example text](images/gp-process-mitigation-options-show.png) + +## Setting the bit field +Here’s a visual representation of the bit flag locations for the various Process Mitigation Options settings: + +![Visual representation of the bit flag locations for the Process Mitigation Options settings](images/gp-process-mitigation-options-bit-flag-image.png) + +Where the bit flags are read from right to left and are defined as: + +|Flag |Bit location |Setting |Details | +|-----|--------------|--------|--------| +|A |0 |`PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)` |Turns on Data Execution Prevention (DEP) for child processes. | +|B |1 |`PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)` |Turns on DEP-ATL thunk emulation for child processes. DEP-ATL thunk emulation lets the system intercept non-executable (NX) faults that originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so the process can continue to run. | +|C |2 |`PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)` |Turns on Structured Exception Handler Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured Exception Handler (SEH) overwrite technique. | +|D |8 |`PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)` |Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that aren’t dynamic base compatible. Images without the base relocation section won’t be loaded if relocations are required. 
| +|E |15 |`PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)` |Turns on the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. | +|F |16 |`PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)` |Turns off the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. | + +## Example +If you want to turn on the **PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE** and **PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON** settings, turn off the **PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF** setting, and leave everything else as the default values, you’d want to type a value of `???????????????0???????1???????1`. + + diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md index 119659b070..74ca414ed7 100644 --- a/windows/keep-secure/overview-create-edp-policy.md +++ b/windows/keep-secure/overview-create-edp-policy.md 
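Review bot: The bit-location column in the flags table disagrees with the hex values in the same rows: `0x00010000` is bit 16 and `0x00020000` is bit 17, yet rows E and F list them as bits 15 and 16 (row D, `0x00000100` at bit 8, is consistent). The hex values match the `PROCESS_CREATION_MITIGATION_POLICY_*` definitions in the Windows SDK, so the bit-location column appears to be what is off by one; rows E and F should read `|E |16 |...` and `|F |17 |...`. The example value `???????????????0???????1???????1` inherits the error: read right to left its `0` lands in bit 16, which per the hex values is `BOTTOM_UP_ASLR_ALWAYS_ON`, not the `ALWAYS_OFF` setting the prose says it turns off, so the example should become `??????????????0????????1???????1` (the `0` in bit 17). Given that a wrong bit here silently changes which mitigation is forced, it is worth a reviewer double-checking these against the header before publishing.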
@@ -1,36 +1,5 @@ --- title: Create an enterprise data protection (EDP) policy (Windows 10) -description: Microsoft Intune and System Center Configuration Manager (version 1605 Technical Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. -ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# Create an enterprise data protection (EDP) policy -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -Microsoft Intune and System Center Configuration Manager (version 1605 Technical Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. - -## In this section -|Topic |Description | -|------|------------| -|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. | -|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |Configuration Manager (version 1605 Technical Preview or later) helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. 
| -  - -  - -  - - - - - +description: Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy +--- \ No newline at end of file diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md new file mode 100644 index 0000000000..0bd61f269b --- /dev/null +++ b/windows/keep-secure/overview-create-wip-policy.md 
@@ -0,0 +1,26 @@ +--- +title: Create a Windows Information Protection (WIP) policy (Windows 10) +description: Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Create a Windows Information Protection (WIP) policy +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. + +## In this section +|Topic |Description | +|------|------------| +|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | \ No newline at end of file 
diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md index 9a7c694ae0..3609eec53d 100644 --- a/windows/keep-secure/passport-event-300.md +++ b/windows/keep-secure/passport-event-300.md @@ -1,6 +1,6 @@ --- -title: Event ID 300 - Passport successfully created (Windows 10) -description: This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). +title: Event ID 300 - Windows Hello successfully created (Windows 10) +description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 keywords: ngc ms.prod: w10 @@ -8,15 +8,16 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS +localizationpriority: high --- -# Event ID 300 - Passport successfully created +# Event ID 300 - Windows Hello successfully created **Applies to** - Windows 10 - Windows 10 Mobile -This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. +This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. ## Event details | | | 
@@ -34,9 +35,20 @@ This is a normal condition. No further action is required. ## Related topics -- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) -- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) -- [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) -- [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) -- [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) +[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) + +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) + +[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md) + +[Windows Hello and password changes](microsoft-passport-and-password-changes.md) + +[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Windows Hello successfully created](passport-event-300.md) + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) diff --git a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md new file mode 100644 index 0000000000..0e1ec374bc --- /dev/null +++ b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md 
@@ -0,0 +1,57 @@ +--- +title: Planning and getting started on the Device Guard deployment process (Windows 10) +description: To help you plan and begin the initial test stages of a deployment of Microsoft Device Guard, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies. +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +author: brianlic-msft +--- + +# Planning and getting started on the Device Guard deployment process + +**Applies to** +- Windows 10 +- Windows Server 2016 + +This topic provides a roadmap for planning and getting started on the Device Guard deployment process, with links to topics that provide additional detail. Planning for Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you. + +**Planning** + +1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). + +2. **Group devices by degree of control needed**. Group devices according to the table in [Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? 
Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
    Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment. + +3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one code integrity policy for them. More variety across departments might mean you need to create and manage more code integrity policies. The following questions can help you clarify how many code integrity policies to create: + - How standardized is the hardware?
    This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment. + + - Is there already a list of accepted applications?
    A list of accepted applications can be used to help create a baseline code integrity policy. + + - What software does each department or role need? Should they be able to install and run other departments’ software?
    If multiple departments are allowed to run the same list of software, you might be able to merge several code integrity policies to simplify management. + + - Are there departments or roles where unique, restricted software is used?
    If one department needs to run an application that no other department is allowed, it might require a separate code integrity policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate code integrity policy. + +4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files). + +**Getting started on the deployment process** + +1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md). + +2. **Create code integrity policies from “golden” computers**. 
When you have identified departments or roles that use distinctive or partly-distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a code integrity policy, and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. For more information, see: + - [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md) + - [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
    + +3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. For more information, see [Audit code integrity policies](deploy-code-integrity-policies-steps.md#audit-code-integrity-policies). + +4. **Create a “catalog file” for unsigned LOB applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. For more information, review step 4 **Identify LOB applications that are currently unsigned**, earlier in this list, and see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md). In later steps, you can merge the catalog file's signature into your code integrity policy, so that applications in the catalog will be allowed by the policy. + +6. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. 
For more information, see: + - [Create a code integrity policy that captures audit information from the event log](deploy-code-integrity-policies-steps.md#create-a-code-integrity-policy-that-captures-audit-information-from-the-event-log) + - [Merge code integrity policies](deploy-code-integrity-policies-steps.md#merge-code-integrity-policies)
    + +7. **Deploy code integrity policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of auditing mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. For more information, see: + - [Enforce code integrity policies](deploy-code-integrity-policies-steps.md#enforce-code-integrity-policies) + - [Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy)
    + +8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). + diff --git a/windows/keep-secure/planning-certificate-based-authentication.md b/windows/keep-secure/planning-certificate-based-authentication.md index 69e599b812..ab5b21c69b 100644 --- a/windows/keep-secure/planning-certificate-based-authentication.md +++ b/windows/keep-secure/planning-certificate-based-authentication.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. diff --git a/windows/keep-secure/planning-domain-isolation-zones.md b/windows/keep-secure/planning-domain-isolation-zones.md index 208265eefb..a18fb27051 100644 --- a/windows/keep-secure/planning-domain-isolation-zones.md +++ b/windows/keep-secure/planning-domain-isolation-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. 
diff --git a/windows/keep-secure/planning-gpo-deployment.md b/windows/keep-secure/planning-gpo-deployment.md index 050a5550f7..abdff4b8ca 100644 --- a/windows/keep-secure/planning-gpo-deployment.md +++ b/windows/keep-secure/planning-gpo-deployment.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 You can control which GPOs are applied to devices in Active Directory in a combination of three ways: diff --git a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md index fff34a12c7..0718187682 100644 --- a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. diff --git a/windows/keep-secure/planning-isolation-groups-for-the-zones.md b/windows/keep-secure/planning-isolation-groups-for-the-zones.md index b4f667a50b..0c4488940a 100644 --- a/windows/keep-secure/planning-isolation-groups-for-the-zones.md +++ b/windows/keep-secure/planning-isolation-groups-for-the-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone. diff --git a/windows/keep-secure/planning-network-access-groups.md b/windows/keep-secure/planning-network-access-groups.md index 4d9b002e7c..929c583624 100644 
--- a/windows/keep-secure/planning-network-access-groups.md +++ b/windows/keep-secure/planning-network-access-groups.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. diff --git a/windows/keep-secure/planning-server-isolation-zones.md b/windows/keep-secure/planning-server-isolation-zones.md index 12688b93c9..9995c0e5fc 100644 --- a/windows/keep-secure/planning-server-isolation-zones.md +++ b/windows/keep-secure/planning-server-isolation-zones.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. diff --git a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md index 4fcbd977dc..fdcf972088 100644 --- a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. diff --git a/windows/keep-secure/planning-the-gpos.md b/windows/keep-secure/planning-the-gpos.md index b22f0497cd..84b3750822 100644 --- a/windows/keep-secure/planning-the-gpos.md +++ b/windows/keep-secure/planning-the-gpos.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. diff --git a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md index 1801d2a86a..8423e4b94f 100644 --- a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization. 
diff --git a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md index c800eca94d..736612379f 100644 --- a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md index 4eaf0224ec..177d0998d6 100644 --- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Windows Defender Advanced Threat Protection portal overview description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. -keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, client onboarding, advanced attacks +keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, endpoint management, advanced attacks search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
@@ -14,12 +14,12 @@ author: DulceMV **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - - Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches. You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to: 
@@ -37,19 +37,20 @@ When you open the portal, you’ll see the main areas of the application: ![Windows Defender Advanced Threat Protection portal](images/portal-image.png) -> **Note**  Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. +> [!NOTE] +> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. Area | Description :---|:--- (1) Settings | Provides access to configuration settings such as time zone, alert suppression rules, and license information. -(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Client onboarding**. +(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Enpoint Management**. **Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization. **Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts. **Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. -**Preferences setup**| Shows the settings you selected and lets you update your industry preferences and retention policy period. -**Client onboarding**| Allows you to download the onboarding configuration package. 
+**Preferences setup**| Shows the settings you selected and lets you update your industry preferences and retention policy period. +**Enpoint Management**| Allows you to download the onboarding configuration package. (3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view. (4) Search | Search for machines, files, external IP Addresses, or domains across endpoints. The drop-down combo box allows you to select the entity type. diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md index d377aafd3e..81f36a3d4e 100644 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md @@ -1,6 +1,6 @@ --- -title: Prepare people to use Microsoft Passport (Windows 10) -description: When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization. +title: Prepare people to use Windows Hello (Windows 10) +description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B keywords: identity, PIN, biometric, Hello ms.prod: w10 
@@ -8,21 +8,22 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS +localizationpriority: high --- -# Prepare people to use Microsoft Passport +# Prepare people to use Windows Hello **Applies to** - Windows 10 - Windows 10 Mobile -When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization by explaining how to use Passport. +When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello. -After enrollment in Passport, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device. +After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device. -Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Passport. +Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello. -People who are currently using virtual smart cards for authentication can use their virtual smart card to verify their identity when they set up Passport. +People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello. ## On devices owned by the organization 
@@ -34,35 +35,42 @@ Next, they select a way to connect. Tell the people in your enterprise which opt ![choose how you'll connect](images/connect.png) -They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a work PIN** screen displays any complexity requirements that you have set, such as minimum length. +They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length. -After Passport is set up, people use their PIN to unlock the device, and that will automatically log them on. +After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on. ## On personal devices -People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials. (This work account gesture doesn't affect the device unlock PIN.) - -Assure people that their work credentials and personal credentials are stored in separate containers; the enterprise has no access to their personal credentials. +People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. 
The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials. People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device. ## Using Windows Hello and biometrics -If your policy allows it, people can add Windows Hello to their Passport. Windows Hello can be fingerprint, iris, and facial recognition, and is available to users only if the hardware supports it. +If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it. ![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) -## Use a phone to sign in to a PC +## Use a phone to sign in to a PC or VPN + +If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials. + +> [!NOTE] +> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. -If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Microsoft Passport credentials. -> **Note:**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.   **Prerequisites:** -- The PC must be joined to the Active Directory domain or Azure AD cloud domain. -- The PC must have Bluetooth connectivity. -- The phone must be joined to the Azure AD cloud domain, or the user must have added a work account to their personal phone. 
-- The free **Phone Sign-in** app must be installed on the phone. + +- Both phone and PC must be running Windows 10, version 1607. +- The PC must be running Windows 10 Pro, Enterprise, or Education +- Both phone and PC must have Bluetooth. +- The **Microsoft Authenticator** app must be installed on the phone. +- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. +- The phone must be joined to Azure AD or have a work account added. +- The VPN configuration profile must use certificate-based authentication. + **Pair the PC and phone** + 1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing. ![bluetooth pairing](images/btpair.png) 
@@ -72,22 +80,41 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows ![bluetooth pairing passcode](images/bt-passcode.png) 3. On the PC, tap **Yes**. + **Sign in to PC using the phone** -1. Open the **Phone Sign-in** app and tap the name of the PC to sign in to. - > **Note: **  The first time that you run the Phone-Sign app, you must add an account. + +<<<<<<< HEAD +1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to. + > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account. + + ![select a device](images/phone-signin-device-select.png) +======= +1. Open the **Microsoft Authenticator** app and tap the name of the PC to sign in to. + > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account. +>>>>>>> parent of 9891b67... from master   2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account. +**Connect to VPN** + +You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect. 
+ ## Related topics -[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) +[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) -[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) + +[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) -[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) +[Windows Hello and password changes](microsoft-passport-and-password-changes.md) + +[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Windows Hello successfully created](passport-event-300.md) + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) -[Event ID 300 - Passport successfully created](passport-event-300.md) diff --git a/windows/keep-secure/procedures-used-in-this-guide.md b/windows/keep-secure/procedures-used-in-this-guide.md index d19699b94b..7374820ed8 100644 --- a/windows/keep-secure/procedures-used-in-this-guide.md +++ b/windows/keep-secure/procedures-used-in-this-guide.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. 
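Review bot: The new side of this hunk commits unresolved merge-conflict markers — `<<<<<<< HEAD`, `=======` and `>>>>>>> parent of 9891b67... from master` — around step 1 of "Sign in to PC using the phone", so the published page would render both variants of the step plus the markers verbatim. Keep one variant (the HEAD side, `1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to.` together with its `![select a device](images/phone-signin-device-select.png)` image line, appears to be the intended one since it matches the new account-selection flow) and delete the three marker lines and the duplicate step. While here, the note syntax `> **Note: **` has a space inside the closing bold delimiter and will not render as bold; `> **Note:**` is the form used elsewhere in this file. The enclosing section continues from the previous hunk, which starts outside this one.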
diff --git a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md index a24379dacf..f4134b9ce9 100644 --- a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md +++ b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md index 8f09a2e896..3f8df3ef51 100644 --- a/windows/keep-secure/protect-enterprise-data-using-edp.md +++ b/windows/keep-secure/protect-enterprise-data-using-edp.md 
@@ -1,101 +1,5 @@ --- title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10) description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. -ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032 -keywords: EDP, Enterprise Data Protection -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# Protect your enterprise data using enterprise data protection (EDP) -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. - -Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. - -## Prerequisites -You’ll need this software to run EDP in your enterprise: - -|Operating system | Management solution | -|-----------------|---------------------| -|Windows 10 Insider Preview | Microsoft Intune
    -OR-
    System Center Configuration Manager (version 1605 Tech Preview or later)
    -OR-
    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| - -## How EDP works -EDP helps address your everyday challenges in the enterprise. Including: - -- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down. - -- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices. - -- Helping to maintain the ownership and control of your enterprise data. - -- Helping control the network and data access and data sharing for apps that aren’t enterprise aware. - -### EDP-protection modes -You can set EDP to 1 of 4 protection and management modes: - -|Mode|Description| -|----|-----------| -|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| -|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | -|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.| -|Off |EDP is turned off and doesn't help to protect or audit your data.

    After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. | -

    **Note**
    For more info about setting your EDP-protection modes, see either [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md), depending on your management solution. - -## Why use EDP? -EDP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). - -- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. EDP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. - -- **Manage your enterprise documents, apps, and encryption modes.** - - - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device. - - - **Using allowed apps.** Managed apps (apps that you've included on the protected apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. 
Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. - - - **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your **Protected App** list, the app is trusted with enterprise data. All apps that aren’t on this list are blocked from accessing your enterprise network resources and your EDP-protected data.

    - You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the **Protected App** list. - - - **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your **Protected App** list. - - - **Continuous data encryption.** EDP helps protect enterprise data on local files and on removable media.

    - Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document. - - - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your **Protected App** list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your **Protected Apps** list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the cloud, while maintaining the encryption. - - - **Helping prevent accidental data disclosure to removable media.** EDP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. - -- **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.

    **Note**
    System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. - -## Current limitations with EDP -EDP is still in development and is not yet integrated with Azure Rights Management. This means that while you can deploy an EDP-configured policy to a protected device, that protection is restricted to a single user on the device. Additionally, the EDP-protected data must be stored on NTFS, FAT, or ExFAT file systems. - -Use the following table to identify the scenarios that require Azure Rights Management, the behavior when Azure Rights Management is not used with EDP, and the recommended workarounds. - -|EDP scenario |Without Azure Rights Management |Workaround | -|-------------|--------------------------------|-----------| -|Saving enterprise data to USB drives |Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

    We strongly recommend educating employees about how to limit or eliminate the need for this decryption. | -|Synchronizing data to other services or public cloud storage |Synchronized files aren't protected on additional services or as part of public cloud storage. |Stop the app from synchronizing or don't add the app to your **Protected App** list.

    For more info about adding apps to the **Protected App** list, see either the [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or the [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md) topic, depending on your management solution. - -## Next steps -After deciding to use EDP in your enterprise, you need to: - -- [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip +--- \ No newline at end of file diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md new file mode 100644 index 0000000000..e97e4432da --- /dev/null +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md 
@@ -0,0 +1,83 @@ +--- +title: Protect your enterprise data using Windows Information Protection (WIP) (Windows 10) +description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. +ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032 +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Protect your enterprise data using Windows Information Protection (WIP) +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. + +Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. 
+ +## Prerequisites +You’ll need this software to run WIP in your enterprise: + +|Operating system | Management solution | +|-----------------|---------------------| +|Windows 10, version 1607 | Microsoft Intune
    -OR-
    System Center Configuration Manager
    -OR-
    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| + +## How WIP works +WIP helps address your everyday challenges in the enterprise. Including: + +- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down. + +- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices. + +- Helping to maintain the ownership and control of your enterprise data. + +- Helping control the network and data access and data sharing for apps that aren’t enterprise aware + +### WIP-protection modes +You can set WIP to 1 of 4 protection and management modes: + +|Mode|Description| +|----|-----------| +|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| +|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | +|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| +|Off |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives. | +

    **Note**
    For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. + +## Why use WIP? +WIP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). + +- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. + +- **Manage your enterprise documents, apps, and encryption modes.** + + - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device. + + - **Using allowed apps.** Managed apps (apps that you've included on the Allowed Apps list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. 
Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + + - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your WIP management-mode. + + You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list. + + - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. + + - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media. + + Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document. 
+ + - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your allowed apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your allowed apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. + + - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. + +- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.

    **Note**
    System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. + +## Next steps +After deciding to use WIP in your enterprise, you need to: + +- [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md) \ No newline at end of file diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 61313be105..d74bdf6189 100644 --- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
@@ -216,7 +216,7 @@ The following Windows 10 services are protected with virtualization-based secur - **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory - **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. -- **Other isolated services**: for example, on Windows Server Technical Preview 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers. +- **Other isolated services**: for example, on Windows Server 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers. >**Note:**  Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended.   
@@ -747,7 +747,7 @@ For more information about conditional access, see [Azure Conditional Access Pre
 For on-premises applications there are two options to enable conditional access control based on a device's compliance state:
 - For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](http://go.microsoft.com/fwlink/p/?LinkId=691618) blog post.
-- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server Technical Preview 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
+- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
 ![figure 13](images/hva-fig12-conditionalaccess12.png)
diff --git a/windows/keep-secure/remote-credential-guard.md b/windows/keep-secure/remote-credential-guard.md
new file mode 100644
index 0000000000..ce2fbc59b1
--- /dev/null
+++ b/windows/keep-secure/remote-credential-guard.md
@@ -0,0 +1,103 @@
+---
+title: Protect Remote Desktop credentials with Remote Credential Guard (Windows 10)
+description: Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+# Protect Remote Desktop credentials with Remote Credential Guard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Introduced in Windows 10, version 1607, Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device.
+
+You can use Remote Credential Guard in the following ways:
+
+- Administrator credentials are highly privileged and must be protected. By using Remote Credential Guard to connect, you can be assured that your credentials are not passed over the network to the target device.
+
+- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware.
+
+Use the following diagrams to help understand how Remote Credential Guard works and what it helps protect against.
+
+![Remote Credential Guard](images/remote-credential-guard.png)
+
+## Hardware and software requirements
+
+The Remote Desktop client and server must meet the following requirements in order to use Remote Credential Guard:
+
+- They must be joined to an Active Directory domain
+ - Both devices must either joined to the same domain or the Remote Desktop server must be joined to a domain with a trust relationship to the client device's domain.
+- They must use Kerberos authentication.
+- They must be running at least Windows 10, version 1607 or Windows Server 2016.
+- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard.
+
+
+## Enable Remote Credential Guard
+
+You must enable Remote Credential Guard on the target device by using the registry.
+
+1. Open Registry Editor.
+2. Enable Remote Credential Guard:
+ - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
+ - Add a new DWORD value named **DisableRestrictedAdmin**. Set the value of this registry setting to 0 to turn on Remote Credential Guard.
+3. Close Registry Editor.
+
+You can add this by running the following from an elevated command prompt:
+
+```
+reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
+```
+
+## Using Remote Credential Guard
+
+You can use Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection.
+
+### Turn on Remote Credential Guard by using Group Policy
+
+1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**.
+2. Double-click **Restrict delegation of credentials to remote servers**.
+3. 
In the **Use the following restricted mode** box:
+ - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Require Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.
+
+ > **Note:** Neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
+
+ - If you want to allow Remote Credential Guard, choose **Prefer Remote Credential Guard**.
+4. Click **OK**.
+
+ ![Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
+
+5. Close the Group Policy Management Console.
+
+6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied.
+
+
+### Use Remote Credential Guard with a parameter to Remote Desktop Connection
+
+If you don't use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Remote Credential Guard for that connection.
+
+```
+mstsc.exe /remoteGuard
+```
+
+
+## Considerations when using Remote Credential Guard
+
+- Remote Credential Guard does not include device claims. For example, if you’re trying to access a file server from the remote and the file server requires device claim, access will be denied.
+
+- Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory.
+
+- Remote Desktop Credential Guard only works with the RDP protocol.
+
+- No credentials are sent to the target device, but the target device still acquires the Kerberos Service Tickets on its own.
+
+- Remote Desktop Gateway is not compatible with Remote Credential Guard.
+
+- You cannot used saved credentials or credentials that are different than yours. 
You must use the credentials of the user who is logged into the device.
+
+- Both the client and the server must be joined to the same domain or the domains must have a trust relationship.
+
+- The server and client must authenticate using Kerberos.
\ No newline at end of file
diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md
index 890eaf1d99..42da77aa05 100644
--- a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted.
diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
new file mode 100644
index 0000000000..7403b2750b
--- /dev/null
+++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -0,0 +1,142 @@
+---
+title: Requirements and deployment planning guidelines for Device Guard (Windows 10)
+description: To help you plan a deployment of Microsoft Device Guard, this article describes hardware requirements for Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Requirements and deployment planning guidelines for Device Guard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+This article describes the following:
+
+- [Hardware, firmware, and software requirements for Device Guard](#hardware-firmware-and-software-requirements-for-device-guard)
+ - [Device Guard requirements for baseline protections](#device-guard-requirements-for-baseline-protections)
+ - [Device Guard requirements for improved security](#device-guard-requirements-for-improved-security)
+- [Device Guard deployment in different scenarios: types of devices](#device-guard-deployment-in-different-scenarios-types-of-devices)
+- [Reviewing your applications: application signing and catalog files](#reviewing-your-applications-application-signing-and-catalog-files)
+- [Code integrity policy formats and signing](#code-integrity-policy-formats-and-signing)
+
+The information in this article provides a foundation for [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+
+## Hardware, firmware, and software requirements for Device Guard
+
+To deploy Device Guard in a way that uses all of its virtualization-based security (VBS) features, the computers you are protecting must meet certain hardware, firmware, and software requirements. 
However, computers lacking some of the hardware and firmware requirements will still receive some protection when you deploy code integrity policies—the difference is that those computers will not be as hardened against certain threats.
+
+For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Device Guard, see [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md).
+
+You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
+
+The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
+
+> **Notes**
+> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). 
+> - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
+
+## Device Guard requirements for baseline protections
+
+|Baseline Protections - requirement | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
+| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    - VT-x (Intel) or
    - AMD-V
    And:
    - Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    **Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

    **Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).

    **Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

    **Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
+
+> **Important**  The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
+
+## Device Guard requirements for improved security
+
+The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
+
+### 2015 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
+
+| Protections for Improved Security - requirement | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - BIOS password or stronger authentication must be supported.
    - In the BIOS configuration, BIOS authentication must be set.
    - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    - BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    - Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+
+
    +
+### 2016 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1607, and Windows Server 2016)
+
+> **Important**  The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
+
+| Protections for Improved Security - requirement | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    - Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

    **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    - Enterprises can choose to allow proprietary EFI drivers/applications to run.
    - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+
+
    +
+### 2017 Additional Qualification Requirements for Device Guard (announced as options for future Windows operating systems for 2017)
+
+| Protections for Improved Security - requirement | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **UEFI NX Protections** | **Requirements**:
    - All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.

    UEFI Runtime Services:
    - Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.
    - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
    - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
    - Reduces attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
    - Reduces attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM. |
+
+## Device Guard deployment in different scenarios: types of devices
+
+Typically, deployment of Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Device Guard in your organization.
+
+| **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** |
+|------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------|
+| **Fixed-workload devices**: Perform same tasks every day.
    Lists of approved applications rarely change.
    Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
    After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.

    - Code integrity policies in enforced mode, with UMCI enabled. |
+| **Fully managed devices**: Allowed software is restricted by IT department.
    Users can request additional software, or install from a list of applications provided by IT department.
    Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
    Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.

    - Code integrity policies in enforced mode, with UMCI enabled. |
+| **Lightly managed devices**: Company-owned, but users are free to install software.
    Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.

    - Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. |
+| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A |
+
+## Reviewing your applications: application signing and catalog files
+
+Typically, code integrity policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a “catalog file” from the applications, sign it, and through the signed catalog file, configure the code integrity policy to recognize the applications as signed.
+
+Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your code integrity policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of your code integrity policies (compared to using catalog signing).
+
+To obtain signed applications or embed signatures in your in-house applications, you can choose from a variety of methods:
+
+- Using the Windows Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own.
+
+- Using your own digital certificate or public key infrastructure (PKI). 
ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers.
+
+- Using a non-Microsoft signing authority. ISV's and enterprises can use a trusted non-Microsoft signing authority to sign all of their own Classic Windows applications.
+
+To use catalog signing, you can choose from the following options:
+
+- Use the Device Guard signing portal available in the Windows Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
+
+- Create your own catalog files, which are described in the next section. For information about how creating catalog files fits into Device Guard deployment, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+
+### Catalog files
+
+Catalog files (which you can create in Windows 10 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by code integrity policies in the same way as any other signed application.
+
+Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated each time an application is updated, which requires the catalog file to be updated also. 
+
+After you have created and signed your catalog files, you can configure your code integrity policies to trust the signer or signing certificate of those files.
+
+> **Note**  Package Inspector only works on operating systems that support Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
+
+For information about how creating catalog files fits into Device Guard deployment, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md).
+
+## Code integrity policy formats and signing
+
+When you generate a code integrity policy, you are generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 Enterprise, along with restrictions on Windows 10 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file.
+
+We recommend that you keep the original XML file for use when you need to merge the code integrity policy with another policy or update its rule options. For deployment purposes, the file is converted to a binary format, which can be done using a simple Windows PowerShell command.
+
+When the code integrity policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add additional protection against administrative users changing or removing the policy. 
+
+## Related topics
+
+- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
+- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
+
+
diff --git a/windows/keep-secure/requirements-to-use-applocker.md b/windows/keep-secure/requirements-to-use-applocker.md
index 6389eb2755..60ac319a63 100644
--- a/windows/keep-secure/requirements-to-use-applocker.md
+++ b/windows/keep-secure/requirements-to-use-applocker.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
@@ -32,7 +33,7 @@ The following table show the on which operating systems AppLocker features are s
 | Version | Can be configured | Can be enforced | Available rules | Notes |
 | - | - | - | - | - |
-| Windows 10| Yes| Yes| Packaged apps
    Executable
    Windows Installer
    Script
    DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016 Technical Preview. |
+| Windows 10| Yes| Yes| Packaged apps
    Executable
    Windows Installer
    Script
    DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016. |
 | Windows Server 2012 R2| Yes| Yes| Packaged apps
    Executable
    Windows Installer
    Script
    DLL| |
 | Windows 8.1| Yes| Yes| Packaged apps
    Executable
    Windows Installer
    Script
    DLL| Only the Enterprise edition supports AppLocker|
 | Windows RT 8.1| No| No| N/A||
diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md
index 049625343b..fa2225b9c4 100644
--- a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data.
diff --git a/windows/keep-secure/restrict-access-to-only-trusted-devices.md b/windows/keep-secure/restrict-access-to-only-trusted-devices.md
index d2b47a2dbe..dc34b9ac84 100644
--- a/windows/keep-secure/restrict-access-to-only-trusted-devices.md
+++ b/windows/keep-secure/restrict-access-to-only-trusted-devices.md
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required.
diff --git a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md
index 85d7267abb..57d1bc1e9d 100644
--- a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md
+++ b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group.
diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
index 9e6debeb0f..595d3e6855 100644
--- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md 
@@ -1,7 +1,7 @@ --- -title: Run a scan from the command line in Windows Defender in Windows 10 (Windows 10) -description: IT professionals can run a scan using the command line in Windows Defender in Windows 10. -keywords: scan, command line, mpcmdrun, defender +title: Learn how to run a scan from command line in Windows Defender (Windows 10) +description: Windows Defender utility enables IT professionals to use command line to run antivirus scans. +keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -19,19 +19,19 @@ author: mjcaparas IT professionals can use a command-line utility to run a Windows Defender scan. -The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ +The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_. This utility can be handy when you want to automate the use of Windows Defender. -**To run a full system scan from the command line** +**To run a quick scan from the command line** 1. Click **Start**, type **cmd**, and press **Enter**. 2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**: ``` -C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 2 +C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1 ``` -The full scan will start. When the scan completes, you'll see a message indicating that the scan is finished. +The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished. The utility also provides other commands that you can run: 
@@ -43,12 +43,12 @@ MpCmdRun.exe [command] [-options] Command | Description :---|:--- \- ? / -h | Displays all available options for the tool -\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious softare +\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious software \-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing \-GetFiles | Collects support information \-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures -\-AddDynamicSignature [-Path] | Loads a dyanmic signature +\-AddDynamicSignature [-Path] | Loads a dynamic signature \-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures \-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature -\-EnableIntegrityServices | Enables integrity services -\-SubmitSamples | Submit all sample requests \ No newline at end of file +
    +The command-line utility provides detailed information on the other commands supported by the tool.
diff --git a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md
index fa9c66bfb4..e3cd578183 100644
--- a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md
+++ b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md
@@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 IKEv2 offers the following:
diff --git a/windows/keep-secure/security-considerations-for-applocker.md b/windows/keep-secure/security-considerations-for-applocker.md
index f7c0df0eab..c959f1bfd0 100644
--- a/windows/keep-secure/security-considerations-for-applocker.md
+++ b/windows/keep-secure/security-considerations-for-applocker.md
@@ -40,6 +40,8 @@ AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Window AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules. >**Note:**  Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded. + +You can block the Windows Subsystem for Linux by blocking LxssManager.dll.   ## Related topics 
diff --git a/windows/keep-secure/server-isolation-gpos.md b/windows/keep-secure/server-isolation-gpos.md
index 149730d1a5..e0075d930f 100644
--- a/windows/keep-secure/server-isolation-gpos.md
+++ b/windows/keep-secure/server-isolation-gpos.md
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose.
diff --git a/windows/keep-secure/server-isolation-policy-design-example.md b/windows/keep-secure/server-isolation-policy-design-example.md
index 4d38ed4c99..f6ddc73bf4 100644
--- a/windows/keep-secure/server-isolation-policy-design-example.md
+++ b/windows/keep-secure/server-isolation-policy-design-example.md
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section.
diff --git a/windows/keep-secure/server-isolation-policy-design.md b/windows/keep-secure/server-isolation-policy-design.md
index a2397773da..de45c1b7c7 100644
--- a/windows/keep-secure/server-isolation-policy-design.md
+++ b/windows/keep-secure/server-isolation-policy-design.md 
@@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG).
diff --git a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index fb5e5d5cbf..0000000000
--- a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md
+++ /dev/null 
@@ -1,121 +0,0 @@ ---- -title: Windows Defender ATP service onboarding -description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal. -keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding, manage users, -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: mjcaparas ---- - -# Windows Defender ATP service onboarding - -**Applies to:** - -- Windows 10 Insider Preview Build 14332 or later -- Azure Active Directory -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -You have to assign users to the Windows Defender ATP Service application in Azure Active Directory (AAD) before they can access the portal. - -**Manage user access to the Windows Defender ATP portal**: - -1. When you first go to the [Windows Defender ATP portal](https://securitycenter.windows.com/) and your directory does not - have users assigned to the Windows ATP Service application, you will - be directed to open the [Microsoft Azure Dashboard](https://portal.azure.com) to manage user access. - - > **Note**  In AAD, a directory is essentially a tenant. See the [Azure AD documentation](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx) for more information on how tenants work with AAD. - -2. Ensure you have logged in to Microsoft Azure with an account that - has permissions to assign users to an application in AAD. You might - need to sign out of Microsoft Azure and then sign back in again if - you used a different account to sign in to the Windows Defender ATP - portal: - - a. On the top menu, click the signed-in user’s name. - - b. Click **Sign out**. 
- - ![Azure sign out](images/azure-signout.png) - - c. Go the [Microsoft Azure Dashboard](https://portal.azure.com) again where you will be asked to sign in. - - d. Sign in with the correct user name and password for an account that has permissions to assign users in AAD. - -3. On the **Microsoft Azure Dashboard**, click **Browse** in the navigation pane and then click **Active Directory** to open the [Azure Management Portal](https://manage.windowsazure.com/). - - ![Azure Active Directory menu](images/azure-browse.png) - -4. You might need to open the **Directory** section of the [Azure Management Portal](https://manage.windowsazure.com/) so you can access your directory. There are two ways you can do this: - - a. Click the arrow icon above the list of directories to see the full list of directories in the main area of the portal. - - ![Azure organization menu](images/azure-org-directory.png) - - b. Scroll down in the navigation pane and click **Active Directory**. - - ![Azure active directory](images/azure-active-directory.png) - -5. Click the directory that contains the Windows Defender ATP application. In the following example, the directory is - called **Contoso**. - - ![Azure active directory list](images/azure-active-directory-list.png) - - > **Note**  You can also access your directory by going straight to the [Azure Management Portal](https://manage.windowsazure.com/), clicking Active Directory and then finding your directory in the list. - -6. Click **Applications** from the top menu bar. - - ![Example organization in Azure Active Directory](images/contoso.png) - -7. Click the **Windows ATP Service** application. The dashboard for the application is shown. - - ![Example selected organization in Azure Active Directory](images/contoso-application.png) - - > **Note**  The application might have a slightly different name than the one shown here. It might be called **Windows Defender ATP Service**. - -8. Click **Users** from the top menu bar. 
A list of users that are in the directory is displayed. - - ![Example windows atp service users](images/windows-atp-service.png) - - ![Example user assignment to the windows atp service](images/assign-users.png) - - > **Note**  If you do not normally work with AAD, you might not see any users in the directory, or we might have created a test tenant specifically for a single user’s account. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section for instructions on adding users to a directory. - -9. Select the user you want manage. - -10. Click **Assign**. - -11. Confirm that you want to enable access for the user from the notification bar. If you click **Yes**, the user is given access to the Windows Defender ATP portal. One or more progress bars will appear that indicates the user is being assigned a role, and you will see confirmation messages. You don’t need to do anything with the messages, they will go away after a short period of time. - - ![Confirmation page to enable access to users](images/confirm-user-access.png) - -12. To remove the user's access, click **Remove**. - -13. Select the **Disable access to this app for the selected users** checkbox, and then click **Complete** ![Complete icon](images/check-icon.png). One or more progress bars will appear, followed by confirmation messages. The messages will disappear after a short period. - - ![Remove menu](images/remove-menu.png) - -14. To remove the access for all users, click **Manage access**. If you click **Complete** ![Complete icon](images/check-icon.png), you will not see the Windows ATP Service in the list of applications in your directory. 
- - > **Note**  If you want to give access to users again, see the Manage access for all users in Azure Active Directory topic in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). - -15. You can continue assigning roles for other users in your organization now, or you can return to the Windows Defender ATP portal to complete the service onboarding wizard. - - > **Note**  You need to assign roles for every user in your organization that requires access to the Windows Defender ATP portal. You can assign roles at any time by going to the Azure Management Portal, clicking **Active Directory**, and then finding your directory in the list and following the steps above. - -When you have finished assigning roles, return to the [Windows Defender ATP portal](https://securitycenter.windows.com) and refresh the -page. - -Follow the steps in the onboarding wizard to complete the onboarding process. - -At the end of the wizard, you can download the Group Policy configuration package which you will use to configure endpoints on your network. You can also download the package from the **Client onboarding** menu on the portal after you have completed the onboarding wizard. - -## Related topics -- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
index 81d0358abb..e45619b0a3 100644
--- a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
@@ -14,11 +14,12 @@ author: DulceMV **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - Use the **Settings** menu ![Settings icon](images/settings.png) to configure the time zone, suppression rules, and view license information. ## Time zone settings
@@ -52,7 +53,7 @@ To set the time zone: 3. The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**. ## Suppression rules -The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. See [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts). +The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts). ## License Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.
diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md
index e2187af349..3d16ef00df 100644 
--- a/windows/keep-secure/testing-scenarios-for-edp.md +++ b/windows/keep-secure/testing-scenarios-for-edp.md @@ -1,49 +1,5 @@ --- title: Testing scenarios for enterprise data protection (EDP) (Windows 10) description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. -ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2 -keywords: EDP, Enterprise Data Protection -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: eross-msft ---- - -# Testing scenarios for enterprise data protection (EDP) -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. - -## Testing scenarios -You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization. - -|Scenario |Processes | -|---------|----------| -|Automatically encrypt files from enterprise apps |

    1. Start an unmodified (for example, EDP-unaware) line-of-business app that's on your **Protected Apps** list and then create, edit, write, and save files.
    2. Make sure that all of the files you worked with from the EDP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
    3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon.

      **Note**
      Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.

    | -|Block enterprise data from non-enterprise apps |
    1. Start an app that doesn't appear on your **Protected Apps** list, and then try to open an enterprise-encrypted file.

      The app shouldn't be able to access the file.

    2. Try double-clicking or tapping on the enterprise-encrypted file.

      If your default app association is an app not on your **Protected Apps** list, you should get an **Access Denied** error message.

    | -|Copy and paste from enterprise apps to non-enterprise apps |
    1. Copy (CTRL+C) content from an app on your **Protected Apps** list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your **Protected Apps** list.

      You should see an EDP-related warning box, asking you to click either **Got it** or **Cancel**.

    2. Click **Cancel**.

      The content isn't pasted into the non-enterprise app.

    3. Repeat Step 1, but this time click **Got it**, and try to paste the content again.

      The content is pasted into the non-enterprise app.

    4. Try copying and pasting content between apps on your **Protected Apps** list.

      The content should copy and paste between apps without any warning messages.

    | -|Drag and drop from enterprise apps to non-enterprise apps |
    1. Drag content from an app on your **Protected Apps** list, and then try to drop the content into an app that doesn't appear on your **Protected Apps** list.

      You should see an EDP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.

    2. Click **Cancel**.

      The content isn't dropped into the non-enterprise app.

    3. Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.

      The content is dropped into the non-enterprise app.

    4. Try dragging and dropping content between apps on your **Protected Apps** list.

      The content should move between the apps without any warning messages.

    | -|Share between enterprise apps and non-enterprise apps |
    1. Open an app on your **Protected Apps** list, like Microsoft Photos, and try to share content with an app that doesn't appear on your **Protected Apps** list, like Facebook.

      You should see an EDP-related warning box, asking you to click either **Share Anyway** or **Cancel**.

    2. Click **Cancel**.

      The content isn't shared into Facebook.

    3. Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.

      The content is shared into Facebook.

    4. Try sharing content between apps on your **Protected Apps** list.

      The content should share between the apps without any warning messages.

    | -|Use the **Encrypt to** functionality |
    1. Open File Explorer on the desktop, right-click a decrypted file, and then click **Encrypt to** from the **Encrypt to** menu.

      EDP should encrypt the file to your Enterprise Identity.

    2. Make sure that the newly encrypted file has a **Lock** icon.
    3. In the **Encrypted to** column of File Explorer on the desktop, look for the enterprise ID value.
    4. Right-click the encrypted file, and then click **Not encrypted** from the **Encrypt to** menu.

      The file should be decrypted and the **Lock** icon should disappear.

    | -|Verify that Windows system components can use EDP |
    1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
    2. Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
    3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon
    4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the **Protected Apps** list.

      **Note**
      Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.

      A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your **Protected Apps** list.

    | -|Use EDP on FAT/exFAT systems |
    1. Start an app that uses the FAT or exFAT file system and appears on your **Protected Apps** list.
    2. Create, edit, write, save, and move files.

      Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

    3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
    | -|Use EDP on NTFS systems |
    1. Start an app that uses the NTFS file system and appears on your **Protected Apps** list.
    2. Create, edit, write, save, and move files.

      Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

    3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
    | -|Unenroll client devices from EDP |
    • Unenroll a device from EDP by going to **Settings**, click **Accounts**, click **Work**, click the name of the device you want to unenroll, and then click **Remove**.

      The device should be removed and all of the enterprise content for that managed account should be gone.

      **Important**
      Unenrolling a device revokes and erases all of the enterprise data for the managed account.

    | -|Verify that app content is protected when a Windows 10 Mobile phone is locked |
    • Check that protected app data doesn't appear on the **Lock** screen of a Windows 10 Mobile phone
    | - -  - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/testing-scenarios-for-wip +--- \ No newline at end of file diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md new file mode 100644 index 0000000000..e74a83cfad --- /dev/null +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -0,0 +1,37 @@ +--- +title: Testing scenarios for Windows Information Protection (WIP) (Windows 10) +description: We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. +ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2 +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Testing scenarios for Windows Information Protection (WIP) +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. + +## Testing scenarios +You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization. + +|Scenario |Processes | +|---------|----------| +|Automatically encrypt files from enterprise apps |
    1. Start an unmodified (for example, WIP-unaware) line-of-business app that's on your allowed apps list and then create, edit, write, and save files.
    2. Make sure that all of the files you worked with from the WIP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
    3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon.

      **Note**
      Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.

    | +|Block enterprise data from non-enterprise apps |
    1. Start an app that doesn't appear on your allowed apps list, and then try to open an enterprise-encrypted file.

      The app shouldn't be able to access the file.

    2. Try double-clicking or tapping on the enterprise-encrypted file.

      If your default app association is an app not on your allowed apps list, you should get an **Access Denied** error message.

    | +|Copy and paste from enterprise apps to non-enterprise apps |
    1. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.

      You should see a WIP-related warning box, asking you to click either **Got it** or **Cancel**.

    2. Click **Cancel**.

      The content isn't pasted into the non-enterprise app.

    3. Repeat Step 1, but this time click **Got it**, and try to paste the content again.

      The content is pasted into the non-enterprise app.

    4. Try copying and pasting content between apps on your allowed apps list.

      The content should copy and paste between apps without any warning messages.

    | +|Drag and drop from enterprise apps to non-enterprise apps |
    1. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.

      You should see a WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.

    2. Click **Cancel**.

      The content isn't dropped into the non-enterprise app.

    3. Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.

      The content is dropped into the non-enterprise app.

    4. Try dragging and dropping content between apps on your allowed apps list.

      The content should move between the apps without any warning messages.

    | +|Share between enterprise apps and non-enterprise apps |
    1. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.

      You should see a WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**.

    2. Click **Cancel**.

      The content isn't shared into Facebook.

    3. Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.

      The content is shared into Facebook.

    4. Try sharing content between apps on your allowed apps list.

      The content should share between the apps without any warning messages.

    | +|Use the **Encrypt to** functionality |
    1. Open File Explorer on the desktop, right-click a decrypted file, and then click **Encrypt to** from the **Encrypt to** menu.

      WIP should encrypt the file to your Enterprise Identity.

    2. Make sure that the newly encrypted file has a **Lock** icon.
    3. In the **Encrypted to** column of File Explorer on the desktop, look for the enterprise ID value.
    4. Right-click the encrypted file, and then click **Not encrypted** from the **Encrypt to** menu.

      The file should be decrypted and the **Lock** icon should disappear.

    | +|Verify that Windows system components can use WIP |
    1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
    2. Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
    3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon
    4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

      **Note**
      Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.

      A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.

    | +|Use WIP on FAT/exFAT systems |
    1. Start an app that uses the FAT or exFAT file system and appears on your allowed apps list.
    2. Create, edit, write, save, and move files.

      Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

    3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
    | +|Use WIP on NTFS systems |
    1. Start an app that uses the NTFS file system and appears on your allowed apps list.
    2. Create, edit, write, save, and move files.

      Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

    3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
    | +|Unenroll client devices from WIP |
    • Unenroll a device from WIP by going to **Settings**, click **Accounts**, click **Work**, click the name of the device you want to unenroll, and then click **Remove**.

      The device should be removed and all of the enterprise content for that managed account should be gone.

      **Important**
      Unenrolling a device revokes and erases all of the enterprise data for the managed account.

    | +|Verify that app content is protected when a Windows 10 Mobile phone is locked |
    • Check that protected app data doesn't appear on the **Lock** screen of a Windows 10 Mobile phone
    |
\ No newline at end of file
diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md
index 81b6385faf..0714fff961 100644
--- a/windows/keep-secure/tpm-recommendations.md
+++ b/windows/keep-secure/tpm-recommendations.md
@@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +localizationpriority: high author: brianlic-msft ---
@@ -14,7 +15,7 @@ author: brianlic-msft **Applies to** - Windows 10 - Windows 10 Mobile -- Windows Server 2016 Technical Preview +- Windows Server 2016 - Windows 10 IoT Core (IoT Core) This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
@@ -104,7 +105,7 @@ For end consumers, TPM is behind the scenes but still very relevant for Hello, P - TPM is optional on IoT Core. -### Windows Server 2016 Technical Preview +### Windows Server 2016 - TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 7db942d7ba..2025b51e99 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -7,61 +7,131 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: iaanw +author: mjcaparas --- # Troubleshoot Windows Defender Advanced Threat Protection onboarding issues **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] +You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. +This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints. -You might need to troubleshoot the Windows Defender Advanced Threat Protection onboarding process if you encounter issues. -This page provides detailed steps for troubleshooting endpoints that aren't reporting correctly, and common error codes encountered during onboarding. +If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem. -## Endpoints are not reporting to the service correctly +## Troubleshoot onboarding when deploying with Group Policy +Deployment with Group Policy is done by running the onboarding script on the endpoints. The Group Policy console does not indicate if the deployment has succeeded or not. 
-If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after 20 minutes, it might indicate an endpoint onboarding or connectivity problem. +If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). -Go through the following verification topics to address this issue: +If the script completes successfully, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. -- [Ensure the endpoint is onboarded successfully](#Ensure-that-the-endpoint-is-onboarded-successfully) -- [Ensure the Windows Defender ATP service is enabled](#Ensure-that-the-Windows-Defender-ATP-service-is-enabled) -- [Ensure the telemetry and diagnostics service is enabled](#Ensure-that-telemetry-and-diagnostics-service-is-enabled) -- [Ensure the endpoint has an Internet connection](#Ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection) +## Troubleshoot onboarding issues when deploying with System Center Configuration Manager +When onboarding endpoints using the following versions of System Center Configuration Manager: +- System Center 2012 Configuration Manager +- System Center 2012 R2 Configuration Manager +- System Center Configuration Manager (current branch) version 1511 +- System Center Configuration Manager (current branch) version 1602 -### Ensure the endpoint is onboarded successfully -If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service was successfully onboarded onto the endpoint. 
+Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the endpoints. You can track the deployment in the Configuration Manager Console. -**Check the onboarding state in Registry**: +If the deployment fails, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). -1. Click **Start**, type **Run**, and press **Enter**. +If the onboarding completed successfully but the endpoints are not showing up in the **Machines view** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. -2. From the **Run** dialog box, type **regedit** and press **Enter**. +## Troubleshoot onboarding when deploying with a script on the endpoint -4. In the **Registry Editor** navigate to the Status key under: +**Check the result of the script on the endpoint**: +1. Click **Start**, type **Event Viewer**, and press **Enter**. - ```text -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection -``` +2. Go to **Windows Logs** > **Application**. -5. Check the **OnboardingState** value is set to **1**. +3. Look for an event from **WDATPOnboarding** event source. - ![Image of OnboardingState status in Registry Editor](images/onboardingstate.png) +If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue. +> [!NOTE] +> The following event IDs are specific to the onboarding script only. -If the **OnboardingState** value is not set to **1**, you can use Event Viewer to review errors on the endpoint. 
+Event ID | Error Type | Resolution steps +:---|:---|:--- +5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. +10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
    ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
    Verify that the script was ran as an administrator. +15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). +15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions. +30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). +35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
    ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
    The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). +40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). +65 | Insufficient privileges| Run the script again with administrator privileges. -**Use Event Viewer to identify and adress onboarding errors**: +## Troubleshoot onboarding issues using Microsoft Intune +You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. + +Use the following tables to understand the possible causes of issues while onboarding: + +- Microsoft Intune error codes and OMA-URIs table +- Known issues with non-compliance table +- Mobile Device Management (MDM) event logs table + +If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint Management** section of the portal, and run it in an elevated command prompt. + +**Microsoft Intune error codes and OMA-URIs**: + +Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps +:---|:---|:---|:---|:--- +0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
    Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

    **Troubleshooting steps:**
    Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.

    Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx). + | | | Onboarding
    Offboarding
    SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.

    **Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.

    If it doesn't exist, open an elevated command and add the key. + | | | SenseIsRunning
    OnboardingState
    OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.

    **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).

    Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx). + | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

    Currently is supported platforms: Enterprise, Education, and Professional.
    Server is not supported. + 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

    Currently is supported platforms: Enterprise, Education, and Professional. + +
    +**Known issues with non-compliance** + +The following table provides information on issues with non-compliance and how you can address the issues. + +Case | Symptoms | Possible cause and troubleshooting steps +:---|:---|:--- +1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.

    **Troubleshooting steps:** Wait for OOBE to complete. +2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.

    **Troubleshooting steps:** The issue should automatically be fixed within 24 hours. +3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time. + +
    +**Mobile Device Management (MDM) event logs** + +View the MDM event logs to troubleshoot issues that might arise during onboarding: + +Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider + +Channel name: Admin + +ID | Severity | Event description | Troubleshooting steps +:---|:---|:---|:--- +1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ELAM driver needs to be enabled see, [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions. + +## Troubleshoot onboarding issues on the endpoint +If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: +- [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) +- [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled) +- [Ensure the service is set to start](#ensure-the-service-is-set-to-start) +- [Ensure the endpoint has an Internet connection](#ensure-the-endpoint-has-an-internet-connection) +- [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) + + +### View agent onboarding errors in the endpoint event log 1. Click **Start**, type **Event Viewer**, and press **Enter**. 2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**. - > **Note**  SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. + > [!NOTE] + > SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. 3. 
Select **Operational** to load the log. 
@@ -75,100 +145,16 @@ If the **OnboardingState** value is not set to **1**, you can use Event Viewer t Event ID | Message | Resolution steps :---|:---|:--- -5 | Windows Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). -6 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual). -7 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then [run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual). -15 | Windows Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). - - -### Ensure the Windows Defender ATP service is enabled -If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service is set to automatically start and is running on the endpoint. - -You can use the SC command line program for checking and managing the startup type and running state of the service. - -**Check the Windows Defender ATP service startup type from the command line:** - -1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start**, type **cmd**, and press **Enter**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. 
Enter the following command, and press **Enter**: - - ```text - sc qc sense - ``` - -If the the service is running, then the result should look like the following screenshot: - - ![Result of the sq query sense command](images/sc-query-sense-autostart.png) - -If the service **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start. - -**Change the Windows Defender ATP service startup type from the command line:** - -1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start**, type **cmd**, and press **Enter**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc config sense start=auto - ``` - -3. A success message is displayed. Verify the change by entering the following command and press **Enter**: - - ```text - sc qc sense - ``` - -**Check the Windows Defender ATP service is running from the command line:** - -1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start**, type **cmd**, and press **Enter**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc query sense - ``` - -If the service is running, the result should look like the following screenshot: - -![Result of the sc query sense command](images/sc-query-sense-running.png) - -If the service **STATE** is not set to **RUNNING**, then you'll need to start it. - -**Start the Windows Defender ATP service from the command line:** - -1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start**, type **cmd**, and press **Enter**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc start sense - ``` - -3. A success message is displayed. 
Verify the change by entering the following command and press **Enter**: - - ```text - sc qc sense - ``` +5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). +6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual). +7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again. +15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). +25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. +
    +There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. ### Ensure the telemetry and diagnostics service is enabled -If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service may have been disabled by other programs or user configuration changes. - +If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service might have been disabled by other programs or user configuration changes. First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't). @@ -188,12 +174,11 @@ First, you should check that the service is set to start automatically when Wind sc qc diagtrack ``` -If the service is enabled, then the result should look like the following screenshot: + If the service is enabled, then the result should look like the following screenshot: -![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) - -If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start. + ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) + If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start. **Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:** 
@@ -216,109 +201,13 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the sc qc diagtrack ``` -**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service startup type**: +4. Start the service. -1. Open the services console: - - a. Click **Start** and type **services**. - - b. Press **Enter** to open the console. - -2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**. - -3. Check the **Startup type** column - the service should be set as **Automatic**. - -If the startup type is not set to **Automatic**, you'll need to change it so the service starts when the endpoint does. - - -**Use the Windows Services console to set the Windows 10 telemetry and diagnostics service to automatically start:** - -1. Open the services console: - - a. Click **Start** and type **services**. - - b. Press **Enter** to open the console. - -2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**. - -3. Right-click on the entry and click **Properties**. - -4. On the **General** tab, change the **Startup type:** to **Automatic**, as shown in the following image. Click OK. - - ![Select Automatic to change the startup type in the Properties dialog box for the service](images/windefatp-utc-console-autostart.png) - -### Ensure the service is running - -**Use the command line to check the Windows 10 telemetry and diagnostics service is running**: - -1. Open an elevated command-line prompt on the endpoint: - - a. **Click **Start** and type **cmd**.** - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. 
Enter the following command, and press **Enter**: - - ```text - sc query diagtrack - ``` - -If the service is running, the result should look like the following screenshot: - -![Result of the sc query command for sc query diagtrack](images/windefatp-sc-query-diagtrack.png) - -If the service **STATE** is not set to **RUNNING**, then you'll need to start it. - - -**Use the command line to start the Windows 10 telemetry and diagnostics service:** - -1. Open an elevated command-line prompt on the endpoint: - - a. **Click **Start** and type **cmd**.** - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc start diagtrack - ``` - -3. A success message is displayed. Verify the change by entering the following command, and press **Enter**: - - ```text - sc query diagtrack - ``` - -**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service is running**: - -1. Open the services console: - - a. Click **Start** and type **services**. - - b. Press **Enter** to open the console. - -2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**. - -3. Check the **Status** column - the service should be marked as **Running**. - -If the service is not running, you'll need to start it. - - -**Use the Windows Services console to start the Windows 10 telemetry and diagnostics service:** - -1. Open the services console: - - a. Click **Start** and type **services**. - - b. Press **Enter** to open the console. - -2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**. - -3. Right-click on the entry and click **Start**, as shown in the following image. - -![Select Start to start the service](images/windef-utc-console-start.png) + a. 
In the command prompt, type the following command and press **Enter**: + ```text + sc start diagtrack + ``` ### Ensure the endpoint has an Internet connection
@@ -328,43 +217,103 @@ WinHTTP is independent of the Internet browsing proxy settings and other user co To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic. -If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic. +If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic. - ## Related topics - - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
index 8340e9dcc0..5ed6bf4bc5 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -13,11 +13,12 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. ### Server error - Access is denied due to invalid credentials @@ -39,9 +40,11 @@ U.S. region: - sevillefeedback-prd.trafficmanager.net - sevillesettings-prd.trafficmanager.net - threatintel-cus-prd.cloudapp.net -- threatintel-eus-prd.cloudapp.net - - +- threatintel-eus-prd.cloudapp.net +- winatpauthorization.windows.com +- winatpfeedback.windows.com +- winatpmanagement.windows.com +- winatponboarding.windows.com EU region: @@ -52,7 +55,10 @@ EU region: - sevillesettings-prd.trafficmanager.net - threatintel-neu-prd.cloudapp.net - threatintel-weu-prd.cloudapp.net - +- winatpauthorization.windows.com +- winatpfeedback.windows.com +- winatpmanagement.windows.com +- winatponboarding.windows.com ### Windows Defender ATP service shows event or error logs in the Event Viewer diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md index e60c0f663c..a53f073958 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md +++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md @@ -1013,8 +1013,40 @@ Result code associated with threat status. Standard HRESULT values. Description of the error.
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    - +

    NOTE: +

    Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:

      +
    • Default Internet Explorer or Edge setting
    • +
    • User Access Control settings
    • +
    • Chrome settings
    • +
    • Boot Control Data
    • +
    • Regedit and Task Manager registry settings
    • +
    • Windows Update, Background Intelligent Transfer Service, and Remote Procedure Call service
    • +
    • Windows Operating System files
    +The above context applies to the following client and server versions: + + + + + + + + + + + + + +
    Operating systemOperating system version
    +

    Client Operating System

    +
    +

    Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later

    +
    +

    Server Operating System

    +
    +

    Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016

    +

    + @@ -2663,6 +2695,7 @@ Description of the error. + ## Windows Defender client error codes If Windows Defender experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. This section provides the following information about Windows Defender client errors. diff --git a/windows/keep-secure/trusted-platform-module-overview.md b/windows/keep-secure/trusted-platform-module-overview.md index e7b6e784ff..8b0098f582 100644 --- a/windows/keep-secure/trusted-platform-module-overview.md +++ b/windows/keep-secure/trusted-platform-module-overview.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +localizationpriority: high author: brianlic-msft --- diff --git a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md index 758bffcd66..618894db96 100644 --- a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md @@ -13,7 +13,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md index e81dff792a..088acf33fa 100644 --- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md +++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md 
@@ -23,7 +23,8 @@ For a list of the cmdlets and their functions and available parameters, see the PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. -> **Note:**  PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367). +> [!NOTE] +> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367). PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_. @@ -32,7 +33,8 @@ PowerShell is typically installed under the folder _%SystemRoot%\system32\Window 1. Click **Start**, type **powershell**, and press **Enter**. 2. Click **Windows PowerShell** to open the interface. - > **Note:**  You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. + > [!NOTE] + > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. 3. Enter the command and parameters. To open online help for any of the cmdlets type the following: 
@@ -41,3 +43,7 @@ To open online help for any of the cmdlets type the following: Get-Help -Online ``` Omit the `-online` parameter to get locally cached help. + +## Related topics + +- [Windows Defender in Windows 10](windows-defender-in-windows-10.md) \ No newline at end of file diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md index 717abdaec8..cadbd4c872 100644 --- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md @@ -14,11 +14,12 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - A typical security breach investigation requires a member of a security operations team to: 1. View an alert on the **Dashboard** or **Alerts queue** 
@@ -41,6 +42,6 @@ Topic | Description
 [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
 [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
 [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
-[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external internet protocol (IP) addresses.
+[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses.
 [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
 [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
index e2e57dd1bd..3aabc0a07e 100644
--- a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 ## Group Policy settings
 There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings).
diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md
index 32edfe0160..66f1abdc16 100644
--- a/windows/keep-secure/user-account-control-overview.md
+++ b/windows/keep-secure/user-account-control-overview.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: operate
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
@@ -13,7 +14,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
diff --git a/windows/keep-secure/verify-that-network-traffic-is-authenticated.md b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md
index 44e4ba7803..03fcc34124 100644
--- a/windows/keep-secure/verify-that-network-traffic-is-authenticated.md
+++ b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot.
diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/keep-secure/vpn-profile-options.md
index 77c548ec2a..ef04831e0b 100644
--- a/windows/keep-secure/vpn-profile-options.md
+++ b/windows/keep-secure/vpn-profile-options.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerMS
+localizationpriority: medium
 ---
 # VPN profile options
@@ -51,10 +52,16 @@ A VPN profile configured with LockDown secures the device to only allow network - Only one VPN LockDown profile is allowed on a device. > **Note:**  For inbox VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) tunnel type.   +## Learn about VPN and the Conditional Access Framework in Azure Active Directory + +- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/) +- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2/) +- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3/) +- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/) + ## Learn more -[VPNv2 configuration service provider (CSP) reference](http://go.microsoft.com/fwlink/p/?LinkId=617588) +- [Learn how to configure VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune) +- [VPNv2 configuration service provider (CSP) reference](http://go.microsoft.com/fwlink/p/?LinkId=617588) +- [How to Create VPN Profiles in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=618028) -[How to Create VPN Profiles in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=618028) - -[Help users connect to their work using VPN profiles with Microsoft 
Intune](http://go.microsoft.com/fwlink/p/?LinkId=618029)
diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md
index 21d3ce97d3..b9bb671c49 100644
--- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md
+++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md
@@ -1,13 +1,14 @@
 ---
 title: Why a PIN is better than a password (Windows 10)
-description: Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .
+description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .
 ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212
-keywords: pin, security, password
+keywords: pin, security, password, hello
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerMS
+localizationpriority: high
 ---
 # Why a PIN is better than a password
@@ -16,36 +17,36 @@ author: jdeckerMS - Windows 10 - Windows 10 Mobile -Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? -On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Passport PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works. +Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? +On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works. ## PIN is tied to the device -One important difference between a password and a Passport PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! +One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! -Even you can't use that PIN anywhere except on that specific device. 
If you want to sign in on multiple devices, you have to set up Passport on each device. +Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device. ## PIN is local to the device A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. -> **Note:**  For details on how Passport uses asymetric key pairs for authentication, see [Microsoft Passport guide](http://go.microsoft.com/fwlink/p/?LinkId=691928). +> **Note:**  For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](http://go.microsoft.com/fwlink/p/?LinkId=691928).   ## PIN is backed by hardware -The Passport PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM. +The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM. 
-User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Microsoft Passport uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. +User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked. ## PIN can be complex -The Passport PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits. +The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits. ## What if someone steals the laptop or phone? 
-To compromise a Microsoft Passport credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. +To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins. **Configure BitLocker without TPM** 
@@ -62,14 +63,14 @@ You can provide additional protection for laptops that don't have TPM by enablng 2. Set the number of invalid logon attempts to allow, and then click OK. -## Why do you need a PIN to use Windows Hello? -Windows Hello is the biometric sign-in for Microsoft Passport in Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using Passport when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. +## Why do you need a PIN to use biometrics? +Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. -If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account name and password, which doesn't provide you the same level of protection as Passport. +If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello. ## Related topics [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) -[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)   \ No newline at end of file 
diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md
index 30f130d499..a5c487491c 100644
--- a/windows/keep-secure/windows-10-enterprise-security-guides.md
+++ b/windows/keep-secure/windows-10-enterprise-security-guides.md
@@ -1,6 +1,6 @@
 ---
 title: Enterprise security guides (Windows 10)
-description: Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides.
+description: Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides.
 ms.assetid: 57134f84-bd4b-4b1d-b663-4a2d36f5a7f8
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -14,7 +14,7 @@ author: challum
 ## Purpose
-Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides.
+Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides.
 ## In this section
@@ -34,10 +34,6 @@ Get proven guidance to help you better secure and protect your enterprise by usi

    [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)

    This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices.

    - -

    [Device Guard deployment guide](device-guard-deployment-guide.md)

    -

    Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. Windows 10 employs Device Guard as well as code integrity and advanced hardware features such as CPU virtualization extensions, Trusted Platform Module, and second-level address translation to offer comprehensive modern security to its users. This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them.

    -

    [Microsoft Passport guide](microsoft-passport-guide.md)

    This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout.

    diff --git a/windows/keep-secure/windows-10-mobile-security-guide.md b/windows/keep-secure/windows-10-mobile-security-guide.md index 16389caf95..0cb9c52700 100644 --- a/windows/keep-secure/windows-10-mobile-security-guide.md +++ b/windows/keep-secure/windows-10-mobile-security-guide.md @@ -166,7 +166,7 @@ Table 2. Windows 10 cryptography policies   -For a complete list of policies available, see [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=733963). +For a complete list of policies available, see [Policy CSP](https://technet.microsoft.com/library/dn904962.aspx). ### Enterprise data protection @@ -174,7 +174,7 @@ Enterprises have seen huge growth in the convergence of personal and corporate d One growing risk is authorized users’ accidental disclosure of sensitive data—a risk that is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. One example is common among organizations: an employee connects his or her personal phone to the company’s Microsoft Exchange Server instance for email. He or she uses the phone to work on email that includes attachments with sensitive data. When sending the email, the user accidentally copies a supplier. Content protection is only as strong as the weakest link, and in this example, the unintended sharing of sensitive data with unauthorized people might not have been prevented with standard data encryption. -In Windows 10 Mobile, enterprise data protection (EDP) helps separate personal and enterprise data and prevent data leakage. Key features include its ability to: +In Windows 10 Mobile, Windows Information Protection (WIP) helps separate personal and enterprise data and prevent data leakage. Key features include its ability to: - Automatically tag personal and corporate data. - Protect data while it’s at rest on local or removable storage. 
@@ -182,21 +182,21 @@ In Windows 10 Mobile, enterprise data protection (EDP) helps separate personal - Control which apps can access a virtual private network (VPN) connection. - Prevent users from copying corporate data to public locations. -> **Note:**  EDP is currently being tested in select customer evaluation programs. For more information about EDP, see [Enterprise data protection overview](../whats-new/edp-whats-new-overview.md). +> **Note:** WIP is currently being tested in select customer evaluation programs. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip).   ### Enlightenment -Third-party data loss protection solutions usually require developers to wrap their apps. In contrast, EDP puts the intelligence in Windows 10 Mobile so that it doesn’t require wrappers. As a result, most apps require nothing extra to work with EDP. +Third-party data loss protection solutions usually require developers to wrap their apps. In contrast, WIP puts the intelligence in Windows 10 Mobile so that it doesn’t require wrappers. As a result, most apps require nothing extra to work with WIP. -EDP can enforce policy without the need for an app to change. This means that an app that always handles business data (such as an LOB app) can be added to the allowed list and will always encrypt all data that it handles. However, if the app does not use common controls, cut and paste operations from this app to a non-enterprise app will silently fail. In addition, if the app needs to handle personal data, this data will also be encrypted. -Therefore, to improve the user experience, in some cases, developers should enlighten their apps by adding code to and compiling them to use the EDP application programming interfaces. Those cases include apps that: +WIP can enforce policy without the need for an app to change. 
This means that an app that always handles business data (such as an LOB app) can be added to the allowed list and will always encrypt all data that it handles. However, if the app does not use common controls, cut and paste operations from this app to a non-enterprise app will silently fail. In addition, if the app needs to handle personal data, this data will also be encrypted.
+Therefore, to improve the user experience, in some cases, developers should enlighten their apps by adding code to and compiling them to use the WIP application programming interfaces. Those cases include apps that:
 - Don’t use common controls for saving files.
 - Don’t use common controls for text boxes.
 - Work on personal and enterprise data simultaneously (for example, contact apps that display personal and enterprise data in a single view; a browser that displays personal and enterprise web pages on tabs within a single instance).
-Figure 1 summarizes when an app might require enlightenment to work with EDP. Microsoft Word is a good example. Not only can Word access personal and enterprise data simultaneously, but it can also transmit enterprise data (for example, email attachments containing enterprise data).
+Figure 1 summarizes when an app might require enlightenment to work with WIP. Microsoft Word is a good example. Not only can Word access personal and enterprise data simultaneously, but it can also transmit enterprise data (for example, email attachments containing enterprise data).
-In any case, most apps don’t require enlightenment for them to use EDP protection. Simply adding them to the EDP allow list is all you must do. Because unenlightened apps cannot automatically tag data as personal or enterprise, if they are in an EDP policy, they treat all data as enterprise data. An LOB app is a good example. Adding an LOB app to an EDP policy protects all data that the app handles. Another example is a legacy app that cannot be updated, which you can add to an EDP policy and use without even being aware that EDP exists.
+In any case, most apps don’t require enlightenment for them to use WIP protection. Simply adding them to the WIP allow list is all you must do. Because unenlightened apps cannot automatically tag data as personal or enterprise, if they are in a WIP policy, they treat all data as enterprise data. An LOB app is a good example. Adding an LOB app to a WIP policy protects all data that the app handles. Another example is a legacy app that cannot be updated, which you can add to a WIP policy and use without even being aware that WIP exists.
 ![figure 1](images/mobile-security-guide-fig1.png)
@@ -204,32 +204,32 @@ Figure 1. When is enlightenment required?
 ### Data leakage control
-To configure EDP in an MDM solution that supports it, add authorized apps to the EDP allow list. When a device running Windows 10 Mobile enrolls in the MDM solution, apps that this policy doesn’t authorize won’t have access to enterprise data.
+To configure WIP in an MDM solution that supports it, add authorized apps to the WIP allow list. When a device running Windows 10 Mobile enrolls in the MDM solution, apps that this policy doesn’t authorize won’t have access to enterprise data.
-EDP works seamlessly until users try to access enterprise data with or try to paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but EDP blocks users from copying enterprise data from an authorized app to an unauthorized app. Likewise, EDP blocks users from using an unauthorized app to open a file that contains enterprise data.
-In addition, users cannot copy and paste data from authorized apps to unauthorized apps or locations on the Web without triggering one of the EDP protection levels:
-- **Block.** EDP blocks users from completing the operation.
-- **Override.** EDP notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log.
-- **Audit.** EDP does not block or notify users but logs the operation in the audit log.
-- **Off.** EDP does not block or notify users and does not log operations in the audit log.
+WIP works seamlessly until users try to access enterprise data with or try to paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but WIP blocks users from copying enterprise data from an authorized app to an unauthorized app. Likewise, WIP blocks users from using an unauthorized app to open a file that contains enterprise data.
+In addition, users cannot copy and paste data from authorized apps to unauthorized apps or locations on the Web without triggering one of the WIP protection levels:
+- **Block.** WIP blocks users from completing the operation.
+- **Override.** WIP notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log.
+- **Audit.** WIP does not block or notify users but logs the operation in the audit log.
+- **Off.** WIP does not block or notify users and does not log operations in the audit log.
 ### Data separation
 As the name suggests, data separation separates personal from enterprise data. Most third-party solutions require an app wrapper, and from here, enterprise data goes in a container while personal data is outside the container. Often, people must use two different apps for the same purpose: one for personal data and another for enterprise data.
-EDP provides the same data separation but neither uses containers nor requires a special version of an app to access business data, and then a second instance of it to access personal data. There are no containers, partitions, or special folders to physically separate personal and business data. Instead, Windows 10 Mobile is the access control broker, identifying enterprise data because it’s encrypted to the enterprise. Therefore, EDP provides data separation by virtue of encrypting enterprise data.
+WIP provides the same data separation but neither uses containers nor requires a special version of an app to access business data, and then a second instance of it to access personal data. There are no containers, partitions, or special folders to physically separate personal and business data. Instead, Windows 10 Mobile is the access control broker, identifying enterprise data because it’s encrypted to the enterprise. Therefore, WIP provides data separation by virtue of encrypting enterprise data.
 ### Visual cues
-In Windows 10 Mobile, visual cues indicate the status of EDP to users (see Figure 2):
+In Windows 10 Mobile, visual cues indicate the status of WIP to users (see Figure 2):
-- **Start screen.** On the Start screen, apps that an EDP policy manages display a visual cue.
+- **Start screen.** On the Start screen, apps that a WIP policy manages display a visual cue.
 - **Files.** In File Explorer, a visual cue indicates whether a file or folder contains enterprise data and is therefore encrypted.
-For example, Erwin is an employee at Fabrikam. He opens Microsoft Edge from the Start screen and sees that the tile indicates that an EDP policy manages the browser. Erwin opens the Fabrikam sales website and downloads a spreadsheet. In File Explorer, Erwin sees that the file he downloaded has a visual cue which indicates that it’s encrypted and contains enterprise data. When Erwin tries to paste data from that spreadsheet into an app that no EDP policy manages (for example, his Twitter app), Erwin might see a message that allows him to override protection while logging the action, depending on the protection level configured in the EDP policy.
+For example, Erwin is an employee at Fabrikam. He opens Microsoft Edge from the Start screen and sees that the tile indicates that a WIP policy manages the browser. Erwin opens the Fabrikam sales website and downloads a spreadsheet. In File Explorer, Erwin sees that the file he downloaded has a visual cue which indicates that it’s encrypted and contains enterprise data. When Erwin tries to paste data from that spreadsheet into an app that no WIP policy manages (for example, his Twitter app), Erwin might see a message that allows him to override protection while logging the action, depending on the protection level configured in the WIP policy.
 ![figure 2](images/mobile-security-guide-fig2.png)
-Figure 2. Visual cues in EDP
+Figure 2. Visual cues in WIP
 ## Malware resistance
diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md
index bb757267bb..6a822ec11e 100644
--- a/windows/keep-secure/windows-10-security-guide.md
+++ b/windows/keep-secure/windows-10-security-guide.md
@@ -7,6 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: challum
 ---
@@ -334,7 +335,7 @@ The sections that follow describe these improvements in more detail.
 **SMB hardening improvements for SYSVOL and NETLOGON connections**
-In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos).
+In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos).
 - **What value does this change add?** This change reduces the likelihood of man-in-the-middle attacks.
 - **What works differently?**
@@ -634,7 +635,7 @@ With Protected Processes, Windows 10 prevents untrusted processes from interact
 ## Secure the Windows desktop
-Windows 10 includes critical improvements to the Windows core and the desktop environment, where attacks and malware most frequently enter. The desktop environment is now more resistant to malware thanks to significant improvements to Windows Defender and SmartScreen Filters. Internet browsing is a safer experience because of Microsoft Edge, a completely new browser. The Windows Store reduces the likelihood that malware will infect devices by ensuring that all applications that enter the Windows Store ecosystem have been thoroughly reviewed before being made available. Universal Windows applications are inherently more secure than typical applications because they are sandboxed. Sandboxing restricts the application’s risk of being compromised or tampered with in a way that would put the system, data, and other applications at risk.
+Windows 10 includes critical improvements to the Windows core and the desktop environment, where attacks and malware most frequently enter. The desktop environment is now more resistant to malware thanks to significant improvements to Windows Defender and SmartScreen Filters. Internet browsing is a safer experience because of Microsoft Edge, a completely new browser. The Windows Store reduces the likelihood that malware will infect devices by ensuring that all applications that enter the Windows Store ecosystem have been thoroughly reviewed before being made available. Universal Windows apps are inherently more secure than typical applications because they are sandboxed. Sandboxing restricts the application’s risk of being compromised or tampered with in a way that would put the system, data, and other applications at risk.
 The sections that follow describe Windows 10 improvements to application security in more detail.
 **Microsoft Edge and Internet Explorer 11**
diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md
index bae239bf1c..108dd74507 100644
--- a/windows/keep-secure/windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ author: mjcaparas
 **Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
+Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
 Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
@@ -63,7 +64,7 @@ detect sophisticated cyber-attacks, providing:
 - Behavior-based, cloud-powered, advanced attack detection
- Finds the attacks that made it past all other defenses (post breach detection),provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.
+ Finds the attacks that made it past all other defenses (post breach detection), provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.
 - Rich timeline for forensic investigation and mitigation
@@ -78,10 +79,12 @@ detect sophisticated cyber-attacks, providing:
 Topic | Description
 :---|:---
 [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | This overview topic for IT professionals provides information on the minimum requirements to use Windows Defender ATP such as network and data storage configuration, and endpoint hardware and software requirements, and deployment channels.
-[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints.
 [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)| Learn about how Windows Defender ATP collects and handles information and where data is stored.
+[Assign user access to the Windows Defender ATP portal](assign-portal-access-windows-defender-advanced-threat-protection.md)| Before users can access the portal, they'll need to be granted specific roles in Azure Active Directory.
+[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints.
 [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the main features of the service and how it leverages Microsoft technology to protect enterprise endpoints from sophisticated cyber attacks.
 [Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise.
 [Windows Defender Advanced Threat Protection settings](settings-windows-defender-advanced-threat-protection.md) | Learn about setting the time zone and configuring the suppression rules to configure the service to your requirements.
 [Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
 [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
+[Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP.
diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md
new file mode 100644
index 0000000000..71894a0846
--- /dev/null
+++ b/windows/keep-secure/windows-defender-block-at-first-sight.md
@@ -0,0 +1,113 @@
+---
+title: Enable the Block at First Sight feature to detect malware within seconds
+description: In Windows 10 the Block at First Sight feature determines and blocks new malware variants in seconds. You can enable the feature with Group Policy.
+keywords: scan, BAFS, malware, first seen, first sight, cloud, MAPS, defender
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: iaanw
+---
+
+# Enable the Block at First Sight feature in Windows 10
+
+**Applies to**
+
+- Windows 10, version 1607
+
+Block at First Sight is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds.
+
+You can enable Block at First Sight with Group Policy or individually on endpoints.
+
+## Backend processing and near-instant determinations
+
+When a Windows Defender client encounters a suspicious but previously undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
+
+If the cloud backend is unable to make a determination, a copy of the file is requested for additional processing and analysis in the cloud.
+
+If the Block at First Sight feature is enabled on the client, the file will be locked by Windows Defender while a copy is uploaded to the cloud, processed, and a verdict returned to the client. Only after a determination is returned from the cloud will Windows Defender release the lock and let the file run.
+
+The file-based determination typically takes 1 to 4 seconds.
+
+> [!NOTE]
+> Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files.
+
+
+## Enable Block at First Sight
+
+### Use Group Policy to configure Block at First Sight
+
+You can use Group Policy to control whether Windows Defender will continue to lock a suspicious file until it is uploaded to the backend.
+
+This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device.
+
+Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work.
+
+**Configure pre-requisite cloud protection Group Policy settings:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following Group Policies:
+
+ 1. Double-click the **Join Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**.
+
+ 1. Double-click the **Send file samples when further analysis is required** setting and set the option as **Enabled** and the additional options as either of the following:
+
+ 1. Send safe samples (1)
+
+ 1. Send all samples (3)
+
+ > [!NOTE]
+ > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
+
+ 1. Click OK after both Group Policies have been set.
+
+1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection**:
+
+ 1. Double-click the **Scan all downloaded files and attachments** setting and set the option to **Enabled**. Click **OK**.
+
+ 1. Double-click the **Turn off real-time protection** setting and set the option to **Disabled**. Click **OK**.
+
+
+
+**Enable Block at First Sight with Group Policy**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree through **Windows components > Windows Defender > MAPS**.
+
+1. Double-click the **Configure the ‘Block at First Sight’ feature** setting and set the option to **Enabled**.
+
+ > [!NOTE]
+ > The Block at First Sight feature will not function if the pre-requisite group policies have not been correctly set.
+
+### Manually enable Block at First Sight on individual clients
+
+To configure un-managed clients that are running Windows 10, Block at First Sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
+
+**Enable Block at First Sight on individual clients**
+
+1. Open Windows Defender settings:
+
+ a. Open the Windows Defender app and click **Settings**.
+
+ b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender**.
+
+2. Switch **Cloud-based Protection** and **Automatic sample submission** to **On**.
+
+> [!NOTE]
+> These settings will be overridden if the network administrator has configured their associated Group Policies. The settings will appear grayed out and you will not be able to modify them if they are being managed by Group Policy.
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
diff --git a/windows/keep-secure/windows-defender-enhanced-notifications.md b/windows/keep-secure/windows-defender-enhanced-notifications.md
new file mode 100644
index 0000000000..e7ce19cd26
--- /dev/null
+++ b/windows/keep-secure/windows-defender-enhanced-notifications.md
@@ -0,0 +1,43 @@
+---
+title: Configure enhanced notifications for Windows Defender
+description: In Windows 10, you can enable advanced notifications for endpoints throughout your enterprise network.
+keywords: notifications, defender, endpoint, management, admin
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: iaanw
+---
+
+# Configure enhanced notifications for Windows Defender in Windows 10
+
+**Applies to:**
+
+- Windows 10, version 1607
+
+In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise.
+
+Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals.
+
+You can enable and disable enhanced notifications with the registry or in Windows Settings.
+
+## Configure enhanced notifications
+
+You can disable enhanced notifications on individual endpoints in Windows Settings.
+
+**Use Windows Settings to disable enhanced notifications on individual endpoints**
+
+1. Open the **Start** menu and click or type **Settings**.
+
+1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Enhanced notifications** section.
+
+1. Toggle the setting between **On** and **Off**.
+
+![Windows Defender enhanced notifications](images/defender/enhanced-notifications.png)
+
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md
index 0f5d4d28f0..e052d1a3bb 100644
--- a/windows/keep-secure/windows-defender-in-windows-10.md
+++ b/windows/keep-secure/windows-defender-in-windows-10.md
@@ -31,6 +31,23 @@ Windows Defender provides the most protection when cloud-based protection is ena
 - Reports and report management
 When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
+
+
+### Compatibility with Windows Defender Advanced Threat Protection
+
+Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
+
+See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
+
+If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode.
+
+In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware.
+
+You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+
+
 ### Minimum system requirements
@@ -48,37 +65,14 @@ For more information about what's new in Windows Defender in Windows 10, see [W ## In this section - ---- - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)

    IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Active Directory or WSUS, apply updates to endpoints, and manage scans using:

    -
      -
    • Group Policy Settings
    • -
    • Windows Management Instrumentation (WMI)
    • -
    • PowerShell
    • -

    [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)

    IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Active Directory and WSUS.

    [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)

    IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.

    -  -  -
+Topic | Description
+:---|:---
+[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans.
+[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services.
+[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media.
+[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10.
+[Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud.
+[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal.
+[Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)|Use the command-line utility to run a Windows Defender scan.
+[Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md)|Use the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions.
diff --git a/windows/keep-secure/windows-defender-offline.md b/windows/keep-secure/windows-defender-offline.md new file mode 100644 index 0000000000..bdd1e45d8b --- /dev/null +++ b/windows/keep-secure/windows-defender-offline.md 
@@ -0,0 +1,181 @@
+---
+title: Windows Defender Offline in Windows 10
+description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network.
+keywords: scan, defender, offline
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: iaanw
+---
+
+# Windows Defender Offline in Windows 10
+
+**Applies to:**
+
+- Windows 10, version 1607
+
+Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
+
+In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
+
+## Pre-requisites and requirements
+
+Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
+
+For more information about Windows 10 requirements, see the following topics:
+
+- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
+
+- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
+
+> [!NOTE]
+> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
+
+To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
+
+## Windows Defender Offline updates
+
+Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+> [!NOTE]
+> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic.
+
+## Usage scenarios
+
+In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints.
+
+The prompt can occur via a notification, similar to the following:
+
+![Windows notification showing the requirement to run Windows Defender Offline](images/defender/notification.png)
+
+The user will also be notified within the Windows Defender client:
+
+![Windows Defender showing the requirement to run Windows Defender Offline](images/defender/client.png)
+
+In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
+
+![System Center Configuration Manager indicating a Windows Defender Offline scan is required](images/defender/sccm-wdo.png)
+
+## Manage notifications
+
+
+You can suppress Windows Defender Offline notifications with Group Policy.
+
+> [!NOTE]
+> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required.
+
+**Use Group Policy to suppress Windows Defender notifications:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender > Client Interface**.
+
+1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
+
+## Configure Windows Defender Offline settings
+
+You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications.
+
+For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics:
+
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
+
+- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx)
+
+For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic.
+
+## Run a scan
+
+Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings.
+
+> [!NOTE]
+> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete.
+
+You can set up a Windows Defender Offline scan with the following:
+
+- Windows Update and Security settings
+
+- Windows Defender
+
+- Windows Management Instrumentation
+
+- Windows PowerShell
+
+- Group Policy
+
+> [!NOTE]
+> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
+
+**Run Windows Defender Offline from Windows Settings:**
+
+1. Open the **Start** menu and click or type **Settings**.
+
+1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section.
+
+1. Click **Scan offline**.
+
+  ![Windows Defender Offline setting](images/defender/settings-wdo.png)
+
+1. 
Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
+
+**Run Windows Defender Offline from Windows Defender:**
+
+1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
+
+1. On the **Home** tab click **Download and Run**.
+
+  ![Windows Defender home tab showing the Download and run button](images/defender/download-wdo.png)
+
+1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
+
+
+**Use Windows Management Instrumentation to configure and run Windows Defender Offline:**
+
+Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan.
+
+The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
+
+```WMI
+wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
+```
+
+For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics:
+
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
+
+- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx)
+
+**Run Windows Defender Offline using PowerShell:**
+
+Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan.
+
+For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic.
+
+## Review scan results
+
+Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan.
+
+1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
+
+1. Go to the **History** tab.
+
+1. Select **All detected items**.
+
+1. Click **View details**.
+
+Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**:
+
+![Windows Defender detection source showing as Offline](images/defender/detection-source.png)
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index 23f9e3d1c0..c70e57a4b1 100644
--- a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -12,7 +12,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows.
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md
index 5dabaedf02..9cfe29f6c0 100644
--- a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md
+++ b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 You can use the Windows Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network.
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md
index acc229bd6a..47830f44c9 100644
--- a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md
+++ b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md
@@ -13,7 +13,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 Windows Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Firewall with Advanced Security supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices.
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security.md b/windows/keep-secure/windows-firewall-with-advanced-security.md
index 51c6967315..4433aaf633 100644
--- a/windows/keep-secure/windows-firewall-with-advanced-security.md
+++ b/windows/keep-secure/windows-firewall-with-advanced-security.md
@@ -12,7 +12,7 @@ author: brianlic-msft
 **Applies to**
 - Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
 This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md
index 40a4efa80a..9907572763 100644
--- a/windows/keep-secure/windows-hello-in-enterprise.md
+++ b/windows/keep-secure/windows-hello-in-enterprise.md
@@ -7,7 +7,8 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-author: eross-msft
+author: jdeckerMS
+localizationpriority: high
 ---
 
 # Windows Hello biometrics in the enterprise
@@ -17,21 +18,23 @@ author: eross-msft Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. +> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. ##How does Windows Hello work? -Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Microsoft Passport credentials. +Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. -The Windows Hello authenticator works with Microsoft Passport to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. 
If multiple employees share a device, each employee will use his or her own biometric data on the device. +The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. ## Why should I let my employees use Windows Hello? Windows Hello provides many benefits, including: -- Combined with Microsoft Passport, it helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge. +- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge. - Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords! -- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
    For more info about the available Group Policies and MDM CSPs, see the [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) topic. +- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
    For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic. ## Where is Microsoft Hello data stored? The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor. @@ -72,8 +75,8 @@ To allow facial recognition, you must have devices with integrated special infra - Effective, real world FRR with Anti-spoofing or liveness detection: <10% ## Related topics -- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) -- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +- [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) +- [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) - [Microsoft Passport guide](microsoft-passport-guide.md) - [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) - [PassportforWork CSP](http://go.microsoft.com/fwlink/p/?LinkId=708219) diff --git a/windows/keep-secure/windows-security-baselines.md b/windows/keep-secure/windows-security-baselines.md index d9f379c2a6..f0db2dc596 100644 --- a/windows/keep-secure/windows-security-baselines.md +++ b/windows/keep-secure/windows-security-baselines.md 
@@ -5,6 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
@@ -12,7 +13,10 @@ author: brianlic-msft
 Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
-We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
+We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
+
+ > [!NOTE]
+ > Microsoft Security Compliance Manager 4.0 is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53353).
 ## What are security baselines?
@@ -31,18 +35,19 @@ In modern organizations, the security threat landscape is constantly evolving. I
 To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
- ## How can you use security baselines?
+## How can you use security baselines?
 You can use security baselines to:
 - Ensure that user and device configuration settings are compliant with the baseline.
 - Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
- ## Where can I get the security baselines?
+## Where can I get the security baselines?
 Here's a list of security baselines that are currently available.
- > **Note:** If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
+ > [!NOTE]
+ > If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
 ### Windows 10 security baselines
diff --git a/windows/keep-secure/wip-enterprise-overview.md b/windows/keep-secure/wip-enterprise-overview.md
new file mode 100644
index 0000000000..241479661a
--- /dev/null
+++ b/windows/keep-secure/wip-enterprise-overview.md
@@ -0,0 +1,78 @@
+---
+title: Windows Information Protection overview (Windows 10)
+description: Conceptual info about Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP).
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+---
+
+# Windows Information Protection (WIP) overview
+
+**Applies to:**
+
+- Windows 10
+- Windows 10 Mobile
+
+With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
+
+Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
+
+
+## Benefits of WIP
+
+WIP provides:
+- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
+
+- Additional data protection for existing line-of-business apps without a need to update the apps.
+
+- Ability to wipe corporate data from devices while leaving personal data alone.
+
+- Use of audit reports for tracking issues and remedial actions.
+
+- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager 2016, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company.
+
+## Enterprise scenarios
+WIP currently addresses these enterprise scenarios:
+- You can encrypt enterprise data on employee-owned and corporate-owned devices.
+
+- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
+
+- You can select specific apps that can access enterprise data, called "allowed apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data.
+
+- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
+
+## Why use WIP?
+WIP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
+
+- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
+
+- **Manage your enterprise documents, apps, and encryption modes.**
+
+  - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an WIP-protected device, WIP encrypts the data on the device.
+
+  - **Using allowed apps.** Managed apps (apps that you've included on the allowed apps list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+
+  - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your WIP management-mode.
+
+  You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in your protected apps list.
+
+  - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list.
+
+  - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
+
+  Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document.
+
+  - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
+
+  - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
+
+  - **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
+
+## Turn off WIP
+
+You can turn off all Windows Information Protection and restrictions, reverting to where you were pre-WIP, with no data loss. However, turning off WIP isn't recommended. If you choose to turn it off, you can always turn it back on, but WIP won't retain your decryption and policies info.
+
+## Related topics
+- [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-edp.md)
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index 4c43c597ce..b46f78d870 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -1,22 +1,28 @@
 # [Manage and update Windows 10](index.md)
-## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
 ## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
 ## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
 ## [Manage corporate devices](manage-corporate-devices.md)
+### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
+### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
 ### [New policies for Windows 10](new-policies-for-windows-10.md)
 ### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
 ### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
 ### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
 ### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md)
-## [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
+## [Windows Spotlight on the lock screen](windows-spotlight.md)
+## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
 ### [Customize and export Start layout](customize-and-export-start-layout.md)
-### [Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-### [Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+### [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
 ### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
 ## [Lock down Windows 10](lock-down-windows-10.md)
+### [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)
+### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
 ### [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
 #### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
 #### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
+#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
 ### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
 ### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
 ### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
@@ -30,8 +36,134 @@
 ## [Configure devices without MDM](configure-devices-without-mdm.md)
 ## [Windows 10 servicing options](introduction-to-windows-10-servicing.md)
 ## [Application development for Windows as a service](application-development-for-windows-as-a-service.md)
+## [Application Virtualization (App-V) for Windows](appv-for-windows.md)
+### [Getting Started with App-V](appv-getting-started.md)
+#### [About App-V](appv-about-appv.md)
+##### [Release Notes for App-V](appv-release-notes-for-appv-for-windows.md)
+#### [Evaluating App-V](appv-evaluating-appv.md)
+#### [High Level Architecture for App-V](appv-high-level-architecture.md)
+#### [Accessibility for App-V](appv-accessibility.md)
+### [Planning for App-V](appv-planning-for-appv.md)
+#### [Preparing Your Environment for App-V](appv-preparing-your-environment.md)
+##### [App-V Prerequisites](appv-prerequisites.md)
+##### [App-V Security Considerations](appv-security-considerations.md)
+#### [Planning to Deploy App-V](appv-planning-to-deploy-appv.md)
+##### [App-V Supported Configurations](appv-supported-configurations.md)
+##### [App-V Capacity Planning](appv-capacity-planning.md)
+##### [Planning for High Availability with App-V](appv-planning-for-high-availability-with-appv.md)
+##### [Planning to Deploy App-V with an Electronic Software Distribution System](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md)
+##### [Planning for the App-V Server Deployment](appv-planning-for-appv-server-deployment.md)
+##### [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md)
+##### [Planning for Migrating from a Previous Version of App-V](appv-planning-for-migrating-from-a-previous-version-of-appv.md)
+##### [Planning for Using App-V with Office](appv-planning-for-using-appv-with-office.md)
+##### [Planning to Use Folder Redirection with App-V](appv-planning-folder-redirection-with-appv.md)
+#### [App-V Planning Checklist](appv-planning-checklist.md)
+### [Deploying App-V](appv-deploying-appv.md)
+#### [Deploying the App-V Sequencer and Client](appv-deploying-the-appv-sequencer-and-client.md)
+##### [About Client Configuration Settings](appv-client-configuration-settings.md)
+##### [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
+##### [How to Install the App-V Client for Shared Content Store Mode](appv-install-the-appv-client-for-shared-content-store-mode.md)
+##### [How to Install the Sequencer](appv-install-the-sequencer.md)
+##### [How to Modify App-V Client Configuration Using the ADMX Template and Group Policy](appv-modify-client-configuration-with-the-admx-template-and-group-policy.md)
+#### [Deploying the App-V Server](appv-deploying-the-appv-server.md)
+##### [How to Deploy the App-V Server](appv-deploy-the-appv-server.md)
+##### [How to Deploy the App-V Server Using a Script](appv-deploy-the-appv-server-with-a-script.md)
+##### [How to Deploy the App-V Databases by Using SQL Scripts](appv-deploy-appv-databases-with-sql-scripts.md)
+##### [How to Install the Publishing Server on a Remote Computer](appv-install-the-publishing-server-on-a-remote-computer.md)
+##### [How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](appv-install-the-management-and-reporting-databases-on-separate-computers.md)
+##### [How to install the Management Server on a Standalone Computer and Connect it to the Database ](appv-install-the-management-server-on-a-standalone-computer.md)
+##### [About App-V Reporting](appv-reporting.md)
+##### [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](appv-install-the-reporting-server-on-a-standalone-computer.md)
+#### [App-V Deployment Checklist](appv-deployment-checklist.md)
+#### [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
+#### [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
+### [Operations for App-V](appv-operations.md)
+#### [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md)
+##### [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md)
+##### [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md)
+##### [How to Create and Use a Project Template](appv-create-and-use-a-project-template.md)
+##### [How to Create a Package Accelerator](appv-create-a-package-accelerator.md)
+##### [How to Create a Virtual Application Package Using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md)
+#### [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md)
+##### [About App-V Dynamic Configuration](appv-dynamic-configuration.md)
+##### [How to Connect to the Management Console ](appv-connect-to-the-management-console.md)
+##### [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md)
+##### [How to Configure Access to Packages by Using the Management Console ](appv-configure-access-to-packages-with-the-management-console.md)
+##### [How to Publish a Package by Using the Management Console ](appv-publish-a-packages-with-the-management-console.md)
+##### [How to Delete a Package in the Management Console ](appv-delete-a-package-with-the-management-console.md)
+##### [How to Add or Remove an Administrator by Using the Management Console](appv-add-or-remove-an-administrator-with-the-management-console.md)
+##### [How to Register and Unregister a Publishing Server by Using the Management Console](appv-register-and-unregister-a-publishing-server-with-the-management-console.md)
+##### [How to Create a Custom Configuration File by Using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md)
+##### [How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console](appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md)
+##### [How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console](appv-customize-virtual-application-extensions-with-the-management-console.md)
+##### [How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console ](appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md)
+#### [Managing Connection Groups](appv-managing-connection-groups.md)
+##### [About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)
+##### [About the Connection Group File](appv-connection-group-file.md)
+##### [How to Create a Connection Group](appv-create-a-connection-group.md)
+##### [How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)
+##### [How to Delete a Connection Group](appv-delete-a-connection-group.md)
+##### [How to Publish a Connection Group](appv-publish-a-connection-group.md)
+##### [How to Make a Connection Group Ignore the Package Version](appv-configure-connection-groups-to-ignore-the-package-version.md)
+##### [How to Allow Only Administrators to Enable Connection Groups](appv-allow-administrators-to-enable-connection-groups.md)
+#### [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md)
+##### [How to deploy App-V Packages Using Electronic Software Distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md)
+##### [How to Enable Only Administrators to Publish Packages by Using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md)
+#### [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
+##### [How to Access the Client Management Console](appv-accessing-the-client-management-console.md)
+##### [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server ](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
+#### [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md)
+##### [How to Convert a Package Created in a Previous Version of App-V](appv-convert-a-package-created-in-a-previous-version-of-appv.md)
+#### [Maintaining App-V](appv-maintaining-appv.md)
+##### [How to Move the App-V Server to Another Computer](appv-move-the-appv-server-to-another-computer.md)
+#### [Administering App-V by Using PowerShell](appv-administering-appv-with-powershell.md)
+##### [How to Load the PowerShell Cmdlets and Get Cmdlet Help ](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md)
+##### [How to Manage App-V Packages Running on a Stand-Alone Computer by Using PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md)
+##### [How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)
+##### [How to Modify Client Configuration by Using PowerShell](appv-modify-client-configuration-with-powershell.md)
+##### [How to Apply the User Configuration File by Using PowerShell](appv-apply-the-user-configuration-file-with-powershell.md)
+##### [How to Apply the Deployment Configuration File by Using PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md)
+##### [How to Sequence a Package by Using PowerShell ](appv-sequence-a-package-with-powershell.md)
+##### [How to Create a Package Accelerator by Using PowerShell](appv-create-a-package-accelerator-with-powershell.md)
+##### [How to Enable Reporting on the App-V Client by Using PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md)
+##### [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md)
+### [Troubleshooting App-V](appv-troubleshooting.md)
+### [Technical Reference for App-V](appv-technical-reference.md)
+#### [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
+#### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
+#### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
+#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md)
+## [User Experience Virtualization (UE-V) for Windows](uev-for-windows.md)
+### [Get Started with UE-V](uev-getting-started.md)
+#### [What's New in UE-V for Windows 10, version 1607](uev-whats-new-in-uev-for-windows.md)
+#### [User Experience Virtualization Release Notes](uev-release-notes-1607.md)
+#### [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md)
+### [Prepare a UE-V Deployment](uev-prepare-for-deployment.md)
+#### [Deploy Required UE-V Features](uev-deploy-required-features.md)
+#### [Deploy UE-V for use with Custom Applications](uev-deploy-uev-for-custom-applications.md)
+### [Administering UE-V](uev-administering-uev.md)
+#### [Manage Configurations for UE-V](uev-manage-configurations.md)
+##### [Configuring UE-V with Group Policy Objects](uev-configuring-uev-with-group-policy-objects.md)
+##### [Configuring UE-V with System Center Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md)
+##### [Administering UE-V with Windows PowerShell and WMI](uev-administering-uev-with-windows-powershell-and-wmi.md)
+###### [Managing the UE-V Service and Packages with Windows PowerShell and WMI](uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md)
+###### [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md)
+#### [Working with Custom UE-V Templates and the UE-V Template Generator](uev-working-with-custom-templates-and-the-uev-generator.md)
+#### [Manage Administrative Backup and Restore in UE-V](uev-manage-administrative-backup-and-restore.md)
+#### [Changing the Frequency of UE-V Scheduled Tasks](uev-changing-the-frequency-of-scheduled-tasks.md)
+#### [Migrating UE-V Settings Packages](uev-migrating-settings-packages.md)
+#### [Using UE-V with Application Virtualization Applications](uev-using-uev-with-application-virtualization-applications.md)
+### [Troubleshooting UE-V](uev-troubleshooting.md)
+### [Technical Reference for UE-V](uev-technical-reference.md)
+#### [Sync Methods for UE-V](uev-sync-methods.md)
+#### [Sync Trigger Events for UE-V](uev-sync-trigger-events.md)
+#### [Synchronizing Microsoft Office with UE-V](uev-synchronizing-microsoft-office-with-uev.md)
+#### [Application Template Schema Reference for UE-V](uev-application-template-schema-reference.md)
+#### [Accessibility for UE-V](uev-accessibility.md)
+#### [Security Considerations for UE-V](uev-security-considerations.md)
 ## [Windows Store for Business](windows-store-for-business.md)
 ### [Sign up and get started](sign-up-windows-store-for-business-overview.md)
+####[Windows Store for Business overview](windows-store-for-business-overview.md)
 #### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
 #### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
 #### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
@@ -46,7 +178,7 @@
 #### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
 #### [Distribute offline apps](distribute-offline-apps.md)
 ### [Manage apps](manage-apps-windows-store-for-business-overview.md)
-#### [App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md)
+#### [App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md)
 #### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md)
 #### [Manage access to private store](manage-access-to-private-store.md)
 #### [Manage private store settings](manage-private-store-settings.md)
@@ -58,4 +190,4 @@
 #### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
 #### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
 ### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
-
+## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
diff --git a/windows/manage/acquire-apps-windows-store-for-business.md b/windows/manage/acquire-apps-windows-store-for-business.md
index 5f68e8e296..3840db35c7 100644
--- a/windows/manage/acquire-apps-windows-store-for-business.md
+++ b/windows/manage/acquire-apps-windows-store-for-business.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
+localizationpriority: high
 ---
 
 # Acquire apps in Windows Store for Business
diff --git a/windows/manage/add-unsigned-app-to-code-integrity-policy.md b/windows/manage/add-unsigned-app-to-code-integrity-policy.md
index d453da171a..a0c9e5ac70 100644
--- a/windows/manage/add-unsigned-app-to-code-integrity-policy.md
+++ b/windows/manage/add-unsigned-app-to-code-integrity-policy.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store, security
 author: TrudyHa
+localizationpriority: high
 ---
 
 # Add unsigned app to code integrity policy
diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md
index ca7d24b2a2..1dedc043ff 100644
--- a/windows/manage/app-inventory-managemement-windows-store-for-business.md
+++ b/windows/manage/app-inventory-managemement-windows-store-for-business.md
@@ -2,6 +2,7 @@
 title: App inventory management for Windows Store for Business (Windows 10)
 description: You can manage all apps that you've acquired on your Inventory page.
 ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2
+redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-management-windows-store-for-business
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -9,224 +10,3 @@ ms.pagetype: store author: TrudyHa --- -# App inventory management for Windows Store for Business - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -You can manage all apps that you've acquired on your **Inventory** page. - -The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). - -All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses. - -![Image shows Inventory page in Windows Store for Business with status status options for an app.](images/wsfb-inventoryaddprivatestore.png) - -Store for Business shows this info for each app in your inventory: - -- Name - -- Access to actions for the app - -- Last modified date - -- Supported devices - -- Private store status - -### Find apps in your inventory - -There are a couple of ways to find specific apps, or groups of apps in your inventory. - -**Search** - Use the Search box to search for an app. - -**Refine** - Use **Refine** to scope your list of apps by one or more of these app attributes: - -- **License** - Online or offline licenses. For more info, see [Apps in Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). - -- **Platforms** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory. 
- -- **Source** - **Store**, for apps acquired from Store for Business, or LOB, for line-of-business apps. - -- **Private store** - **In private store**, or **Not in private store**, depending on whether or not you've added the app to your private store. - -### Manage apps in your inventory - -Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ActionOnline-licensed appOffline-licensed app

    Assign to employees

    X

    Add to private store

    X

    Remove from private store

    X

    View license details

    X

    View product details

    X

    X

    Download for offline use

    X

    - -  - -The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). - -### Distribute apps - -For online-licensed apps, there are a couple of ways to distribute apps from your inventory: - -- Assign apps to people in your organization. - -- Add apps to your private store, and let people in your organization install the app. - -If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md). - -Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md). - -**To make an app in inventory available in your private store** - -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page. -4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**. - -The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. - -Employees can claim apps that admins added to the private store by doing the following. - -**To claim an app from the private store** - -1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app. -2. 
Click the private store tab. -3. Click the app you want to install, and then click **Install**. - -Another way to distribute apps is by assigning them to people in your organization. - -If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store. - -**To remove an app from the private store** - -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**. - -The app will still be in your inventory, but your employees will not have access to the app from your private store. - -**To assign an app to an employee** - -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. -4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. - -Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**. - -### Manage app licenses - -For each app in your inventory, you can view and manage license details. This give you another way to assign apps to people in your organization. It also allows you to reclaim app licenses after they've been assigned to people, or claimed by people in your organization. - -**To view license details** - -1. Sign in to [Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=691845) - -2. Click **Manage**, and then choose **Inventory**. - -3. Click the ellipses for an app, and then choose **View license details**. 
- - ![Image showing Inventory page in Windows Store for Business.](images/wsfb-inventory-viewlicense.png) - - You'll see the names of people in your organization who have installed the app and are using one of the licenses. - - ![Image showing assigned licenses for an app.](images/wsfb-licensedetails.png) - - On **Assigned licenses**, you can do several things: - - - Assign the app to other people in your organization. - - - Reclaim app licenses. - - - View app details. - - - Add the app to your private store, if it is not in the private store. - - You can assign the app to more people in your organization, or reclaim licenses. - - **To assign an app to more people** - - - Click **Assign to people**, type the email address for the employee that you're assigning the app to, and click **Assign**. - - ![Image showing Assign to people dialog for assigning app licenses to people in your organization.](images/wsfb-licenseassign.png) - - Store for Business updates the list of assigned licenses. - - **To reclaim licenses** - - - Choose the person you want to reclaim the license from, click **Reclaim licenses**, and then click **Reclaim licenses**. - - ![Image showing Assign to people dialog for reclaiming app licenses from people in your organization.](images/wsfb-licensereclaim.png) - - Store for Business updates the list of assigned licenses. - -### Download offline-licensed app - -Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store. - -You can download offline-licensed apps from your inventory. You'll need to download these items: - -- App metadata - -- App package - -- App license - -- App framework - -For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). 
- -For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md). - -  - -  - - - - - diff --git a/windows/manage/app-inventory-management-windows-store-for-business.md b/windows/manage/app-inventory-management-windows-store-for-business.md new file mode 100644 index 0000000000..2472c4a967 --- /dev/null +++ b/windows/manage/app-inventory-management-windows-store-for-business.md 
@@ -0,0 +1,228 @@
+---
+title: App inventory management for Windows Store for Business (Windows 10)
+description: You can manage all apps that you've acquired on your Inventory page.
+ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: store
+author: TrudyHa
+---
+
+# App inventory management for Windows Store for Business
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+You can manage all apps that you've acquired on your **Inventory** page.
+
+The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role.
+
+All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses.
+
+![Image shows Inventory page in Windows Store for Business with status status options for an app.](images/wsfb-inventoryaddprivatestore.png)
+
+Store for Business shows this info for each app in your inventory:
+
+- Name
+- Access to actions for the app
+- Last modified
+- Available licenses
+- Private store status
+
+The last modified date tracks changes about the app as an item in your inventory.
The last modified date changes when one of the following happens: +- First purchase (the date you acquire the app from Windows Store for Business) +- Purchase additional licenses +- Assign license +- Reclaim license +- Refund order (applies to purchased apps, not free apps) + +The last modified date does not correspond to when an app was last updated in the Store. It tracks activity for that app, as an item in your inventory. + +### Find apps in your inventory + +There are a couple of ways to find specific apps, or groups of apps in your inventory. + +**Search** - Use the Search box to search for an app. + +**Refine** - Use **Refine** to scope your list of apps by one or more of these app attributes: + +- **License** - Online or offline licenses. For more info, see [Apps in Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). + +- **Platforms** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory. + +- **Source** - **Store**, for apps acquired from Store for Business, or LOB, for line-of-business apps. + +- **Private store** - **In private store**, or **Not in private store**, depending on whether or not you've added the app to your private store. + +### Manage apps in your inventory + +Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ActionOnline-licensed appOffline-licensed app

    Assign to employees

    X

    Add to private store

    X

    Remove from private store

    X

    View license details

    X

    View product details

    X

    X

    Download for offline use

    X

    + +  + +The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). + +### Distribute apps + +For online-licensed apps, there are a couple of ways to distribute apps from your inventory: + +- Assign apps to people in your organization. + +- Add apps to your private store, and let people in your organization install the app. + +If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md). + +Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md). + +**To make an app in inventory available in your private store** + +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page. +4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**. + +The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. + +Employees can claim apps that admins added to the private store by doing the following. + +**To claim an app from the private store** + +1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app. +2. 
Click the private store tab. +3. Click the app you want to install, and then click **Install**. + +Another way to distribute apps is by assigning them to people in your organization. + +If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store. + +**To remove an app from the private store** + +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**. + +The app will still be in your inventory, but your employees will not have access to the app from your private store. + +**To assign an app to an employee** + +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. +4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. + +Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**. + +### Manage app licenses + +For each app in your inventory, you can view and manage license details. This give you another way to assign apps to people in your organization. It also allows you to reclaim app licenses after they've been assigned to people, or claimed by people in your organization. + +**To view license details** + +1. Sign in to [Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=691845) + +2. Click **Manage**, and then choose **Inventory**. + +3. Click the ellipses for an app, and then choose **View license details**. 
+ + ![Image showing Inventory page in Windows Store for Business.](images/wsfb-inventory-viewlicense.png) + + You'll see the names of people in your organization who have installed the app and are using one of the licenses. + + ![Image showing assigned licenses for an app.](images/wsfb-licensedetails.png) + + On **Assigned licenses**, you can do several things: + + - Assign the app to other people in your organization. + + - Reclaim app licenses. + + - View app details. + + - Add the app to your private store, if it is not in the private store. + + You can assign the app to more people in your organization, or reclaim licenses. + + **To assign an app to more people** + + - Click **Assign to people**, type the email address for the employee that you're assigning the app to, and click **Assign**. + + ![Image showing Assign to people dialog for assigning app licenses to people in your organization.](images/wsfb-licenseassign.png) + + Store for Business updates the list of assigned licenses. + + **To reclaim licenses** + + - Choose the person you want to reclaim the license from, click **Reclaim licenses**, and then click **Reclaim licenses**. + + ![Image showing Assign to people dialog for reclaiming app licenses from people in your organization.](images/wsfb-licensereclaim.png) + + Store for Business updates the list of assigned licenses. + +### Download offline-licensed app + +Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store. + +You can download offline-licensed apps from your inventory. You'll need to download these items: + +- App metadata + +- App package + +- App license + +- App framework + +For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). 
+ +For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md). \ No newline at end of file diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md index dec7d4ca5f..f74b81160c 100644 --- a/windows/manage/apps-in-windows-store-for-business.md +++ b/windows/manage/apps-in-windows-store-for-business.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Apps in Windows Store for Business @@ -50,7 +51,7 @@ Apps that you acquire from the Store for Business only work on Windows 10-based Some apps are free, and some apps charge a price. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. -Some apps which are available to consumers in the Windows Store might not be available to organizations in the Windows Store for Business. App developers can opt-out their apps, and they also need to meet eligibility requirements for Windows Store for Business. For more information, read this info on [Organizational licensing options](https://msdn.microsoft.com/en-us/windows/uwp/publish/organizational-licensing). +Some apps which are available to consumers in the Windows Store might not be available to organizations in the Windows Store for Business. App developers can opt-out their apps, and they also need to meet eligibility requirements for Windows Store for Business. For more information, read this info on [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing). **Note**
    We are still setting up the catalog of apps for Windows Store for Business. If you are searching for an app and it isn’t available, please check again in a couple of days. diff --git a/windows/manage/appv-about-appv.md b/windows/manage/appv-about-appv.md new file mode 100644 index 0000000000..28dd41b085 --- /dev/null +++ b/windows/manage/appv-about-appv.md @@ -0,0 +1,471 @@ +--- +title: About App-V (Windows 10) +description: About App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# About App-V for Windows + +Applies to: Windows 10, version 1607 + +Review the following sections for information about significant changes that apply to Application Virtualization (App-V) for Windows: + +[App-V software prerequisites and supported configurations](#bkmk-51-prereq-configs) + +[Migrating to App-V](#bkmk-migrate-to-51) + +[What’s New in App-V](#bkmk-whatsnew) + +[App-V support for Windows 10](#bkmk-win10support) + +[App-V Management Console Changes](#bkmk-mgmtconsole) + +[Sequencer Improvements](#bkmk-seqimprove) + +[Improvements to Package Converter](#bkmk-pkgconvimprove) + +[Support for multiple scripts on a single event trigger](#bkmk-supmultscripts) + +[Hardcoded path to installation folder is redirected to virtual file system root](#bkmk-hardcodepath) + +## App-V for Windows software prerequisites and supported configurations + + +Review the following topics for information about App-V for Windows software prerequisites and supported configurations. + + ++++ + + + + + + + + + + + + + + + + +
    Links to prerequisites and supported configurations topicsDescription

    [App-V Prerequisites](appv-prerequisites.md)

    Prerequisite software that you must install before you can get started with App-V for Windows

    [App-V Supported Configurations](appv-supported-configurations.md)

    Supported operating systems and hardware requirements for the App-V server, sequencer, and client components

    + +  +**Support for using Configuration Manager with App-V:** App-V supports System Center 2012 R2 Configuration Manager SP1. See [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx) for information about integrating your App-V environment with Configuration Manager. + +## Upgrade to App-V for Windows + + +Use the following information to upgrade to App-V for Windows from earlier versions. See [Migrating to App-V for Windows from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md) for more information. + +### Before you begin + +Review the following information before you start the upgrade: + + ++++ + + + + + + + + + + + + + + + + + + + + +
    Items to review before upgradingDescription

    Components to upgrade, in any order

      +
    1. App-V Server

    2. +
    3. Sequencer

    4. +
    5. App-V Client or App-V Remote Desktop Services (RDS) Client

    6. +
    +
    +Note   +

    Prior to App-V 5.0 SP2, the Client Management User Interface (UI) was provided with the App-V Client installation. For App-V 5.0 SP2 installations (or later), you can use the Client Management UI by downloading from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).

    +
    +
    +  +

    Upgrading from App-V 4.x

    You cannot upgrade directly from App-V 4.x to App-V for Windows. You must first upgrade to App-V 5.0. For more information, see [Planning for Migrating from a Previous Version of App-V](appv-planning-for-migrating-from-a-previous-version-of-appv.md)

    + +

    Upgrading from App-V 5.0 or later

    You can upgrade to App-V for Windows directly from any of the following versions:

    +
      +
    • App-V 5.0

    • +
    • App-V 5.0 SP1

    • +
    • App-V 5.0 SP2

    • +
    • App-V 5.0 SP3

    • +
    +

    To upgrade to App-V for Windows, follow the steps in the remaining sections of this topic.

    +

    Packages and connection groups will continue to work with App-V for Windows as they currently do.

    +  + +### Steps to upgrade the App-V infrastructure + +Complete the following steps to upgrade each component of the App-V infrastructure to App-V for Windows. The following order is only a suggestion; you can upgrade components in any order. + + ++++ + + + + + + + + + + + + + + + + + + + + +
    StepFor more information

    Step 1: Upgrade the App-V server components.

    +
    +Note   +

    If you are not using the App-V server, skip this step and go to the next step.

    +
    +
    +  +

    Follow these steps:

    +
      +
    1. Do one of the following, depending on the method you are using to upgrade the management database and/or reporting database:

      + ++++ + + + + + + + + + + + + + + + + +
      Database upgrade methodStep

      Windows Installer

      Skip this step and go to step 2, “If you are upgrading the App-V server...”

      SQL scripts

      Follow the steps in [How to Deploy the App-V Databases by Using SQL Scripts](https://technet.microsoft.com/en-us/itpro/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts).

      +
    2. If you are upgrading to App-V for Windows server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 server](https://technet.microsoft.com/en-us/itpro/mdop/appv-v5/check-reg-key-svr).

    3. +
    4. Follow the steps in [How to Deploy the App-V server components](appv-deploy-the-appv-server.md)

    5. +

       

      +

    Step 2: Install the new App-V for Windows sequencer.

    See [How to Install the Sequencer](appv-install-the-sequencer.md).

    Step 3: Enable the in-box App-V client.

    See [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md).

    + +  + +### Converting packages created using a prior version of App-V + +Use the package converter utility to upgrade virtual application packages created using versions of App-V prior to App-V for Windows, version 1607. The package converter uses PowerShell to convert packages and can help automate the process if you have many packages that require conversion. + +>**Note**   +App-V for Windows packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and so there is no need to convert App-V 5.0 packages to App-V for Windows packages. + +  + +## What’s New in App-V + + +These sections are for users who are already familiar with App-V and want to know what has changed in App-V for Windows. If you are not already familiar with App-V, you should start by reading [Planning for App-V](appv-planning-for-appv.md). + + +### App-V Management Console Changes + +This section compares the App-V for Windows Management Console’s current and previous functionality. + +### Silverlight is no longer required + +The Management Console UI no longer requires Silverlight. The Management Console is built on HTML5 and Javascript. + +### Notifications and messages are displayed individually in a dialog box + + ++++ + + + + + + + + + + + + + + + + + + + + +
    New in App-V for WindowsPrior to App-V for Windows

    Number of messages indicator:

    +

    On the title bar of the App-V Management Console, a number is now displayed next to a flag icon to indicate the number of messages that are waiting to be read.

    You could see only one message or error at a time, and you were unable to determine how many messages there were.

    Message appearance:

    +
      +
    • Messages that require user input appear in a separate dialog box that displays on top of the current page that you were viewing, and require a response before you can dismiss them.

    • +
    • Messages and errors appear in a list, with one beneath the other.

    • +

    You could see only one message or error at a time.

    Dismissing messages:

    +

    Use the Dismiss All link to dismiss all messages and errors at one time, or dismiss them one at a time.

    You could dismiss messages and errors only one at a time.

    + +  + +### Console pages are now separate URLs + + ++++ + + + + + + + + + + + + +
    New in App-V for WindowsPrior to App-V for Windows

    Each page in the console has a different URL, which enables you to bookmark specific pages for quick access in the future.

    +

    The number that appears in some URLs indicates the specific package. These numbers are unique.

    All console pages are accessed through the same URL.

    + +  + +### New, separate CONNECTION GROUPS page and menu option + + ++++ + + + + + + + + + + + + +
    New in App-V for WindowsPrior to App-V for Windows

    The CONNECTION GROUPS page is now part of the main menu, at the same level as the PACKAGES page.

    To open the CONNECTION GROUPS page, you navigate through the PACKAGES page.

    + +  + +### Menu options for packages have changed + + ++++ + + + + + + + + + + + + + + + + +
    New in App-V for WindowsPrior to App-V Windows

    The following options are now buttons that appear at the bottom of the PACKAGES page:

    +
      +
    • Add or Upgrade

    • +
    • Publish

    • +
    • Unpublish

    • +
    • Delete

    • +
    +

    The following options will still appear when you right-click a package to open the drop-down context menu:

    +
      +
    • Publish

    • +
    • Unpublish

    • +
    • Edit AD Access

    • +
    • Edit Deployment Config

    • +
    • Transfer deployment configuration from…

    • +
    • Transfer access and configuration from…

    • +
    • Delete

    • +
    +

    When you click Delete to remove a package, a dialog box opens and asks you to confirm that you want to delete the package.

    The Add or Upgrade option was a button at the top right of the PACKAGES page.

    +

    The Publish, Unpublish, and Delete options were available only if you right-clicked a package name in the packages list.

    The following package operations are now buttons on the package details page for each package:

    +
      +
    • Transfer (drop-down menu with the following options):

      +
        +
      • Transfer deployment configuration from…

      • +
      • Transfer access and configuration from…

      • +
    • +
    • Edit (connection groups and AD Access)

    • +
    • Unpublish

    • +
    • Delete

    • +
    • Edit Default Configuration

    • +

    These package options were available only if you right-clicked a package name in the packages list.

    + +  + +### Icons in left pane have new colors and text + +The colors of the icons in the left pane have been changed, and text added, to make the icons consistent with other Microsoft products. + +### Overview page has been removed + +In the left pane of the Management Console, the OVERVIEW menu option and its associated OVERVIEW page have been removed. + +### Sequencer Improvements + +The following improvements have been made to the package editor in the App-V Sequencer. + +#### Import and export the manifest file + +You can import and export the AppxManifest.xml file. To export the manifest file, select the **Advanced** tab and in the Manifest File box, click **Export...**. You can make changes to the manifest file, such as removing shell extensions or editing file type associations. + +After you make your changes, click **Import...** and select the file you edited. After you successfully import it back in, the manifest file is immediately updated within the package editor. + +>**Caution**   +When you import the file, your changes are validated against the XML schema. If the file is not valid, you will receive an error. Be aware that it is possible to import a file that is validated against the XML schema, but that might still fail to run for other reasons. + +  + +#### Addition of Windows 10 to operating systems list + +In the Deployment tab, Windows 10 32-bit and Windows 10-64 bit have been added to the list of operating systems for which you can sequence a package. If you select **Any Operating System**, Windows 10 is automatically included among the operating systems that the sequenced package will support. + +#### Current path displays at bottom of virtual registry editor + +In the Virtual Registry tab, the path now displays at the bottom of the virtual registry editor, which enables you to determine the currently selected key. Previously, you had to scroll through the registry tree to find the currently selected key. 
+
+#### Combined “find and replace” dialog box and shortcut keys added in virtual registry editor
+
+In the virtual registry editor, shortcut keys have been added for the Find option (Ctrl+F), and a dialog box that combines the “find” and “replace” tasks has been added to enable you to find and replace values and data. To access this combined dialog box, select a key and do one of the following:
+
+- Press **Ctrl+H**
+
+- Right-click a key and select **Replace**.
+
+- Select **View** > **Virtual Registry** > **Replace**.
+
+Previously, the “Replace” dialog box did not exist, and you had to make changes manually.
+
+#### Rename registry keys and package files successfully
+
+You can rename virtual registry keys and files without experiencing Sequencer issues. Previously, the Sequencer stopped working if you tried to rename a key.
+
+#### Import and export virtual registry keys
+
+You can import and export virtual registry keys. To import a key, right-click the node under which to import the key, navigate to the key you want to import, and then click **Import**. To export a key, right-click the key and select **Export**.
+
+#### Import a directory into the virtual file system
+
+You can import a directory into the VFS. To import a directory, click the **Package Files** tab, and then click **View** > **Virtual File System** > **Import Directory**. If you try to import a directory that contains files that are already in the VFS, the import fails, and an explanatory message is displayed. Prior to App-V, you could not import directories.
+
+#### Import or export a VFS file without having to delete and then add it back to the package
+
+You can import files to or export files from the VFS without having to delete the file and then add it back to the package. For example, you might use this feature to export a change log to a local drive, edit the file using an external editor, and then re-import the file into the VFS.
+
+To export a file, select the **Package Files** tab, right-click the file in the VFS, click **Export**, and choose an export location from which you can make your edits.
+
+To import a file, select the **Package Files** tab and right-click the file that you had exported. Browse to the file that you edited, and then click **Import**. The imported file will overwrite the existing file.
+
+After you import a file, you must save the package by clicking **File** > **Save**.
+
+#### Menu for adding a package file has moved
+
+The menu option for adding a package file has been moved. To find the Add option, select the **Package Files** tab, then click **View** > **Virtual File System** > **Add File**. Previously, you right-clicked a folder under the VFS node, and chose **Add File**.
+
+#### Virtual registry node expands MACHINE and USER hives by default
+
+When you open the virtual registry, the MACHINE and USER hives are shown below the top-level REGISTRY node. Previously, you had to expand the REGISTRY node to show the hives beneath.
+
+#### Enable or disable Browser Helper Objects
+
+You can enable or disable Browser Helper Objects by selecting a new check box, Enable Browser Helper Objects, on the Advanced tab of the Sequencer user interface. If Browser Helper Objects:
+
+- Exist in the package and are enabled, the check box is selected by default.
+
+- Exist in the package and are disabled, the check box is clear by default.
+
+- Exist in the package, with one or more enabled and one or more disabled, the check box is set to indeterminate by default.
+
+- Do not exist in the package, the check box is disabled.
+
+### Improvements to Package Converter
+
+You can now use the package converter to convert App-V 4.6 packages that contain scripts, and registry information and scripts from source .osd files are now included in package converter output.
+
+For more information including examples, see [Migrating to App-V for Windows from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md).
+
+#### Support for multiple scripts on a single event trigger
+
+App-V supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you are converting from App-V 4.6 to App-V 5.0 or later. To enable the use of multiple scripts, App-V uses a script launcher application, named ScriptRunner.exe, which is installed as part of the App-V client installation.
+
+For more information, including a list of event triggers and the context under which scripts can be run, see the Scripts section in [About App-V Dynamic Configuration](appv-dynamic-configuration.md).
+
+
+## Have a suggestion for App-V?
+
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+
+[Release Notes for App-V](appv-release-notes-for-appv-for-windows.md)
+ +  + +  + + + + +
diff --git a/windows/manage/appv-accessibility.md b/windows/manage/appv-accessibility.md
new file mode 100644
index 0000000000..a77cc5c218
--- /dev/null
+++ b/windows/manage/appv-accessibility.md
@@ -0,0 +1,169 @@ +--- +title: Accessibility for App-V (Windows 10) +description: Accessibility for App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Accessibility for App-V + + +Microsoft is committed to making its products and services easier for everyone to use. This section provides information about features and services that make this product and its corresponding documentation more accessible for people with disabilities. + +## Keyboard Shortcuts for the App-V Management Server + + +Following are the keyboard Shortcuts for the App-V Management Server: + + ++++ + + + + + + + + + + + + + + + + + + + + +
    To do thisPress

    Close a dialog box.

    Esc

    Perform the default action of a dialog box.

    Enter

    Refresh the current page of the App-V client console.

    F5

    + +  + +## Keyboard Shortcuts for the App-V Sequencer + + +Following are the keyboard shortcuts for the Virtual Registry tab in the package editor in the App-V Sequencer: + + ++++ + + + + + + + + + + + + + + + + +
    To do thisPress

    Open the Find dialog box.

    CTRL + F

    Open the Replace dialog box.

    CTRL + H

    + +  + +### Access Any Command with a Few Keystrokes + +**Important**   +The information in this section only applies to the App-V sequencer. For specific information about the App-V server, see the Keyboard Shortcuts for the App-V Management Server section of this document. + +  + +Access keys let you quickly use a command by pressing a few keys. You can get to most commands by using two keystrokes. To use an access key: + +1. Press ALT. + + An underline appears beneath the keyboard shortcut for each feature that is available in the current view. + +2. Press the letter underlined in the keyboard shortcut for the feature that you want to use. + +**Note**   +To cancel the action that you are taking and hide the keyboard shortcuts, press ALT. + +  + +## Documentation in Alternative Formats + + +If you have difficulty reading or handling printed materials, you can obtain the documentation for many Microsoft products in more accessible formats. You can view an index of accessible product documentation on the Microsoft Accessibility website. In addition, you can obtain additional Microsoft publications from Learning Ally (formerly Recording for the Blind & Dyslexic, Inc.). Learning Ally distributes these documents to registered, eligible members of their distribution service. + +For information about the availability of Microsoft product documentation and books from Microsoft Press, contact: + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

    Learning Ally (formerly Recording for the Blind & Dyslexic, Inc.)

    +

    20 Roszel Road

    +

    Princeton, NJ 08540

    Telephone number from within the United States:

    (800) 221-4792

    Telephone number from outside the United States and Canada:

    (609) 452-0606

    Fax:

    (609) 987-8116

    [http://www.learningally.org/](http://go.microsoft.com/fwlink/?linkid=239)

    Web addresses can change, so you might be unable to connect to the website or sites mentioned here.

    + +  + +## Customer Service for People with Hearing Impairments + + +If you are deaf or hard-of-hearing, complete access to Microsoft product and customer services is available through a text telephone (TTY/TDD) service: + +- For customer service, contact Microsoft Sales Information Center at (800) 892-5234 between 6:30 AM and 5:30 PM Pacific Time, Monday through Friday, excluding holidays. + +- For technical assistance in the United States, contact Microsoft Product Support Services at (800) 892-5234 between 6:00 AM and 6:00 PM Pacific Time, Monday through Friday, excluding holidays. In Canada, dial (905) 568-9641 between 8:00 AM and 8:00 PM Eastern Time, Monday through Friday, excluding holidays. + +Microsoft Support Services are subject to the prices, terms, and conditions in place at the time the service is used. + +## For More Information + + +For more information about how accessible technology for computers helps to improve the lives of people with disabilities, see the [Microsoft Accessibility website](http://go.microsoft.com/fwlink/?linkid=8431). + +## Related topics + + +[Getting Started with App-V](appv-getting-started.md) + +  + +  + + + + + diff --git a/windows/manage/appv-accessing-the-client-management-console.md b/windows/manage/appv-accessing-the-client-management-console.md new file mode 100644 index 0000000000..4c622c5423 --- /dev/null +++ b/windows/manage/appv-accessing-the-client-management-console.md 
@@ -0,0 +1,26 @@
+---
+title: How to access the client management console (Windows 10)
+description: How to access the client management console
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# How to access the client management console
+
+Use the App-V client management console to manage packages on the computer running the App-V client.
+
+> [!NOTE]
+To perform all of the actions available using the client management console, you must have administrative access on the computer running the App-V client.
+
+The client management console is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=41186).
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+- [Operations for App-V](appv-operations.md)
diff --git a/windows/manage/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/manage/appv-add-or-remove-an-administrator-with-the-management-console.md
new file mode 100644
index 0000000000..71e3960d3e
--- /dev/null
+++ b/windows/manage/appv-add-or-remove-an-administrator-with-the-management-console.md
@@ -0,0 +1,45 @@ +--- +title: How to Add or Remove an Administrator by Using the Management Console (Windows 10) +description: How to Add or Remove an Administrator by Using the Management Console +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Add or Remove an Administrator by Using the Management Console + + +Use the following procedures to add or remove an administrator on the Microsoft Application Virtualization (App-V) server. + +**To add an administrator using the Management Console** + +1. Open the Microsoft Application Virtualization (App-V) Management Console and click **Administrators** in the navigation pane. The navigation pane displays a list of Access Directory (AD) users and groups that currently have administrative access to the Microsoft Application Virtualization (App-V) server. + +2. To add a new administrator, click **Add Administrator** Type the name of the administrator that you want to add in the **Active Directory Name** field. Ensure you provide the associated user account domain name. For example, **Domain** \\ **UserName**. + +3. Select the account that you want to add and click **Add**. The new account is displayed in the list of server administrators. + +**To remove an administrator using the Management Console** + +1. Open the Microsoft Application Virtualization (App-V) Management Console and click **Administrators** in the navigation pane. The navigation pane displays a list of AD users and groups that currently have administrative access to the Microsoft Application Virtualization (App-V) server. + +2. Right-click the account to be removed from the list of administrators and select **Remove**. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). 
**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/manage/appv-add-or-upgrade-packages-with-the-management-console.md new file mode 100644 index 0000000000..a5f136d917 --- /dev/null +++ b/windows/manage/appv-add-or-upgrade-packages-with-the-management-console.md 
@@ -0,0 +1,54 @@ +--- +title: How to Add or Upgrade Packages by Using the Management Console (Windows 10) +description: How to Add or Upgrade Packages by Using the Management Console +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Add or Upgrade Packages by Using the Management Console + + +You can the following procedure to add or upgrade a package to the App-V Management Console. To upgrade a package that already exists in the Management Console, use the following steps and import the upgraded package using the same package **Name**. + +**To add a package to the Management Console** + +1. Click the **Packages** tab in the navigation pane of the Management Console display. + + The console displays the list of packages that have been added to the server along with status information about each package. When a package is selected, detailed information about the package is displayed in the **PACKAGES** pane. + + Click the **Ungrouped** drop-down list box and specify how the packages are to be displayed in the console. You can also click the associated column header to sort the packages. + +2. To specify the package you want to add, click **Add or Upgrade Packages**. + +3. Type the full path to the package that you want to add. Use the UNC or HTTP path format, for example **\\\\servername\\sharename\\foldername\\packagename.appv** or **http://server.1234/file.appv**, and then click **Add**. + + **Important**   + You must select a package with the **.appv** file name extension. + +   + +4. The page displays the status message **Adding <Packagename>**. Click **IMPORT STATUS** to check the status of a package that you have imported. + + Click **OK** to add the package and close the **Add Package** page. If there was an error during the import, click **Detail** on the **Package Import** page for more information. 
The newly added package is now available in the **PACKAGES** pane. + +5. Click **Close** to close the **Add or Upgrade Packages** page. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-administering-appv-with-powershell.md b/windows/manage/appv-administering-appv-with-powershell.md new file mode 100644 index 0000000000..5d9ef4ace0 --- /dev/null +++ b/windows/manage/appv-administering-appv-with-powershell.md @@ -0,0 +1,138 @@ +--- +title: Administering App-V by Using PowerShell (Windows 10) +description: Administering App-V by Using PowerShell +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Administering App-V by Using PowerShell + + +Microsoft Application Virtualization (App-V) provides Windows PowerShell cmdlets, which can help administrators perform various App-V tasks. The following sections provide more information about using PowerShell with App-V. + +## How to administer App-V by using PowerShell + + +Use the following PowerShell procedures to perform various App-V tasks. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameDescription

    [How to Load the PowerShell Cmdlets and Get Cmdlet Help](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md)

    Describes how to install the PowerShell cmdlets and find cmdlet help and examples.

    [How to Manage App-V Packages Running on a Stand-Alone Computer by Using PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md)

    Describes how to manage the client package lifecycle on a stand-alone computer using PowerShell.

    [How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)

    Describes how to manage connection groups using PowerShell.

    [How to Modify Client Configuration by Using PowerShell](appv-modify-client-configuration-with-powershell.md)

    Describes how to modify the client using PowerShell.

    [How to Apply the User Configuration File by Using PowerShell](appv-apply-the-user-configuration-file-with-powershell.md)

    Describes how to apply a user configuration file using PowerShell.

    [How to Apply the Deployment Configuration File by Using PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md)

    Describes how to apply a deployment configuration file using PowerShell.

    [How to Sequence a Package by Using PowerShell](appv-sequence-a-package-with-powershell.md)

    Describes how to create a new package using PowerShell.

    [How to Create a Package Accelerator by Using PowerShell](appv-create-a-package-accelerator-with-powershell.md)

    Describes how to create a package accelerator using PowerShell. You can use package accelerators automatically sequence large, complex applications.

    [How to Enable Reporting on the App-V Client by Using PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md)

    Describes how to enable the computer running the App-V to send reporting information.

    [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md)

    Describes how to take an array of account names and to convert each of them to the corresponding SID in standard and hexadecimal formats.

    + +  + +**Important**   +Make sure that any script you execute with your App-V packages matches the execution policy that you have configured for PowerShell. + +  + +## PowerShell Error Handling + + +Use the following table for information about App-V PowerShell error handling. + + ++++ + + + + + + + + + + + + + + + + +
    EventAction

    Using the RollbackOnError attribute with embedded scripts

    When you use the RollbackOnError attribute with embedded scripts, the attribute is ignored for the following events:

    +
      +
    • Removing a package

    • +
    • Unpublishing a package

    • +
    • Terminating a virtual environment

    • +
    • Terminating a process

    • +

    Package name contains $

    If a package name contains the character ( $ ), you must use a single-quote ( ), for example,

    +

    Add-AppvClientPackage ‘Contoso$App.appv’

    + +  + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-administering-virtual-applications-with-the-management-console.md b/windows/manage/appv-administering-virtual-applications-with-the-management-console.md new file mode 100644 index 0000000000..0b47267c1a --- /dev/null +++ b/windows/manage/appv-administering-virtual-applications-with-the-management-console.md 
@@ -0,0 +1,113 @@ +--- +title: Administering App-V Virtual Applications by Using the Management Console (Windows 10) +description: Administering App-V Virtual Applications by Using the Management Console +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Administering App-V Virtual Applications by Using the Management Console + + +Use the Microsoft Application Virtualization (App-V) management server to manage packages, connection groups, and package access in your environment. The server publishes application icons, shortcuts, and file type associations to authorized computers that run the App-V client. One or more management servers typically share a common data store for configuration and package information. + +The management server uses Active Directory Domain Services (AD DS) groups to manage user authorization and has SQL Server installed to manage the database and data store. + +Because the management servers stream applications to end users on demand, these servers are ideally suited for system configurations that have reliable, high-bandwidth LANs. The management server consists of the following components: + +- Management Server – Use the management server to manage packages and connection groups. + +- Publishing Server – Use the publishing server to deploy packages to computers that run the App-V client. + +- Management Database - Use the management database to manage the package access and to publish the server’s synchronization with the management server. 
+ +## Management Console tasks + + +The most common tasks that you can perform with the App-V Management console are: + +- [How to Connect to the Management Console](appv-connect-to-the-management-console.md) + +- [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md) + +- [How to Configure Access to Packages by Using the Management Console](appv-configure-access-to-packages-with-the-management-console.md) + +- [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md) + +- [How to Delete a Package in the Management Console](appv-delete-a-package-with-the-management-console.md) + +- [How to Add or Remove an Administrator by Using the Management Console](appv-add-or-remove-an-administrator-with-the-management-console.md) + +- [How to Register and Unregister a Publishing Server by Using the Management Console](appv-register-and-unregister-a-publishing-server-with-the-management-console.md) + +- [How to Create a Custom Configuration File by Using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md) + +- [How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console](appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md) + +- [How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console](appv-customize-virtual-application-extensions-with-the-management-console.md) + +- [How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console](appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md) + +The main elements of the App-V Management Console are: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    Management Console tabDescription

    Packages tab

    Use the PACKAGES tab to add or upgrade packages.

    Connection Groups tab

    Use the CONNECTION GROUPS tab to manage connection groups.

    Servers tab

    Use the SERVERS tab to register a new server.

    Administrators tab

    Use the ADMINISTRATORS tab to register, add, or remove administrators in your App-V environment.

    + +  + +**Important**   +JavaScript must be enabled on the browser that opens the Web Management Console. + +  + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Other resources for this App-V deployment + + +- [Application Virtualization (App-V) overview](appv-for-windows.md) + +- [Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-allow-administrators-to-enable-connection-groups.md b/windows/manage/appv-allow-administrators-to-enable-connection-groups.md new file mode 100644 index 0000000000..faef4d1c5f --- /dev/null +++ b/windows/manage/appv-allow-administrators-to-enable-connection-groups.md @@ -0,0 +1,70 @@ +--- +title: How to Allow Only Administrators to Enable Connection Groups (Windows 10) +description: How to Allow Only Administrators to Enable Connection Groups +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Allow Only Administrators to Enable Connection Groups + + +You can configure the App-V client so that only administrators (not end users) can enable or disable connection groups. In earlier versions of App-V, you could not prevent end users from performing these tasks. + +**Note**   +**This feature is supported starting in App-V 5.0 SP3.** + +  + +Use one of the following methods to allow only administrators to enable or disable connection groups. + + ++++ + + + + + + + + + + + + + + + + +
    MethodSteps

    Group Policy setting

    Enable the “Require publish as administrator” Group Policy setting, which is located in the following Group Policy Object node:

    +

    Computer Configuration > Policies > Administrative Templates > System > App-V > Publishing

    PowerShell cmdlet

    Run the Set-AppvClientConfiguration cmdlet with the –RequirePublishAsAdmin parameter.

    +

    Parameter values:

    +
      +
    • 0 - False

    • +
    • 1 - True

    • +
    +

    Example:: Set-AppvClientConfiguration –RequirePublishAsAdmin1

    + +  + +**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Managing Connection Groups](appv-managing-connection-groups.md) + +  + +  + + + + + diff --git a/windows/manage/appv-application-publishing-and-client-interaction.md b/windows/manage/appv-application-publishing-and-client-interaction.md new file mode 100644 index 0000000000..1d9ff36d03 --- /dev/null +++ b/windows/manage/appv-application-publishing-and-client-interaction.md @@ -0,0 +1,1291 @@ +--- +title: Application Publishing and Client Interaction (Windows 10) +description: Application Publishing and Client Interaction +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Application Publishing and Client Interaction + + +This article provides technical information about common App-V client operations and their integration with the local operating system. + +## App-V package files created by the Sequencer + + +The Sequencer creates App-V packages and produces a virtualized application. The sequencing process creates the following files: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FileDescription

    .appv

      +
    • The primary package file, which contains the captured assets and state information from the sequencing process.

    • +
    • Architecture of the package file, publishing information, and registry in a tokenized form that can be reapplied to a machine and to a specific user upon delivery.

    • +

    .MSI

    Executable deployment wrapper that you can use to deploy .appv files manually or by using a third-party deployment platform.

    _DeploymentConfig.XML

    File used to customize the default publishing parameters for all applications in a package that is deployed globally to all users on a computer that is running the App-V client.

    _UserConfig.XML

    File used to customize the publishing parameters for all applications in a package that is a deployed to a specific user on a computer that is running the App-V client.

    Report.xml

    Summary of messages resulting from the sequencing process, including omitted drivers, files, and registry locations.

    .CAB

    Optional: Package accelerator file used to automatically rebuild a previously sequenced virtual application package.

    .appvt

    Optional: Sequencer template file used to retain commonly reused Sequencer settings.

    + +  + +For information about sequencing, see [Application Virtualization Sequencing Guide](http://go.microsoft.com/fwlink/?LinkID=269810). + +## What’s in the appv file? + + +The appv file is a container that stores XML and non-XML files together in a single entity. This file is built from the AppX format, which is based on the Open Packaging Conventions (OPC) standard. + +To view the appv file contents, make a copy of the package, and then rename the copied file to a ZIP extension. + +The appv file contains the following folder and files, which are used when creating and publishing a virtual application: + +| Name | Type | Description | +| - | - | - | +| Root | File folder | Directory that contains the file system for the virtualized application that is captured during sequencing. | +| [Content_Types].xml | XML File | List of the core content types in the appv file (e.g. DLL, EXE, BIN). | +| AppxBlockMap.xml | XML File | Layout of the appv file, which uses File, Block, and BlockMap elements that enable location and validation of files in the App-V package.| +| AppxManifest.xml | XML File | Metadata for the package that contains the required information for adding, publishing, and launching the package. Includes extension points (file type associations and shortcuts) and the names and GUIDs associated with the package.| +| FilesystemMetadata.xml | XML File | List of the files captured during sequencing, including attributes (e.g., directories, files, opaque directories, empty directories,and long and short names). | +| PackageHistory.xml | XML File | Information about the sequencing computer (operating system version, Internet Explorer version, .Net Framework version) and process (upgrade, package version).| +| Registry.dat | DAT File | Registry keys and values captured during the sequencing process for the package.| +| StreamMap.xml | XML File | List of files for the primary and publishing feature block. 
The publishing feature block contains the ICO files and required portions of files (EXE and DLL) for publishing the package. When present, the primary feature block includes files that have been optimized for streaming during the sequencing process.| + +  + +## App-V client data storage locations + +The App-V client performs tasks to ensure that virtual applications run properly and work like locally installed applications. The process of opening and running virtual applications requires mapping from the virtual file system and registry to ensure the application has the required components of a traditional application expected by users. This section describes the assets that are required to run virtual applications and lists the location where App-V stores the assets. + +| Name | Location | Description | +| - | - | - | +| Package Store | %ProgramData%\App-V| Default location for read only package files| +| Machine Catalog | %ProgramData%\Microsoft\AppV\Client\Catalog| Contains per-machine configuration documents| +| User Catalog | %AppData%\Microsoft\AppV\Client\Catalog| Contains per-user configuration documents| +| Shortcut Backups | %AppData%\Microsoft\AppV\Client\Integration\ShortCutBackups| Stores previous integration points that enable restore on package unpublish| +| Copy on Write (COW) Roaming | %AppData%\Microsoft\AppV\Client\VFS| Writeable roaming location for package modification| +| Copy on Write (COW) Local | %LocalAppData%\Microsoft\AppV\Client\VFS| Writeable non-roaming location for package modification| +| Machine Registry | HKLM\Software\Microsoft\AppV| Contains package state information, including VReg for machine or globally published packages (Machine hive)| +| User Registry | HKCU\Software\Microsoft\AppV| Contains user package state information including VReg| +| User Registry Classes | HKCU\Software\Classes\AppV| Contains additional user package state information| + +Additional details for the table are provided in the section below and 
throughout the document. + +### Package store + +The App-V Client manages the applications assets mounted in the package store. This default storage location is `%ProgramData%\App-V`, but you can configure it during or after setup by using the `Set-AppVClientConfiguration` Windows PowerShell cmdlet, which modifies the local registry (`PackageInstallationRoot` value under the `HKLM\Software\Microsoft\AppV\Client\Streaming` key). The package store must be located at a local path on the client operating system. The individual packages are stored in the package store in subdirectories named for the Package GUID and Version GUID. + +Example of a path to a specific application: + +``` syntax +C:\ProgramData\App-V\PackGUID\VersionGUID +``` + +To change the default location of the package store during setup, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). + +### Shared Content Store + +If the App-V Client is configured in Shared Content Store mode, no data is written to disk when a stream fault occurs, which means that the packages require minimal local disk space (publishing data). The use of less disk space is highly desirable in VDI environments, where local storage can be limited, and streaming the applications from a high performance network location (such as a SAN) is preferable. For more information on shared content store mode, see . + +> [!NOTE] +> The machine and package store must be located on a local drive, even when you’re using Shared Content Store configurations for the App-V Client. + +  + +### Package catalogs + +The App-V Client manages the following two file-based locations: + +- **Catalogs (user and machine).** + +- **Registry locations** - depends on how the package is targeted for publishing. There is a Catalog (data store) for the computer, and a catalog for each individual user. 
The Machine Catalog stores global information applicable to all users or any user, and the User Catalog stores information applicable to a specific user. The Catalog is a collection of Dynamic Configurations and manifest files; there is discrete data for both file and registry per package version.  + +### Machine catalog + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

    Description

    Stores package documents that are available to users on the machine, when packages are added and published. However, if a package is “global” at publishing time, the integrations are available to all users.

    +

    If a package is non-global, the integrations are published only for specific users, but there are still global resources that are modified and visible to anyone on the client computer (e.g., the package directory is in a shared disk location).

    +

    If a package is available to a user on the computer (global or non-global), the manifest is stored in the Machine Catalog. When a package is published globally, there is a Dynamic Configuration file, stored in the Machine Catalog; therefore, the determination of whether a package is global is defined according to whether there is a policy file (UserDeploymentConfiguration file) in the Machine Catalog.

    Default storage location

    %programdata%\Microsoft\AppV\Client\Catalog\

    +

    This location is not the same as the Package Store location. The Package Store is the golden or pristine copy of the package files.

    Files in the machine catalog

      +
    • Manifest.xml

    • +
    • DeploymentConfiguration.xml

    • +
    • UserManifest.xml (Globally Published Package)

    • +
    • UserDeploymentConfiguration.xml (Globally Published Package)

    • +

    Additional machine catalog location, used when the package is part of a connection group

    The following location is in addition to the specific package location mentioned above:

    +

    %programdata%\Microsoft\AppV\Client\Catalog\PackageGroups\ConGroupGUID\ConGroupVerGUID

    Additional files in the machine catalog when the package is part of a connection group

      +
    • PackageGroupDescriptor.xml

    • +
    • UserPackageGroupDescriptor.xml (globally published Connection Group)

    • +
    + +  + +### User catalog + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

    Description

    Created during the publishing process. Contains information used for publishing the package, and also used at launch to ensure that a package is provisioned to a specific user. Created in a roaming location and includes user-specific publishing information.

    +

    When a package is published for a user, the policy file is stored in the User Catalog. At the same time, a copy of the manifest is also stored in the User Catalog. When a package entitlement is removed for a user, the relevant package files are removed from the User Catalog. Looking at the user catalog, an administrator can view the presence of a Dynamic Configuration file, which indicates that the package is entitled for that user.

    +

    For roaming users, the User Catalog needs to be in a roaming or shared location to preserve the legacy App-V behavior of targeting users by default. Entitlement and policy are tied to a user, not a computer, so they should roam with the user once they are provisioned.

    Default storage location

    appdata\roaming\Microsoft\AppV\Client\Catalog\Packages\PkgGUID\VerGUID

    Files in the user catalog

      +
    • UserManifest.xml

    • +
    • DynamicConfiguration.xml or UserDeploymentConfiguration.xml

    • +

    Additional user catalog location, used when the package is part of a connection group

    The following location is in addition to the specific package location mentioned above:

    +

    appdata\roaming\Microsoft\AppV\Client\Catalog\PackageGroups\PkgGroupGUID\PkgGroupVerGUID

    Additional file in the machine catalog when the package is part of a connection group

    UserPackageGroupDescriptor.xml

    + +  + +### Shortcut backups + +During the publishing process, the App-V Client backs up any shortcuts and integration points to `%AppData%\Microsoft\AppV\Client\Integration\ShortCutBackups.` This backup enables the restoration of these integration points to the previous versions when the package is unpublished. + +### Copy on Write files + +The Package Store contains a pristine copy of the package files that have been streamed from the publishing server. During normal operation of an App-V application, the user or service may require changes to the files. These changes are not made in the package store in order to preserve your ability to repair the application, which removes these changes. These locations, called Copy on Write (COW), support both roaming and non-roaming locations. The location where the modifications are stored depends where the application has been programmed to write changes to in a native experience. + +### COW roaming + +The COW Roaming location described above stores changes to files and directories that are targeted to the typical %AppData% location or \\Users\\**\\AppData\\Roaming location. These directories and files are then roamed based on the operating system settings. + +### COW local + +The COW Local location is similar to the roaming location, but the directories and files are not roamed to other computers, even if roaming support has been configured. The COW Local location described above stores changes applicable to typical windows and not the %AppData% location. The directories listed will vary but there will be two locations for any typical Windows locations (e.g. Common AppData and Common AppDataS). The **S** signifies the restricted location when the virtual service requests the change as a different elevated user from the logged on users. The non-**S** location stores user based changes. 
+ +## Package registry + + +Before an application can access the package registry data, the App-V Client must make the package registry data available to the applications. The App-V Client uses the real registry as a backing store for all registry data. + +When a new package is added to the App-V Client, a copy of the REGISTRY.DAT file from the package is created at `%ProgramData%\Microsoft\AppV\Client\VREG\{Version GUID}.dat`. The name of the file is the version GUID with the .DAT extension. The reason this copy is made is to ensure that the actual hive file in the package is never in use, which would prevent the removal of the package at a later time. + +**Registry.dat from Package Store ** > **%ProgramData%\Microsoft\AppV\Client\Vreg\{VersionGuid}.dat** +  + +When the first application from the package is launched on the client, the client stages or copies the contents out of the hive file, re-creating the package registry data in an alternate location `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Packages\PackageGuid\Versions\VersionGuid\REGISTRY`. The staged registry data has two distinct types of machine data and user data. Machine data is shared across all users on the machine. User data is staged for each user to a userspecific location `HKCU\Software\Microsoft\AppV\Client\Packages\PackageGuid\Registry\User`. The machine data is ultimately removed at package removal time, and the user data is removed on a user unpublish operation. + +### Package registry staging vs. connection group registry staging + +When connection groups are present, the previous process of staging the registry holds true, but instead of having one hive file to process, there are more than one. The files are processed in the order in which they appear in the connection group XML, with the first writer winning any conflicts. + +The staged registry persists the same way as in the single package case. 
Staged user registry data remains for the connection group until it is disabled; staged machine registry data is removed on connection group removal. + +### Virtual registry + +The purpose of the virtual registry (VREG) is to provide a single merged view of the package registry and the native registry to applications. It also provides copy-on-write (COW) functionality – that is any changes made to the registry from the context of a virtual process are made to a separate COW location. This means that the VREG must combine up to three separate registry locations into a single view based on the populated locations in the registry COW -> package -> native. When a request is made for a registry data it will locate in order until it finds the data it was requesting. Meaning if there is a value stored in a COW location it will not proceed to other locations, however, if there is no data in the COW location it will proceed to the Package and then Native location until it finds the appropriate data. + +### Registry locations + +There are two package registry locations and two connection group locations where the App-V Client stores registry information, depending on whether the Package is published individually or as part of a connection group. There are three COW locations for packages and three for connection groups, which are created and managed by the VREG. Settings for packages and connection groups are not shared: + +**Single Package VReg:** + + ++++ + + + + + + + + + + + + + + + + + + +

    Location

    Description

    COW

      +
    • Machine Registry\Client\Packages\PkgGUID\REGISTRY (Only elevate process can write)

    • +
    • User Registry\Client\Packages\PkgGUID\REGISTRY (User Roaming anything written under HKCU except Software\Classes

    • +
    • User Registry Classes\Client\Packages\PkgGUID\REGISTRY (HKCU\Software\Classes writes and HKLM for non elevated process)

    • +

    Package

      +
    • Machine Registry\Client\Packages\PkgGUID\Versions\VerGuid\Registry\Machine

    • +
    • User Registry Classes\Client\Packages\PkgGUID\Versions\VerGUID\Registry

    • +

    Native

      +
    • Native application registry location

    • +
    + +  + +  + +**Connection Group VReg:** + + ++++ + + + + + + + + + + + + + + + + + + +

    Location

    Description

    COW

      +
    • Machine Registry\Client\PackageGroups\GrpGUID\REGISTRY (only elevate process can write)

    • +
    • User Registry\Client\PackageGroups\GrpGUID\REGISTRY (Anything written to HKCU except Software\Classes

    • +
    • User Registry Classes\Client\PackageGroups\GrpGUID\REGISTRY

    • +

    Package

      +
    • Machine Registry\Client\PackageGroups\GrpGUID\Versions\VerGUID\REGISTRY

    • +
    • User Registry Classes\Client\PackageGroups\GrpGUID\Versions\VerGUID\REGISTRY

    • +

    Native

      +
    • Native application registry location

    • +
    + +  + +  + +There are two COW locations for HKLM; elevated and non-elevated processes. Elevated processes always write HKLM changes to the secure COW under HKLM. Non-elevated processes always write HKLM changes to the non-secure COW under HKCU\\Software\\Classes. When an application reads changes from HKLM, elevated processes will read changes from the secure COW under HKLM. Non-elevated reads from both, favoring the changes made in the unsecure COW first. + +### Pass-through keys + +Pass-through keys enable an administrator to configure certain keys so they can only be read from the native registry, bypassing the Package and COW locations. Pass-through locations are global to the machine (not package specific) and can be configured by adding the path to the key, which should be treated as pass-through to the **REG\_MULTI\_SZ** value called **PassThroughPaths** of the key `HKLM\Software\Microsoft\AppV\Subsystem\VirtualRegistry`. Any key that appears under this multi-string value (and their children) will be treated as pass-through. 
+ +The following locations are configured as pass-through locations by default: + +- HKEY\_CURRENT\_USER\\SOFTWARE\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel + +- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel + +- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT + +- HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application + +- HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger + +- HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings + +- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib + +- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies + +- HKEY\_CURRENT\_USER\\SOFTWARE\\Policies + +The purpose of Pass-through keys is to ensure that a virtual application does not write registry data in the VReg that is required for non-virtual applications for successful operation or integration. The Policies key ensures that Group Policy based settings set by the administrator are utilized and not per package settings. The AppModel key is required for integration with Windows Modern UI based applications. It is recommend that administers do not modify any of the default pass-through keys, but in some instances, based on application behavior may require adding additional pass-through keys. + +## App-V package store behavior + + +App-V manages the Package Store, which is the location where the expanded asset files from the appv file are stored. By default, this location is stored at %ProgramData%\\App-V, and is limited in terms of storage capabilities only by free disk space. The package store is organized by the GUIDs for the package and version as mentioned in the previous section. + +### Add packages + +App-V Packages are staged upon addition to the computer with the App-V Client. The App-V Client provides on-demand staging. 
During publishing or a manual Add-AppVClientPackage, the data structure is built in the package store (c:\\programdata\\App-V\\{PkgGUID}\\{VerGUID}). The package files identified in the publishing block defined in the StreamMap.xml are added to the system and the top level folders and child files staged to ensure proper application assets exist at launch. + +### Mounting packages + +Packages can be explicitly loaded using the PowerShell `Mount-AppVClientPackage` or by using the **App-V Client UI** to download a package. This operation completely loads the entire package into the package store. + +### Streaming packages + +The App-V Client can be configured to change the default behavior of streaming. All streaming policies are stored under the following registry key: `HKEY_LOCAL_MAcHINE\Software\Microsoft\AppV\Client\Streaming`. Policies are set using the Windows PowerShell cmdlet `Set-AppvClientConfiguration`. The following policies apply to Streaming: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    PolicyDescription

    AllowHighCostLaunch

    Allows streaming over 3G and cellular networks

    AutoLoad

    Specifies the Background Load setting:

    +

    0 - Disabled

    +

    1 – Previously Used Packages only

    +

    2 – All Packages

    PackageInstallationRoot

    The root folder for the package store in the local machine

    PackageSourceRoot

    The root override where packages should be streamed from

    SharedContentStoreMode

    Enables the use of Shared Content Store for VDI scenarios

    + +  + +  + +These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors around streaming packages that must be explained: + +- Background Streaming + +- Optimized Streaming + +- Stream Faults + +### Background streaming + +The PowerShell cmdlet `Get-AppvClientConfiguration` can be used to determine the current mode for background streaming with the AutoLoad setting and modified with the cmdlet Set-AppvClientConfiguration or from the registry (HKLM\\SOFTWARE\\Microsoft\\AppV\\ClientStreaming key). Background streaming is a default setting where the Autoload setting is set to download previously used packages. The behavior based on default setting (value=1) downloads App-V data blocks in the background after the application has been launched. This setting can be disabled all together (value=0) or enabled for all packages (value=2), whether they have been launched. + +### Optimized streaming + +App-V packages can be configured with a primary feature block during sequencing. This setting allows the sequencing engineer to monitor launch files for a specific application, or applications, and mark the blocks of data in the App-V package for streaming at first launch of any application in the package. + +### Stream faults + +After the initial stream of any publishing data and the primary feature block, requests for additional files perform stream faults. These blocks of data are downloaded to the package store on an as-needed basis. This allows a user to download only a small part of the package, typically enough to launch the package and run normal tasks. All other blocks are downloaded when a user initiates an operation that requires data not currently in the package store. + +### Package upgrades + +App-V Packages require updating throughout the lifecycle of the application. 
App-V Package upgrades are similar to the package publish operation, as each version will be created in its own PackageRoot location: `%ProgramData%\App-V\{PkgGUID}\{newVerGUID}`. The upgrade operation is optimized by creating hard links to identical- and streamed-files from other versions of the same package. + +### Package removal + +The behavior of the App-V Client when packages are removed depends on the method used for removal. Using an App-V full infrastructure to unpublish the application, the user catalog files (machine catalog for globally published applications) are removed, but retains the package store location and COW locations. When the PowerShell cmdlet `Remove-AppVClientPackge` is used to remove an App-V Package, the package store location is cleaned. Remember that unpublishing an App-V Package from the Management Server does not perform a Remove operation. Neither operation will remove the Package Store package files. + +## Roaming registry and data + + +App-V is able to provide a near-native experience when roaming, depending on how the application being used is written. By default, App-V roams AppData that is stored in the roaming location, based on the roaming configuration of the operating system. Other locations for storage of file-based data do not roam from computer to computer, since they are in locations that are not roamed. + +### Roaming requirements and user catalog data storage + +App-V stores data, which represents the state of the user’s catalog, in the form of: + +- Files under %appdata%\\Microsoft\\AppV\\Client\\Catalog + +- Registry settings under `HKEY_CURRENT_USER\Software\Microsoft\AppV\Client\Packages` + +Together, these files and registry settings represent the user’s catalog, so either both must be roamed, or neither must be roamed for a given user. App-V does not support roaming %AppData%, but not roaming the user’s profile (registry), or vice versa. 
+ +> [!NOTE] +> The **Repair-AppvClientPackage** cmdlet does not repair the publishing state of packages, where the user’s App-V state under `HKEY_CURRENT_USER` is missing or mismatched with the data in %appdata%. + +  + +### Registry-based data + +App-V registry roaming falls into two scenarios, as shown in the following table. + + ++++ + + + + + + + + + + + + + + + + +
    ScenarioDescription

    Applications that are run as standard users

    When a standard user launches an App-V application, both HKLM and HKCU for App-V applications are stored in the HKCU hive on the machine. This presents as two distinct paths:

    +
      +
    • HKLM: HKCU\SOFTWARE\Classes\AppV\Client\Packages\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE

    • +
    • HKCU: HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\REGISTRY\USER\{UserSID}\SOFTWARE

    • +
    +

    The locations are enabled for roaming based on the operating system settings.

    Applications that are run with elevation

    When an application is launched with elevation:

    +
      +
    • HKLM data is stored in the HKLM hive on the local computer

    • +
    • HKCU data is stored in the User Registry location

    • +
    +

    In this scenario, these settings are not roamed with normal operating system roaming configurations, and the resulting registry keys and values are stored in the following location:

    +
      +
    • HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\{UserSID}\REGISTRY\MACHINE\SOFTWARE

    • +
    • HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\Registry\User\{UserSID}\SOFTWARE

    • +
    + +  + +### App-V and folder redirection + +App-V supports folder redirection of the roaming AppData folder (%AppData%). When the virtual environment is started, the roaming AppData state from the user’s roaming AppData directory is copied to the local cache. Conversely, when the virtual environment is shut down, the local cache that is associated with a specific user’s roaming AppData is transferred to the actual location of that user’s roaming AppData directory. + +A typical package has several locations mapped in the user’s backing store for settings in both AppData\\Local and AppData\\Roaming. These locations are the Copy on Write locations that are stored per user in the user’s profile, and that are used to store changes made to the package VFS directories and to protect the default package VFS. + +The following table shows local and roaming locations, when folder redirection has not been implemented. + +| VFS directory in package | Mapped location of backing store | +| - | - | +| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\ProgramFilesX86 | +| SystemX86 | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\SystemX86 | +| Windows | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\Windows | +| appv\_ROOT | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\appv_ROOT| +| AppData | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\AppData | + +The following table shows local and roaming locations, when folder redirection has been implemented for %AppData%, and the location has been redirected (typically to a network location). 
+ +| VFS directory in package | Mapped location of backing store | +| - | - | +| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\ProgramFilesX86 | +| SystemX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\SystemX86 | +| Windows | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\Windows | +| appv_ROOT | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\appv\_ROOT | +| AppData | \\Fileserver\users\Local\roaming\Microsoft\AppV\Client\VFS\\AppData | +  + +The current App-V Client VFS driver cannot write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to additional machines, where the process will be repeated. The detailed steps of the processes are: + +1. During publishing or virtual environment startup, the App-V Client detects the location of the AppData directory. + +2. If the roaming AppData path is local or ino AppData\\Roaming location is mapped, nothing happens. + +3. If the roaming AppData path is not local, the VFS AppData directory is mapped to the local AppData directory. + +This process solves the problem of a non-local %AppData% that is not supported by the App-V Client VFS driver. However, the data stored in this new location is not roamed with folder redirection. All changes during the running of the application happen to the local AppData location and must be copied to the redirected location. The detailed steps of this process are: + +1. App-V application is shut down, which shuts down the virtual environment. + +2. The local cache of the roaming AppData location is compressed and stored in a ZIP file. + +3. A timestamp at the end of the ZIP packaging process is used to name the file. + +4. 
The timestamp is recorded in the registry: HKEY\_CURRENT\_USER\\Software\\Microsoft\\AppV\\Client\\Packages\\<GUID>\\AppDataTime as the last known AppData timestamp. + +5. The folder redirection process is called to evaluate and initiate the ZIP file uploaded to the roaming AppData directory. + +The timestamp is used to determine a “last writer wins” scenario if there is a conflict and is used to optimize the download of the data when the App-V application is published or the virtual environment is started. Folder redirection will make the data available from any other clients covered by the supporting policy and will initiate the process of storing the AppData\\Roaming data to the local AppData location on the client. The detailed processes are: + +1. The user starts the virtual environment by starting an application. + +2. The application’s virtual environment checks for the most recent time stamped ZIP file, if present. + +3. The registry is checked for the last known uploaded timestamp, if present. + +4. The most recent ZIP file is downloaded unless the local last known upload timestamp is greater than or equal to the timestamp from the ZIP file. + +5. If the local last known upload timestamp is earlier than that of the most recent ZIP file in the roaming AppData location, the ZIP file is extracted to the local temp directory in the user’s profile. + +6. After the ZIP file is successfully extracted, the local cache of the roaming AppData directory is renamed and the new data is moved into place. + +7. The renamed directory is deleted and the application opens with the most recently saved roaming AppData data. + +This completes the successful roaming of application settings that are present in AppData\\Roaming locations. The only other condition that must be addressed is a package repair operation. The details of the process are: + +1. During repair, detect if the path to the user’s roaming AppData directory is not local. + +2. 
Map the non-local roaming AppData path targets are recreated the expected roaming and local AppData locations. + +3. Delete the timestamp stored in the registry, if present. + +This process will re-create both the local and network locations for AppData and remove the registry record of the timestamp. + +## App-V client application lifecycle management + + +In an App-V Full Infrastructure, after applications are sequenced they are managed and published to users or computers via the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are performed as a series of PowerShell commands initiated on the computer running the App-V Client. + +This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012 visit: . + +The App-V application lifecycle tasks are triggered at user login (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured during setup of the client or post-setup with PowerShell commands. See [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md) or use Windows PowerShell: + +``` syntax +get-command *appv* +``` + +### Publishing refresh + +The publishing refresh process is comprised of several smaller operations that are performed on the App-V Client. Since App-V is an application virtualization technology and not a task scheduling technology, the Windows Task Scheduler is utilized to enable the process at user logon, machine startup, and at scheduled intervals. 
The configuration of the client during setup listed above is the preferred method when distributing the client to a large group of computers with the correct settings. These client settings can be configured with the following PowerShell cmdlets: + +- **Add-AppVPublishingServer:** Configures the client with an App-V Publishing Server that provides App-V packages. + +- **Set-AppVPublishingServer:** Modifies the current settings for the App-V Publishing Server. + +- **Set-AppVClientConfiguration:** Modifies the currents settings for the App-V Client. + +- **Sync-AppVPublishingServer:** Initiates an App-V Publishing Refresh process manually. This is also utilized in the scheduled tasks created during configuration of the publishing server. + +The focus of the following sections is to detail the operations that occur during different phases of an App-V Publishing Refresh. The topics include: + +- Adding an App-V Package + +- Publishing an App-V Package + +### Adding an App-V package + +Adding an App-V package to the client is the first step of the publishing refresh process. The end result is the same as the `Add-AppVClientPackage` cmdlet in PowerShell, except during the publishing refresh add process, the configured publishing server is contacted and passes a high-level list of applications back to the client to pull more detailed information and not a single package add operation. The process continues by configuring the client for package or connection group additions or updates, then accesses the appv file. Next, the contents of the appv file are expanded and placed on the local operating system in the appropriate locations. The following is a detailed workflow of the process, assuming the package is configured for Fault Streaming. + +**How to add an App-V package** + +1. Manual initiation via Windows PowerShell or Task Sequence initiation of the Publishing Refresh process. + + 1. 
The App-V Client makes an HTTP connection and requests a list of applications based on the target. The Publishing refresh process supports targeting machines or users. + + 2. The App-V Publishing Server uses the identity of the initiating target, user or machine, and queries the database for a list of entitled applications. The list of applications is provided as an XML response, which the client uses to send additional requests to the server for more information on a per package basis. + +2. The Publishing Agent on the App-V Client performs all actions below serialized. + + Evaluate any connection groups that are unpublished or disabled, since package version updates that are part of the connection group cannot be processed. + +3. Configure the packages by identifying an Add or Update operations. + + 1. The App-V Client utilizes the AppX API from Windows and accesses the appv file from the publishing server. + + 2. The package file is opened and the AppXManifest.xml and StreamMap.xml are downloaded to the Package Store. + + 3. Completely stream publishing block data defined in the StreamMap.xml. Stores the publishing block data in the Package Store\\PkgGUID\\VerGUID\\Root. + + - Icons: Targets of extension points. + + - Portable Executable Headers (PE Headers): Targets of extension points that contain the base information about the image need on disk, directly accessed or via file types. + + - Scripts: Download scripts directory for use throughout the publishing process. + + 4. Populate the Package store: + + 1. Create sparse files on disk that represent the extracted package for any directories listed. + + 2. Stage top level files and directories under root. + + 3. All other files are created when the directory is listed as sparse on disk and streamed on demand. + + 5. Create the machine catalog entries. Create the Manifest.xml and DeploymentConfiguration.xml from the package files (if no DeploymentConfiguration.xml file in the package a placeholder is created). 
+ + 6. Create location of the package store in the registry HKLM\\Software\\Microsoft\\AppV\\Client\\Packages\\PkgGUID\\Versions\\VerGUID\\Catalog + + 7. Create the Registry.dat file from the package store to %ProgramData%\\Microsoft\\AppV\\Client\\VReg\\{VersionGUID}.dat + + 8. Register the package with the App-V Kernal Mode Driver HKLM\\Microsoft\\Software\\AppV\\MAV + + 9. Invoke scripting from the AppxManifest.xml or DeploymentConfig.xml file for Package Add timing. + +4. Configure Connection Groups by adding and enabling or disabling. + +5. Remove objects that are not published to the target (user or machine). + + > [!NOTE] + > This will not perform a package deletion but rather remove integration points for the specific target (user or machine) and remove user catalog files (machine catalog files for globally published). + +   + +6. Invoke background load mounting based on client configuration. + +7. Packages that already have publishing information for the machine or user are immediately restored. + + > [!NOTE]    + > This condition occurs as a product of removal without unpublishing with background addition of the package. + +   + +This completes an App-V package add of the publishing refresh process. The next step is publishing the package to the specific target (machine or user). + +![package add file and registry data](images/packageaddfileandregistrydata.png) + +### Publishing an App-V package + +During the Publishing Refresh operation, the specific publishing operation (Publish-AppVClientPackage) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps. The following are the detailed steps. + +**How to publish and App-V package** + +1. Package entries are added to the user catalog + + 1. User targeted packages: the UserDeploymentConfiguration.xml and UserManifest.xml are placed on the machine in the User Catalog + + 2. 
Machine targeted (global) packages: the UserDeploymentConfiguration.xml is placed in the Machine Catalog + +2. Register the package with the kernel mode driver for the user at HKLM\\Software\\Microsoft\\AppV\\MAV + +3. Perform integration tasks. + + 1. Create extension points. + + 2. Store backup information in the user’s registry and roaming profile (Shortcut Backups). + + **Note**   + This enables restore extension points if the package is unpublished. + +   + + 3. Run scripts targeted for publishing timing. + +Publishing an App-V Package that is part of a Connection Group is very similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the machine and users catalog information above for details. + +![package add file and registry data - global](images/packageaddfileandregistrydata-global.png) + +### Application launch + +After the Publishing Refresh process, the user launches and subsequently re-launches an App-V application. The process is very simple and optimized to launch quickly with a minimum of network traffic. The App-V Client checks the path to the user catalog for files created during publishing. After rights to launch the package are established, the App-V Client creates a virtual environment, begins streaming any necessary data, and applies the appropriate manifest and deployment configuration files during virtual environment creation. With the virtual environment created and configured for the specific package and application, the application starts. + +**How to launch App-V applications** + +1. User launches the application by clicking on a shortcut or file type invocation. + +2. The App-V Client verifies existence in the User Catalog for the following files + + - UserDeploymentConfiguration.xml + + - UserManifest.xml + +3. 
If the files are present, the application is entitled for that specific user and the application will start the process for launch. There is no network traffic at this point. + +4. Next, the App-V Client checks that the path for the package registered for the App-V Client service is found in the registry. + +5. Upon finding the path to the package store, the virtual environment is created. If this is the first launch, the Primary Feature Block downloads if present. + +6. After downloading, the App-V Client service consumes the manifest and deployment configuration files to configure the virtual environment and all App-V subsystems are loaded. + +7. The Application launches. For any missing files in the package store (sparse files), App-V will stream fault the files on an as needed basis. + + ![package add file and registry data - stream](images/packageaddfileandregistrydata-stream.png) + +### Upgrading an App-V package + +The App-V package upgrade process differs from the older versions of App-V. App-V supports multiple versions of the same package on a machine entitled to different users. Package versions can be added at any time as the package store and catalogs are updated with the new resources. The only process specific to the addition of new version resources is storage optimization. During an upgrade, only the new files are added to the new version store location and hard links are created for unchanged files. This reduces the overall storage by only presenting the file on one disk location and then projecting it into all folders with a file location entry on the disk. The specific details of upgrading an App-V Package are as follows: + +**How to upgrade an App-V package** + +1. The App-V Client performs a Publishing Refresh and discovers a newer version of an App-V Package. + +2. Package entries are added to the appropriate catalog for the new version + + 1. 
User targeted packages: the UserDeploymentConfiguration.xml and UserManifest.xml are placed on the machine in the user catalog at appdata\\roaming\\Microsoft\\AppV\\Client\\Catalog\\Packages\\PkgGUID\\VerGUID + + 2. Machine targeted (global) packages: the UserDeploymentConfiguration.xml is placed in the machine catalog at %programdata%\\Microsoft\\AppV\\Client\\Catalog\\Packages\\PkgGUID\\VerGUID + +3. Register the package with the kernel mode driver for the user at HKLM\\Software\\Microsoft\\AppV\\MAV + +4. Perform integration tasks. + + 1. Integrate extensions points (EP) from the Manifest and Dynamic Configuration files. + + 2. File based EP data is stored in the AppData folder utilizing Junction Points from the package store. + + 3. Version 1 EPs already exist when a new version becomes available. + + 4. The extension points are switched to the Version 2 location in machine or user catalogs for any newer or updated extension points. + +5. Run scripts targeted for publishing timing. + +6. Install Side by Side assemblies as required. + +### Upgrading an in-use App-V package + +If you try to upgrade a package that is in use by an end user, the upgrade task is placed in a pending state. The upgrade will run later, according to the following rules: + +| Task type | Applicable rule | +| - | - | +| User-based task, e.g., publishing a package to a user | The pending task will be performed after the user logs off and then logs back on. | +| Globally based task, e.g., enabling a connection group globally | The pending task will be performed when the computer is shut down and then restarted. 
| + +When a task is placed in a pending state, the App-V client also generates a registry key for the pending task, as follows: + +| User-based or globally based task | Where the registry key is generated | +| - | - | +| User-based tasks | HKEY\_CURRENT\_USER\Software\Microsoft\AppV\Client\PendingTasks | +| Globally based tasks | HKEY\_LOCAL\_MACHINE\Software\Microsoft\AppV\Client\PendingTasks | + +The following operations must be completed before users can use the newer version of the package: + +| Task | Details | +| - | - | +| Add the package to the computer | This task is computer specific and you can perform it at any time by completing the steps in the Package Add section above. | +| Publish the package | See the Package Publishing section above for steps. This process requires that you update extension points on the system. End users cannot be using the application when you complete this task. | + +Use the following example scenarios as a guide for updating packages. + +| Scenario | Requirements | +| - | - | +| App-V package is not in use when you try to upgrade | None of the following components of the package can be in use: virtual application, COM server, or shell extensions.

    The administrator publishes a newer version of the package and the upgrade works the next time a component or application inside the package is launched. The new version of the package is streamed and ran. | +| App-V package is in use when the administrator publishes a newer version of the package | The upgrade operation is set to pending by the App-V Client, which means that it is queued and carried out later when the package is not in use.

    If the package application is in use, the user shuts down the virtual application, after which the upgrade can occur.

    If the package has shell extensions, which are permanently loaded by Windows Explorer, the user cannot be logged in. Users must log off and the log back in to initiate the App-V package upgrade.| + +  +### Global vs user publishing + +App-V Packages can be published in one of two ways; User which entitles an App-V package to a specific user or group of users and Global which entitles the App-V package to the entire machine for all users of the machine. Once a package upgrade has been pended and the App-V package is not in use, consider the two types of publishing: + +- **Globally published**: the application is published to a machine; all users on that machine can use it. The upgrade will happen when the App-V Client Service starts, which effectively means a machine restart. + +- **User published**: the application is published to a user. If there are multiple users on the machine, the application can be published to a subset of the users. The upgrade will happen when the user logs in or when it is published again (periodically, ConfigMgr Policy refresh and evaluation, or an App-V periodic publishing/refresh, or explicitly via Windows PowerShell commands). + +### Removing an App-V package + +Removing App-V applications in a Full Infrastructure is an unpublish operation, and does not perform a package removal. The process is the same as the publish process above, but instead of adding the removal process reverses the changes that have been made for App-V Packages. + +### Repairing an App-V package + +The repair operation is very simple but may affect many locations on the machine. The previously mentioned Copy on Write (COW) locations are removed, and extension points are de-integrated and then re-integrated. Please review the COW data placement locations by reviewing where they are registered in the registry. 
This operation is done automatically and there is no administrative control other than initiating a Repair operation from the App-V Client Console or via Windows PowerShell (Repair-AppVClientPackage). + +## Integration of App-V packages + + +The App-V Client and package architecture provides specific integration with the local operating system during the addition and publishing of packages. Three files define the integration or extension points for an App-V Package: + +- AppXManifest.xml: Stored inside of the package with fallback copies stored in the package store and the user profile. Contains the options created during the sequencing process. + +- DeploymentConfig.xml: Provides configuration information of computer and user based integration extension points. + +- UserConfig.xml: A subset of the Deploymentconfig.xml that only provides user- based configurations and only targets user-based extension points. + +### Rules of integration + +When App-V applications are published to a computer with the App-V Client, some specific actions take place as described in the list below: + +- Global Publishing: Shortcuts are stored in the All Users profile location and other extension points are stored in the registry in the HKLM hive. + +- User Publishing: Shortcuts are stored in the current user account profile and other extension points are stored in the registry in the HKCU hive. + +- Backup and Restore: Existing native application data and registry (such as FTA registrations) are backed up during publishing. + + 1. App-V packages are given ownership based on the last integrated package where the ownership is passed to the newest published App-V application. + + 2. Ownership transfers from one App-V package to another when the owning App-V package is unpublished. This will not initiate a restore of the data or registry. + + 3. Restore the backed up data when the last package is unpublished or removed on a per extension point basis. 
+ +### Extension points + +The App-V publishing files (manifest and dynamic configuration) provide several extension points that enable the application to integrate with the local operating system. These extension points perform typical application installation tasks, such as placing shortcuts, creating file type associations, and registering components. As these are virtualized applications that are not installed in the same manner a traditional application, there are some differences. The following is a list of extension points covered in this section: + +- Shortcuts + +- File Type Associations + +- Shell Extensions + +- COM + +- Software Clients + +- Application capabilities + +- URL Protocol Handler + +- AppPath + +- Virtual Application + +### Shortcuts + +The short cut is one of the basic elements of integration with the OS and is the interface for direct user launch of an App-V application. During the publishing and unpublishing of App-V applications. + +From the package manifest and dynamic configuration XML files, the path to a specific application executable can be found in a section similar to the following: + +``` syntax + + + [{Common Desktop}]\Adobe Reader.lnk + [{AppVPackageRoot}]\Reader\AcroRd32.exe + [{Windows}]\Installer\{AC76BA86-7AD7-1033-7B44-A94000000001}\SC_Reader.ico + + + 1 + [{AppVPackageRoot}]\Reader\AcroRd32.exe + + +``` + +As mentioned previously, the App-V shortcuts are placed by default in the user’s profile based on the refresh operation. Global refresh places shortcuts in the All Users profile and user refresh stores them in the specific user’s profile. The actual executable is stored in the Package Store. The location of the ICO file is a tokenized location in the App-V package. 
+ +### File type associations + +The App-V Client manages the local operating system File Type Associations during publishing, which enables users to use file type invocations or to open a file with a specifically registered extension (.docx) to start an App-V application. File type associations are present in the manifest and dynamic configuration files as represented in the example below: + +``` syntax + + + + .xdp + AcroExch.XDPDoc + application/vnd.adobe.xdp+xml + + + AcroExch.XDPDoc + Adobe Acrobat XML Data Package File + 65536 + [{Windows}]\Installer\{AC76BA86-7AD7-1033-7B44-A94000000001}\XDPFile_8.ico + + Read + + [{AppVPackageRoot}]\Reader\AcroRd32.exe + Open + "[{AppVPackageRoot}]\Reader\AcroRd32.exe" "%1" + + + [{AppVPackageRoot}]\Reader\AcroRd32.exe + Printto + "[{AppVPackageRoot}]\Reader\AcroRd32.exe" /t "%1" "%2" "%3" "%4" + + + [{AppVPackageRoot}]\Reader\AcroRd32.exe + Read + Open with Adobe Reader + "[{AppVPackageRoot}]\Reader\AcroRd32.exe" "%1" + + + + + +``` + +**Note**   +In this example: + +- `.xdp` is the extension + +- `AcroExch.XDPDoc` is the ProgId value (which points to the adjoining ProgId) + +- `"[{AppVPackageRoot}]\Reader\AcroRd32.exe" "%1"` is the command line, which points to the application executable + +  + +### Shell extensions + +Shell extensions are embedded in the package automatically during the sequencing process. When the package is published globally, the shell extension gives users the same functionality as if the application were locally installed. The application requires no additional setup or configuration on the client to enable the shell extension functionality. + +**Requirements for using shell extensions:** + +- Packages that contain embedded shell extensions must be published globally. + +- The “bitness” of the application, Sequencer, and App-V client must match, or the shell extensions won’t work. For example: + + - The version of the application is 64-bit. + + - The Sequencer is running on a 64-bit computer. 
+ + - The package is being delivered to a 64-bit App-V client computer. + +The following table displays the supported shell extensions. + +| Handler | Description | +| - | - | +| Context menu handler | Adds menu items to the context menu. It is called before the context menu is displayed. | +| Drag-and-drop handler | Controls the action upon right-click drag-and-drop and modifies the context menu that appears. | +| Drop target handler | Controls the action after a data object is dragged-and-dropped over a drop target such as a file.| +| Data object handler| Controls the action after a file is copied to the clipboard or dragged-and-dropped over a drop target. It can provide additional clipboard formats to the drop target.| +| Property sheet handler| Replaces or adds pages to the property sheet dialog box of an object.| +| Infotip handler| Allows retrieving flags and infotip information for an item and displaying it inside a popup tooltip upon mouse- hover.| +| Column handler| Allows creating and displaying custom columns in Windows Explorer *Details view*. It can be used to extend sorting and grouping.| +| Preview handler| Enables a preview of a file to be displayed in the Windows Explorer Preview Pane.| + +  + +### COM + +The App-V Client supports publishing applications with support for COM integration and virtualization. COM integration allows the App-V Client to register COM objects on the local operating system and virtualization of the objects. For the purposes of this document, the integration of COM objects requires additional detail. + +App-V supports registering COM objects from the package to the local operating system with two process types: Out-of-process and in-process. Registering COM objects is accomplished with one or a combination of multiple modes of operation for a specific App-V package that includes off, Isolated, and Integrated. The integrated mode is configured for either the out-of-process or in-process type. 
Configuration of COM modes and types is accomplished with dynamic configuration files (deploymentconfig.xml or userconfig.xml). + +Details on App-V integration are available at: . + +### Software clients and application capabilities + +App-V supports specific software clients and application capabilities extension points that enable virtualized applications to be registered with the software client of the operating system. This enables users to select default programs for operations like email, instant messaging, and media player. This operation is performed in the control panel with the Set Program Access and Computer Defaults, and configured during sequencing in the manifest or dynamic configuration files. Application capabilities are only supported when the App-V applications are published globally. + +Example of software client registration of an App-V based mail client. + +``` syntax + + + + + + + Mozilla Thunderbird + Mozilla Thunderbird + [{ProgramFilesX86}]\Mozilla Thunderbird\thunderbird.exe,0 + + + "[{ProgramFilesX86}]\Mozilla Thunderbird\uninstall\helper.exe" /SetAsDefaultAppGlobal + "[{ProgramFilesX86}]\Mozilla Thunderbird\uninstall\helper.exe" /HideShortcuts + "[{ProgramFilesX86}]\Mozilla Thunderbird\uninstall\helper.exe" /ShowShortcuts + + 1 + + + + [{ProgramFilesX86}]\Mozilla Thunderbird\thunderbird.exe + "[{ProgramFilesX86}]\Mozilla Thunderbird\thunderbird.exe" -mail + + [{ProgramFilesX86}]\Mozilla Thunderbird\mozMapi32_InUse.dll + + Thunderbird URL + 2 + [{ProgramFilesX86}]\Mozilla Thunderbird\thunderbird.exe,0 + + [{ProgramFilesX86}]\Mozilla Thunderbird\thunderbird.exe + "[{ProgramFilesX86}]\Mozilla Thunderbird\thunderbird.exe" -osint -compose "%1" + + + + + + + +``` + +**Note**   +In this example: + +- `` is the overall Software Clients setting to integrate Email clients + +- `` is the flag to set a particular Email client as the default Email client + +- `[{ProgramFilesX86}]\Mozilla Thunderbird\mozMapi32_InUse.dll` is the MAPI dll registration + 
+  + +### URL Protocol handler + +Applications do not always specifically called virtualized applications utilizing file type invocation. For, example, in an application that supports embedding a mailto: link inside a document or web page, the user clicks on a mailto: link and expects to get their registered mail client. App-V supports URL Protocol handlers that can be registered on a per-package basis with the local operating system. During sequencing, the URL protocol handlers are automatically added to the package. + +For situations where there is more than one application that could register the specific URL Protocol handler, the dynamic configuration files can be utilized to modify the behavior and suppress or disable this feature for an application that should not be the primary application launched. + +### AppPath + +The AppPath extension point supports calling App-V applications directly from the operating system. This is typically accomplished from the Run or Start Screen, depending on the operating system, which enables administrators to provide access to App-V applications from operating system commands or scripts without calling the specific path to the executable. It therefore avoids modifying the system path environment variable on all systems, as it is accomplished during publishing. + +The AppPath extension point is configured either in the manifest or in the dynamic configuration files and is stored in the registry on the local machine during publishing for the user. For additional information on AppPath review: . + +### Virtual application + +This subsystem provides a list of applications captured during sequencing which is usually consumed by other App-V components. Integration of extension points belonging to a particular application can be disabled using dynamic configuration files. 
For example, if a package contains two applications, it is possible to disable all extension points belonging to one application, in order to allow only integration of extension points of other application. + +### Extension point rules + +The extension points described above are integrated into the operating system based on how the packages has been published. Global publishing places extension points in public machine locations, where user publishing places extension points in user locations. For example a shortcut that is created on the desktop and published globally will result in the file data for the shortcut (%Public%\\Desktop) and the registry data (HKLM\\Software\\Classes). The same shortcut would have file data (%UserProfile%\\Desktop) and registry data (HKCU\\Software\\Classes). + +Extension points are not all published the same way, where some extension points will require global publishing and others require sequencing on the specific operating system and architecture where they are delivered. Below is a table that describes these two key rules. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Virtual ExtensionRequires target OS SequencingRequires Global Publishing

    Shortcut

    File Type Association

    URL Protocols

    X

    AppPaths

    X

    COM Mode

    Software Client

    X

    Application Capabilities

    X

    X

    Context Menu Handler

    X

    X

    Drag-and-drop Handler

    X

    Data Object Handler

    X

    Property Sheet Handler

    X

    Infotip Handler

    X

    Column Handler

    X

    Shell Extensions

    X

    Browser Helper Object

    X

    X

    Active X Object

    X

    X

    + +  + +## Dynamic configuration processing + + +Deploying App-V packages to one machine or user is very simple. However, as organizations deploy AppV applications across business lines and geographic and political boundaries, the ability to sequence an application one time with one set of settings becomes impossible. App-V was designed for this scenario, as it captures specific settings and configurations during sequencing in the Manifest file, but also supports modification with Dynamic Configuration files. + +App-V dynamic configuration allows for specifying a policy for a package either at the machine level or at the user level. The Dynamic Configuration files enable sequencing engineers to modify the configuration of a package, post-sequencing, to address the needs of individual groups of users or machines. In some instances it may be necessary to make modifications to the application to provide proper functionality within the App-V environment. For example, it may be necessary to make modifications to the \_\*config.xml files to allow certain actions to be performed at a specified time during the execution of the application, like disabling a mailto extension to prevent a virtualized application from overwriting that extension from another application. + +App-V Packages contain the Manifest file inside of the appv package file, which is representative of sequencing operations and is the policy of choice unless Dynamic Configuration files are assigned to a specific package. Post-sequencing, the Dynamic Configuration files can be modified to allow the publishing of an application to different desktops or users with different extension points. The two Dynamic Configuration Files are the Dynamic Deployment Configuration (DDC) and Dynamic User Configuration (DUC) files. This section focuses on the combination of the manifest and dynamic configuration files. 
+ +### Example for dynamic configuration files + +The example below shows the combination of the Manifest, Deployment Configuration and User Configuration files after publishing and during normal operation. These examples are abbreviated examples of each of the files. The purpose is show the combination of the files only and not to be a complete description of the specific categories available in each of the files. For more information review the App-V Sequencing Guide at: [http://go.microsoft.com/fwlink/?LinkID=269810](http://go.microsoft.com/fwlink/?LinkID=269810). + +**Manifest** + +``` syntax + + + [{Common Programs}]\7-Zip\7-Zip File Manager.lnk + [{AppVPackageRoot}]\7zFM.exe + [{AppVPackageRoot}]\7zFM exe.O.ico + + +``` + +**Deployment Configuration** + +``` syntax + + + + + + + + + + +``` + +**User Configuration** + +``` syntax + + + + + [{Desktop}]\7-Zip\7-Zip File Manager.lnk + [{AppVPackageRoot}]\7zFM.exe + [{AppVPackageRoot}]\7zFM exe.O.ico + + + + + + + + [{Desktop}]\7-Zip\7-Zip File Manager.lnk + [{AppVPackageRoot}]\7zFM.exe + [{AppVPackageRoot}]\7zFM.exe.O.ico + + + [{Common Programs}]\7-Zip\7-Zip File Manager.Ink + [{AppVPackageRoot}]\7zFM.exe + [{AppVPackageRoot)]\7zFM.exe.O.ico + + + + + + + + + + + + +``` + +## Side-by-side assemblies + + +App-V supports the automatic packaging of side-by-side (SxS) assemblies during sequencing and deployment on the client during virtual application publishing. App-V supports capturing SxS assemblies during sequencing for assemblies not present on the sequencing machine. And for assemblies consisting of Visual C++ (Version 8 and newer) and/or MSXML run-time, the Sequencer will automatically detect and capture these dependencies even if they were not installed during monitoring. 
The Side by Side assemblies feature removes the limitations of previous versions of App-V, where the App-V Sequencer did not capture assemblies already present on the sequencing workstation, and privatizing the assemblies which limited to one bit version per package. This behavior resulted in deployed App-V applications to clients missing the required SxS assemblies, causing application launch failures. This forced the packaging process to document and then ensure that all assemblies required for packages were locally installed on the user’s client operating system to ensure support for the virtual applications. Based on the number of assemblies and the lack of application documentation for the required dependencies, this task was both a management and implementation challenge. + +Side by Side Assembly support in App-V has the following features. + +- Automatic captures of SxS assembly during Sequencing, regardless of whether the assembly was already installed on the sequencing workstation. + +- The App-V Client automatically installs required SxS assemblies to the client computer at publishing time when they are not present. + +- The Sequencer reports the VC run-time dependency in Sequencer reporting mechanism. + +- The Sequencer allows opting to not package the assemblies that are already installed on the Sequencer, supporting scenarios where the assemblies have previously been installed on the target computers. + +### Automatic publishing of SxS assemblies + +During publishing of an App-V package with SxS assemblies the App-V Client will check for the presence of the assembly on the machine. If the assembly does not exist, the client will deploy the assembly to the machine. Packages that are part of connection groups will rely on the Side by Side assembly installations that are part of the base packages, as the connection group does not contain any information about assembly installation. 
+ +> [!NOTE] +> Unpublishing or removing a package with an assembly does not remove the assemblies for that package. + +  + +## Client logging + + +The App-V client logs information to the Windows Event log in standard ETW format. The specific App-V events can be found in the event viewer, under Applications and Services Logs\\Microsoft\\AppV\\Client. + +There are three specific categories of events recorded described below. + +**Admin**: Logs events for configurations being applied to the App-V Client, and contains the primary warnings and errors. + +**Operational**: Logs the general App-V execution and usage of individual components creating an audit log of the App-V operations that have been completed on the App-V Client. + +**Virtual Application**: Logs virtual application launches and use of virtualization subsystems. + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/manage/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/manage/appv-apply-the-deployment-configuration-file-with-powershell.md new file mode 100644 index 0000000000..5da620fe9f --- /dev/null +++ b/windows/manage/appv-apply-the-deployment-configuration-file-with-powershell.md 
@@ -0,0 +1,48 @@ +--- +title: How to Apply the Deployment Configuration File by Using PowerShell (Windows 10) +description: How to Apply the Deployment Configuration File by Using PowerShell +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Apply the Deployment Configuration File by Using PowerShell + + +The dynamic deployment configuration file is applied when a package is added or set to a computer running the App-V client before the package has been published. The file configures the default settings for package for all users on the computer running the App-V client. This section describes the steps used to use a deployment configuration file. The procedure is based on the following example and assumes the following package and configuration files exist on a computer: + +**c:\\Packages\\Contoso\\MyApp.appv** + +**c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml** + +**To Apply the Deployment Configuration File Using PowerShell** + +- To specify a new default set of configurations for all users who will run the package on a specific computer, using a PowerShell console type the following: + + **Add-AppVClientPackage –Path c:\\Packages\\Contoso\\MyApp.appv -DynamicDeploymentConfiguration c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml** + + **Note**   + This command captures the resulting object into $pkg. If the package is already present on the computer, the **Set-AppVclientPackage** cmdlet can be used to apply the deployment configuration document: + + **Set-AppVClientPackage –Name Myapp –Path c:\\Packages\\Contoso\\MyApp.appv -DynamicDeploymentConfiguration c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml** + +   + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). 
**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-apply-the-user-configuration-file-with-powershell.md b/windows/manage/appv-apply-the-user-configuration-file-with-powershell.md new file mode 100644 index 0000000000..b924e0df13 --- /dev/null +++ b/windows/manage/appv-apply-the-user-configuration-file-with-powershell.md 
@@ -0,0 +1,45 @@ +--- +title: How to Apply the User Configuration File by Using PowerShell (Windows 10) +description: How to Apply the User Configuration File by Using PowerShell +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Apply the User Configuration File by Using PowerShell + + +The dynamic user configuration file is applied when a package is published to a specific user and determines how the package will run. + +Use the following procedure to specify a user-specific configuration file. The following procedure is based on the example: + +**c:\\Packages\\Contoso\\MyApp.appv** + +**To apply a user Configuration file** + +1. To add the package to the computer using the PowerShell console type the following command: + + **Add-AppVClientPackage c:\\Packages\\Contoso\\MyApp.appv**. + +2. Use the following command to publish the package to the user and specify the updated the dynamic user configuration file: + + **Publish-AppVClientPackage $pkg –DynamicUserConfigurationPath c:\\Packages\\Contoso\\config.xml** + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-capacity-planning.md b/windows/manage/appv-capacity-planning.md new file mode 100644 index 0000000000..b41c87dd1b --- /dev/null +++ b/windows/manage/appv-capacity-planning.md 
@@ -0,0 +1,958 @@ +--- +title: App-V Capacity Planning (Windows 10) +description: App-V Capacity Planning +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# App-V Capacity Planning + + +The following recommendations can be used as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure. + +**Important**   +Use the information in this section only as a general guide for planning your App-V deployment. Your system capacity requirements will depend on the specific details of your hardware and application environment. Additionally, the performance numbers displayed in this document are examples and your results may vary. + +  + +## Determine the Project Scope + + +Before you design the App-V infrastructure, you must determine the project’s scope. The scope consists of determining which applications will be available virtually and to also identify the target users, and their locations. This information will help determine what type of App-V infrastructure should be implemented. Decisions about the scope of the project must be based on the specific needs of your organization. + + ++++ + + + + + + + + + + + + + + + + +
    TaskMore Information

    Determine Application Scope

    Depending on the applications to be virtualized, the App-V infrastructure can be set up in different ways. The first task is to define what applications you want to virtualize.

    Determine Location Scope

    Location scope refers to the physical locations (for example, enterprise-wide or a specific geographic location) where you plan to run the virtualized applications. It can also refer to the user population (for example, a single department) who will run the virtual applications. You should obtain a network map that includes the connection paths as well as available bandwidth to each location and the number of users using virtualized applications and the WAN link speed.

    + +  + +## Determine Which App-V Infrastructure is Required + + +**Important**   +Both of the following models require the App-V client to be installed on the computer where you plan to run virtual applications. + +You can also manage your App-V environment using an Electronic Software Distribution (ESD) solution such as Microsoft Systems Center Configuration Manager. For more information see [How to deploy App-V Packages Using Electronic Software Distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md). + +  + +- **Standalone Model** - The standalone model allows virtual applications to be Windows Installer-enabled for distribution without streaming. App-V in Standalone Mode consists of the sequencer and the client; no additional components are required. Applications are prepared for virtualization using a process called sequencing. For more information see, [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md). The stand-alone model is recommended for the following scenarios: + + - With disconnected remote users who cannot connect to the App-V infrastructure. + + - When you are running a software management system, such as Configuration Manager 2012. + + - When network bandwidth limitations inhibit electronic software distribution. + +- **Full Infrastructure Model** - The full infrastructure model provides for software distribution, management, and reporting capabilities; it also includes the streaming of applications across the network. The App-V Full Infrastructure Model consists of one or more App-V management servers. The Management Server can be used to publish applications to all clients. The publishing process places the virtual application icons and shortcuts on the target computer. It can also stream applications to local users. 
For more information about installing the management server see, [Planning for the App-V Server Deployment](appv-planning-for-appv-server-deployment.md). The full infrastructure model is recommended for the following scenarios: + + **Important**   + The App-V full infrastructure model requires Microsoft SQL Server to store configuration data. For more information see [App-V Supported Configurations](appv-supported-configurations.md). + +   + + - When you want to use the Management Server to publish the application to target computers. + + - For rapid provisioning of applications to target computers. + + - When you want to use App-V reporting. + +## End-to-end Server Sizing Guidance + + +The following section provides information about end-to-end App-V sizing and planning. For more specific information, refer to the subsequent sections. + +**Note**   +Round trip response time on the client is the time taken by the computer running the App-V client to receive a successful notification from the publishing server. Round trip response time on the publishing server is the time taken by the computer running the publishing server to receive a successful package metadata update from the management server. + +  + +- 20,000 clients can target a single publishing server to obtain the package refreshes in an acceptable round trip time. (<3 seconds) + +- A single management server can support up to 50 publishing servers for package metadata refreshes in an acceptable round trip time. (<5 seconds) + +## App-V Management Server Capacity Planning Recommendations + + +The App-V publishing servers require the management server for package refresh requests and package refresh responses. The management server then sends the information to the management database to retrieve information. For more information about App-V management server supported configurations see [App-V Supported Configurations](appv-supported-configurations.md). 
+ +**Note**   +The default refresh time on the App-V publishing server is ten minutes. + +  + +When multiple simultaneous publishing servers contact a single management server for package metadata refreshes, the following three factors influence the round trip response time on the publishing server: + +1. Number of publishing servers making simultaneous requests. + +2. Number of connection groups configured on the management server. + +3. Number of access groups configured on the management server. + +The following table displays more information about each factor that impacts round trip time. + +**Note**   +Round trip response time is the time taken by the computer running the App-V publishing server to receive a successful package metadata update from the management server. + +  + + ++++ + + + + + + + + + + + + + + + + + + + + +
    Factors impacting round trip response timeMore Information

    The number of publishing servers simultaneously requesting package metadata refreshes.

    +
      +
    • A single management server can respond to up to 320 publishing servers requesting publishing metadata simultaneously.

    • +
    • Round trip response time for 320 pub servers is ~40 seconds.

    • +
    • For <50 publishing servers requesting metadata simultaneously, the round trip response time is <5 seconds.

    • +
    • From 50 to 320 publishing servers, the response time increases linearly (approximately 2x).

    • +

    The number of connection groups configured on the management server.

    +

    +
      +
    • For up to 100 connection groups, there is no significant change in the round trip response time on the publishing server.

    • +
    • For 100 - 400 connection groups, there is a minor linear increase in the round trip response time.

    • +

    The number of access groups configured on the management server.

    +

    +
      +
    • For up to 40 access groups, there is a linear (approximately 3x) increase in the round trip response time on the publishing server.

    • +
    + +  + +The following table displays sample values for each of the previous factors. In each variation, 120 packages are refreshed from the App-Vmanagement server. + + ++++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ScenarioVariationNumber of connection groupsNumber of access groupsNumber of publishing serversNetwork connection type publishing server / management serverRound trip response time on the publishing server (in seconds)CPU utilization on management server

    Publishing servers simultaneously contacting management server for publishing metadata.

    Number of publishing servers

    +
      +
    • 0

    • +
    • 0

    • +
    • 0

    • +
    • 0

    • +
    • 0

    • +
    • 0

    • +

    +
      +
    • 1

    • +
    • 1

    • +
    • 1

    • +
    • 1

    • +
    • 1

    • +
    • 1

    • +

    +
      +
    • 50

    • +
    • 100

    • +
    • 200

    • +
    • 300

    • +
    • 315

    • +
    • 320

    • +

    +
      +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +

    +
      +
    • 5

    • +
    • 10

    • +
    • 19

    • +
    • 32

    • +
    • 30

    • +
    • 37

    • +

    +
      +
    • 17

    • +
    • 17

    • +
    • 17

    • +
    • 15

    • +
    • 17

    • +
    • 15

    • +

    Publishing metadata contains connection groups

    Number of connection groups

    +
      +
    • 10

    • +
    • 50

    • +
    • 100

    • +
    • 150

    • +
    • 300

    • +
    • 400

    • +

    +
      +
    • 1

    • +
    • 1

    • +
    • 1

    • +
    • 1

    • +
    • 1

    • +
    • 1

    • +

    +
      +
    • 100

    • +
    • 100

    • +
    • 100

    • +
    • 100

    • +
    • 100

    • +
    • 100

    • +

    +
      +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +

    +
      +
    • 10

    • +
    • 11

    • +
    • 11

    • +
    • 16

    • +
    • 22

    • +
    • 25

    • +

    +
      +
    • 17

    • +
    • 19

    • +
    • 22

    • +
    • 19

    • +
    • 20

    • +
    • 20

    • +

    Publishing metadata contains access groups

    Number of access groups

    +
      +
    • 0

    • +
    • 0

    • +
    • 0

    • +
    • 0

    • +

    +
      +
    • 1

    • +
    • 10

    • +
    • 20

    • +
    • 40

    • +

    +
      +
    • 100

    • +
    • 100

    • +
    • 100

    • +
    • 100

    • +

    +
      +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +

    +
      +
    • 10

    • +
    • 43

    • +
    • 153

    • +
    • 535

    • +

    +
      +
    • 17

    • +
    • 26

    • +
    • 24

    • +
    • 24

    • +
    + +  + +The CPU utilization of the computer running the management server is around 25% irrespective of the number of publishing servers targeting it. The Microsoft SQL Server database transactions/sec, batch requests/sec and user connections are identical irrespective of the number of publishing servers. For example: Transactions/sec is ~30, batch requests ~200, and user connects ~6. + +Using a geographically distributed deployment, where the management server & publishing servers utilize a slow link network between them, the round trip response time on the publishing servers is within acceptable time limits (<5 seconds), even for 100 simultaneous requests on a single management server. + + ++++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ScenarioVariationNumber of connection groupsNumber of access groupsNumber of publishing serversNetwork connection type publishing server / management serverRound trip response time on the publishing server (in seconds)CPU utilization on management server

    Network connection between the publishing server and management server

    1.5 Mbps Slow link Network

    +
      +
    • 0

    • +
    • 0

    • +

    +
      +
    • 1

    • +
    • 1

    • +

    +
      +
    • 50

    • +
    • 100

    • +

    +
      +
    • 1.5Mbps Cable DSL

    • +
    • 1.5Mbps Cable DSL

    • +

    +
      +
    • 4

    • +
    • 5

    • +

    +
      +
    • 1

    • +
    • 2

    • +

    Network connection between the publishing server and management server

    LAN / WIFI Network

    +
      +
    • 0

    • +
    • 0

    • +

    +
      +
    • 1

    • +
    • 1

    • +

    +
      +
    • 100

    • +
    • 200

    • +

    +
      +
    • Wifi

    • +
    • Wifi

    • +

    +
      +
    • 11

    • +
    • 20

    • +

    +
      +
    • 15

    • +
    • 17

    • +
    + +  + +Whether the management server and publishing servers are connected over a slow link network, or a high speed network, the management server can handle approximately 15,000 package refresh requests in 30 minutes. + +## App-V Reporting Server Capacity Planning Recommendations + + +App-V clients send reporting data to the reporting server. The reporting server then records the information in the Microsoft SQL Server database and returns a successful notification back to the computer running App-V client. For more information about App-V Reporting Server supported configurations see [App-V Supported Configurations](appv-supported-configurations.md). + +**Note**   +Round trip response time is the time taken by the computer running the App-V client to send the reporting information to the reporting server and receive a successful notification from the reporting server. + +  + + ++++ + + + + + + + + + + + + + + + + + + + + +
    ScenarioSummary

    Multiple App-V clients send reporting information to the reporting server simultaneously.

    +
      +
    • Round trip response time from the reporting server is 2.6 seconds for 500 clients.

    • +
    • Round trip response time from the reporting server is 5.65 seconds for 1000 clients.

    • +
    • Round trip response time increases linearly depending on number of clients.

    • +

    Requests per second processed by the reporting server.

    +

    +
      +
    • A single reporting server and a single database, can process a maximum of 139 requests per second. The average is 121 requests/second.

    • +
    • Using two reporting servers reporting to the same Microsoft SQL Server database, the average requests/second is similar to a single reporting server = ~127, with a max of 278 requests/second.

    • +
    • A single reporting server can process 500 concurrent/active connections.

    • +
    • A single reporting server can process a maximum 1500 concurrent connections.

    • +

    Reporting Database.

    +

    +
      +
    • Lock contention on the computer running Microsoft SQL Server is the limiting factor for requests/second.

    • +
    • Throughput and response time are independent of database size.

    • +
    + +  + +**Calculating random delay**: + +The random delay specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between **0** and **ReportingRandomDelay** and will wait the specified duration before sending data. + +Random delay = 4 \* number of clients / average requests per second. + +Example: For 500 clients, with 120 requests per second, the Random delay is, 4 \* 500 / 120 = ~17 minutes. + +## App-V Publishing Server Capacity Planning Recommendations + + +Computers running the App-V client connect to the App-V publishing server to send a publishing refresh request and to receive a response. Round trip response time is measured on the computer running the App-V client. Processor time is measured on the publishing server. For more information about App-V Publishing Server supported configurations see [App-V Supported Configurations](appv-supported-configurations.md). + +**Important**   +The following list displays the main factors to consider when setting up the App-V publishing server: + +- The number of clients connecting simultaneously to a single publishing server. + +- The number of packages in each refresh. + +- The available network bandwidth in your environment between the client and the App-V publishing server. + +  + + ++++ + + + + + + + + + + + + + + + + + + + + +
    ScenarioSummary

    Multiple App-V clients connect to a single publishing server simultaneously.

    +
      +
    • A publishing server running dual core processors can respond to at most 5000 clients requesting a refresh simultaneously.

    • +
    • For 5000-10000 clients, the publishing server requires a minimum quad core.

    • +
    • For 10000-20000 clients, the publishing server should have dual quad cores for more efficient response times.

    • +
    • A publishing server with a quad core can refresh up to 10000 packages within 3 seconds. (Supporting 10000 simultaneous clients)

    • +

    Number of packages in each refresh.

    +

    +
      +
    • Increasing number of packages will increase response time by ~40% (up to 1000 packages).

    • +

    Network between the App-V client and the publishing server.

    +

    +
      +
    • Across a slow network (1.5 Mbps bandwidth), there is a 97% increase in response time compared to LAN (up to 1000 users).

    • +
    + +  + +**Note**   +The publishing server CPU usage is always high during the time interval when it has to process simultaneous requests (>90% in most cases). The publishing server can handle ~1500 client requests in 1 second. + +  + + ++++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ScenarioVariationNumber of App-V clientsNumber of packagesProcessor configuration on the publishing serverNetwork connection type publishing server / App-V clientRound trip time on the App-V client (in seconds)CPU utilization on publishing server (in %)

    App-V client sends publishing refresh request & receives response, each request containing 120 packages

    Number of clients

    +
      +
    • 100

    • +
    • 1000

    • +
    • 5000

    • +
    • 10000

    • +

    +
      +
    • 120

    • +
    • 120

    • +
    • 120

    • +
    • 120

    • +

    +
      +
    • Dual Core

    • +
    • Dual Core

    • +
    • Quad Core

    • +
    • Quad Core

    • +

    +
      +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +

    +
      +
    • 1

    • +
    • 2

    • +
    • 2

    • +
    • 3

    • +

    +
      +
    • 100

    • +
    • 99

    • +
    • 89

    • +
    • 77

    • +

    Multiple packages in each refresh

    Number of packages

    +
      +
    • 1000

    • +
    • 1000

    • +

    +
      +
    • 500

    • +
    • 1000

    • +

    +
      +
    • Quad Core

    • +
    • Quad Core

    • +

    +
      +
    • LAN

    • +
    • LAN

    • +

    +
      +
    • 2

    • +
    • 3

    • +

    +
      +
    • 92

    • +
    • 91

    • +

    Network between client and publishing server

    1.5 Mbps Slow link network

    +
      +
    • 100

    • +
    • 500

    • +
    • 1000

    • +

    +
      +
    • 120

    • +
    • 120

    • +
    • 120

    • +

    +
      +
    • Quad Core

    • +
    • Quad Core

    • +
    • Quad Core

    • +

    +
      +
    • 1.5 Mbps Intra-Continental Network

    • +

    +
      +
    • 3

    • +
    • 10 (with 0.2% failure rate)

    • +
    • 17 (with 1% failure rate)

    • +

    + +  + +## App-V Streaming Capacity Planning Recommendations + + +Computers running the App-V client stream the virtual application package from the streaming server. Round trip response time is measured on the computer running the App-V client, and is the time taken to stream the entire package. + +**Important**   +The following list identifies the main factors to consider when setting up the App-V streaming server: + +- The number of clients streaming application packages simultaneously from a single streaming server. + +- The size of the package being streamed. + +- The available network bandwidth in your environment between the client and the streaming server. + +  + + ++++ + + + + + + + + + + + + + + + + + + + + +
    ScenarioSummary

    Multiple App-V clients stream applications from a single streaming server simultaneously.

    +
      +
    • If the number of clients simultaneously streaming from the same server increases, there is a linear relationship with the package download/streaming time.

    • +

    Size of the package being streamed.

    +

    +
      +
    • The package size has a significant impact on the streaming/download time only for larger packages with a size ~ 1GB. For package sizes ranging from 3 MB to 100 MB, the streaming time ranges from 20 seconds to 100 seconds, with 100 simultaneous clients.

    • +

    Network between the App-V client and the streaming server.

    +

    +
      +
    • Across a slow network (1.5 Mbps bandwidth), there is a 70-80% increase in response time compared to LAN (up to 100 users).

    • +
    + +  + +The following table displays sample values for each of the factors in the previous list: + + ++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ScenarioVariationNumber of App-V clientsSize of each packageNetwork connection type streaming server / App-V clientRound trip time on the App-V client (in seconds)

    Multiple App-V clients streaming virtual application packages from a streaming server.

    Number of clients.

    +
      +
    • 100

    • +
    • 200

    • +
    • 1000

    • +
    • +
    • 100

    • +
    • 200

    • +
    • 1000

    • +

    +
      +
    • 3.5 MB

    • +
    • 3.5 MB

    • +
    • 3.5 MB

    • +
    • +
    • 5 MB

    • +
    • 5 MB

    • +
    • 5 MB

    • +

    +
      +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +
    • +
    • LAN

    • +
    • LAN

    • +
    • LAN

    • +

    +
      +
    • 29

    • +
    • 39

    • +
    • 391

    • +
    • +
    • 35

    • +
    • 68

    • +
    • 461

    • +

    Size of each package being streamed.

    Size of each package.

    +
      +
    • 100

    • +
    • 200

    • +
    • +
    • 100

    • +
    • 200

    • +

    +
      +
    • 21 MB

    • +
    • 21 MB

    • +
    • +
    • 109

    • +
    • 109

    • +

    +
      +
    • LAN

    • +
    • LAN

    • +
    • +
    • LAN

    • +
    • LAN

    • +

    +

    33

    +

    83

    +

    +

    100

    +

    160

    Network connection between client and App-V streaming server.

    1.5 Mbps Slow link network.

    +
      +
    • 100

    • +
    • +
    • 100

    • +

    +
      +
    • 3.5 MB

    • +
    • +
    • 5 MB

    • +

    +
      +
    • 1.5 Mbps Intra-Continental Network

    • +

    +

    102

    +

    +

    121

    + +  + +Each App-V streaming server should be able to handle a minimum of 200 clients concurrently streaming virtualized applications. + +**Note**   +The actual time to it will take to stream is determined primarily by the number of clients streaming simultaneously, number of packages, package size, the server’s network activity, and network conditions. + +  + +For example, an average user can stream a 100 MB package in less than 2 minutes, when 100 simultaneous clients are streaming from the server. However, a package of size 1 GB could take up to 30 minutes. In most real world environments streaming demand is not uniformly distributed, you will need to understand the approximate peak streaming requirements present in your environment in order to properly size the number of required streaming servers. + +The number of clients a streaming server can support can be significantly increased and the peak streaming requirements reduced if you pre-cache your applications. You can also increase the number of clients a streaming server can support by using on-demand streaming delivery and stream optimized packages. + +## Combining App-V Server Roles + + +Discounting scaling and fault-tolerance requirements, the minimum number of servers needed for a location with connectivity to Active Directory is one. This server will host the management server, management server service, and Microsoft SQL Server roles. Server roles, therefore, can be arranged in any desired combination since they do not conflict with one another. + +Ignoring scaling requirements, the minimum number of servers necessary to provide a fault-tolerant implementation is four. The management server, and Microsoft SQL Server roles support being placed in fault-tolerant configurations. The management server service can be combined with any of the roles, but remains a single point of failure. 
+ +Although there are a number of fault-tolerance strategies and technologies available, not all are applicable to a given service. Additionally, if App-V roles are combined, certain fault-tolerance options may no longer apply due to incompatibilities. + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[App-V Supported Configurations](appv-supported-configurations.md) + +[Planning for High Availability with App-V](appv-planning-for-high-availability-with-appv.md) + +[Planning to Deploy App-V](appv-planning-to-deploy-appv.md) + +  + +  + + + + + diff --git a/windows/manage/appv-client-configuration-settings.md b/windows/manage/appv-client-configuration-settings.md new file mode 100644 index 0000000000..93b6745d4e --- /dev/null +++ b/windows/manage/appv-client-configuration-settings.md 
@@ -0,0 +1,113 @@ +--- +title: About Client Configuration Settings (Windows 10) +description: About Client Configuration Settings +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# About Client Configuration Settings + +The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. You can gather some useful information about the client if you understand the format of data in the registry. You can also configure many client actions by changing registry entries. This topic lists the App-V Client configuration settings and explains their uses. You can use PowerShell to modify the client configuration settings. For more information about using PowerShell and App-V see [Administering App-V by Using PowerShell](appv-administering-appv-with-powershell.md). + + + +## App-V Client Configuration Settings: Windows PowerShell + +The following table provides information about App-V client configuration settings that can be configured through Windows PowerShell cmdlets: + +| **Name of option in Windows PowerShell**
    Type | Description | Cmdlet or cmdlets for setting | Disabled Policy State Keys and Values | +|------------|------------|------------|------------| +| **PackageInstallationRoot**
    String | Specifies directory where all new applications and updates will be installed. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **PackageSourceRoot**
    String | Overrides source location for downloading package content. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **AllowHighCostLaunch**
    True (enabled); False (Disabled state) | This setting controls whether virtualized applications are launched on Windows 10 machines connected via a metered network connection (For example, 4G). | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | 0 | +| **ReestablishmentRetries**
    Integer (0-99) | Specifies the number of times to retry a dropped session. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **ReestablishmentInterval**
    Integer (0-3600) | Specifies the number of seconds between attempts to reestablish a dropped session. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **LocationProvider**
    String | Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **CertFilterForClientSsl**
    String | Specifies the path to a valid certificate in the certificate store. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **VerifyCertificateRevocationList**
    True(enabled); False(Disabled state) | Verifies Server certificate revocation status before steaming using HTTPS. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | 0 | +| **SharedContentStoreMode**
    True(enabled); False(Disabled state) | Specifies that streamed package contents will be not be saved to the local hard disk. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | 0 | +| **Name**
    String | Displays the name of publishing server. | Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **URL**
    String | Displays the URL of publishing server. | Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **GlobalRefreshEnabled**
    True(enabled); False(Disabled state) | Enables global publishing refresh (Boolean) | Set-AppvPublishingServer | False | +| **GlobalRefreshOnLogon**
    True(enabled); False(Disabled state) | Triggers a global publishing refresh on logon. ( Boolean) | Set-AppvPublishingServer | False | +| **GlobalRefreshInterval**
    Integer (0-744) | Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. | Set-AppvPublishingServer | 0 | +| **GlobalRefreshIntervalUnit**
    0 for hour, 1 for day | Specifies the interval unit (Hour 0-23, Day 0-31). | Set-AppvPublishingServer | 1 | +| **UserRefreshEnabled**
    True(enabled); False(Disabled state) | Enables user publishing refresh (Boolean) | Set-AppvPublishingServer | False | +| **UserRefreshOnLogon**
    True(enabled); False(Disabled state) | Triggers a user publishing refresh onlogon. ( Boolean)Word count (with spaces): 60 | Set-AppvPublishingServer | False | +| **UserRefreshInterval**
    Word count (with spaces): 85Integer (0-744 Hours) | Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. | Set-AppvPublishingServer | 0 | +| **UserRefreshIntervalUnit**
    0 for hour, 1 for day | Specifies the interval unit (Hour 0-23, Day 0-31). | Set-AppvPublishingServer | 1 | +| **MigrationMode**
    True(enabled state); False (disabled state) | Migration mode allows the App-V client to modify shortcuts and FTA’s for packages created using a previous version of App-V. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | | +| **EnablePackageScripts**
    True(enabled); False(Disabled state) | Enables scripts defined in the package manifest of configuration files that should run. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | | +| **RoamingFileExclusions**
    String | Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /ROAMINGFILEEXCLUSIONS='desktop;my pictures' | Set-AppvClientConfiguration | | +| **RoamingRegistryExclusions**
    String | Specifies the registry paths that do not roam with a user profile. Example usage: /ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **IntegrationRootUser**
    String | Specifies the location to create symbolic links associated with the current version of a per-user published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. For example: %localappdata%\\Microsoft\\AppV\\Client\\Integration. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **IntegrationRootGlobal**
    String | Specifies the location to create symbolic links associated with the current version of a globally published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. For example: %allusersprofile%\\Microsoft\\AppV\\Client\\Integration | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **VirtualizableExtensions**
    String | A comma -delineated list of file name extensions that can be used to determine if a locally installed application can be run in the virtual environment. When shortcuts, FTAs, and other extension points are created during publishing, App-V will compare the file name extension to the list if the application that is associated with the extension point is locally installed. If the extension is located, the **RunVirtual** command line parameter will be added, and the application will run virtually. For more information about the **RunVirtual** parameter, see [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](https://microsoft.sharepoint.com/teams/osg_core_dcp/cpub/partner/Shared%20Documents/APPV&UEV-for-Windows-RS1/App-V/App-V%20updated%20topics%20from%20JAN%20-%20PM%20reviews/appv-running-locally-installed-applications-inside-a-virtual-environment.md). | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written | +| **ReportingEnabled**
    True (enabled); False (Disabled state) | Enables the client to return information to a reporting server. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | False | +| **ReportingServerURL**
    String | Specifies the location on the reporting server where client information is saved. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **ReportingDataCacheLimit**
    Integer \[0-1024\] | Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. Set between 0 and 1024. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **ReportingDataBlockSize**
    Integer \[1024 - Unlimited\] | Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **ReportingStartTime**
    Integer (0 – 23) | Specifies the time to initiate the client to send data to the reporting server. You must specify a valid integer between 0-23 corresponding to the hour of the day. By default the **ReportingStartTime** will start on the current day at 10 P.M.or 22.
    **Note** You should configure this setting to a time when computers running the App-V client are least likely to be offline. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **ReportingInterval**
    Integer | Specifies the retry interval that the client will use to resend data to the reporting server. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **ReportingRandomDelay**
    Integer \[0 - ReportingRandomDelay\] | Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and **ReportingRandomDelay** and will wait the specified duration before sending data. This can help to prevent collisions on the server. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Policy value not written (same as Not Configured) | +| **EnableDynamicVirtualization
    **1 (Enabled), 0 (Disabled) | Enables supported Shell Extensions, Browser Helper Objects, and Active X controls to be virtualized and run with virtual applications. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | | +| **EnablePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | Enables the publishing refresh progress bar for the computer running the App-V Client. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | | +| **HidePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | Hides the publishing refresh progress bar. | Sync-AppvPublishingServer | | +| **ProcessesUsingVirtualComponents**
    String | Specifies a list of process paths (that may contain wildcards), which are candidates for using dynamic virtualization (supported shell extensions, browser helper objects, and ActiveX controls). Only processes whose full path matches one of these items can use dynamic virtualization. | Set-AppvClientConfiguration,
    Set-AppvPublishingServer | Empty string. | + +## App-V Client Configuration Settings: Setup Flags and Registry Keys + +The following table provides information about App-V client configuration settings that can be configured through setup flags or in the registry: + +| **Setting name**
    Type | Setup Flag | Registry Key Value | Disabled Policy State Keys and Values | +|--------------------------------------------------------------------------------|---------------------------|-------------------------------------------------------------------------|---------------------------------------------------| +| **PackageInstallationRoot**
    String | PACKAGEINSTALLATIONROOT | Streaming\\PackageInstallationRoot | Policy value not written (same as Not Configured) | +| **PackageSourceRoot**
    String | PACKAGESOURCEROOT | Streaming\\PackageSourceRoot | Policy value not written (same as Not Configured) | +| **AllowHighCostLaunch**
    True (enabled); False (Disabled state) | Not available. | Streaming\\AllowHighCostLaunch | 0 | +| **ReestablishmentRetries**
    Integer (0-99) | Not available. | Streaming\\ReestablishmentRetries | Policy value not written (same as Not Configured) | +| **ReestablishmentInterval**
    Integer (0-3600) | Not available. | Streaming\\ReestablishmentInterval | Policy value not written (same as Not Configured) | +| **LocationProvider**
    String | Not available. | Streaming\\LocationProvider | Policy value not written (same as Not Configured) | +| **CertFilterForClientSsl**
    String | Not available. | Streaming\\CertFilterForClientSsl | Policy value not written (same as Not Configured) | +| **VerifyCertificateRevocationList**
    True(enabled); False(Disabled state) | Not available. | Streaming\\VerifyCertificateRevocationList | 0 | +| **SharedContentStoreMode**
    True(enabled); False(Disabled state) | SHAREDCONTENTSTOREMODE | Streaming\\SharedContentStoreMode | 0 | +| **Name**
    String | PUBLISHINGSERVERNAME | Publishing\\Servers{serverId}\\FriendlyName | Policy value not written (same as Not Configured) | +| **URL**
    String | PUBLISHINGSERVERURL | Publishing\\Servers{serverId}\\URL | Policy value not written (same as Not Configured) | +| **GlobalRefreshEnabled**
    True(enabled); False(Disabled state) | GLOBALREFRESHENABLED | Publishing\\Servers{serverId}\\GlobalEnabled | False | +| **GlobalRefreshOnLogon**
    True(enabled); False(Disabled state) | GLOBALREFRESHONLOGON | Publishing\\Servers{serverId}\\GlobalLogonRefresh | False | +| **GlobalRefreshInterval**
    Integer (0-744) | GLOBALREFRESHINTERVAL | Publishing\\Servers{serverId}\\GlobalPeriodicRefreshInterval | 0 | +| **GlobalRefreshIntervalUnit**
    0 for hour, 1 for day | GLOBALREFRESHINTERVALUNI | Publishing\\Servers{serverId}\\GlobalPeriodicRefreshIntervalUnit | 1 | +| **UserRefreshEnabled**
    True(enabled); False(Disabled state) | USERREFRESHENABLED | Publishing\\Servers{serverId}\\UserEnabled | False | +| **UserRefreshOnLogon**
    True(enabled); False(Disabled state) | USERREFRESHONLOGON | Publishing\\Servers{serverId}\\UserLogonRefresh | False | +| **UserRefreshInterval**
    Word count (with spaces): 85Integer (0-744 Hours) | USERREFRESHINTERVAL | Publishing\\Servers{serverId}\\UserPeriodicRefreshInterval | 0 | +| **UserRefreshIntervalUnit**
    0 for hour, 1 for day | USERREFRESHINTERVALUNIT | Publishing\\Servers{serverId}\\UserPeriodicRefreshIntervalUnit | 1 | +| **MigrationMode**
    True(enabled state); False (disabled state) | MIGRATIONMODE | Coexistence\\MigrationMode | | +| **EnablePackageScripts**
    True(enabled); False(Disabled state) | ENABLEPACKAGESCRIPTS | \\Scripting\\EnablePackageScripts | | +| **RoamingFileExclusions**
    String | ROAMINGFILEEXCLUSIONS | | | +| **RoamingRegistryExclusions**
    String | ROAMINGREGISTRYEXCLUSIONS | Integration\\RoamingReglstryExclusions | Policy value not written (same as Not Configured) | +| **IntegrationRootUser**
    String | Not available. | Integration\\IntegrationRootUser | Policy value not written (same as Not Configured) | +| **IntegrationRootGlobal**
    String | Not available. | Integration\\IntegrationRootGlobal | Policy value not written (same as Not Configured) | +| **VirtualizableExtensions**
    String | Not available. | Integration\\VirtualizableExtensions | Policy value not written | +| **ReportingEnabled**
    True (enabled); False (Disabled state) | Not available. | Reporting\\EnableReporting | False | +| **ReportingServerURL**
    String | Not available. | Reporting\\ReportingServer | Policy value not written (same as Not Configured) | +| **ReportingDataCacheLimit**
    Integer \[0-1024\] | Not available. | Reporting\\DataCacheLimit | Policy value not written (same as Not Configured) | +| **ReportingDataBlockSize**
    Integer \[1024 - Unlimited\] | Not available. | Reporting\\DataBlockSize | Policy value not written (same as Not Configured) | +| **ReportingStartTime**
    Integer (0 – 23) | Not available. | Reporting\\ StartTime | Policy value not written (same as Not Configured) | +| **ReportingInterval**
    Integer | Not available. | Reporting\\RetryInterval | Policy value not written (same as Not Configured) | +| **ReportingRandomDelay**
    Integer \[0 - ReportingRandomDelay\] | Not available. | Reporting\\RandomDelay | Policy value not written (same as Not Configured) | +| **EnableDynamicVirtualization
    **1 (Enabled), 0 (Disabled) | Not available. | HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\AppV\\Client\\Virtualization | | +| **EnablePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | Not available. | HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\AppV\\Client\\Publishing | | +| **HidePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | Not available. | | | +| **ProcessesUsingVirtualComponents**
    String | Not available. | Virtualization\\ProcessesUsingVirtualComponents | Empty string. | + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + +[Deploying the App-V Sequencer and Client](appv-deploying-the-appv-sequencer-and-client.md) + +[How to Modify App-V Client Configuration Using the ADMX Template and Group Policy](appv-modify-client-configuration-with-the-admx-template-and-group-policy.md) diff --git a/windows/manage/appv-configure-access-to-packages-with-the-management-console.md b/windows/manage/appv-configure-access-to-packages-with-the-management-console.md new file mode 100644 index 0000000000..b2c55b2ab7 --- /dev/null +++ b/windows/manage/appv-configure-access-to-packages-with-the-management-console.md 
@@ -0,0 +1,72 @@ +--- +title: How to Configure Access to Packages by Using the Management Console (Windows 10) +description: How to Configure Access to Packages by Using the Management Console +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Configure Access to Packages by Using the Management Console + + +Before you deploy an App-V virtualized package, you must configure the Active Directory Domain Services (AD DS) security groups that will be allowed to access and run the applications. The security groups may contain computers or users. Entitling a package to a computer group publishes the package globally to all computers in the group. + +Use the following procedure to configure access to virtualized packages. + +**To grant access to an App-V package** + +1. Find the package you want to configure: + + 1. Open the App-V Management console. + + 2. To display the **AD ACCESS** page, right-click the package to be configured, and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane. + +2. Provision a security group for the package: + + 1. Go to the **FIND VALID ACTIVE DIRECTORY NAMES AND GRANT ACCESS** page. + + 2. Using the format **mydomain** \\ **groupname**, type the name or part of the name of an Active Directory group object, and click **Check**. + + **Note**   + Ensure that you provide an associated domain name for the group that you are searching for. + +   + +3. To grant access to the package, select the desired group and click **Grant Access**. The newly added group is displayed in the **AD ENTITIES WITH ACCESS** pane. + +4. + + To accept the default configuration settings and close the **AD ACCESS** page, click **Close**. + + To customize configurations for a specific group, click the **ASSIGNED CONFIGURATIONS** drop-down and select **Custom**. 
To configure the custom configurations, click **EDIT**. After you grant access, click **Close**. + +**To remove access to an App-V package** + +1. Find the package you want to configure: + + 1. Open the App-V Management console. + + 2. To display the **AD ACCESS** page, right-click the package to be configured, and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane. + +2. Select the group you want to remove, and click **DELETE**. + +3. To close the **AD ACCESS** page, click **Close**. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/manage/appv-configure-connection-groups-to-ignore-the-package-version.md new file mode 100644 index 0000000000..d05ca6113b --- /dev/null +++ b/windows/manage/appv-configure-connection-groups-to-ignore-the-package-version.md 
@@ -0,0 +1,104 @@ +--- +title: How to Make a Connection Group Ignore the Package Version (Windows 10) +description: How to Make a Connection Group Ignore the Package Version +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Make a Connection Group Ignore the Package Version + + +Microsoft Application Virtualization (App-V) lets you configure a connection group to use any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create. + +To upgrade a package in some earlier versions of App-V, you had to perform several steps, including disabling the connection group and modifying the connection group’s XML definition file. + + ++++ + + + + + + + + + + + + +
    Task description with App-VHow to perform the task with App-V

    You can configure a connection group to accept any version of a package, which enables you to upgrade the package without having to disable the connection group.

    +

    How the feature works:

    +
      +
    • If the connection group has access to multiple versions of a package, the latest version is used.

    • +
    • If the connection group contains an optional package that has an incorrect version, the package is ignored and won’t block the connection group’s virtual environment from being created.

    • +
    • If the connection group contains a non-optional package that has an incorrect version, the connection group’s virtual environment cannot be created.

    • +
    ++++ + + + + + + + + + + + + + + + + +
    MethodSteps

    App-V Server – Management Console

      +
    1. In the Management Console, select CONNECTION GROUPS.

    2. +
    3. Select the correct connection group from the Connection Groups library.

    4. +
    5. Click EDIT in the CONNECTED PACKAGES pane.

    6. +
    7. Select Use Any Version check box next to the package name, and click Apply.

    8. +
    +

    For more about adding or upgrading packages, see [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md).

    App-V Client on a Stand-alone computer

      +
    1. Create the connection group XML document.

    2. +
    3. For the package to be upgraded, set the Package tag attribute VersionID to an asterisk (*).

    4. +
    5. Use the following cmdlet to add the connection group, and include the path to the connection group XML document:

      +

      Add-AppvClientConnectionGroup

    6. +
    7. When you upgrade a package, use the following cmdlets to remove the old package, add the upgraded package, and publish the upgraded package:

      +
        +
      • RemoveAppvClientPackage

      • +
      • Add-AppvClientPackage

      • +
      • Publish-AppvClientPackage

      • +
    8. +
    +

    For more information, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md).

    +
    +

     

    + +  + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Managing Connection Groups](appv-managing-connection-groups.md) + +  + +  + + + + + diff --git a/windows/manage/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/manage/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md new file mode 100644 index 0000000000..f3d3469885 --- /dev/null +++ b/windows/manage/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md 
@@ -0,0 +1,82 @@ +--- +title: How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server (Windows 10) +description: How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server + + +Deploying packages and connection groups using the App-V publishing server is helpful because it offers single-point management and high scalability. + +Use the following steps to configure the App-V client to receive updates from the publishing server. + +**Note**   +For the following procedures the management server was installed on a computer named **MyMgmtSrv**, and the publishing server was installed on a computer named **MyPubSrv**. + +  + +**To configure the App-V client to receive updates from the publishing server** + +1. Deploy the App-V management and publishing servers, and add the required packages and connection groups. For more information about adding packages and connection groups, see [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md) and [How to Create a Connection Group](appv-create-a-connection-group.md). + +2. To open the management console click the following link, open a browser and type the following: http://MyMgmtSrv/AppvManagement/Console.html in a web browser, and import, publish, and entitle all the packages and connection groups which will be necessary for a particular set of users. + +3. On the computer running the App-V client, open an elevated PowerShell command prompt, run the following command: + + **Add-AppvPublishingServer  -Name  ABC  -URL  http:// MyPubSrv/AppvPublishing** + + This command will configure the specified publishing server. 
You should see output similar to the following: + + Id                        : 1 + + SetByGroupPolicy          : False + + Name                      : ABC + + URL                       : http:// MyPubSrv/AppvPublishing + + GlobalRefreshEnabled      : False + + GlobalRefreshOnLogon      : False + + GlobalRefreshInterval     : 0 + + GlobalRefreshIntervalUnit : Day + + UserRefreshEnabled        : True + + UserRefreshOnLogon        : True + + UserRefreshInterval       : 0 + + UserRefreshIntervalUnit   : Day + + The returned Id – in this case 1 + +4. On the computer running the App-V client, open a PowerShell command prompt, and type the following command: + + **Sync-AppvPublishingServer  -ServerId  1** + + The command will query the publishing server for the packages and connection groups that need to be added or removed for this particular client based on the entitlements for the packages and connection groups as configured on the management server. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-connect-to-the-management-console.md b/windows/manage/appv-connect-to-the-management-console.md new file mode 100644 index 0000000000..ff0f1cc327 --- /dev/null +++ b/windows/manage/appv-connect-to-the-management-console.md 
@@ -0,0 +1,27 @@ +--- +title: How to Connect to the Management Console (Windows 10) +description: How to Connect to the Management Console +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# How to Connect to the Management Console + +Use the following procedure to connect to the App-V Management Console. + +**To connect to the App-V Management Console** + +1. Open Internet Explorer browser and type the address for the App-V. For example, **http://\<_management server name_\>:\<_management service port number_\>/console.html**. + +2. To view different sections of the console, click the desired section in the navigation pane. + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + +- [Operations for App-V](appv-operations.md) diff --git a/windows/manage/appv-connection-group-file.md b/windows/manage/appv-connection-group-file.md new file mode 100644 index 0000000000..cf82d7392b --- /dev/null +++ b/windows/manage/appv-connection-group-file.md 
@@ -0,0 +1,292 @@ +--- +title: About the Connection Group File (Windows 10) +description: About the Connection Group File +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# About the Connection Group File + + +**In this topic:** + +- [Connection group file purpose and location](#bkmk-cg-purpose-loc) + +- [Structure of the connection group XML file](#bkmk-define-cg-5-0sp3) + +- [Configuring the priority of packages in a connection group](#bkmk-config-pkg-priority-incg) + +- [Supported virtual application connection configurations](#bkmk-va-conn-configs) + +## Connection group file purpose and location + + + ++++ + + + + + + + + + + + + + + +

    Connection group purpose

    A connection group is an App-V feature that enables you to group packages together to create a virtual environment in which the applications in those packages can interact with each other.

    +

    Example: You want to use plug-ins with Microsoft Office. You can create a package that contains the plug-ins, and create another package that contains Office, and then add both packages to a connection group to enable Office to use those plug-ins.

    How the connection group file works

    When you apply an App-V connection group file, the packages that are enumerated in the file will be combined at runtime into a single virtual environment. Use the Microsoft Application Virtualization (App-V) connection group file to configure existing App-V connection groups.

    Example file path

    %APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\{6CCC7575-162E-4152-9407-ED411DA138F4}\{4D1E16E1-8EF8-41ED-92D5-8910A8527F96}.

    + +  + +## Structure of the connection group XML file + + +**In this section:** + +- [Parameters that define the connection group](#bkmk-params-define-cg) + +- [Parameters that define the packages in the connection group](#bkmk-params-define-pkgs-incg) + +- [App-V example connection group XML file](#bkmk-50sp3-exp-cg-xml) + +### Parameters that define the connection group + +The following table describes the parameters in the XML file that define the connection group itself, not the packages. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription

    Schema name

    Name of the schema.

    +

    If you want to use the “optional packages” and “use any version” features that are described in this table, you must specify the following schema in the XML file:

    +

    xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"

    AppConnectionGroupId

    Unique GUID identifier for this connection group. The connection group state is associated with this identifier. Specify this identifier only when you create the connection group.

    +

    You can create a new GUID by typing: [Guid]::NewGuid().

    VersionId

    Version GUID identifier for this version of the connection group.

    +

    When you update a connection group (for example, by adding or updating a new package), you must update the version GUID to reflect the new version.

    DisplayName

    Display name of the connection group.

    Priority

    Optional priority field for the connection group.

    +

    “0” - indicates the highest priority.

    +

    If a priority is required, but has not been configured, the package will fail because the correct connection group to use cannot be determined.

    + +  + +### Parameters that define the packages in the connection group + +In the <Packages> section of the connection group XML file, you list the member packages in the connection group by specifying each package’s unique package identifier and version identifier, as described in the following table. The first package in the list has the highest precedence. + + ++++ + + + + + + + + + + + + + + + + + + + + +
    FieldDescription

    PackageId

    Unique GUID identifier for this package. This GUID doesn’t change when newer versions of the package are published.

    VersionId

    Unique GUID identifier for the version of the package.

    +

    If you specify “*” for the package version, the GUID of the latest available package version is dynamically inserted.

    IsOptional

    Parameter that enables you to make a package optional within the connection group. Valid entries are:

    +
      +
    • “true” – package is optional in the connection group

    • +
    • “false” – package is required in the connection group

    • +
    +
    + +  + +### App-V example connection group XML file + +The following example connection group XML file shows examples of the fields in the previous tables. + +``` + + + + + + +``` + +## Configuring the priority of packages in a connection group + + +Package precedence is configured using the package list order. The first package in the document has the highest precedence. Subsequent packages in the list have descending priority. + +Package precedence is the resolution for otherwise inevitable resource collisions during virtual environment initialization. For example, if two packages that are opening in the same virtual environment define the same registry DWORD value, the package with the highest precedence determines the value that is set. + +You can use the connection group file to configure each connection group by using the following methods: + +- Specify runtime priorities for connection groups. To edit priority by using the App-V Management Console, click the connection group and then click **Edit**. + + **Note**   + Priority is required only if the package is associated with more than one connection group. + +   + +- Specify package precedence within the connection group. + +The priority field is required when a running virtual application initiates from a native application request, for example, Microsoft Windows Explorer. The App-V client uses the priority to determine which connection group virtual environment the application should run in. This situation occurs if a virtual application is part of multiple connection groups. + +If a virtual application is opened using another virtual application the virtual environment of the original virtual application will be used. The priority field is not used in this case. + +**Example:** + +The virtual application Microsoft Outlook is running in virtual environment **XYZ**. 
When you open an attached Microsoft Word document, a virtualized version Microsoft Word opens in the virtual environment **XYZ**, regardless of the virtualized Microsoft Word’s associated connection groups or runtime priorities. + +## Supported virtual application connection configurations + + + ++++ + + + + + + + + + + + + + + + + + + + + +
    ConfigurationExample scenario

    An. exe file and plug-in (.dll)

      +
    • You want to distribute Microsoft Office to all users, but distribute a Microsoft Excel plug-in to only a subset of users.

    • +
    • Enable the connection group for the appropriate users.

    • +
    • Update each package individually as required.

    • +

    An. exe file and a middleware application

      +
    • You have an application requires a middleware application, or several applications that all depend on the same middleware runtime version.

    • +
    • All computers that require one or more of the applications receive the connection groups with the application and middleware application runtime.

    • +
    • You can optionally combine multiple middleware applications into a single connection group.

      + ++++ + + + + + + + + + + + + + + + + +
      ExampleExample description

      Virtual application connection group for the financial division

        +
      • Middleware application 1

      • +
      • Middleware application 2

      • +
      • Middleware application 3

      • +
      • Middleware application runtime

      • +

      Virtual application connection group for HR division

        +
      • Middleware application 5

      • +
      • Middleware application 6

      • +
      • Middleware application runtime

      • +
      +

       

    • +

    An. exe file and an .exe file

    You have an application that relies on another application, and you want to keep the packages separate for operational efficiencies, licensing restrictions, or rollout timelines.

    +

    Example:

    +

    If you are deploying Microsoft Lync 2010, you can use three packages:

    +
      +
    • Microsoft Office 2010

    • +
    • Microsoft Communicator 2007

    • +
    • Microsoft Lync 2010

    • +
    +

    You can manage the deployment using the following connection groups:

    +
      +
    • Microsoft Office 2010 and Microsoft Communicator 2007

    • +
    • Microsoft Office 2010 and Microsoft Lync 2010

    • +
    +

    When the deployment has completed, you can either create a single new Microsoft Office 2010 + Microsoft Lync 2010 package, or keep and maintain them as separate packages and deploy them by using a connection group.

    + + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + +[Managing Connection Groups](appv-managing-connection-groups.md) diff --git a/windows/manage/appv-connection-group-virtual-environment.md b/windows/manage/appv-connection-group-virtual-environment.md new file mode 100644 index 0000000000..8b3a5e00fc --- /dev/null +++ b/windows/manage/appv-connection-group-virtual-environment.md 
@@ -0,0 +1,109 @@ +--- +title: About the Connection Group Virtual Environment (Windows 10) +description: About the Connection Group Virtual Environment +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# About the Connection Group Virtual Environment + + +**In this topic:** + +- [How package priority is determined](#bkmk-pkg-priority-deter) + +- [Merging identical package paths into one virtual directory in connection groups](#bkmk-merged-root-ve-exp) + +## How package priority is determined + + +The virtual environment and its current state are associated with the connection group, not with the individual packages. If an App-V package is removed from the connection group, the state that existed as part of the connection group will not migrate with the package. + +If the same package is a part of two different connection groups, you have to indicate which connection group App-V should use. For example, you might have two packages in a connection group that each define the same registry DWORD value. + +The connection group that is used is based on the order in which a package appears inside the **AppConnectionGroup** XML document: + +- The first package has the highest precedence. + +- The second package has the second highest precedence. + +Consider the following example section: + +``` syntax + +``` + +Assume that same DWORD value ABC (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region) is defined in the first and third package, such as: + +- Package 1 (A8731008-4523-4713-83A4-CD1363907160): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5 + +- Package 3 (04220DCA-EE77-42BE-A9F5-96FD8E8593F2): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=10 + +Since Package 1 appears first, the AppConnectionGroup's virtual environment will have the single DWORD value of 5 (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5). 
This means that the virtual applications in Package 1, Package 2, and Package 3 will all see the value 5 when they query for HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region. + +Other virtual environment resources are resolved similarly, but the usual case is that the collisions occur in the registry. + +## Merging identical package paths into one virtual directory in connection groups + + +If two or more packages in a connection group contain identical directory paths, the paths are merged into a single virtual directory inside the connection group virtual environment. This merging of paths allows an application in one package to access files that are in a different package. + +When you remove a package from a connection group, the applications in that removed package are no longer able to access files in the remaining packages in the connection group. + +The order in which App-V looks up a file’s name in the connection group is specified by the order in which the App-V packages are listed in the connection group manifest file. + +The following example shows the order and relationship of a file name lookup in a connection group for **Package A** and **Package B**. + + ++++ + + + + + + + + + + + + + + + + +
    Package APackage B

    C:\Windows\System32

    C:\Windows\System32

    C:\AppTest

    C:\AppTest

    + +  + +In the example above, when a virtualized application tries to find a specific file, Package A is searched first for a matching file path. If a matching path is not found, Package B is searched, using the following mapping rules: + +- If a file named **test.txt** exists in the same virtual folder hierarchy in both application packages, the first matching file is used. + +- If a file named **bar.txt** exists in the virtual folder hierarchy of one application package, but not in the other, the first matching file is used. + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Managing Connection Groups](appv-managing-connection-groups.md) + +  + +  + + + + + diff --git a/windows/manage/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/manage/appv-convert-a-package-created-in-a-previous-version-of-appv.md new file mode 100644 index 0000000000..6ef26859d9 --- /dev/null +++ b/windows/manage/appv-convert-a-package-created-in-a-previous-version-of-appv.md 
@@ -0,0 +1,61 @@ +--- +title: How to Convert a Package Created in a Previous Version of App-V (Windows 10) +description: How to Convert a Package Created in a Previous Version of App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Convert a Package Created in a Previous Version of App-V + +You can use the package converter utility to upgrade virtual application packages that have been created with previous versions of App-V. + +> [!NOTE] +> If you are running a computer with a 64-bit architecture, you must use the x86 version of Windows PowerShell. + +The package converter can only directly convert packages that were created by using the App-V 4.5 sequencer or later. Packages that were created using a version prior to App-V 4.5 must be upgraded to at least App-V 4.5 before conversion. + +The following information provides direction for converting existing virtual application packages. + +> [!IMPORTANT] +> You must configure the package converter to always save the package ingredients file to a secure location and directory. A secure location is accessible only by an administrator. Additionally, when you deploy the package, you should save the package to a location that is secure, or make sure that no other user is allowed to be logged in during the conversion process. + +## App-V 4.6 installation folder is redirected to virtual file system root + +When you convert packages from App-V 4.6 to App-V for Windows 10, the App-V for Windows 10 package can access the hardcoded drive that you were required to use when you created 4.6 packages. The drive letter will be the drive you selected as the installation drive on the 4.6 sequencing machine. (The default drive letter is Q:\\.) + +**Technical Details:** The App-V package converter will save the App-V 4.6 installation root folder and short folder names in the FilesystemMetadata.xml file in the Filesystem element. 
When the App-V for Windows 10 client creates the virtual process, it will map requests from the App-V 4.6 installation root to the virtual file system root. + +## Getting started + +1. Install the App-V Sequencer on a computer in your environment. For information about how to install the Sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md). + +2. The following cmdlets are available: + + - **Test-AppvLegacyPackage** – This cmdlet is designed to check packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in depth validation. For information about options and basic functionality for this cmdlet, using Windows PowerShell, type `Test-AppvLegacyPackage -?`. + + - **ConvertFrom-AppvLegacyPackage** – To convert an existing package, type `ConvertFrom-AppvLegacyPackage c:\contentStore c:\convertedPackages`. In this command, `c:\contentStore` represents the location of the existing package and `c:\convertedPackages` is the output directory to which the resulting App-V for Windows 10 virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used. + + Additionally, the package converter optimizes performance of packages in App-V for Windows 10 by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. + + > [!NOTE] + > Before you specify the output directory, you must create the output directory. + +### Advanced Conversion Tips + +- Piping - Windows PowerShell supports piping. Piping allows you to call `dir c:\contentStore\myPackage | Test-AppvLegacyPackage`. 
In this example, the directory object that represents `myPackage` will be given as input to the `Test-AppvLegacyPackage` command and bound to the `-Source` parameter. Piping like this is especially useful when you want to batch commands together; for example, `dir .\ | Test-AppvLegacyPackage | ConvertFrom-AppvLegacyAppvPackage -Target .\ConvertedPackages`. This piped command would test the packages and then pass those objects on to actually be converted. You can also apply a filter on packages without errors or only specify a directory which contains an **.sprj** file or pipe them to another cmdlet that adds the filtered package to the server or publishes them to the App-V client. + +- Batching - The Windows PowerShell command enables batching. More specifically, the cmdlets support taking a string\[\] object for the `-Source` parameter which represents a list of directory paths. This allows you to enter `$packages = dir c:\contentStore` and then call `ConvertFrom-AppvLegacyAppvPackage-Source $packages -Target c:\ConvertedPackages` or to use piping and call `dir c:\ContentStore | ConvertFrom-AppvLegacyAppvPackage -Target C:\ConvertedPackages`. + +- Other functionality - Windows PowerShell has other built-in functionality for features such as aliases, piping, lazy-binding, .NET object, and many others. All of these are usable in Windows PowerShell and can help you create advanced scenarios for the Package Converter. + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + +- [Operations for App-V](appv-operations.md) 
diff --git a/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md new file mode 100644 index 0000000000..fab3419e83 --- /dev/null +++ b/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md @@ -0,0 +1,82 @@ +--- +title: How to Create a Connection Group with User-Published and Globally Published Packages (Windows 10) +description: How to Create a Connection Group with User-Published and Globally Published Packages +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Create a Connection Group with User-Published and Globally Published Packages + + +You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods: + +- [How to use PowerShell cmdlets to create the user-entitled connection groups](#bkmk-posh-userentitled-cg) + +- [How to use the App-V Server to create the user-entitled connection groups](#bkmk-appvserver-userentitled-cg) + +**What to know before you start:** + + ++++ + + + + + + + + + + + + + + + + +
    Unsupported scenarios and potential issuesResult

    You cannot include user-published packages in globally entitled connection groups.

    The connection group will fail.

    If you publish a package globally and then create a user-published connection group in which you’ve made that package non-optional, you can still run Unpublish-AppvClientPackage <package> -global to unpublish the package, even when that package is being used in another connection group.

    If any other connection groups are using that package, the package will fail in those connection groups.

    +

    To avoid inadvertently unpublishing a non-optional package that is being used in another connection group, we recommend that you track the connection groups in which you’ve used a non-optional package.

    + +  + +**How to use PowerShell cmdlets to create user-entitled connection groups** + +1. Add and publish packages by using the following commands: + + **Add-AppvClientPackage Pacakage1\_AppV\_file\_Path** + + **Add-AppvClientPackage Pacakage2\_AppV\_file\_Path** + + **Publish-AppvClientPackage -PackageId Package1\_ID -VersionId Package1\_Version ID -Global** + + **Publish-AppvClientPackage -PackageId Package2\_ID -VersionId Package2\_ID** + +2. Create the connection group XML file. For more information, see [About the Connection Group File](appv-connection-group-file.md). + +3. Add and publish the connection group by using the following commands: + + **Add-AppvClientConnectionGroup Connection\_Group\_XML\_file\_Path** + + **Enable-AppvClientConnectionGroup  -GroupId CG\_Group\_ID -VersionId CG\_Version\_ID** + +**How to use the App-V Server to create user-entitled connection groups** + +1. Open the App-V Management Console. + +2. Follow the instructions in [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md) to publish packages globally and to the user. + +3. Follow the instructions in [How to Create a Connection Group](appv-create-a-connection-group.md) to create the connection group, and add the user-published and globally published packages. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Managing Connection Groups](appv-managing-connection-groups.md) diff --git a/windows/manage/appv-create-a-connection-group.md b/windows/manage/appv-create-a-connection-group.md new file mode 100644 index 0000000000..1f77e35d5d --- /dev/null +++ b/windows/manage/appv-create-a-connection-group.md 
@@ -0,0 +1,58 @@ +--- +title: How to Create a Connection Group (Windows 10) +description: How to Create a Connection Group +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Create a Connection Group + + +Use these steps to create a connection group by using the App-V Management Console. To use PowerShell to create connection groups, see [How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md). + +When you place packages in a connection group, their package root paths are merged. If you remove packages, only the remaining packages maintain the merged root. + +**To create a connection group** + +1. In the App-V Management Console, select **CONNECTION GROUPS** to display the Connection Groups library. + +2. Select **ADD CONNECTION GROUP** to create a new connection group. + +3. In the **New Connection Group** pane, type a description for the group. + +4. Click **EDIT** in the **CONNECTED PACKAGES** pane to add a new application to the connection group. + +5. In the **PACKAGES Entire Library** pane, select the application to be added, and click the arrow to add the application. + + To remove an application, select the application to be removed in the **PACKAGES IN** pane and click the arrow. + + To reprioritize the applications in your connection group, use the arrows in the **PACKAGES IN** pane. + + **Important**   + By default, the Active Directory Domain Services access configurations that are associated with a specific application are not added to the connection group. To transfer the Active Directory access configuration, select **ADD PACKAGE ACCESS TO GROUP ACCESS**, which is located in the **PACKAGES IN** pane. + +   + +6. After adding all the applications and configuring Active Directory access, click **Apply**. + + **Have a suggestion for App-V**? 
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +[Managing Connection Groups](appv-managing-connection-groups.md) + +  + +  + + + + + diff --git a/windows/manage/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/manage/appv-create-a-custom-configuration-file-with-the-management-console.md new file mode 100644 index 0000000000..5ae5d599c7 --- /dev/null +++ b/windows/manage/appv-create-a-custom-configuration-file-with-the-management-console.md 
@@ -0,0 +1,48 @@ +--- +title: How to Create a Custom Configuration File by Using the App-V Management Console (Windows 10) +description: How to Create a Custom Configuration File by Using the App-V Management Console +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Create a Custom Configuration File by Using the App-V Management Console + + +You can use a dynamic configuration to customize an App-V package for a specific user. However, you must first create the dynamic user configuration (.xml) file or the dynamic deployment configuration file before you can use the files. Creation of the file is an advanced manual operation. For general information about dynamic user configuration files, see, [About App-V Dynamic Configuration](appv-dynamic-configuration.md). + +Use the following procedure to create a Dynamic User Configuration file by using the App-V Management console. + +**To create a Dynamic User Configuration file** + +1. Right-click the name of the package that you want to view and select **Edit active directory access** to view the configuration that is assigned to a given user group. Alternatively, select the package, and click **Edit**. + +2. Using the list of **AD Entities with Access**, select the AD group that you want to customize. Select **Custom** from the drop-down list, if it is not already selected. A link named **Edit** will be displayed. + +3. Click **Edit**. The Dynamic User Configuration that is assigned to the AD Group will be displayed. + +4. Click **Advanced**, and then click **Export Configuration**. Type in a filename and click **Save**. Now you can edit the file to configure a package for a user. + + **Note**   + To export a configuration while running on Windows Server, you must disable "IE Enhanced Security Configuration". If this is enabled and set to block downloads, you cannot download anything from the App-V Server. 
+ +   + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-create-a-package-accelerator-with-powershell.md b/windows/manage/appv-create-a-package-accelerator-with-powershell.md new file mode 100644 index 0000000000..0694929374 --- /dev/null +++ b/windows/manage/appv-create-a-package-accelerator-with-powershell.md 
@@ -0,0 +1,55 @@ +--- +title: How to Create a Package Accelerator by Using PowerShell (Windows 10) +description: How to Create a Package Accelerator by Using PowerShell +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Create a Package Accelerator by Using PowerShell + + +App-V package accelerators automatically sequence large, complex applications. Additionally, when you apply an App-V package accelerator, you are not always required to manually install an application to create the virtualized package. + +**To create a package accelerator** + +1. Install the App-V sequencer. For more information about installing the sequencer see [How to Install the Sequencer](appv-install-the-sequencer.md). + +2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. Use the **New-AppvPackageAccelerator** cmdlet. + +3. To create a package accelerator, make sure that you have the .appv package to create an accelerator from, the installation media or installation files, and optionally a read me file for consumers of the accelerator to use. The following parameters are required to use the package accelerator cmdlet: + + - **InstalledFilesPath** - specifies the application installation path. + + - **Installer** – specifies the path to the application installer media + + - **InputPackagePath** – specifies the path to the .appv package + + - **Path** – specifies the output directory for the package. 
+ + The following example displays how you can create a package accelerator with an .appv package and the installation media: + + **New-AppvPackageAccelerator -InputPackagePath <path to the .appv file> -Installer <path to the installer executable> -Path <directory of the output path>** + + Additional optional parameters that can be used with the **New-AppvPackageAccelerator** cmdlet are displayed in the following list: + + - **AcceleratorDescriptionFile** - specifies the path to user created package accelerator instructions. The package accelerator instructions are **.txt** or **.rtf** description files that will be packaged with the package created using the package accelerator. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Administering App-V by Using PowerShell](appv-administering-appv-with-powershell.md) + +  + +  + + + + + diff --git a/windows/manage/appv-create-a-package-accelerator.md b/windows/manage/appv-create-a-package-accelerator.md new file mode 100644 index 0000000000..d9a8f4a96a --- /dev/null +++ b/windows/manage/appv-create-a-package-accelerator.md 
@@ -0,0 +1,107 @@ +--- +title: How to Create a Package Accelerator (Windows 10) +description: How to Create a Package Accelerator +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Create a Package Accelerator + + +App-V package accelerators automatically generate new virtual application packages. + +**Note**   +You can use PowerShell to create a package accelerator. For more information see [How to Create a Package Accelerator by Using PowerShell](appv-create-a-package-accelerator-with-powershell.md). + +  + +Use the following procedure to create a package accelerator. + +**Important**   +Package Accelerators can contain password and user-specific information. Therefore you must save Package Accelerators and the associated installation media in a secure location, and you should digitally sign the Package Accelerator after you create it so that the publisher can be verified when the App-V Package Accelerator is applied. + +  + +**Important**   +Before you begin the following procedure, you should perform the following: + +- Copy the virtual application package that you will use to create the package accelerator locally to the computer running the sequencer. + +- Copy all required installation files associated with the virtual application package to the computer running the sequencer. + +  + +**To create a package accelerator** + +1. **Important**   + The App-V Sequencer does not grant any license rights to the software application you are using to create the Package Accelerator. You must abide by all end user license terms for the application you are using. It is your responsibility to make sure the software application’s license terms allow you to create a Package Accelerator using App-V Sequencer. 
+ +   + + To start the App-V sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. + +2. To start the App-V **Create Package Accelerator** wizard, in the App-V sequencer console, click **Tools** / **Create Accelerator**. + +3. On the **Select Package** page, to specify an existing virtual application package to use to create the Package Accelerator, click **Browse**, and locate the existing virtual application package (.appv file). + + **Tip**   + Copy the files associated with the virtual application package you plan to use locally to the computer running the Sequencer. + +   + + Click **Next**. + +4. On the **Installation Files** page, to specify the folder that contains the installation files that you used to create the original virtual application package, click **Browse**, and then select the directory that contains the installation files. + + **Tip**   + Copy the folder that contains the required installation files to the computer running the Sequencer. + +   + +5. If the application is already installed on the computer running the sequencer, to specify the installation file, select **Files installed on local system**. To use this option, the application must already be installed in the default installation location. + +6. On the **Gathering Information** page, review the files that were not found in the location specified on the **Installation Files** page of this wizard. If the files displayed are not required, select **Remove these files**, and then click **Next**. If the files are required, click **Previous** and copy the required files to the directory specified on the **Installation Files** page. + + **Note**   + You must either remove the unrequired files, or click **Previous** and locate the required files to advance to the next page of this wizard. + +   + +7. 
On the **Select Files** page, carefully review the files that were detected, and clear any file that should be removed from the package accelerator. Select only files that are required for the application to run successfully, and then click **Next**. + +8. On the **Verify Applications** page, confirm that all installation files that are required to build the package are displayed. When the Package Accelerator is used to create a new package, all installation files displayed in the **Applications** pane are required to create the package. + + If necessary, to add additional Installer files, click **Add**. To remove unnecessary installation files, select the Installer file, and then click **Delete**. To edit the properties associated with an installer, click **Edit**. The installation files specified in this step will be required when the Package Accelerator is used to create a new virtual application package. After you have confirmed the information displayed, click **Next**. + +9. On the **Select Guidance** page, to specify a file that contains information about how the Package Accelerator, click **Browse**. For example, this file can contain information about how the computer running the Sequencer should be configured, application prerequisite information for target computers, and general notes. You should provide all required information for the Package Accelerator to be successfully applied. The file you select must be in rich text (.rtf) or text file (.txt) format. Click **Next**. + +10. On the **Create Package Accelerator** page, to specify where to save the Package Accelerator, click **Browse** and select the directory. + +11. On the **Completion** page, to close the **Create Package Accelerator** wizard, click **Close**. + + **Important**   + To help ensure that the package accelerator is as secure as possible, and so that the publisher can be verified when the package accelerator is applied, you should always digitally sign the package accelerator. 
+ +   + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +[How to Create a Virtual Application Package Using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md) + +  + +  + + + + + diff --git a/windows/manage/appv-create-a-virtual-application-package-package-accelerator.md b/windows/manage/appv-create-a-virtual-application-package-package-accelerator.md new file mode 100644 index 0000000000..b502103844 --- /dev/null +++ b/windows/manage/appv-create-a-virtual-application-package-package-accelerator.md 
@@ -0,0 +1,101 @@ +--- +title: How to Create a Virtual Application Package Using an App-V Package Accelerator (Windows 10) +description: How to Create a Virtual Application Package Using an App-V Package Accelerator +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Create a Virtual Application Package Using an App-V Package Accelerator + + +**Important**   +The App-V Sequencer does not grant any license rights to the software application that you use to create the Package Accelerator. You must abide by all end user license terms for the application that you use. It is your responsibility to make sure that the software application’s license terms allow you to create a Package Accelerator with the App-V Sequencer. + +  + +Use the following procedure to create a virtual application package with the App-V Package Accelerator. + +**Note**   +Before you start this procedure, copy the required Package Accelerator locally to the computer that runs the App-V Sequencer. You should also copy all required installation files for the package to a local directory on the computer that runs the Sequencer. This is the directory that you have to specify in step 5 of this procedure. + +  + +**To create a virtual application package with an App-V Package Accelerator** + +1. To start the App-V Sequencer, on the computer that runs the App-V Sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. + +2. To start the **Create New Package Wizard**, click **Create a New Virtual Application Package**. To create the package, select the **Create Package using a Package Accelerator** check box, and then click **Next**. + +3. To specify the package accelerator that will be used to create the new virtual application package, click **Browse** on the **Select Package Accelerator** page. Click **Next**. 
+ + **Important**   + If the publisher of the package accelerator cannot be verified and does not contain a valid digital signature, then before you click **Run**, you must confirm that you trust the source of the package accelerator. Confirm your choice in the **Security Warning** dialog box. + +   + +4. On the **Guidance** page, review the publishing guidance information that is displayed in the information pane. This information was added when the Package Accelerator was created and it contains guidance about how to create and publish the package. To export the guidance information to a text (.txt) file, click **Export** and specify the location where the file should be saved, and then click **Next**. + +5. On the **Select Installation Files** page, click **Make New Folder** to create a local folder that contains all required installation files for the package, and specify where the folder should be saved. You must also specify a name to be assigned to the folder. You must then copy all required installation files to the location that you specified. If the folder that contains the installation files already exists on the computer that runs the Sequencer, click **Browse** to select the folder. + + Alternatively, if you have already copied the installation files to a directory on this computer, click **Make New Folder**, browse to the folder that contains the installation files, and then click **Next**. + + **Note**   + You can specify the following types of supported installation files: + + - Windows Installer files (**.msi**) + + - Cabinet files (.cab) + + - Compressed files with a .zip file name extension + + - The actual application files + + The following file types are not supported: **.msp** and **.exe** files. If you specify an **.exe** file, you must extract the installation files manually. 
+ +   + + If the package accelerator requires an application to be installed before you apply the Package Accelerator, and if you have already installed the required application, select **I have installed all applications**, and then click **Next** on the **Local Installation** page. + +6. On the **Package Name** page, specify a name that will be associated with the package. The name that you specify identifies the package in the App-V Management Console. Click **Next**. + +7. On the **Create Package** page, provide comments that will be associated with the package. The comments should contain identifying information about the package that you are creating. To confirm the location where the package is created, review the information that is displayed in **Save Location**. To compress the package, select **Compress Package**. Select the **Compress Package** check box if the package will be streamed across the network, or when the package size exceeds 4 GB. + + To create the package, click **Create**. After the package is created, click **Next**. + +8. On the **Configure Software** page, to enable the Sequencer to configure the applications that are contained in the package, select **Configure Software**. In this step you can configure any associated tasks that must be completed in order to run the application on the target computers. For example, you can configure any associated license agreements. + + If you select **Configure Software**, the following items can be configured using the Sequencer as part of this step: + + - **Load Package**. The Sequencer loads the files that are associated with the package. It can take several seconds to an hour to decode the package. + + - **Run Each Program**. Optionally run the programs that are contained in the package. This step is helpful to complete any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. 
To run all the programs at once, select at least one program, and then click **Run All**. To run specific programs, select the program or programs that you want to run, and then click **Run Selected**. Complete the required configuration tasks, and then close the applications. It can take several minutes for all programs to run. Click **Next**. + + - **Save Package**. The Sequencer saves the package. + + - **Primary Feature Block**. The Sequencer optimizes the package for streaming by rebuilding the primary feature block. + + If you do not want to configure the applications, click **Skip this step**, and to go to step 9 of this procedure, and then click **Next**. + +9. On the **Completion** page, after you review the information that is displayed in the **Virtual Application Package Report** pane, click **Close**. + + The package is now available in the Sequencer. To edit the package properties, click **Edit \[Package Name\]**. For more information about how to modify a package, see [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md). + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-create-and-use-a-project-template.md b/windows/manage/appv-create-and-use-a-project-template.md new file mode 100644 index 0000000000..fd57dc07d8 --- /dev/null +++ b/windows/manage/appv-create-and-use-a-project-template.md 
@@ -0,0 +1,70 @@ +--- +title: How to Create and Use a Project Template (Windows 10) +description: How to Create and Use a Project Template +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Create and Use a Project Template + + +You can use an App-V project template to save commonly applied settings associated with an existing virtual application package. These settings can then be applied when you create new virtual application packages in your environment. Using a project template can streamline the process of creating virtual application packages. + +**Note**   +You can, and often should apply an App-V project template during a package upgrade. For example, if you sequenced an application with a custom exclusion list, it is recommended that an associated template is created and saved for later use while upgrading the sequenced application. + +  + +App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. + +Use the following procedures to create and apply a new template. + +**To create a project template** + +1. To start the App-V sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. + +2. **Note**   + If the virtual application package is currently open in the App-V Sequencer console, skip to step 3 of this procedure. + +   + + To open the existing virtual application package that contains the settings you want to save with the App-V project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**. + +3. 
In the App-V Sequencer console, to save the template file, click **File** / **Save As Template**. After you have reviewed the settings that will be saved with the new template, click **OK**. Specify a name that will be associated with the new App-V project template. Click Save. + + The new App-V project template is saved in the directory specified in step 3 of this procedure. + +**To apply a project template** + +1. **Important**   + Creating a virtual application package using a project template in conjunction with a Package Accelerator is not supported. + +   + + To start the App-V sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. + +2. To create or upgrade a new virtual application package by using an App-V project template, click **File** / **New From Template**. + +3. To select the project template that you want to use, browse to the directory where the project template is saved, select the project template, and then click **Open**. + + Create the new virtual application package. The settings saved with the specified template will be applied to the new virtual application package that you are creating. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-creating-and-managing-virtualized-applications.md b/windows/manage/appv-creating-and-managing-virtualized-applications.md new file mode 100644 index 0000000000..e04c94fc76 --- /dev/null +++ b/windows/manage/appv-creating-and-managing-virtualized-applications.md 
@@ -0,0 +1,211 @@ +--- +title: Creating and Managing App-V Virtualized Applications (Windows 10) +description: Creating and Managing App-V Virtualized Applications +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Creating and Managing App-V Virtualized Applications + + +After you have properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. + +**Note**   +For more information about configuring the App-V sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx). + +**Note** +The App-V Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. + +## Sequencing an application + + +You can use the App-V Sequencer to perform the following tasks: + +- Create virtual packages that can be deployed to computers running the App-V client. + +- Upgrade existing packages. You can expand an existing package onto the computer running the sequencer and then upgrade the application to create a newer version. + +- Edit configuration information associated with an existing package. For example, you can add a shortcut or modify a file type association. + + **Note**   + You must create shortcuts and save them to an available network location to allow roaming. If a shortcut is created and saved in a private location, the package must be published locally to the computer running the App-V client. +  +- Convert existing virtual packages. 
+ +The sequencer uses the **%TMP% \\ Scratch** or **%TEMP% \\ Scratch** directory and the **Temp** directory to store temporary files during sequencing. On the computer that runs the sequencer, you should configure these directories with free disk space equivalent to the estimated application installation requirements. Configuring the temp directories and the Temp directory on different hard drive partitions can help improve performance during sequencing. + +When you use the sequencer to create a new virtual application, the following listed files are created. These files comprise the App-V package. + +- .msi file. This Windows Installer (.msi) file is created by the sequencer and is used to install the virtual package on target computers. + +- Report.xml file. In this file, the sequencer saves all issues, warnings, and errors that were discovered during sequencing. It displays the information after the package has been created. You can us this report for diagnosing and troubleshooting. + +- .appv file. This is the virtual application file. + +- Deployment configuration file. The deployment configuration file determines how the virtual application will be deployed to target computers. + +- User configuration file. The user configuration file determines how the virtual application will run on target computers. + +**Important**   +You must configure the %TMP% and %TEMP% folders that the package converter uses to be a secure location and directory. A secure location is only accessible by an administrator. Additionally, when you sequence the package you should save the package to a location that is secure, or make sure that no other user is allowed to be logged in during the conversion and monitoring process.  + +The **Options** dialog box in the sequencer console contains the following tabs: + +- **General**. Use this tab to enable Microsoft Updates to run during sequencing. 
Select **Append Package Version to Filename** to configure the sequence to add a version number to the virtualized package that is being sequenced. Select **Always trust the source of Package Accelerators** to create virtualized packages using a package accelerator without being prompted for authorization. + + **Important**   + Package Accelerators created using App-V 4.6 are not supported by App-V.   + +- **Parse Items**. This tab displays the associated file path locations that will be parsed or tokenized into in the virtual environment. Tokens are useful for adding files using the **Package Files** tab in **Advanced Editing**. + +- **Exclusion Items**. Use this tab to specify which folders and directories should not be monitored during sequencing. To add local application data that is saved in the Local App Data folder in the package, click **New** and specify the location and the associated **Mapping Type**. This option is required for some packages. + +App-V supports applications that include Microsoft Windows Services. If an application includes a Windows service, the Service will be included in the sequenced virtual package as long as it is installed while being monitored by the sequencer. If a virtual application creates a Windows service when it initially runs, then later, after installation, the application must be run while the sequencer is monitoring so that the Windows Service will be added to the package. Only Services that run under the Local System account are supported. Services that are configured for AutoStart or Delayed AutoStart are started before the first virtual application in a package runs inside the package’s Virtual Environment. Windows Services that are configured to be started on demand by an application are started when the virtual application inside the package starts the Service via API call. 
+ +[How to Sequence a New Application with App-V](appv-sequence-a-new-application.md) + +## App-V shell extension support + + +App-V supports shell extensions. Shell extensions will be detected and embedded in the package during sequencing. + +Shell extensions are embedded in the package automatically during the sequencing process. When the package is published, the shell extension gives users the same functionality as if the application were locally installed. + +**Requirements for using shell extensions:** + +- Packages that contain embedded shell extensions must be published globally. The application requires no additional setup or configuration on the client to enable the shell extension functionality. + +- The “bitness” of the application, Sequencer, and App-V client must match, or the shell extensions won’t work. For example: + + - The version of the application is 64-bit. + + - The Sequencer is running on a 64-bit computer. + + - The package is being delivered to a 64-bit App-V client computer. + +The following table lists the supported shell extensions: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    HandlerDescription

    Context menu handler

    Adds menu items to the context menu. It is called before the context menu is displayed.

    Drag-and-drop handler

    Controls the action where right-click, drag and drop and modifies the context menu that appears.

    Drop target handler

    Controls the action after a data object is dragged and dropped over a drop target such as a file.

    Data object handler

    Controls the action after a file is copied to the clipboard or dragged and dropped over a drop target. It can provide additional clipboard formats to the drop target.

    Property sheet handler

    Replaces or adds pages to the property sheet dialog box of an object.

    Infotip handler

    Allows retrieving flags and infotip information for an item and displaying it inside a pop-up tooltip upon mouse hover.

    Column handler

    Allows creating and displaying custom columns in Windows Explorer Details view. It can be used to extend sorting and grouping.

    Preview handler

    Enables a preview of a file to be displayed in the Windows Explorer Preview pane.

    + +## Copy on Write (CoW) file extension support + +Copy on write (CoW) file extensions allow App-V to dynamically write to specific locations contained in the virtual package while it is being used. + +The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V client. All other files and directories can be modified. + +| File Type | | | | | | +|------------ |------------- |------------- |------------ |------------ |------------ | +| .acm | .asa | .asp | .aspx | .ax | .bat | +| .cer | .chm | .clb | .cmd | .cnt | .cnv | +| .com | .cpl | .cpx | .crt | .dll | .drv | +| .esc | .exe | .fon | .grp | .hlp | .hta | +| .ime | .inf | .ins | .isp | .its | .js | +| .jse | .lnk | .msc | .msi | .msp | .mst | +| .mui | .nls | .ocx | .pal | .pcd | .pif | +| .reg | .scf | .scr | .sct | .shb | .shs | +| .sys | .tlb | .tsp | .url | .vb | .vbe | +| .vbs | .vsmacros | .ws | .wsf | .wsh | | + + +## Modifying an existing virtual application package + + +You can use the sequencer to modify an existing package. The computer on which you do this should match the chip architecture of the computer you used to create the application. For example, if you initially sequenced a package using a computer running a 64-bit operating system, you should modify the package using a computer running a 64-bit operating system. + +[How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md) + +## Creating a project template + + +A .appvt file is a project template that can be used to save commonly applied, customized settings. You can then more easily use these settings for future sequencings. + +App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. 
Additionally, you cannot use a project template when you use a Package Accelerator to create a virtual application package. The following general settings are saved with an App-V project template: + +A template can specify and store multiple settings as follows: + +- **Advanced Monitoring Options**. Enables Microsoft Update to run during monitoring. Saves allow local interaction option settings + +- **General Options**. Enables the use of **Windows Installer**, **Append Package Version to Filename**. + +- **Exclusion Items.** Contains the Exclusion pattern list. + +[How to Create and Use a Project Template](appv-create-and-use-a-project-template.md) + +## Creating a package accelerator + + +**Note**   +Package accelerators created using a previous version of App-V must be recreated using App-V. + +You can use App-V package accelerators to automatically generate a new virtual application packages. After you have successfully created a package accelerator, you can reuse and share the package accelerator. + +In some situations, to create the package accelerator, you might have to install the application locally on the computer that runs the sequencer. In such cases, you should first try to create the package accelerator with the installation media. If multiple missing files are required, you should install the application locally to the computer that runs the sequencer, and then create the package accelerator. + +After you have successfully created a Package Accelerator, you can reuse and share the Package Accelerator. Creating App-V Package Accelerators is an advanced task. Package Accelerators can contain password and user-specific information. Therefore you must save Package Accelerators and the associated installation media in a secure location, and you should digitally sign the Package Accelerator after you create it so that the publisher can be verified when the App-V Package Accelerator is applied. 
+ +[How to Create a Package Accelerator](appv-create-a-package-accelerator.md) + +[How to Create a Virtual Application Package Using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md) + +## Sequencer error reporting + + +The App-V Sequencer can detect common sequencing issues during sequencing. The **Installation Report** page at the end of the sequencing wizard displays diagnostic messages categorized into **Errors**, **Warnings**, and **Info** depending on the severity of the issue. + +You can also find additional information about sequencing errors using the Windows Event Viewer. + + +## Other resources for the App-V sequencer + + +- [Operations for App-V](appv-operations.md) + diff --git a/windows/manage/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/manage/appv-customize-virtual-application-extensions-with-the-management-console.md new file mode 100644 index 0000000000..3ec5082a93 --- /dev/null +++ b/windows/manage/appv-customize-virtual-application-extensions-with-the-management-console.md 
@@ -0,0 +1,45 @@ +--- +title: How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console (Windows 10) +description: How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console + + +Use the following procedure to customize the virtual application extensions for an Active Directory (AD) group. + +**To customize virtual applications extensions for an AD group** + +1. To view the package that you want to configure, open the App-V Management Console. To view the configuration that is assigned to a given user group, select the package, and right-click the package name and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane. + +2. To customize an AD group, you can find the group from the list of **AD Entities with Access**. Then, using the drop-down box in the **Assigned Configuration** pane, select **Custom**, and then click **EDIT**. + +3. To disable all extensions for a given application, clear **ENABLE**. + + To add a new shortcut for the selected application, right-click the application in the **SHORTCUTS** pane, and select **Add new shortcut**. To remove a shortcut, right-click the application in the **SHORTCUTS** pane, and select **Remove Shortcut**. To edit an existing shortcut, right-click the application, and select **Edit Shortcut**. + +4. To view any other application extensions, click **Advanced**, and click **Export Configuration**. Type in a filename and click **Save**. You can view all application extensions that are associated with the package using the configuration file. + +5. 
To edit additional application extensions, modify the configuration file and click **Import and Overwrite this Configuration**. Select the modified file and click **Open**. In the dialog, click **Overwrite** to complete the process.
+
+ **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+
+[Operations for App-V](appv-operations.md)
+
+  
+
+  
+
+
+
+
+
diff --git a/windows/manage/appv-delete-a-connection-group.md b/windows/manage/appv-delete-a-connection-group.md
new file mode 100644
index 0000000000..41661c8b51
--- /dev/null
+++ b/windows/manage/appv-delete-a-connection-group.md
@@ -0,0 +1,39 @@
+---
+title: How to Delete a Connection Group (Windows 10)
+description: How to Delete a Connection Group
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# How to Delete a Connection Group
+
+
+Use the following procedure to delete an existing App-V connection group.
+
+**To delete a connection group**
+
+1. Open the App-V Management Console and select **CONNECTION GROUPS**.
+
+2. Right-click the connection group to be removed, and select **delete**.
+
+ **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+
+[Operations for App-V](appv-operations.md)
+
+[Managing Connection Groups](appv-managing-connection-groups.md)
+
+  
+
+  
+
+
+
+
+
diff --git a/windows/manage/appv-delete-a-package-with-the-management-console.md b/windows/manage/appv-delete-a-package-with-the-management-console.md
new file mode 100644
index 0000000000..da05ce9efb
--- /dev/null
+++ b/windows/manage/appv-delete-a-package-with-the-management-console.md
@@ -0,0 +1,37 @@
+---
+title: How to Delete a Package in the Management Console (Windows 10)
+description: How to Delete a Package in the Management Console
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# How to Delete a Package in the Management Console
+
+
+Use the following procedure to delete an App-V package.
+
+**To delete a package in the Management Console**
+
+1. To view the package you want to delete, open the App-V Management Console and select **Packages**. Select the package to be removed.
+
+2. Click or right-click the package. Select **Delete** to remove the package.
+
+ **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+
+[Operations for App-V](appv-operations.md)
+
+  
+
+  
+
+
+
+
+
diff --git a/windows/manage/appv-deploy-appv-databases-with-sql-scripts.md b/windows/manage/appv-deploy-appv-databases-with-sql-scripts.md
new file mode 100644
index 0000000000..a01fb30d6a
--- /dev/null
+++ b/windows/manage/appv-deploy-appv-databases-with-sql-scripts.md
@@ -0,0 +1,183 @@
+---
+title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10)
+description: How to Deploy the App-V Databases by Using SQL Scripts
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# How to Deploy the App-V Databases by Using SQL Scripts
+
+Use the following instructions to use SQL scripts, rather than the Windows Installer, to:
+
+- Install the App-V databases
+
+- Upgrade the App-V databases to a later version
+
+> [!NOTE]
+> If you have already deployed an App-V 5.0 SP3 database or later, the SQL scripts are not required to upgrade to App-V.
+
+## How to install the App-V databases by using SQL scripts
+
+1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software.
+
+2. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location.
+
+3. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts.
+
+ Example: appv\_server\_setup.exe /layout c:\\__
+
+4. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate readme.txt file for instructions:
+
+ | Database | Location of readme.txt file to use
+ | - | - |
+ | Management database | ManagementDatabase subfolder |
+ | Reporting database | ReportingDatabase subfolder |
+
+> [!CAUTION]
+> The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders.
+
+> [!IMPORTANT]
+> The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
+> The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). **Step 1** is not required for versions of App-V later than App-V 5.0 SP3.
+
+### Updated management database README file content
+
+``` syntax
+***********************************************************************************************************
+Before you install and use the Application Virtualization Database Scripts, you must:
+
+- Review the license terms.
+- Print and retain a copy of the license terms for your records.
+
+By running the App-V you agree to such license terms. If you do not accept them, do not use the software.
+***********************************************************************************************************
+
+Steps to install "AppVManagement" schema in SQL SERVER.
+
+## PREREQUISITES:
+
+ 1. Review the installation package. The following files MUST exist:
+
+ SQL files
+ ---------
+ Database.sql
+ CreateTables.sql
+ CreateStoredProcs.sql
+ UpdateTables.sql
+ Permissions.sql
+
+ 2. Ensure the target SQL Server instance and SQL Server Agent service are running.
+
+ 3. If you are not running the scripts directly on the server, ensure the
+ necessary SQL Server client software is installed and available from
+ the specified location. Specifically, the "osql" command must be supported for these scripts to run.
+
+## PREPARATION:
+
+ 1. Review the database.sql file and modify as necessary. Although the
+ defaults are likely sufficient, it is suggested that the following
+ settings be reviewed:
+
+ DATABASE - ensure name is satisfactory - default is "AppVManagement".
+
+ 2. Review the Permissions.sql file and provide all the necessary account information
+ for setting up read and write access on the database. Note: Default settings in the file will not work.
+
+## INSTALLATION:
+
+ 1. Run the database.sql against the "master" database. Your user
+ credential must have the ability to create databases.
+ This script will create the database.
+
+ 2. Run the following scripts against the "AppVManagement" database using the
+ same account as above in order.
+
+ CreateTables.sql
+ CreateStoredProcs.sql
+ UpdateTables.sql
+ Permissions.sql
+
+```
+
+### Updated reporting database README file content
+
+``` syntax
+***********************************************************************************************************
+Before you install and use the Application Virtualization Database Scripts, you must:
+
+- Review the license terms.
+- Print and retain a copy of the license terms for your records.
+
+By running the App-V you agree to such license terms. If you do not accept them, do not use the software.
+***********************************************************************************************************
+
+Steps to install "AppVReporting" schema in SQL SERVER.
+
+## PREREQUISITES:
+
+ 1. Review the installation package. The following files MUST exist:
+
+ SQL files
+ ---------
+ Database.sql
+ UpgradeDatabase.sql
+ CreateTables.sql
+ CreateReportingStoredProcs.sql
+ CreateStoredProcs.sql
+ CreateViews.sql
+ Permissions.sql
+ ScheduleReportingJob.sql
+
+ 2. Ensure the target SQL Server instance and SQL Server Agent service are running.
+
+ 3. If you are not running the scripts directly on the server, ensure the
+ necessary SQL Server client software is installed and executable from
+ the location you have chosen. Specifically, the "osql" command must be supported for these scripts to run.
+
+## PREPARATION:
+
+ 1. Review the database.sql file and modify as necessary. Although the
+ defaults are likely sufficient, it is suggested that the following
+ settings be reviewed:
+
+ DATABASE - ensure name is satisfactory - default is "AppVReporting".
+
+ 2. Review the Permissions.sql file and provide all the necessary account information
+ for setting up read and write access on the database. Note: Default settings
+ in the file will not work.
+
+ 3. Review the ScheduleReportingJob.sql file and make sure that the stored proc schedule
+ time is acceptable. The default stored proc schedule time is at 12.01 AM (line 84).
+ If this time is not suitable, you can change this to a more suitable time. The time is in the format HHMMSS.
+
+## INSTALLATION:
+
+ 1. Run the database.sql against the "master" database. Your user
+ credential must have the ability to create databases.
+ This script will create the database.
+
+ 2. If upgrading the database, run UpgradeDatabase.sql This will upgrade database schema.
+
+ 2. Run the following scripts against the "AppVReporting" database using the
+ same account as above in order.
+
+ CreateTables.sql
+ CreateReportingStoredProcs.sql
+ CreateStoredProcs.sql
+ CreateViews.sql
+ Permissions.sql
+ ScheduleReportingJob.sql
+```
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+- [Deploying the App-V Server](appv-deploying-the-appv-server.md)
+- [How to Deploy the App-V Server](appv-deploy-the-appv-server.md)
diff --git a/windows/manage/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/manage/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
new file mode 100644
index 0000000000..b681e20927
--- /dev/null
+++ b/windows/manage/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
@@ -0,0 +1,41 @@
+---
+title: How to deploy App-V Packages Using Electronic Software Distribution (Windows 10)
+description: How to deploy App-V Packages Using Electronic Software Distribution
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# How to deploy App-V packages using electronic software distribution
+
+You can use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
+
+For component requirements and options for using an ESD to deploy App-V packages, see [Planning to Deploy App-V with an Electronic Software Distribution System](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md).
+
+Use one of the following methods to publish packages to App-V client computers with an ESD:
+
+| Method | Description |
+| - | - |
+| Functionality provided by a third-party ESD | Use the functionality in a third-party ESD.|
+| Stand-alone Windows Installer | Install the application on the target client computer by using the associated Windows Installer (.msi) file that is created when you initially sequence an application. The Windows Installer file contains the associated App-V package file information used to configure a package and copies the required package files to the client. |
+| Windows PowerShell | Use Windows PowerShell cmdlets to deploy virtualized applications. For more information about using PowerShell and App-V, see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md).|
+
+  
+
+**To deploy App-V packages by using an ESD**
+
+1. Install the App-V Sequencer on a computer in your environment. For more information about installing the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md).
+
+2. Use the App-V Sequencer to create virtual application. For information about creating a virtual application, see [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md).
+
+3. After you create the virtual application, deploy the package by using your ESD solution.
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+- [Operations for App-V](appv-operations.md)
diff --git a/windows/manage/appv-deploy-the-appv-server-with-a-script.md b/windows/manage/appv-deploy-the-appv-server-with-a-script.md
new file mode 100644
index 0000000000..919248523e
--- /dev/null
+++ b/windows/manage/appv-deploy-the-appv-server-with-a-script.md
@@ -0,0 +1,789 @@
+---
+title: How to Deploy the App-V Server Using a Script (Windows 10)
+description: How to Deploy the App-V Server Using a Script
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# How to Deploy the App-V Server Using a Script
+
+
+In order to complete the **appv\_server\_setup.exe** Server setup successfully using the command line, you must specify and combine multiple parameters.
+
+**To Install the App-V server using a script**
+
+- Use the following tables for more information about installing the App-V server using the command line.
+
+ **Note**   
+ The information in the following tables can also be accessed using the command line by typing the following command: **appv\_server\_setup.exe /?**.
+
+  
+
+ **Common parameters and Examples**
+
+
+
+
+
+
+
+
+
+
+
+
+

    To Install the Management server and Management database on a local machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /MANAGEMENT_SERVER

    • +
    • /MANAGEMENT_ADMINACCOUNT

    • +
    • /MANAGEMENT_WEBSITE_NAME

    • +
    • /MANAGEMENT_WEBSITE_PORT

    • +
    • /DB_PREDEPLOY_MANAGEMENT

    • +
    • /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /MANAGEMENT_DB_NAME

    • +
    +

    To use a custom instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /MANAGEMENT_SERVER

    • +
    • /MANAGEMENT_ADMINACCOUNT

    • +
    • /MANAGEMENT_WEBSITE_NAME

    • +
    • /MANAGEMENT_WEBSITE_PORT

    • +
    • /DB_PREDEPLOY_MANAGEMENT

    • +
    • /MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • +
    • /MANAGEMENT_DB_NAME

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /MANAGEMENT_SERVER

    +

    /MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”

    +

    /MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”

    +

    /MANAGEMENT_WEBSITE_PORT=”8080”

    +

    /DB_PREDEPLOY_MANAGEMENT

    +

    /MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /MANAGEMENT_DB_NAME=”AppVManagement”

    + +   + + + + + + + + + + + + +

    To Install the Management server using an existing Management database on a local machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /MANAGEMENT_SERVER

    • +
    • /MANAGEMENT_ADMINACCOUNT

    • +
    • /MANAGEMENT_WEBSITE_NAME

    • +
    • /MANAGEMENT_WEBSITE_PORT

    • +
    • /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL

    • +
    • /EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /EXISTING_MANAGEMENT_DB_NAME

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /MANAGEMENT_SERVER

    • +
    • /MANAGEMENT_ADMINACCOUNT

    • +
    • /MANAGEMENT_WEBSITE_NAME

    • +
    • /MANAGEMENT_WEBSITE_PORT

    • +
    • /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL

    • +
    • /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • +
    • /EXISTING_MANAGEMENT_DB_NAME

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /MANAGEMENT_SERVER

    +

    /MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”

    +

    /MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”

    +

    /MANAGEMENT_WEBSITE_PORT=”8080”

    +

    /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL

    +

    /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE =”SqlInstanceName”

    +

    /EXISTING_MANAGEMENT_DB_NAME =”AppVManagement”

    + +   + + + + + + + + + + + + +

    To install the Management server using an existing Management database on a remote machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /MANAGEMENT_SERVER

    • +
    • /MANAGEMENT_ADMINACCOUNT

    • +
    • /MANAGEMENT_WEBSITE_NAME

    • +
    • /MANAGEMENT_WEBSITE_PORT

    • +
    • /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME

    • +
    • /EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /EXISTING_MANAGEMENT_DB_NAME

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /MANAGEMENT_SERVER

    • +
    • /MANAGEMENT_ADMINACCOUNT

    • +
    • /MANAGEMENT_WEBSITE_NAME

    • +
    • /MANAGEMENT_WEBSITE_PORT

    • +
    • /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME

    • +
    • /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • +
    • /EXISTING_MANAGEMENT_DB_NAME

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /MANAGEMENT_SERVER

    +

    /MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”

    +

    /MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”

    +

    /MANAGEMENT_WEBSITE_PORT=”8080”

    +

    /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME=”SqlServermachine.domainName”

    +

    /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE =”SqlInstanceName”

    +

    /EXISTING_MANAGEMENT_DB_NAME =”AppVManagement”

    + +   + + + + + + + + + + + + +

    To Install the Management database and the Management Server on the same computer.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /DB_PREDEPLOY_MANAGEMENT

    • +
    • /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /MANAGEMENT_DB_NAME

    • +
    • /MANAGEMENT_SERVER_MACHINE_USE_LOCAL

    • +
    • /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /DB_PREDEPLOY_MANAGEMENT

    • +
    • /MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • +
    • /MANAGEMENT_DB_NAME

    • +
    • /MANAGEMENT_SERVER_MACHINE_USE_LOCAL

    • +
    • /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /DB_PREDEPLOY_MANAGEMENT

    +

    /MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /MANAGEMENT_DB_NAME=”AppVManagement”

    +

    /MANAGEMENT_SERVER_MACHINE_USE_LOCAL

    +

    /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”

    + +   + + + + + + + + + + + + +

    To install the Management database on a different computer than the Management server.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /DB_PREDEPLOY_MANAGEMENT

    • +
    • /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /MANAGEMENT_DB_NAME

    • +
    • /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT

    • +
    • /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /DB_PREDEPLOY_MANAGEMENT

    • +
    • /MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • +
    • /MANAGEMENT_DB_NAME

    • +
    • /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT

    • +
    • /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /DB_PREDEPLOY_MANAGEMENT

    +

    /MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /MANAGEMENT_DB_NAME=”AppVManagement”

    +

    /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT=”Domain\MachineAccount”

    +

    /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”

    + +   + + + + + + + + + + + + +

    To Install the publishing server.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /PUBLISHING_SERVER

    • +
    • /PUBLISHING_MGT_SERVER

    • +
    • /PUBLISHING_WEBSITE_NAME

    • +
    • /PUBLISHING_WEBSITE_PORT

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /PUBLISHING_SERVER

    +

    /PUBLISHING_MGT_SERVER=”http://ManagementServerName:ManagementPort”

    +

    /PUBLISHING_WEBSITE_NAME=”Microsoft AppV Publishing Service”

    +

    /PUBLISHING_WEBSITE_PORT=”8081”

    + +   + + + + + + + + + + + + +

    To Install the Reporting server and Reporting database on a local machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /REPORTING _SERVER

    • +
    • /REPORTING _WEBSITE_NAME

    • +
    • /REPORTING _WEBSITE_PORT

    • +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /REPORTING _DB_NAME

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /REPORTING _SERVER

    • +
    • /REPORTING _ADMINACCOUNT

    • +
    • /REPORTING _WEBSITE_NAME

    • +
    • /REPORTING _WEBSITE_PORT

    • +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING _DB_CUSTOM_SQLINSTANCE

    • +
    • /REPORTING _DB_NAME

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +
      +
    • /appv_server_setup.exe /QUIET

    • +
    • /REPORTING_SERVER

    • +
    • /REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”

    • +
    • /REPORTING_WEBSITE_PORT=”8082”

    • +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    • +
    • /REPORTING_DB_NAME=”AppVReporting”

    • +
    + +   + + + + + + + + + + + + +

    To Install the Reporting server and using an existing Reporting database on a local machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /REPORTING _SERVER

    • +
    • /REPORTING _WEBSITE_NAME

    • +
    • /REPORTING _WEBSITE_PORT

    • +
    • /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL

    • +
    • /EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /EXISTING_REPORTING _DB_NAME

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /REPORTING _SERVER

    • +
    • /REPORTING _ADMINACCOUNT

    • +
    • /REPORTING _WEBSITE_NAME

    • +
    • /REPORTING _WEBSITE_PORT

    • +
    • /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL

    • +
    • /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE

    • +
    • /EXISTING_REPORTING _DB_NAME

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /REPORTING_SERVER

    +

    /REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”

    +

    /REPORTING_WEBSITE_PORT=”8082”

    +

    /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL

    +

    /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /EXITING_REPORTING_DB_NAME=”AppVReporting”

    + +   + + + + + + + + + + + + +

    To Install the Reporting server using an existing Reporting database on a remote machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /REPORTING _SERVER

    • +
    • /REPORTING _WEBSITE_NAME

    • +
    • /REPORTING _WEBSITE_PORT

    • +
    • /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME

    • +
    • /EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /EXISTING_REPORTING _DB_NAME

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /REPORTING _SERVER

    • +
    • /REPORTING _ADMINACCOUNT

    • +
    • /REPORTING _WEBSITE_NAME

    • +
    • /REPORTING _WEBSITE_PORT

    • +
    • /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME

    • +
    • /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE

    • +
    • /EXISTING_REPORTING _DB_NAME

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /REPORTING_SERVER

    +

    /REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”

    +

    /REPORTING_WEBSITE_PORT=”8082”

    +

    /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME=”SqlServerMachine.DomainName”

    +

    /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /EXITING_REPORTING_DB_NAME=”AppVReporting”

    + +   + + + + + + + + + + + + +

    To install the Reporting database on the same computer as the Reporting server.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /REPORTING _DB_NAME

    • +
    • /REPORTING_SERVER_MACHINE_USE_LOCAL

    • +
    • /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING _DB_CUSTOM_SQLINSTANCE

    • +
    • /REPORTING _DB_NAME

    • +
    • /REPORTING_SERVER_MACHINE_USE_LOCAL

    • +
    • /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /DB_PREDEPLOY_REPORTING

    +

    /REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /REPORTING_DB_NAME=”AppVReporting”

    +

    /REPORTING_SERVER_MACHINE_USE_LOCAL

    +

    /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”

    + +   + + + + + + + + + + + + +

    To install the Reporting database on a different computer than the Reporting server.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /REPORTING _DB_NAME

    • +
    • /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT

    • +
    • /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING _DB_CUSTOM_SQLINSTANCE

    • +
    • /REPORTING _DB_NAME

    • +
    • /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT

    • +
    • /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /DB_PREDEPLOY_REPORTING

    +

    /REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /REPORTING_DB_NAME=”AppVReporting”

    +

    /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT=”Domain\MachineAccount”

    +

    /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”

    + +   + + **Parameter Definitions** + + **General Parameters** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /QUIET

    Specifies silent install.

    /UNINSTALL

    Specifies an uninstall.

    /LAYOUT

    Specifies layout action. This extracts the MSIs and script files to a folder without actually installing the product. No value is expected.

    /LAYOUTDIR

    Specifies the layout directory. Takes a string. For example, /LAYOUTDIR=”C:\Application Virtualization Server”

    /INSTALLDIR

    Specifies the installation directory. Takes a string. E.g. /INSTALLDIR=”C:\Program Files\Application Virtualization\Server”

    /MUOPTIN

    Enables Microsoft Update. No value is expected

    /ACCEPTEULA

    Accepts the license agreement. This is required for an unattended installation. Example usage: /ACCEPTEULA or /ACCEPTEULA=1.

    + +   + + **Management Server Installation Parameters** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /MANAGEMENT_SERVER

    Specifies that the management server will be installed. No value is expected

    /MANAGEMENT_ADMINACCOUNT

    Specifies the account that will be allowed to Administrator access to the management server This account can be an individual user account or a group. Example usage: /MANAGEMENT_ADMINACCOUNT=”mydomain\admin”. If /MANAGEMENT_SERVER is not specified, this will be ignored. Specifies the account that will be allowed to Administrator access to the management server. This can be a user account or a group. For example, /MANAGEMENT_ADMINACCOUNT="mydomain\admin".

    /MANAGEMENT_WEBSITE_NAME

    Specifies name of the website that will be created for the management service. For example, /MANAGEMENT_WEBSITE_NAME=”Microsoft App-V Management Service”

    MANAGEMENT_WEBSITE_PORT

    Specifies the port number that will be used by the management service will use. For example, /MANAGEMENT_WEBSITE_PORT=82.

    + +   + + **Parameters for the Management Server Database** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /DB_PREDEPLOY_MANAGEMENT

    Specifies that the management database will be installed. You must have sufficient database permissions to complete this installation. No value is expected

    /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    Indicates that the default SQL instance should be used. No value is expected.

    /MANAGEMENT_DB_ CUSTOM_SQLINSTANCE

    Specifies the name of the custom SQL instance that should be used to create a new database. Example usage: /MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”MYSQLSERVER”. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored.

    /MANAGEMENT_DB_NAME

    Specifies the name of the new management database that should be created. Example usage: /MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored.

    /MANAGEMENT_SERVER_MACHINE_USE_LOCAL

    Indicates if the management server that will be accessing the database is installed on the local server. Switch parameter so no value is expected.

    /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT

    Specifies the machine account of the remote machine that the management server will be installed on. Example usage: /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT=”domain\computername”

    /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    Indicates the Administrator account that will be used to install the management server. Example usage: /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT =”domain\alias”

    + +   + + **Parameters for Installing Publishing Server** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /PUBLISHING_SERVER

    Specifies that the Publishing Server will be installed. No value is expected

    /PUBLISHING_MGT_SERVER

    Specifies the URL to Management Service the Publishing server will connect to. Example usage: http://<management server name>:<Management server port number>. If /PUBLISHING_SERVER is not used, this parameter will be ignored

    /PUBLISHING_WEBSITE_NAME

    Specifies name of the website that will be created for the publishing service. For example, /PUBLISHING_WEBSITE_NAME=”Microsoft App-V Publishing Service”

    /PUBLISHING_WEBSITE_PORT

    Specifies the port number used by the publishing service. For example, /PUBLISHING_WEBSITE_PORT=83

    + +   + + **Parameters for Reporting Server** + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /REPORTING_SERVER

    Specifies that the Reporting Server will be installed. No value is expected

    /REPORTING_WEBSITE_NAME

    Specifies name of the website that will be created for the Reporting Service. E.g. /REPORTING_WEBSITE_NAME="Microsoft App-V ReportingService"

    /REPORTING_WEBSITE_PORT

    Specifies the port number that the Reporting Service will use. E.g. /REPORTING_WEBSITE_PORT=82

    + +   + + **Parameters for using an Existing Reporting Server Database** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL

    Indicates that the Microsoft SQL Server is installed on the local server. Switch parameter so no value is expected.

    /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME

    Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_REPORTING_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"

    /EXISTING_ REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    Indicates that the default SQL instance is to be used. Switch parameter so no value is expected.

    /EXISTING_ REPORTING_DB_CUSTOM_SQLINSTANCE

    Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /EXISTING_REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"

    /EXISTING_ REPORTING _DB_NAME

    Specifies the name of the existing Reporting database that should be used. Takes a string. E.g. /EXISITING_REPORTING_DB_NAME="AppVReporting"

    + +   + + **Parameters for installing Reporting Server Database** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /DB_PREDEPLOY_REPORTING

    Specifies that the Reporting Database will be installed. DBA permissions are required for this installation. No value is expected

    /REPORTING_DB_SQLINSTANCE_USE_DEFAULT

    Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"

    /REPORTING_DB_NAME

    Specifies the name of the new Reporting database that should be created. Takes a string. E.g. /REPORTING_DB_NAME="AppVMgmtDB"

    /REPORTING_SERVER_MACHINE_USE_LOCAL

    Indicates that the Reporting server that will be accessing the database is installed on the local server. Switch parameter so no value is expected.

    /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT

    Specifies the machine account of the remote machine that the Reporting server will be installed on. Takes a string. E.g. /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT = "domain\computername"

    /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    Indicates the Administrator account that will be used to install the App-V Reporting Server. Takes a string. E.g. /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT = "domain\alias"

    + +   + + **Parameters for using an existing Management Server Database** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL

    Indicates that the SQL Server is installed on the local server. Switch parameter so no value is expected.If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME

    Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_MANAGEMENT_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"

    /EXISTING_ MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    /EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE

    Specifies the name of the custom SQL instance that will be used. Example usage /EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”AppVManagement”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    /EXISTING_MANAGEMENT_DB_NAME

    Specifies the name of the existing management database that should be used. Example usage: /EXISITING_MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    +

    +

    Have a suggestion for App-V? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).

    + +   + +## Related topics + + +[Deploying the App-V Server](appv-deploying-the-appv-server.md) + +  + +  + + + + + 
diff --git a/windows/manage/appv-deploy-the-appv-server.md b/windows/manage/appv-deploy-the-appv-server.md
new file mode 100644
index 0000000000..3838c1812c
--- /dev/null
+++ b/windows/manage/appv-deploy-the-appv-server.md
@@ -0,0 +1,116 @@ +--- +title: How to Deploy the App-V Server (Windows 10) +description: How to Deploy the App-V Server +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# How to Deploy the App-V server + +Use the following procedure to install the App-V server.. + +**Before you start:** + +- Ensure that you’ve installed prerequisite software. See [App-V Prerequisites](appv-prerequisites.md). + +- Review the server section of [App-V security considerations](appv-security-considerations.md). + +- Specify a port where each component will be hosted. + +- Add firewall rules to allow incoming requests to access the specified ports. + +- If you use SQL scripts, instead of the Windows Installer, to set up the Management database or Reporting database, you must run the SQL scripts before installing the Management Server or Reporting Server. See [How to Deploy the App-V Databases by Using SQL Scripts](appv-deploy-appv-databases-with-sql-scripts.md). + +**To install the App-V server** + +1. Copy the App-V server installation files to the computer on which you want to install it. + +2. Start the App-V server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**. + +3. Review and accept the license terms, and choose whether to enable Microsoft updates. + +4. On the **Feature Selection** page, select all of the following components. + + | Component | Description | + | - | - | + | Management server | Provides overall management functionality for the App-V infrastructure. | + | Management database | Facilitates database predeployments for App-V management. | + | Publishing server | Provides hosting and streaming functionality for virtual applications. | + | Reporting server | Provides App-V reporting services. | + | Reporting database | Facilitates database predeployments for App-V reporting. | + +5. 
On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line. + +6. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below. + + | Method | What you need to do | + | - | - | + | You are using a custom Microsoft SQL Server instance. | Select **Use the custom instance**, and type the name of the instance.
    Use the format **INSTANCENAME**. The assumed installation location is the local computer.
    Not supported: A server name using the format **ServerName**\\**INSTANCE**.| + | You are using a custom database name. | Select **Custom configuration** and type the database name.
    The database name must be unique, or the installation will fail.| + +7. On the **Configure** page, accept the default value **Use this local computer**. + + > [!NOTE] + > If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. + +8. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below. + + | Method | What you need to do | + | - | - | + | You are using a custom Microsoft SQL Server instance. | Select **Use the custom instance**, and type the name of the instance.
    Use the format **INSTANCENAME**. The assumed installation location is the local computer.
    Not supported: A server name using the format **ServerName**\\**INSTANCE**.| + | You are using a custom database name. | Select **Custom configuration** and type the database name.
    The database name must be unique, or the installation will fail.| + + +9. On the **Configure** page, accept the default value: **Use this local computer**. + + > [!NOTE] + > If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. + + +10. On the **Configure** (Management Server Configuration) page, specify the following: + + | Item to configure | Description and examples | + | - | - | + Type the AD group with sufficient permissions to manage the App-V environment. | Example: MyDomain\MyUser
    After installation, you can add additional users or groups by using the Management console. However, global security groups and Active Directory Domain Services (AD DS) distribution groups are not supported. You must use Domain local or Universal groups are required to perform this action.| + | **Website name**: Specify the custom name that will be used to run the publishing service.
    If you do not have a custom name, do not make any changes.| + |**Port binding**: Specify a unique port number that will be used by App-V. | Example: **12345**
    Ensure that the port specified is not being used by another website. | + +11. On the **Configure Publishing Server Configuration** page, specify the following: + + | Item to configure | Description and examples | + | - | - | + | Specify the URL for the management service. | Example: http://localhost:12345 | + | **Website name**: Specify the custom name that will be used to run the publishing service.| If you do not have a custom name, do not make any changes. | + | **Port binding**: Specify a unique port number that will be used by App-V. | Example: 54321
    Ensure that the port specified is not being used by another website. | + +12. On the **Reporting Server** page, specify the following: + + | Item to configure | Description and examples | + | - | - | + | **Website name**: Specify the custom name that will be used to run the Reporting Service. | If you do not have a custom name, do not make any changes. | + | **Port binding**: Specify a unique port number that will be used by App-V. | Example: 55555
    Ensure that the port specified is not being used by another website. | + +13. To start the installation, click **Install** on the **Ready** page, and then click **Close** on the **Finished** page. + +14. To verify that the setup completed successfully, open a web browser, and type the following URL: + + **http://\<_Management server machine name_\>:\<_Management service port number_\>/console.html**. + + Example: **http://localhost:12345/console.html**. If the installation succeeded, the App-V Management console is displayed with no errors. + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + +- [Deploying App-V](appv-deploying-appv.md) + +- [How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](appv-install-the-management-and-reporting-databases-on-separate-computers.md) + +- [How to Install the Publishing Server on a Remote Computer](appv-install-the-publishing-server-on-a-remote-computer.md) + +- [How to Deploy the App-V Server Using a Script](appv-deploy-the-appv-server-with-a-script.md) diff --git a/windows/manage/appv-deploying-appv.md b/windows/manage/appv-deploying-appv.md new file mode 100644 index 0000000000..4afd68b171 --- /dev/null +++ b/windows/manage/appv-deploying-appv.md 
@@ -0,0 +1,47 @@ +--- +title: Deploying App-V (Windows 10) +description: Deploying App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Deploying App-V + +App-V supports a number of different deployment options. This section of the App-V Administrator’s Guide includes information you should consider about the deployment of App-V and step-by-step procedures to help you successfully perform the tasks that you must complete at different stages of your deployment. + +## App-V Deployment Information + + +- [Deploying the App-V Sequencer and Client](appv-deploying-the-appv-sequencer-and-client.md) + + This section describes how to install the App-V sequencer which is used to virtualize applications, and the App-V client which runs on target computers to facilitate virtualized packages. + +- [Deploying the App-V Server](appv-deploying-the-appv-server.md) + + This section provides information about installing the App-V management, publishing, database and reporting severs. + +- [App-V Deployment Checklist](appv-deployment-checklist.md) + + This section provides a deployment checklist that can be used to assist with installing App-V. + +## Other Resources for Deploying App-V + + +- [Application Virtualization (App-V) overview](appv-for-windows.md) + +- [Getting Started with App-V](appv-getting-started.md) + +- [Planning for App-V](appv-planning-for-appv.md) + +- [Operations for App-V](appv-operations.md) + +- [Troubleshooting App-V](appv-troubleshooting.md) + +- [Technical Reference for App-V](appv-technical-reference.md) + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). 
diff --git a/windows/manage/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/manage/appv-deploying-microsoft-office-2010-wth-appv.md new file mode 100644 index 0000000000..694046b16c --- /dev/null +++ b/windows/manage/appv-deploying-microsoft-office-2010-wth-appv.md @@ -0,0 +1,293 @@ +--- +title: Deploying Microsoft Office 2010 by Using App-V (Windows 10) +description: Deploying Microsoft Office 2010 by Using App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Deploying Microsoft Office 2010 by Using App-V + + +You can create Office 2010 packages for Microsoft Application Virtualization (App-V) using one of the following methods: + +- Application Virtualization (App-V) Sequencer + +- Application Virtualization (App-V) Package Accelerator + +## App-V support for Office 2010 + + +The following table shows the App-V versions, methods of Office package creation, supported licensing, and supported deployments for Office 2010. + + ++++ + + + + + + + + + + + + + + + + + + + + +
    Supported itemLevel of support

    Package creation

      +
    • Sequencing

    • +
    • Package Accelerator

    • +
    • Office Deployment Kit

    • +

    Supported licensing

    Volume Licensing

    Supported deployments

      +
    • Desktop

    • +
    • Personal VDI

    • +
    • RDS

    • +
    + +  + +## Creating Office 2010 App-V using the sequencer + + +Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. Microsoft has provided a detailed recipe through a Knowledge Base article. To create an Office 2010 package on App-V, refer to the following link for detailed instructions: + +[How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330676) + +## Creating Office 2010 App-V packages using package accelerators + + +Office 2010 App-V packages can be created through package accelerators. Microsoft has provided package accelerators for creating Office 2010 on Windows 10, Windows 8 and Windows 7. To create Office 2010 packages on App-V using Package accelerators, refer to the following pages to access the appropriate package accelerator: + +- [App-V 5.0 Package Accelerator for Office Professional Plus 2010 – Windows 8](http://go.microsoft.com/fwlink/p/?LinkId=330677) + +- [App-V 5.0 Package Accelerator for Office Professional Plus 2010 – Windows 7](http://go.microsoft.com/fwlink/p/?LinkId=330678) + +For detailed instructions on how to create virtual application packages using App-V package accelerators, see [How to Create a Virtual Application Package Using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md). + +## Deploying the Microsoft Office package for App-V + + +You can deploy Office 2010 packages by using any of the following App-V deployment methods: + +- System Center Configuration Manager + +- App-V server + +- Stand-alone through PowerShell commands + +## Office App-V package management and customization + + +Office 2010 packages can be managed like any other App-V packages through known package management mechanisms. No special instructions are needed, for example, to add, publish, unpublish, or remove Office packages. 
+ +## Microsoft Office integration with Windows + + +The following table provides a full list of supported integration points for Office 2010. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Extension PointDescriptionOffice 2010

    Lync meeting Join Plug-in for Firefox and Chrome

    User can join Lync meetings from Firefox and Chrome

    Sent to OneNote Print Driver

    User can print to OneNote

    Yes

    OneNote Linked Notes

    OneNote Linked Notes

    Send to OneNote Internet Explorer Add-In

    User can send to OneNote from IE

    Firewall Exception for Lync and Outlook

    Firewall Exception for Lync and Outlook

    MAPI Client

    Native apps and add-ins can interact with virtual Outlook through MAPI

    SharePoint Plugin for Firefox

    User can use SharePoint features in Firefox

    Mail Control Panel Applet

    User gets the mail control panel applet in Outlook

    Yes

    Primary Interop Assemblies

    Support managed add-ins

    Office Document Cache Handler

    Allows Document Cache for Office applications

    Outlook Protocol Search handler

    User can search in outlook

    Yes

    Active X Controls:

    For more information on ActiveX controls, refer to [ActiveX Control API Reference](http://go.microsoft.com/fwlink/p/?LinkId=331361).

       Groove.SiteClient

    Active X Control

       PortalConnect.PersonalSite

    Active X Control

       SharePoint.openDocuments

    Active X Control

       SharePoint.ExportDatabase

    Active X Control

       SharePoint.SpreadSheetLauncher

    Active X Control

       SharePoint.StssyncHander

    Active X Control

       SharePoint.DragUploadCtl

    Active X Control

       SharePoint.DragDownloadCtl

    Active X Control

       Sharpoint.OpenXMLDocuments

    Active X Control

       Sharepoint.ClipboardCtl

    Active X control

       WinProj.Activator

    Active X Control

       Name.NameCtrl

    Active X Control

       STSUPld.CopyCtl

    Active X Control

       CommunicatorMeetingJoinAx.JoinManager

    Active X Control

       LISTNET.Listnet

    Active X Control

       OneDrive Pro Browser Helper

    Active X Control]

    OneDrive Pro Icon Overlays

    Windows explorer shell icon overlays when users look at folders OneDrive Pro folders

    + +  + +## Additional resources + + +**Office 2013 App-V Packages Additional Resources** + +[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](http://go.microsoft.com/fwlink/p/?LinkId=330680) + +**Office 2010 App-V Packages** + +[Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330681) + +[Known issues when you create or use an App-V 5.0 Office 2010 package](http://go.microsoft.com/fwlink/p/?LinkId=330682) + +[How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330676) + +**Connection Groups** + +[Deploying Connection Groups in Microsoft App-V v5](http://go.microsoft.com/fwlink/p/?LinkId=330683) + +[Managing Connection Groups](appv-managing-connection-groups.md) + +**Dynamic Configuration** + +[About App-V Dynamic Configuration](appv-dynamic-configuration.md) + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md new file mode 100644 index 0000000000..b092b860ba --- /dev/null +++ b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md 
@@ -0,0 +1,895 @@ +--- +title: Deploying Microsoft Office 2013 by Using App-V (Windows 10) +description: Deploying Microsoft Office 2013 by Using App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Deploying Microsoft Office 2013 by Using App-V + + +Use the information in this article to use Microsoft Application Virtualization (App-V), or later versions, to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V. + +This topic contains the following sections: + +- [What to know before you start](#bkmk-before-you-start) + +- [Creating an Office 2013 package for App-V with the Office Deployment Tool](#bkmk-create-office-pkg) + +- [Publishing the Office package for App-V](#bkmk-pub-pkg-office) + +- [Customizing and managing Office App-V packages](#bkmk-custmz-manage-office-pkgs) + +## What to know before you start + + +Before you deploy Office 2013 by using App-V, review the following planning information. + +### Supported Office versions and Office coexistence + +Use the following table to get information about supported versions of Office and about running coexisting versions of Office. + + ++++ + + + + + + + + + + + + + + + + +
    Information to reviewDescription

    [Planning for Using App-V with Office](appv-planning-for-using-appv-with-office.md#bkmk-office-vers-supp-appv)

      +
    • Supported versions of Office

    • +
    • Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)

    • +
    • Office licensing options

    • +

    [Planning for Using App-V with Office](appv-planning-for-using-appv-with-office.md#bkmk-plan-coexisting)

    Considerations for installing different versions of Office on the same computer

    + +  + +### Packaging, publishing, and deployment requirements + +Before you deploy Office by using App-V, review the following requirements. + + ++++ + + + + + + + + + + + + + + + + + + + + +
    TaskRequirement

    Packaging

      +
    • All of the Office applications that you want to deploy to users must be in a single package.

    • +
    • In App-V and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.

    • +
    • If you are deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#bkmk-deploy-visio-project).

    • +

    Publishing

      +
    • You can publish only one Office package to each client computer.

    • +
    • You must publish the Office package globally. You cannot publish to the user.

    • +

    Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:

    +
      +
    • Office 365 ProPlus

    • +
    • Visio Pro for Office 365

    • +
    • Project Pro for Office 365

    • +

    You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).

    +

    You don’t use shared computer activation if you’re deploying a volume licensed product, such as:

    +
      +
    • Office Professional Plus 2013

    • +
    • Visio Professional 2013

    • +
    • Project Professional 2013

    • +
    + +  + +### Excluding Office applications from a package + +The following table describes the recommended methods for excluding specific Office applications from a package. + + ++++ + + + + + + + + + + + + + + + + +
    TaskDetails

    Use the ExcludeApp setting when you create the package by using the Office Deployment Tool.

      +
    • Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.

    • +
    • For more information, see [ExcludeApp element](http://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).

    • +

    Modify the DeploymentConfig.xml file

      +
    • Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.

    • +
    • For more information, see [Disabling Office 2013 applications](#bkmk-disable-office-apps).

    • +
    + +  + +## Creating an Office 2013 package for App-V with the Office Deployment Tool + + +Complete the following steps to create an Office 2013 package for App-V or later. + +**Important**   +In App-V and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages. + +  + +### Review prerequisites for using the Office Deployment Tool + +The computer on which you are installing the Office Deployment Tool must have: + + ++++ + + + + + + + + + + + + + + + + +
    PrerequisiteDescription

    Prerequisite software

    .Net Framework 4

    Supported operating systems

      +
    • 64-bit version of Windows 8 or later

    • +
    • 64-bit version of Windows 7

    • +
    + +  + +**Note**   +In this topic, the term “Office 2013 App-V package” refers to subscription licensing and volume licensing. + +  + +### Create Office 2013 App-V Packages Using Office Deployment Tool + +You create Office 2013 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2013 App-V package with Volume Licensing or Subscription Licensing. + +Create Office 2013 App-V packages on 64-bit Windows computers. Once created, the Office 2013 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers. + +### Download the Office Deployment Tool + +Office 2013 App-V Packages are created using the Office Deployment Tool, which generates an Office 2013 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation: + +1. Download the [Office Deployment Tool for Click-to-Run](http://www.microsoft.com/download/details.aspx?id=36778). + +2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved. + + Example: \\\\Server\\Office2013 + +3. Check that a setup.exe and a configuration.xml file exist and are in the location you specified. + +### Download Office 2013 applications + +After you download the Office Deployment Tool, you can use it to get the latest Office 2013 applications. After getting the Office applications, you create the Office 2013 App-V package. + +The XML file that is included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included. + +1. **Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications: + + 1. Open the sample XML file in Notepad or your favorite text editor. + + 2. 
With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2013 applications. The following is a basic example of the configuration.xml file: + + ``` syntax + + + + + + + + + + + ``` + + **Note**   + The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. + +   + + The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    InputDescriptionExample

    Add element

    Specifies the products and languages to include in the package.

    N/A

    OfficeClientEdition (attribute of Add element)

    Specifies the edition of Office 2013 product to use: 32-bit or 64-bit. The operation fails if OfficeClientEdition is not set to a valid value.

    OfficeClientEdition="32"

    +

    OfficeClientEdition="64"

    Product element

    Specifies the application. Project 2013 and Visio 2013 must be specified here as an added product to be included in the applications.

    Product ID ="O365ProPlusRetail "

    +

    Product ID ="VisioProRetail"

    +

    Product ID ="ProjectProRetail"

    +

    Product ID ="ProPlusVolume"

    +

    Product ID ="VisioProVolume"

    +

    Product ID = "ProjectProVolume"

    Language element

    Specifies the language supported in the applications

    Language ID="en-us"

    Version (attribute of Add element)

    Optional. Specifies a build to use for the package

    +

    Defaults to latest advertised build (as defined in v32.CAB at the Office source).

    15.1.2.3

    SourcePath (attribute of Add element)

    Specifies the location in which the applications will be saved to.

    Sourcepath = "\\Server\Office2013”

    + +   + + After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. + +2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2013 applications that will later be converted into an App-V package. Below is an example command with description of details: + + ``` syntax + \\server\Office2013\setup.exe /download \\server\Office2013\Customconfig.xml + ``` + + In the example: + + + + + + + + + + + + + + + + + + + + + + + + +

    \\server\Office2013

    is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

    Setup.exe

    is the Office Deployment Tool.

    /download

    downloads the Office 2013 applications that you specify in the customConfig.xml file. These bits can be later converted in an Office 2013 App-V package with Volume Licensing.

    \\server\Office2013\Customconfig.xml

    passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \\Server\Office2013.

    + +   + +### Convert the Office applications into an App-V package + +After you download the Office 2013 applications through the Office Deployment Tool, use the Office Deployment Tool to convert them into an Office 2013 App-V package. Complete the steps that correspond to your licensing model. + +**Summary of what you’ll need to do:** + +- Create the Office 2013 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8, and Windows 10 computers. + +- Create an Office App-V package for either Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file. + + The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    Product IDVolume LicensingSubscription Licensing

    Office 2013

    ProPlusVolume

    O365ProPlusRetail

    Office 2013 with Visio 2013

    ProPlusVolume

    +

    VisioProVolume

    O365ProPlusRetail

    +

    VisioProRetail

    Office 2013 with Visio 2013 and Project 2013

    ProPlusVolume

    +

    VisioProVolume

    +

    ProjectProVolume

    O365ProPlusRetail

    +

    VisioProRetail

    +

    ProjectProRetail

    + +  + +**How to convert the Office applications into an App-V package** + +1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterWhat to change the value to

    SourcePath

    Point to the Office applications downloaded earlier.

    ProductID

    Specify the type of licensing, as shown in the following examples:

    +
      +
    • Subscription Licensing

      +
      <Configuration>
      +       <Add SourcePath= "\\server\Office 2013" OfficeClientEdition="32" >
      +        <Product ID="O365ProPlusRetail">
      +          <Language ID="en-us" />
      +        </Product>
      +        <Product ID="VisioProRetail">
      +          <Language ID="en-us" />
      +        </Product>
      +      </Add>  
      +    </Configuration> 
      +

      In this example, the following changes were made to create a package with Subscription licensing:

      + + + + + + + + + + + + + + + + + + + +

      SourcePath

      is the path, which was changed to point to the Office applications that were downloaded earlier.

      Product ID

      for Office was changed to O365ProPlusRetail.

      Product ID

      for Visio was changed to VisioProRetail.

      +

       

      +

    • +
    • Volume Licensing

      +
      <Configuration>
      +       <Add SourcePath= "\\Server\Office2013" OfficeClientEdition="32" >
      +        <Product ID="ProPlusVolume">
      +          <Language ID="en-us" />
      +        </Product>
      +        <Product ID="VisioProVolume">
      +          <Language ID="en-us" />
      +        </Product>
      +      </Add>  
      +    </Configuration>
      +

      In this example, the following changes were made to create a package with Volume licensing:

      + + + + + + + + + + + + + + + + + + + +

      SourcePath

      is the path, which was changed to point to the Office applications that were downloaded earlier.

      Product ID

      for Office was changed to ProPlusVolume.

      Product ID

      for Visio was changed to VisioProVolume.

      +

       

      +

    • +

    ExcludeApp (optional)

    Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.

    PACKAGEGUID (optional)

    By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

    +

    An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2013 for some users, and create another package with Office 2013 and Visio 2013 for another set of users.

    +
    + Note   +

    Even if you use unique package IDs, you can still deploy only one App-V package to a single device.

    +
    +
    +   +
    + +   + +2. Use the /packager command to convert the Office applications to an Office 2013 App-V package. + + For example: + + ``` syntax + \\server\Office2013\setup.exe /packager \\server\Office2013\Customconfig.xml \\server\share\Office2013AppV + ``` + + In the example: + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    \\server\Office2013

    is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

    Setup.exe

    is the Office Deployment Tool.

    /packager

    creates the Office 2013 App-V package with Volume Licensing as specified in the customConfig.xml file.

    \\server\Office2013\Customconfig.xml

    passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.

    \\server\share\Office 2013AppV

    specifies the location of the newly created Office App-V package.

    + +   + + After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: + + - **App-V Packages** – contains an Office 2013 App-V package and two deployment configuration files. + + - **WorkingDir** + + **Note**   + To troubleshoot any issues, see the log files in the %temp% directory (default). + +   + +3. Verify that the Office 2013 App-V package works correctly: + + 1. Publish the Office 2013 App-V package, which you created globally, to a test computer, and verify that the Office 2013 shortcuts appear. + + 2. Start a few Office 2013 applications, such as Excel or Word, to ensure that your package is working as expected. + +## Publishing the Office package for App-V + + +Use the following information to publish an Office package. + +### Methods for publishing Office App-V packages + +Deploy the App-V package for Office 2013 by using the same methods you use for any other package: + +- System Center Configuration Manager + +- App-V Server + +- Stand-alone through PowerShell commands + +### Publishing prerequisites and requirements + + ++++ + + + + + + + + + + + + + + + + +
    Prerequisite or requirementDetails

    Enable PowerShell scripting on the App-V clients

    To publish Office 2013 packages, you must run a script.

    +

    Package scripts are disabled by default on App-V clients. To enable scripting, run the following PowerShell command:

    +
    Set-AppvClientConfiguration –EnablePackageScripts 1

    Publish the Office 2013 package globally

    Extension points in the Office App-V package require installation at the computer level.

    +

    When you publish at the computer level, no prerequisite actions or redistributables are needed, and the Office 2013 package globally enables its applications to work like natively installed Office, eliminating the need for administrators to customize packages.

    + +  + +### How to publish an Office package + +Run the following command to publish an Office package globally: + +- `Add-AppvClientPackage | Publish-AppvClientPackage –global` + +- From the Web Management Console on the App-V Server, you can add permissions to a group of computers instead of to a user group to enable packages to be published globally to the computers in the corresponding group. + +## Customizing and managing Office App-V packages + + +To manage your Office App-V packages, use the same operations as you would for any other package, but there are a few exceptions, as outlined in the following sections. + +- [Enabling Office plug-ins by using connection groups](#bkmk-enable-office-plugins) + +- [Disabling Office 2013 applications](#bkmk-disable-office-apps) + +- [Disabling Office 2013 shortcuts](#bkmk-disable-shortcuts) + +- [Managing Office 2013 package upgrades](#bkmk-manage-office-pkg-upgrd) + +- [Managing Office 2013 licensing upgrades](#bkmk-manage-office-lic-upgrd) + +- [Deploying Visio 2013 and Project 2013 with Office](#bkmk-deploy-visio-project) + +### Enabling Office plug-ins by using connection groups + +Use the steps in this section to enable Office plug-ins with your Office package. To use Office plug-ins, you must use the App-V Sequencer to create a separate package that contains just the plug-ins. You cannot use the Office Deployment Tool to create the plug-ins package. You then create a connection group that contains the Office package and the plug-ins package, as described in the following steps. + +**To enable plug-ins for Office App-V packages** + +1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet. + +2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins. + +3. 
Create an App-V package that includes the desired plug-ins. + +4. Add a Connection Group through App-V server, System Center Configuration Manager, or a PowerShell cmdlet. + +5. Add the Office 2013 App-V package and the plug-ins package you sequenced to the Connection Group you created. + + **Important**   + The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2013 App-V package first, and then add the plug-in App-V package. + +   + +6. Ensure that both packages are published to the target computer and that the plug-in package is published globally to match the global settings of the published Office 2013 App-V package. + +7. Verify that the Deployment Configuration File of the plug-in package has the same settings that the Office 2013 App-V package has. + + Since the Office 2013 App-V package is integrated with the operating system, the plug-in package settings should match. You can search the Deployment Configuration File for “COM Mode” and ensure that your plug-ins package has that value set as “Integrated” and that both "InProcessEnabled" and "OutOfProcessEnabled" match the settings of the Office 2013 App-V package you published. + +8. Open the Deployment Configuration File and set the value for **Objects Enabled** to **false**. + +9. If you made any changes to the Deployment Configuration file after sequencing, ensure that the plug-in package is published with the file. + +10. Ensure that the Connection Group you created is enabled onto your desired computer. The Connection Group created will likely “pend” if the Office 2013 App-V package is in use when the Connection Group is enabled. If that happens, you have to reboot to successfully enable the Connection Group. + +11. 
After you successfully publish both packages and enable the Connection Group, start the target Office 2013 application and verify that the plug-in you published and added to the connection group works as expected. + +### Disabling Office 2013 applications + +You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2013 App-V package has been published, you will save the changes, add the Office 2013 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications. + +**Note**   +To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](http://technet.microsoft.com/library/jj219426.aspx). + +  + +**To disable an Office 2013 application** + +1. Open a Deployment Configuration File with a text editor such as **Notepad** and search for “Applications." + +2. Search for the Office application you want to disable, for example, Access 2013. + +3. Change the value of "Enabled" from "true" to "false." + +4. Save the Deployment Configuration File. + +5. Add the Office 2013 App-V Package with the new Deployment Configuration File. + + ``` syntax + + + InfoPath Filler 2013 + + + + + + + Lync 2013 + + + + + + + Access 2013 + + + + + ``` + +6. Re-add the Office 2013 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications. 
+ +### Disabling Office 2013 shortcuts + +You may want to disable shortcuts for certain Office applications instead of unpublishing or removing the package. The following example shows how to disable shortcuts for Microsoft Access. + +**To disable shortcuts for Office 2013 applications** + +1. Open a Deployment Configuration File in Notepad and search for “Shortcuts”. + +2. To disable certain shortcuts, delete or comment out the specific shortcuts you don’t want. You must keep the subsystem present and enabled. For example, in the example below, delete the Microsoft Access shortcuts, while keeping the subsystems <shortcut> </shortcut> intact to disable the Microsoft Access shortcut. + + ``` syntax + Shortcuts + + --> + + + + + [{Common Programs}]\Microsoft Office 2013\Access 2013.lnk + [{AppvPackageRoot}])office15\MSACCESS.EXE + [{Windows}]\Installer\{90150000-000F-0000-0000-000000FF1CE)\accicons.exe.Ø.ico + + + Microsoft.Office.MSACCESS.EXE.15 + true + Build a professional app quickly to manage data. + l + [{AppVPackageRoot}]\officel5\MSACCESS.EXE + + ``` + +3. Save the Deployment Configuration File. + +4. Republish Office 2013 App-V Package with new Deployment Configuration File. + +Many additional settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document. + +### Managing Office 2013 package upgrades + +To upgrade an Office 2013 package, use the Office Deployment Tool. To upgrade a previously deployed Office 2013 package, perform the following steps. + +**How to upgrade a previously deployed Office 2013 package** + +1. Create a new Office 2013 package through the Office Deployment Tool that uses the most recent Office 2013 application software. 
The most recent Office 2013 bits can always be obtained through the download stage of creating an Office 2013 App-V Package. The newly created Office 2013 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. + + **Note**   + Office App-V packages have two Version IDs: + + - An Office 2013 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool. + + - A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2013 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2013 package. + +   + +2. Globally publish the newly created Office 2013 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2013 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast. + +3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted. + +### Managing Office 2013 licensing upgrades + +If a new Office 2013 App-V Package has a different license than the Office 2013 App-V Package currently deployed. 
For instance, the Office 2013 package deployed is a subscription based Office 2013 and the new Office 2013 package is Volume Licensing based, the following instructions must be followed to ensure smooth licensing upgrade: + +**How to upgrade an Office 2013 License** + +1. Unpublish the already deployed Office 2013 Subscription Licensing App-V package. + +2. Remove the unpublished Office 2013 Subscription Licensing App-V package. + +3. Restart the computer. + +4. Add the new Office 2013 App-V Package Volume Licensing. + +5. Publish the added Office 2013 App-V Package with Volume Licensing. + +An Office 2013 App-V Package with your chosen licensing will be successfully deployed. + +### Deploying Visio 2013 and Project 2013 with Office + +The following table describes the requirements and options for deploying Visio 2013 and Project 2013 with Office. + + ++++ + + + + + + + + + + + + + + + + +
    TaskDetails

    How do I package and publish Visio 2013 and Project 2013 with Office?

    You must include Visio 2013 and Project 2013 in the same package with Office.

    +

    If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the [Virtualizing Microsoft Office 2013 for Application Virtualization (App-V) 5.0](https://technet.microsoft.com/en-us/itpro/mdop/solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions#bkmk-pkg-pub-reqs).

    How can I deploy Visio 2013 and Project 2013 to specific users?

    Use one of the following methods:

    + ++++ + + + + + + + + + + + + + + + + +
    If you want to......then use this method

    Create two different packages and deploy each one to a different group of users

    Create and deploy the following packages:

    +
      +
    • A package that contains only Office - deploy to computers whose users need only Office.

    • +
    • A package that contains Office, Visio, and Project - deploy to computers whose users need all three applications.

    • +

    If you want only one package for the whole organization, or if you have users who share computers:

    Follows these steps:

    +
      +
    1. Create a package that contains Office, Visio, and Project.

    2. +
    3. Deploy the package to all users.

    4. +
    5. Use [Microsoft AppLocker](http://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.

    6. +
    +

     

    +
+ 
+
+## Additional resources
+
+
+**Office 2013 App-V Packages Additional Resources**
+
+[Office Deployment Tool for Click-to-Run](http://go.microsoft.com/fwlink/p/?LinkID=330672)
+
+[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](http://go.microsoft.com/fwlink/p/?LinkId=330680)
+
+**Office 2010 App-V Packages**
+
+[Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330681)
+
+[Known issues when you create or use an App-V 5.0 Office 2010 package](http://go.microsoft.com/fwlink/p/?LinkId=330682)
+
+[How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330676)
+
+**Connection Groups**
+
+[Deploying Connection Groups in Microsoft App-V v5](http://go.microsoft.com/fwlink/p/?LinkId=330683)
+
+[Managing Connection Groups](appv-managing-connection-groups.md)
+
+**Dynamic Configuration**
+
+[About App-V Dynamic Configuration](appv-dynamic-configuration.md)
+
+## Have a suggestion for App-V?
+
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/manage/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/manage/appv-deploying-packages-with-electronic-software-distribution-solutions.md
new file mode 100644
index 0000000000..40d840f195
--- /dev/null
+++ b/windows/manage/appv-deploying-packages-with-electronic-software-distribution-solutions.md
@@ -0,0 +1,52 @@
+---
+title: Deploying App-V Packages by Using Electronic Software Distribution (ESD)
+description: Deploying App-V Packages by Using Electronic Software Distribution (ESD)
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Deploying App-V Packages by Using Electronic Software Distribution (ESD)
+
+
+You can deploy App-V packages using an Electronic Software Distribution (ESD) solution. For information about planning to deploy App-V packages with an ESD, see [Planning to Deploy App-V with an Electronic Software Distribution System](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md).
+
+To deploy App-V packages with Microsoft System Center 2012 Configuration Manager, see [Introduction to Application Management in Configuration Manager](http://go.microsoft.com/fwlink/?LinkId=281816)
+
+## How to deploy virtualized packages using an ESD
+
+
+Describes the methods you can use to deploy App-V packages by using an ESD
+
+[How to deploy App-V Packages Using Electronic Software Distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md)
+
+## How to Enable Only Administrators to Publish Packages by Using an ESD
+
+
+Explains how to configure the App-V client to enable only administrators to publish and unpublish packages when you’re using an ESD.
+
+[How to Enable Only Administrators to Publish Packages by Using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md)
+
+## Have a suggestion for App-V?
+
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Other resources for using an ESD and App-V
+
+
+Use the following link for more information about [App-V and Citrix Integration](http://go.microsoft.com/fwlink/?LinkId=330294 ) (http://go.microsoft.com/fwlink/?LinkId=330294).
+
+[Operations for App-V](appv-operations.md)
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/manage/appv-deploying-the-appv-sequencer-and-client.md b/windows/manage/appv-deploying-the-appv-sequencer-and-client.md
new file mode 100644
index 0000000000..19cb04b5f4
--- /dev/null
+++ b/windows/manage/appv-deploying-the-appv-sequencer-and-client.md
@@ -0,0 +1,97 @@
+---
+title: Deploy the App-V Sequencer and Client (Windows 10)
+description: Deploying the App-V Sequencer and Client
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Deploying the App-V Sequencer and Client
+
+The App-V Sequencer and client enable administrators to virtualize and run virtualized applications.
+
+## Enable the client
+
+
+The App-V client is the component that runs a virtualized application on a target computer. The client enables users to interact with icons and to double-click file types, so that they can start a virtualized application. The client can also obtain the virtual application content from the management server.
+
+> [!NOTE]
+> In Windows 10, version 1607, App-V is included with the OS. You only need to enable it.
+
+[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
+
+## Client Configuration Settings
+
+
+The App-V client stores its configuration in the registry. You can gather some useful information about the client if you understand the format of data in the registry. You can also configure many client actions by changing registry entries.
+
+[About Client Configuration Settings](appv-client-configuration-settings.md)
+
+## Configure the client by using the ADMX template and Group Policy
+
+You can use Group Policy to configure the client settings for the App-V client and the Remote Desktop Services client.
+
+
+Perform the following steps on the computer that you will use to manage Group Policy. This is typically the Domain Controller.
+
+1. Save the **.admx** file to the following directory: **Windows \\ PolicyDefinitions**
+
+2. Save the **.adml** file to the following directory: **Windows \\ PolicyDefinitions \\ **
+
+After you have completed the preceding steps, you can manage the App-V client configuration settings with the **Group Policy Management** console.
+
+The App-V client also stores its configuration in the registry. You can gather some useful information about the client if you understand the format of the data in the registry. You can also configure many client actions by changing registry entries.
+
+[How to Modify App-V Client Configuration Using the ADMX Template and Group Policy](appv-modify-client-configuration-with-the-admx-template-and-group-policy.md)
+
+## Deploy the client by using the Shared Content Store mode
+
+The App-V Shared Content Store (SCS) mode enables the SCS App-V clients to run virtualized applications without saving any of the associated package data locally. All required virtualized package data is transmitted across the network; therefore, you should only use the SCS mode in environments with a fast connection. Both the Remote Desktop Services (RDS) and the standard version of the App-V client are supported with SCS mode.
+
+> [!IMPORTANT]
+> If the App-V client is configured to run in the SCS mode, the location where the App-V packages are streamed from must be available, otherwise, the virtualized package will fail. Additionally, we do not recommend deployment of virtualized applications to computers that run the App-V client in the SCS mode across the internet.
+
+Additionally, the SCS is not a physical location that contains virtualized packages. It is a mode that allows the App-V client to stream the required virtualized package data across the network.
+
+The SCS mode is helpful in the following scenarios:
+
+- Virtual desktop infrastructure (VDI) deployments
+
+- Remote Desktop Services deployments
+
+To use SCS in your environment, you must enable the App-V client to run in SCS mode. This setting should be specified during installation. By default, the client is not configured to use SCS mode. You should install the client by using the suggested procedure if you plan to use SCS. 
However, you can configure an existing App-V client to run in SCS mode by entering the following Windows PowerShell command on the computer that runs the App-V client:
+
+```
+set-AppvClientConfiguration -SharedContentStoreMode 1
+```
+
+There might be cases when the administrator pre-loads some virtual applications on the computer that runs the App-V client in SCS mode. This can be accomplished with Windows PowerShell commands to add, publish, and mount the package. For example, if a package is pre-loaded on all computers, the administrator could add, publish, and mount the package by using Windows PowerShell commands. The package would not stream across the network because it would be locally stored.
+
+[How to Install the App-V Client for Shared Content Store Mode](appv-install-the-appv-client-for-shared-content-store-mode.md)
+
+## Deploy the Sequencer
+
+The Sequencer is a tool that is used to convert standard applications into virtual packages for deployment to computers that run the App-V client. The Sequencer helps provide a simple and predictable conversion process with minimal changes to prior sequencing workflows. In addition, the Sequencer allows users to more easily configure applications to enable connections of virtualized applications.
+
+For a list of changes in the App-V Sequencer, see [About App-V](appv-about-appv.md).
+
+[How to Install the Sequencer](appv-install-the-sequencer.md)
+
+## App-V Client and Sequencer logs
+
+
+You can use the App-V Sequencer log information to help troubleshoot the Sequencer installation and operational events while using App-V. The Sequencer-related log information can be reviewed with the **Event Viewer**. The following line displays the specific path for Sequencer-related events:
+
+**Event Viewer \\ Applications and Services Logs \\ Microsoft \\ App V**. Sequencer-related events are prepended with **AppV\_Sequencer**. Client-related events are prepended with **AppV\_Client**. 
+
+## Other resources for deploying the Sequencer and client
+
+- [Deploying App-V](appv-deploying-appv.md)
+- [Planning for App-V](appv-planning-for-appv.md)
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
diff --git a/windows/manage/appv-deploying-the-appv-server.md b/windows/manage/appv-deploying-the-appv-server.md
new file mode 100644
index 0000000000..309a23843c
--- /dev/null
+++ b/windows/manage/appv-deploying-the-appv-server.md
@@ -0,0 +1,106 @@
+---
+title: Deploying the App-V Server (Windows 10)
+description: Deploying the App-V Server
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# Deploying the App-V Server
+
+You can install the App-V server features by using different deployment configurations, which are described in this topic. Before you install the server features, review the server section of [App-V Security Considerations](appv-security-considerations.md).
+
+For information about deploying the App-V Server, see [About App-V](appv-about-appv.md).
+
+>**Important**
    Before you install and configure the App-V servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports. The installer does not modify firewall settings.
+
+## Download and install App-V server components
+
+App-V offers the following five server components, each of which serves a specific purpose in an App-V environment.
+
+- **Management server.** Use the App-V management server and console to manage your App-V infrastructure. See [Administering App-V with the management console](appv-administering-virtual-applications-with-the-management-console.md) for more information about the management server.
+
+ >**Note**
    If you are using App-V with your electronic software distribution solution, you don’t need to use the management server and console. However, you can still take advantage of the reporting and streaming capabilities in App-V.
+
+- **Management database.** Use the App-V management database to facilitate database pre-deployments for App-V management. See [How to deploy the App-V server components](appv-deploy-the-appv-server.md) for more information about the management database.
+
+- **Publishing server.** Use the App-V publishing server to host and stream virtual applications. The publishing server supports the HTTP and HTTPS protocols and does not require a database connection. See [How to install the App-V publishing server](appv-install-the-publishing-server-on-a-remote-computer.md) for more information about configuring the publishing server.
+
+- **Reporting server.** Use the App-V reporting server to generate reports that help you manage your App-V infrastructure. The reporting server requires a connection to the reporting database. See [About App-V reporting](appv-reporting.md) for more information about the reporting capabilities in App-V.
+
+- **Reporting database.** Use the App-V reporting database to facilitate database pre-deployments for App-V reporting. See [How to deploy the App-V server](appv-deploy-the-appv-server.md) for more information about the reporting database.
+
+All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from:
+
+- The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/en-us/subscriptions/downloads/default.aspx#FileId=65215) You must have a MSDN subscription to download the MDOP ISO package from the MSDN subscriptions site. 
+
+- The [Volume Licensing Service Center](https://www.microsoft.com/en-us/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home).
+
+ >**Note**
    If you're already using App-V 5.x, you don't need to re-deploy the App-V server components as they haven't changed since App-V 5.0 was released.
+
+In large organizations, you might want to install more than one instance of the server components to get:
+
+- Fault tolerance for situations when one of the servers is unavailable.
+
+- High availability to balance server requests. We recommend using a network load balancer to achieve this.
+
+- Scalability to support a high load. For example, you can install additional servers behind a network load balancer.
+
+## App-V standalone deployment
+The App-V standalone deployment provides a good topology for a small deployment or a test environment. When you use this type of implementation, all server components are deployed to a single computer. The services and associated databases will compete for the resources on the computer that runs the App-V components. Therefore, you should not use this topology for larger deployments.
+
+- [How to Deploy the App-V Server](appv-deploy-the-appv-server.md)
+
+- [How to Deploy the App-V Server Using a Script](appv-deploy-the-appv-server-with-a-script.md)
+
+## App-V Server distributed deployment
+The distributed deployment topology can support a large App-V client base and it allows you to more easily manage and scale your environment. When you use this type of deployment, the App-V Server components are deployed across multiple computers, based on the structure and requirements of the organization. 
+
+- [How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](appv-install-the-management-and-reporting-databases-on-separate-computers.md)
+
+- [How to install the Management Server on a Standalone Computer and Connect it to the Database](appv-install-the-management-server-on-a-standalone-computer.md)
+
+- [How to Deploy the App-V Server Using a Script](appv-deploy-the-appv-server-with-a-script.md)
+
+- [How to Install the Publishing Server on a Remote Computer](appv-install-the-publishing-server-on-a-remote-computer.md)
+
+- [How to install the Management Server on a Standalone Computer and Connect it to the Database](appv-install-the-management-server-on-a-standalone-computer.md)
+
+## Using an Enterprise Software Distribution (ESD) solution and App-V
+You can also deploy the App-V clients and packages by using an ESD without having to deploy App-V. The full capabilities for integration will vary depending on the ESD that you use.
+
+>**Note**
    The App-V reporting server and reporting database can still be deployed alongside the ESD to collect the reporting data from the App-V clients. However, the other three server components should not be deployed, because they will conflict with the ESD functionality.
+
+[Deploying App-V Packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md)
+
+## App-V Server logs
+You can use App-V server log information to help troubleshoot the server installation and operational events while using App-V. The server-related log information can be reviewed with the **Event Viewer**. The following line displays the specific path for Server-related events:
+
+**Event Viewer \\ Applications and Services Logs \\ Microsoft \\ App V**
+
+Associated setup logs are saved in the following directory:
+
+**%temp%**
+
+## App-V reporting
+App-V reporting allows App-V clients to collect data and then send it back to be stored in a central repository. You can use this information to get a better view of the virtual application usage within your organization. The following list displays some of the types of information the App-V client collects:
+
+- Information about the computer that runs the App-V client.
+
+- Information about virtualized packages on a specific computer that runs the App-V client.
+
+- Information about package open and shutdown for a specific user.
+
+The reporting information will be maintained until it is successfully sent to the reporting server database. After the data is in the database, you can use Microsoft SQL Server Reporting Services to generate any necessary reports.
+
+If you want to retrieve report information, you must use Microsoft SQL Server Reporting Services (SSRS) which is available with Microsoft SQL. SSRS is not installed when you install the App-V reporting server and it must be deployed separately to generate the associated reports. 
+
+For more information, see [About App-V Reporting](appv-reporting.md) and [How to Enable Reporting on the App-V Client by Using PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md).
+
+## Other resources for the App-V server
+- [Deploying App-V](appv-deploying-appv.md)
+
+## Have a suggestion for App-V?
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
diff --git a/windows/manage/appv-deployment-checklist.md b/windows/manage/appv-deployment-checklist.md
new file mode 100644
index 0000000000..2def234fd2
--- /dev/null
+++ b/windows/manage/appv-deployment-checklist.md
@@ -0,0 +1,76 @@
+---
+title: App-V Deployment Checklist (Windows 10)
+description: App-V Deployment Checklist
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# App-V Deployment Checklist
+
+
+This checklist can be used to help you during an App-V deployment.
+
+> [!NOTE]
+> This checklist outlines the recommended steps and a high-level list of items to consider when deploying App-V features. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use.
+ + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    TaskReferencesNotes
    Checklist box

    Complete the planning phase to prepare the computing environment for App-V deployment.

    [App-V Planning Checklist](appv-planning-checklist.md)

    Checklist box

    Review the App-V supported configurations information to make sure selected client and server computers are supported for App-V feature installation.

    [App-V Supported Configurations](appv-supported-configurations.md)

    Checklist box

    Run App-V Setup to deploy the required App-V features for your environment.

    +
    +Note   +

    Keep track of the names of the servers and associated URLs created during installation. This information will be used throughout the installation process.

    +
    +
    +  +

    +
      +
    • [How to Install the Sequencer](appv-install-the-sequencer.md)

    • +
    • [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)

    • +
    • [How to Deploy the App-V Server](appv-deploy-the-appv-server.md)

    • +

    + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + +[Deploying App-V](appv-deploying-appv.md) diff --git a/windows/manage/appv-dynamic-configuration.md b/windows/manage/appv-dynamic-configuration.md new file mode 100644 index 0000000000..9f39eb5a86 --- /dev/null +++ b/windows/manage/appv-dynamic-configuration.md 
@@ -0,0 +1,742 @@ +--- +title: About App-V Dynamic Configuration (Windows 10) +description: About App-V Dynamic Configuration +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# About App-V Dynamic Configuration + +You can use the dynamic configuration to customize an App-V package for a user. Use the following information to create or edit an existing dynamic configuration file. + +When you edit the dynamic configuration file it customizes how an App-V package will run for a user or group. This helps to provide a more convenient method for package customization by removing the need to re-sequence packages using the desired settings, and provides a way to keep package content and custom settings independent. + +## Advanced: Dynamic Configuration + + +Virtual application packages contain a manifest that provides all the core information for the package. This information includes the defaults for the package settings and determines settings in the most basic form (with no additional customization). If you want to adjust these defaults for a particular user or group, you can create and edit the following files: + +- User Configuration file + +- Deployment configuration file + +The previous .xml files specify package settings and allow for packages to be customized without directly affecting the packages. When a package is created, the sequencer automatically generates default deployment and user configuration .xml files using the package manifest data. Therefore, these automatically generated configuration files simply reflect the default settings that the package innately as from how things were configured during sequencing. If you apply these configuration files to a package in the form generated by the sequencer, the packages will have the same default settings that came from their manifest. 
This provides you with a package-specific template to get started if any of the defaults must be changed. + +**Note**   +The following information can only be used to modify sequencer generated configuration files to customize packages to meet specific user or group requirements. + +  + +### Dynamic Configuration file contents + +All of the additions, deletions, and updates in the configuration files need to be made in relation to the default values specified by the package's manifest information. Review the following table: + + +++ + + + + + + + + + + + +

    User Configuration .xml file

    Deployment Configuration .xml file

    Package Manifest

    + +  + +The previous table represents how the files will be read. The first entry represents what will be read last, therefore, its content takes precedence. Therefore, all packages inherently contain and provide default settings from the package manifest. If a deployment configuration .xml file with customized settings is applied, it will override the package manifest defaults. If a user configuration .xml file with customized settings is applied prior to that, it will override both the deployment configuration and the package manifest defaults. + +The following list displays more information about the two file types: + +- **User Configuration File (UserConfig)** – Allows you to specify or modify custom settings for a package. These settings will be applied for a specific user when the package is deployed to a computer running the App-V client. + +- **Deployment Configuration File (DeploymentConfig)** – Allows you to specify or modify the default settings for a package. These settings will be applied for all users when a package is deployed to a computer running the App-V client. + +To customize the settings for a package for a specific set of users on a computer or to make changes that will be applied to local user locations such as HKCU, the UserConfig file should be used. To modify the default settings of a package for all users on a machine or to make changes that will be applied to global locations such as HKEY\_LOCAL\_MACHINE and the all users folder, the DeploymentConfig file should be used. 
+ +The UserConfig file provides configuration settings that can be applied to a single user without affecting any other users on a client: + +- Extensions that will be integrated into the native system per user:- shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients and COM + +- Virtual Subsystems:- Application Objects, Environment variables, Registry modifications, Services and Fonts + +- Scripts (User context only) + +The DeploymentConfig file provides configuration settings in two sections, one relative to the machine context and one relative to the user context providing the same capabilities listed in the UserConfig list above: + +- All UserConfig settings above + +- Extensions that can only be applied globally for all users + +- Virtual Subsystems that can be configured for global machine locations e.g. registry + +- Product Source URL + +- Scripts (Machine context only) + +- Controls to Terminate Child Processes + +### File structure + +The structure of the App-V Dynamic Configuration file is explained in the following section. + +### Dynamic User Configuration file + +**Header** - the header of a dynamic user configuration file is as follows: + +``` + + +``` + +The **PackageId** is the same value as exists in the Manifest file. + +**Body** - the body of the Dynamic User Configuration file can include all the app extension points that are defined in the Manifest file, as well as information to configure virtual applications. There are four subsections allowed in the body: + +**Applications** - All app-extensions that are contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored. 
+ +``` + + + + + + + … + +``` + +**Subsystems** - AppExtensions and other subsystems are arranged as subnodes under the : + +``` + + + .. + + .. + +``` + +Each subsystem can be enabled/disabled using the “**Enabled**” attribute. Below are the various subsystems and usage samples. + +**Extensions:** + +Some subsystems (Extension Subsystems) control Extensions. Those subsystems are:- shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients and COM + +Extension Subsystems can be enabled and disabled independently of the content.  Thus if Shortcuts are enabled, The client will use the shortcuts contained within the manifest by default. Each Extension Subsystem can contain an node. If this child element is present, the client will ignore the content in the Manifest file for that subsystem and only use the content in the configuration file. + +Example using the shortcuts subsystem: + +**Example 1**
    If the user defined this in either the dynamic or deployment config file: + +``` +                               +                                           +                              
    +``` + +Content in the manifest will be ignored.    + +**Example 2**
    If the user defined only the following: + +                             `` + +Then the content in the Manifest will be integrated during publishing. + +**Example 3**
    If the user defines the following + +``` +                            +                                           +                               +``` + +Then all the shortcuts within the manifest will still be ignored. There will be no shortcuts integrated. + +The supported Extension Subsystems are: + +**Shortcuts:** This controls shortcuts that will be integrated into the local system. Below is a sample with 2 shortcuts: + +``` + + +   +     +       +         \[{Common Programs}\]\\Microsoft Contoso\\Microsoft ContosoApp Filler 2010.lnk +         \[{PackageRoot}\]\\Contoso\\ContosoApp.EXE +         \[{Windows}\]\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\inficon.exe +          +          +         ContosoApp.Filler.3 +         Fill out dynamic forms to gather and reuse information throughout the organization using Microsoft ContosoApp. +         0 +         1 +         \[{PackageRoot}\]\\Contoso\\ContosoApp.EXE +        +   +   +      +       \[{AppData}\]\\Microsoft\\Contoso\\Recent\\Templates.LNK +       \[{AppData}\]\\Microsoft\\Templates +        +        +        +        +        +       0 +       1 +        +      +   +   + +``` + +**File-Type Associations:** Associates File-types with programs to open by default as well as setup the context menu. (MIME types can also be setup using this susbsystem). 
Sample File-type Association is below: + +``` + + + + + + .docm + contosowordpad.DocumentMacroEnabled.12 + document + application/vnd.ms-contosowordpad.document.macroEnabled.12 + + wincontosowordpad.exe + + + contosowordpad.8 + + + + + + + true + + + + + + + + contosowordpad.DocumentMacroEnabled.12 + \[{Windows}\]\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\contosowordpadicon.exe,15 + Blah Blah Blah + \[{FOLDERID\_ProgramFilesX86}\]\\Microsoft Contoso 14\\res.dll,9182 + \[{FOLDERID\_ProgramFilesX86}\]\\Microsoft Contoso 14\\res.dll,1424 + 0 + + Open + + {e56fa627-c35f-4a01-9e79-7d36aed8225a} + Edit + &Edit + "\[{PackageRoot}\]\\Contoso\\WINcontosowordpad.EXE" /vu "%1" + + + {e56fa627-c35f-4a01-9e79-7d36aed8225a} + Open + &Open + "\[{PackageRoot}\]\\Contoso\\WINcontosowordpad.EXE" /n "%1" + + + mscontosowordpad + ShellSystem + \[SHELLNOOP\] + \[SetForeground\]\[ShellNewDatabase "%1"\] + + + + + + + + +``` + +**URL Protocols**: This controls the URL Protocols that are integrated into the local registry of the client machine e.g. “mailto:”. + +``` + + + + +   mailto +    +   \[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE,-9403 +   2 +   +   +   +   + +   +   +   2 +   +    +   open +    +   \[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE +   open +   \[{ProgramFilesX86}\\Microsoft Contoso\\Contoso\\contosomail.EXE" -c OEP.Note /m "%1" +   +   +   0 +   0 +   2 +     +   +   contosomail +   ShellSystem +   \[SHELLNOOP\] +   \[SetForeground\]\[ShellNewDatabase "%1"\] +   +   +   +   +   +   +   +   +``` + +**Software Clients**: Allows the app to register as an Email client, news reader, media player and makes the app visible in the Set Program Access and Computer Defaults UI. In most cases you should only need to enable and disable it. There is also a control to enable and disable the email client specifically if you want the other clients still enabled except for that client. 
+ +``` + +   + +``` + +**AppPaths**: If an application for example contoso.exe is registered with an apppath name of “myapp”, it allows you type “myapp” under the run menu and it will open contoso.exe. + +``` + + + + +   \[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE +   contosomail.exe +   \[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE +   +   false +   + + + + +``` + +**COM**: Allows an Application register Local COM servers. Mode can be Integration, Isolated or Off. When Isol. + +` ` + +**Other Settings**: + +In addition to Extensions, other subsystems can be enabled/disabled and edited: + +**Virtual Kernel Objects**: + +` ` + +**Virtual Registry**: Used if you want to set a registry in the Virtual Registry within HKCU + +``` + + + + +   +   +   + +   +``` + +**Virtual File System** + +`       ` + +**Virtual Fonts** + +`       ` + +**Virtual Environment Variables** + +``` + + +         +         +         +        +         +          +          +``` + +**Virtual services** + +`       ` + +**UserScripts** – Scripts can be used to setup or alter the virtual environment as well as execute scripts at time of deployment or removal, before an application executes, or they can be used to “clean up” the environment after the application terminates. Please reference a sample User configuration file that is output by the sequencer to see a sample script. The Scripts section below provides more information on the various triggers that can be used. + +### Dynamic Deployment Configuration file + +**Header** - The header of a Deployment Configuration file is as follows: + +``` + +``` + +The **PackageId** is the same value as exists in the manifest file. + +**Body** - The body of the deployment configuration file includes two sections: + +- User Configuration section –allows the same content as the User Configuration file described in the previous section. 
When the package is published to a user, any appextensions configuration settings in this section will override corresponding settings in the Manifest within the package unless a user configuration file is also provided. If a UserConfig file is also provided, it will be used instead of the User settings in the deployment configuration file. If the package is published globally, then only the contents of the deployment configuration file will be used in combination with the manifest. + +- Machine Configuration section–contains information that can be configured only for an entire machine, not for a specific user on the machine. For example, HKEY\_LOCAL\_MACHINE registry keys in the VFS. + +``` + + +  .. + + +.. + +.. +
    + +``` + +**User Configuration** - use the previous **Dynamic User Configuration file** section for information on settings that are provided in the user configuration section of the Deployment Configuration file. + +Machine Configuration - the Machine configuration section of the Deployment Configuration File is used to configure information that can be set only for an entire machine, not for a specific user on the computer. For example, HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. There are four subsections allowed in under this element + +1. **Subsystems** - AppExtensions and other subsystems are arranged as subnodes under : + +``` + +   +   .. +   + .. + +``` + +The following section displays the various subsystems and usage samples. + +**Extensions**: + +Some subsystems (Extension Subsystems) control Extensions which can only apply to all users. The subsystem is application capabilities. Because this can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The same rules for controls and settings that apply to the Extensions in the User Configuration also apply to those in the MachineConfiguration section. + +**Application Capabilities**: Used by default programs in windows operating system Interface. Allows an application to register itself as capable of opening certain file extensions, as a contender for the start menu internet browser slot, as capable of opening certain windows MIME types.  
This extension also makes the virtual application visible in the Set Default Programs UI.: + +``` + +   +     +      +      \[{PackageRoot}\]\\LitView\\LitViewBrowser.exe +       +       LitView Browser +       SOFTWARE\\LitView\\Browser\\Capabilities +       +     +      +      @\[{ProgramFilesX86}\]\\LitView\\LitViewBrowser.exe,-12345 +      @\[{ProgramFilesX86}\]\\LitView\\LitViewBrowser.exe,-12346 +      0 +      Lit View E-Mail Client +       +        +        +        +       +       +        +        +       +      +        +       +       +    +     +   + + +``` + +**Other Settings**: + +In addition to Extensions, other subsystems can be edited: + +**Machine Wide Virtual Registry**: Used when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine + +``` + + +   +      +     +   +   + + +``` + +**Machine Wide Virtual Kernel Objects** + +``` + + +     +   + +``` + +**ProductSourceURLOptOut**: Indicates whether the URL for the package can be modified globally through PackageSourceRoot (to support branch office scenarios). Default is false and the setting change takes effect on the next launch. + +``` + +   ..  +    +   .. + +``` + +**MachineScripts** – Package can be configured to execute scripts at time of deployment, publishing or removal. Please reference a sample deployment configuration file that is generated by the sequencer to see a sample script. The Scripts section below provides more information on the various triggers that can be used + +**TerminateChildProcess**:- An application executable can be specified, whose child processes will be terminated when the application exe process is terminated. + +``` + +   ..    +    +      +      +      +    +   .. + +``` + +### Scripts + +The following table describes the various script events and the context under which they can be run. 
+ + ++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Script Execution TimeCan be specified in Deployment ConfigurationCan be specified in User ConfigurationCan run in the Virtual Environment of the packageCan be run in the context of a specific applicationRuns in system/user context: (Deployment Configuration, User Configuration)

    AddPackage

    X

    (SYSTEM, N/A)

    PublishPackage

    X

    X

    (SYSTEM, User)

    UnpublishPackage

    X

    X

    (SYSTEM, User)

    RemovePackage

    X

    (SYSTEM, N/A)

    StartProcess

    X

    X

    X

    X

    (User, User)

    ExitProcess

    X

    X

    X

    (User, User)

    StartVirtualEnvironment

    X

    X

    X

    (User, User)

    TerminateVirtualEnvironment

    X

    X

    (User, User)

    + +  + +### Using multiple scripts on a single event trigger + +App-V supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you convert from App-V 4.6 to App-V for Windows 10. To enable the use of multiple scripts, App-V uses a script launcher application, named ScriptRunner.exe, which is installed as part of the App-V client installation. + +**How to use multiple scripts on a single event trigger:** + +For each script that you want to run, pass that script as an argument to the ScriptRunner.exe application. The application then runs each script separately, along with the arguments that you specify for each script. Use only one script (ScriptRunner.exe) per trigger. + +**Note**   +We recommended that you run the multi-script line from a command prompt first to make sure that all arguments are built correctly before adding them to the deployment configuration file. + +  + +**Example script and parameter descriptions** + +Using the following example file and table, modify the deployment or user configuration file to add the scripts that you want to run. + +``` syntax + + + ScriptRunner.exe + + -appvscript script1.exe arg1 arg2 –appvscriptrunnerparameters –wait –timeout=10 + -appvscript script2.vbs arg1 arg2 + -appvscript script3.bat arg1 arg2 –appvscriptrunnerparameters –wait –timeout=30 –rollbackonerror + + + + +``` + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    Parameter in the example fileDescription

    Name of the event trigger for which you are running a script, such as adding a package or publishing a package.

    ScriptRunner.exe

    The script launcher application that is installed as part of the App-V client installation.

    +
    +Note   +

    Although ScriptRunner.exe is installed as part of the App-V client, the location of the App-V client must be in %path% or ScriptRunner will not run. ScriptRunner.exe is typically located in the C:\Program Files\Microsoft Application Virtualization\Client folder.

    +
    +
    +  +
    
    +-appvscript script1.exe arg1 arg2 –appvscriptrunnerparameters –wait –timeout=10
    +
    +-appvscript script2.vbs arg1 arg2
    +
    +-appvscript script3.bat arg1 arg2 –appvscriptrunnerparameters –wait –timeout=30 -rollbackonerror
    +

    -appvscript - Token that represents the actual script that you want to run.

    +

    script1.exe – Name of the script that you want to run.

    +

    arg1 arg2 – Arguments for the script that you want to run.

    +

    -appvscriptrunnerparameters – Token that represents the execution options for script1.exe

    +

    -wait – Token that informs ScriptRunner to wait for execution of script1.exe to complete before proceeding to the next script.

    +

    -timeout=x – Token that informs ScriptRunner to stop running the current script after x number of seconds. All other specified scripts will still run.

    +

    -rollbackonerror – Token that informs ScriptRunner to stop running all scripts that haven't yet run and to roll back an error to the App-V client.

    Waits for overall completion of ScriptRunner.exe.

    +

    Set the timeout value for the overall runner to be greater than or equal to the sum of the timeout values on the individual scripts.

    +

    If any individual script reported an error and rollbackonerror was set to true, then ScriptRunner would report the error to App-V client.

    + +  + +ScriptRunner will run any script whose file type is associated with an application installed on the computer. If the associated application is missing, or the script’s file type is not associated with any application on the computer, the script will not run. + +### Create a Dynamic Configuration file using an App-V Manifest file + +You can create the Dynamic Configuration file using one of three methods: either manually, using the App-V Management Console or sequencing a package, which will be generated with 2 sample files. + +For more information about how to create the file using the App-V Management Console see, [How to Create a Custom Configuration File by Using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md). + +To create the file manually, the information above in previous sections can be combined into a single file. We recommend you use files generated by the sequencer. + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + +[How to Apply the Deployment Configuration File by Using PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md) + +[How to Apply the User Configuration File by Using PowerShell](appv-apply-the-user-configuration-file-with-powershell.md) + +[Operations for App-V](appv-operations.md) diff --git a/windows/manage/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/manage/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md new file mode 100644 index 0000000000..bf8851078f --- /dev/null +++ b/windows/manage/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md 
@@ -0,0 +1,36 @@
+---
+title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10)
+description: How to Enable Only Administrators to Publish Packages by Using an ESD
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# How to Enable Only Administrators to Publish Packages by Using an ESD
+
+
+Starting in App-V 5.0 SP3, you can configure the App-V client so that only administrators (not end users) can publish or unpublish packages. In earlier versions of App-V, you could not prevent end users from performing these tasks.
+
+**To enable only administrators to publish or unpublish packages**
+
+1. Navigate to the following Group Policy Object node:
+
+ **Computer Configuration > Policies > Administrative Templates > System > App-V > Publishing**.
+
+2. Enable the **Require publish as administrator** Group Policy setting.
+
+ To alternatively use PowerShell to set this item, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs).
+
+ **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/manage/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/manage/appv-enable-reporting-on-the-appv-client-with-powershell.md
new file mode 100644
index 0000000000..7451d59112
--- /dev/null
+++ b/windows/manage/appv-enable-reporting-on-the-appv-client-with-powershell.md
@@ -0,0 +1,87 @@ +--- +title: How to Enable Reporting on the App-V Client by Using PowerShell (Windows 10) +description: How to Enable Reporting on the App-V Client by Using PowerShell +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Enable Reporting on the App-V Client by Using PowerShell + + +Use the following procedure to configure the App-V for reporting. + +**To configure the computer running the App-V client for reporting** + +1. Enable the App-V client. For more information, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). + +2. After you have enabled the App-V client, use the **Set-AppvClientConfiguration** PowerShell to configure appropriate Reporting Configuration settings: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    SettingDescription

    ReportingEnabled

    Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.

    ReportingServerURL

    Specifies the location on the reporting server where client information is saved. For example, http://<reportingservername>:<reportingportnumber>.

    +
    + Note   +

    This is the port number that was assigned during the Reporting Server setup

    +
    +
    +   +

    Reporting Start Time

    This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.

    ReportingRandomDelay

    Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.

    ReportingInterval

    Specifies the retry interval that the client will use to resend data to the reporting server.

    ReportingDataCacheLimit

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    ReportingDataBlockSize

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    + +   + +3. After the appropriate settings have been configured, the computer running the App-V client will automatically collect data and will send the data back to the reporting server. + + Additionally, administrators can manually send the data back in an on-demand manner using the **Send-AppvClientReport** PowerShell cmdlet. + + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Administering App-V by Using PowerShell](appv-administering-appv-with-powershell.md) diff --git a/windows/manage/appv-enable-the-app-v-desktop-client.md b/windows/manage/appv-enable-the-app-v-desktop-client.md new file mode 100644 index 0000000000..fe8bc4ffdc --- /dev/null +++ b/windows/manage/appv-enable-the-app-v-desktop-client.md 
@@ -0,0 +1,41 @@
+---
+title: Enable the App-V desktop client (Windows 10)
+description: Enable the App-V desktop client
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# Enable the App-V desktop client
+
+The App-V client is the component that runs virtualized applications on user devices. The client enables users to interact with icons and file names to start virtualized applications. The client can also get virtual application content from the management server.
+
+With Windows 10, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell.
+
+**To enable the App-V client with Group Policy:**
+
+1. Open the device’s **Local Group Policy Editor**.
+
+2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **App-V**.
+
+3. Run **Enables App-V Client** and then select **Enabled** on the screen that appears.
+
+4. Restart the device.
+
+**To enable the App-V client with Windows PowerShell:**
+
+1. Open Windows PowerShell.
+
+2. Type `Enable-Appv` and press Enter.
+
+3. Restart the device.
+
+4. To verify that the App-V client is enabled on the device, enter **AppvClientEnabled** or **Get-AppvStatus** in Windows PowerShell.
+
+See [Using the client management console](appv-using-the-client-management-console.md) for information about configuring the App-V client.
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
diff --git a/windows/manage/appv-evaluating-appv.md b/windows/manage/appv-evaluating-appv.md
new file mode 100644
index 0000000000..20d2eba290
--- /dev/null
+++ b/windows/manage/appv-evaluating-appv.md
@@ -0,0 +1,51 @@
+---
+title: Evaluating App-V (Windows 10)
+description: Evaluating App-V
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Evaluating App-V
+
+
+Before you deploy pp-V into a production environment, you should evaluate it in a lab environment. You can use the information in this topic to set up App-V in a lab environment for evaluation purposes only.
+
+## Configure lab computers for App-V Evaluation
+
+Use the following link for information about setting up the App-V sequencer on a computer in your lab environment.
+
+### Installing the App-V Sequencer and Creating Packages
+
+Use the following links for information about setting up the App-V sequencer and creating packages in your lab environment.
+
+- [How to Install the Sequencer](appv-install-the-sequencer.md)
+
+- [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md)
+
+### Configuring the App-V Server
+
+Use the following links for information about setting up the App-V server in your lab environment.
+
+- [How to Deploy the App-V Server](appv-deploy-the-appv-server.md)
+
+- [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md)
+
+### Installing the App-V Client
+
+Use the following link for more information about creating and managing virtualized packages in your lab environment.
+
+- [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
+
+- [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+- [Getting Started with App-V](appv-getting-started.md)
diff --git a/windows/manage/appv-for-windows.md b/windows/manage/appv-for-windows.md
new file mode 100644
index 0000000000..d127094cb6
--- /dev/null
+++ b/windows/manage/appv-for-windows.md
@@ -0,0 +1,62 @@
+---
+title: Application Virtualization (App-V) (Windows 10)
+description: Application Virtualization (App-V)
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Application Virtualization (App-V) for Windows 10 overview
+
+
+The topics in this section provides information and step-by-step procedures to help you administer App-V and its components. This information will be valuable for system administrators who manage large installations with many servers and clients and for support personnel who interact directly with the computers or the end users.
+
+[Getting Started with App-V](appv-getting-started.md)
+
+- [About App-V](appv-about-appv.md)
+- [Evaluating App-V](appv-evaluating-appv.md)
+- [High Level Architecture for App-V](appv-high-level-architecture.md)
+- [Accessibility for App-V](appv-accessibility.md)
+
+[Planning for App-V](appv-planning-for-appv.md)
+
+- [Preparing Your Environment for App-V](appv-preparing-your-environment.md)
+- [App-V Prerequisites](appv-prerequisites.md)
+- [Planning to Deploy App-V](appv-planning-to-deploy-appv.md)
+- [App-V Supported Configurations](appv-supported-configurations.md)
+- [App-V Planning Checklist](appv-planning-checklist.md)
+
+[Deploying App-V](appv-deploying-appv.md)
+
+- [Deploying the App-V Sequencer and Client](appv-deploying-the-appv-sequencer-and-client.md)
+- [Deploying the App-V Server](appv-deploying-the-appv-server.md)
+- [App-V Deployment Checklist](appv-deployment-checklist.md)
+- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
+- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
+
+[Operations for App-V](appv-operations.md)
+
+- [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md)
+- [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md)
+- [Managing Connection Groups](appv-managing-connection-groups.md)
+- [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md)
+- [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
+- [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md)
+- [Maintaining App-V](appv-maintaining-appv.md)
+- [Administering App-V by Using PowerShell](appv-administering-appv-with-powershell.md)
+
+[Troubleshooting App-V](appv-troubleshooting.md)
+
+[Technical Reference for App-V](appv-technical-reference.md)
+
+- [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
+- [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
+- [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
+- [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md)
+
+### Have a suggestion for App-V?
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
diff --git a/windows/manage/appv-getting-started.md b/windows/manage/appv-getting-started.md
new file mode 100644
index 0000000000..2e33f78295
--- /dev/null
+++ b/windows/manage/appv-getting-started.md
@@ -0,0 +1,78 @@
+---
+title: Getting Started with App-V (Windows 10)
+description: Getting Started with App-V
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Getting Started with App-V
+
+Microsoft Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally.
+
+With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise). If you are new to Windows 10 and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. For information about what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md).
+
+If you’re already using App-V, performing an in-place upgrade to Windows 10 on user devices automatically installs the App-V client and migrates users’ App-V applications and settings. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md).
+
+>**Important**
+You can upgrade your existing App-V installation to App-V for Windows from App-V versions 5.0 SP2 and higher only. If you are using an earlier version of App-V, you’ll need to upgrade from that version to App-V 5.0 SP2 before you upgrade.
+ +For information about previous versions of App-V, see [MDOP Information Experience](https://technet.microsoft.com/itpro/mdop/index). + +## Getting started with App-V for Windows 10 (new installations) + +To start using App-V to deliver virtual applications to users, you’ll need to download, enable, and install server- and client-side components. The following table provides information about the App-V for Windows 10 components and where to find them. + + + +| Component | What it does | Where to find it | +|------------|--|------| +| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For information about the server components, see [Deploying the App-V Server](#_Deploying_the_App-V). | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/en-us/subscriptions/downloads/default.aspx#FileId=65215).
    You must have a MSDN subscription to download the MDOP ISO package.
    See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components. | +| App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices. The client enables users to interact with icons and file names to start virtualized applications. | The App-V client is automatically installed with Windows 10.
    For information about enabling the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | +| App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must be running the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows 10, version 1607](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit). | + +For more information about these elements, see [High Level Architecture for App-V](appv-high-level-architecture.md). + +If you are new to this product, we recommend that you read the documentation thoroughly. Before you deploy it to a production environment, we also recommend that you validate your deployment plan in a test network environment. You might also consider taking a class about relevant technologies. For information about Microsoft training opportunities, see the [Microsoft Training Overview](https://www.microsoft.com/en-us/learning/default.aspx). + +## Getting started with App-V + + +- [About App-V](appv-about-appv.md) + + Provides a high-level overview of App-V and how it can be used in your organization. + +- [Evaluating App-V](appv-evaluating-appv.md) + + Provides information about how you can best evaluate App-V for use in your organization. + +- [High Level Architecture for App-V](appv-high-level-architecture.md) + + Provides a description of the App-V features and how they work together. + +- [Accessibility for App-V](appv-accessibility.md) + + Provides information about features and services that make this product and its corresponding documentation more accessible for people with disabilities. 
+ +## Other resources for this product + + +- [Application Virtualization (App-V) overview](appv-for-windows.md) + +- [Planning for App-V](appv-planning-for-appv.md) + +- [Deploying App-V](appv-deploying-appv.md) + +- [Operations for App-V](appv-operations.md) + +- [Troubleshooting App-V](appv-troubleshooting.md) + +- [Technical Reference for App-V](appv-technical-reference.md) + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + diff --git a/windows/manage/appv-high-level-architecture.md b/windows/manage/appv-high-level-architecture.md new file mode 100644 index 0000000000..396b92d811 --- /dev/null +++ b/windows/manage/appv-high-level-architecture.md @@ -0,0 +1,82 @@ +--- +title: High Level Architecture for App-V (Windows 10) +description: High Level Architecture for App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# High Level Architecture for App-V + + +Use the following information to help you simplify you Microsoft Application Virtualization (App-V) deployment. + +## Architecture Overview + + +A typical App-V implementation consists of the following elements. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    ElementMore information

    App-V Management Server

    The App-V Management server provides overall management functionality for the App-V infrastructure. Additionally, you can install more than one instance of the management server in your environment which provides the following benefits:

    +
      +
    • Fault Tolerance and High Availability – Installing and configuring the App-V Management server on two separate computers can help in situations when one of the servers is unavailable or offline.

      +

      You can also help increase App-V availability by installing the Management server on multiple computers. In this scenario, a network load balancer should also be considered so that server requests are balanced.

    • +
    • Scalability – You can add additional management servers as necessary to support a high load, for example you can install multiple servers behind a load balancer.

    • +

    App-V Publishing Server

    The App-V publishing server provides functionality for virtual application hosting and streaming. The publishing server does not require a database connection and supports the following protocols:

    +
      +
    • HTTP, and HTTPS

    • +
    +

    You can also help increase App-V availability by installing the Publishing server on multiple computers. A network load balancer should also be considered so that server requests are balanced.

    App-V Reporting Server

    The App-V Reporting server enables authorized users to run and view existing App-V reports and ad hoc reports that can help them manage the App-V infrastructure. The Reporting server requires a connection to the App-V reporting database. You can also help increase App-V availability by installing the Reporting server on multiple computers. A network load balancer should also be considered so that server requests are balanced.

    App-V Client

    The App-V client enables packages created using App-V to run on target computers.

    + + +**Note**   +If you are using App-V with Electronic Software Distribution (ESD) you are not required to use the App-V Management server. However, you can still utilize the reporting and streaming functionality of App-V. + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Getting Started with App-V](appv-getting-started.md) + +  + +  + + + + + diff --git a/windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md b/windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md new file mode 100644 index 0000000000..fb6da496d4 --- /dev/null +++ b/windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md 
@@ -0,0 +1,29 @@
+---
+title: How to Install the App-V Client for Shared Content Store Mode (Windows 10)
+description: How to Install the App-V Client for Shared Content Store Mode
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# How to Install the App-V Client for Shared Content Store Mode
+
+
+Use the following procedure to install the Microsoft Application Virtualization (App-V) client so that it uses the App-V Shared Content Store (SCS) mode. You should ensure that all required prerequisites are installed on the computer you plan to install to. Use the following link to see [App-V Prerequisites](appv-prerequisites.md).
+
+**Enable the App-V client for SCS mode**
+
+1. In the Group Policy Management Console, navigate to **Computer Configuration** > **Administrative Templates** > **System** > **App-V** > **Streaming**.
+
+2. Enable the **Set the Shared Content Mode (SCS) mode** setting.
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+- [Deploying the App-V Sequencer and Client](appv-deploying-the-appv-sequencer-and-client.md)
diff --git a/windows/manage/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/manage/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
new file mode 100644
index 0000000000..7bb1ffa822
--- /dev/null
+++ b/windows/manage/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
@@ -0,0 +1,390 @@ +--- +title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell (Windows 10) +description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell + + +Use the following PowerShell procedure to convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by Microsoft SQL Server when running SQL scripts. + +Before attempting this procedure, you should read and understand the information and examples displayed in the following list: + +- **.INPUTS** – The account or accounts used to convert to SID format. This can be a single account name or an array of account names. + +- **.OUTPUTS** - A list of account names with the corresponding SID in standard and hexadecimal formats. + +- **Examples** - + + **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List**. + + **$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")** + + **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200** + + \#> + +**To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)** + +1. Copy the following script into a text editor and save it as a PowerShell script file, for example **ConvertToSIDs.ps1**. + +2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. 
+ + ``` syntax + <# + ``` + + ``` syntax + .SYNOPSIS + ``` + + ``` syntax + This PowerShell script will take an array of account names and try to convert each of them to the corresponding SID in standard and hexadecimal formats. + ``` + + ``` syntax + .DESCRIPTION + ``` + + ``` syntax + This is a PowerShell script that converts any number of Active Directory (AD) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by SQL server when running SQL scripts. + ``` + + ``` syntax + .INPUTS + ``` + + ``` syntax + The account(s) to convert to SID format. This can be a single account name or an array of account names. Please see examples below. + ``` + + ``` syntax + .OUTPUTS + ``` + + ``` syntax + A list of account names with the corresponding SID in standard and hexadecimal formats + ``` + + ``` syntax + .EXAMPLE + ``` + + ``` syntax + .\ConvertToSID.ps1 DOMAIN\user_account1 DOMAIN\machine_account1$ DOMAIN\user_account2 | Format-List + ``` + + ``` syntax + .EXAMPLE + ``` + + ``` syntax + $accountsArray = @("DOMAIN\user_account1", "DOMAIN\machine_account1$", "DOMAIN_user_account2") + ``` + + ``` syntax + .\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\SIDs.txt -Width 200 + ``` + + ``` syntax +#> + ``` + + ``` syntax + ``` + + []() + + []() + + ``` syntax + function ConvertSIDToHexFormat + ``` + + { + +    param(\[System.Security.Principal.SecurityIdentifier\]$sidToConvert) + + ``` syntax + ``` + + ``` syntax +    $sb = New-Object System.Text.StringBuilder + ``` + + ``` syntax +     [int] $binLength = $sidToConvert.BinaryLength + ``` + + ``` syntax +     [Byte[]] $byteArray = New-Object Byte[] $binLength + ``` + + ``` syntax +    $sidToConvert.GetBinaryForm($byteArray, 0) + ``` + + ``` syntax +    foreach($byte in $byteArray) + ``` + + ``` syntax +    { + ``` + + ``` syntax +    $sb.Append($byte.ToString("X2")) |Out-Null + ``` + + ``` syntax +    } + ``` + + ``` syntax +    return 
$sb.ToString() + ``` + + ``` syntax + } + ``` + + ``` syntax + [string[]]$myArgs = $args + ``` + + ``` syntax + if(($myArgs.Length -lt 1) -or ($myArgs[0].CompareTo("/?") -eq 0)) + ``` + + { + + ``` syntax + [string]::Format("{0}====== Description ======{0}{0}" + + ``` + + ``` syntax + "  Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" + + ``` + + ``` syntax +                "  Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" + + ``` + + ``` syntax +                "  The output is written to the console in the format 'Account name    SID as string   SID as hexadecimal'{0}" + + ``` + + ``` syntax +                "  And can be written out to a file using standard PowerShell redirection{0}" + + ``` + + ``` syntax +                "  Please specify user accounts in the format 'DOMAIN\username'{0}" + + ``` + + ``` syntax +                "  Please specify machine accounts in the format 'DOMAIN\machinename$'{0}" + + ``` + + ``` syntax +                "  For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" + + ``` + + ``` syntax +                "{0}====== Arguments ======{0}" + + ``` + + ``` syntax +                "{0}  /?    
Show this help message", [Environment]::NewLine) + ``` + + ``` syntax + { + ``` + + ``` syntax + else + ``` + + ``` syntax + {  +     #If an array was passed in, try to split it + ``` + + ``` syntax +     if($myArgs.Length -eq 1) + ``` + + ``` syntax +     { + ``` + + ``` syntax +         $myArgs = $myArgs.Split(' ') + ``` + + ``` syntax +     } + ``` + + ``` syntax + +     #Parse the arguments for account names + ``` + + ``` syntax +     foreach($accountName in $myArgs) + ``` + + ``` syntax +     {    + ``` + + ``` syntax +         [string[]] $splitString = $accountName.Split('\')  # We're looking for the format "DOMAIN\Account" so anything that does not match, we reject + ``` + + ``` syntax +         if($splitString.Length -ne 2) + ``` + + ``` syntax +         { + ``` + + ``` syntax +             $message = [string]::Format("{0} is not a valid account name. Expected format 'Domain\username' for user accounts or 'DOMAIN\machinename$' for machine accounts.", $accountName) + ``` + + ``` syntax +             Write-Error -Message $message + ``` + + ``` syntax +             continue + ``` + + ``` syntax +         } + ``` + + ``` syntax +         + ``` + + ``` syntax +         #Convert any account names to SIDs + ``` + + ``` syntax +         try + ``` + + ``` syntax +         { + ``` + + ``` syntax +             [System.Security.Principal.NTAccount] $account = New-Object System.Security.Principal.NTAccount($splitString[0], $splitString[1]) + ``` + + ``` syntax +             [System.Security.Principal.SecurityIdentifier] $SID = [System.Security.Principal.SecurityIdentifier]($account.Translate([System.Security.Principal.SecurityIdentifier])) + ``` + + ``` syntax +         } + ``` + + ``` syntax +         catch [System.Security.Principal.IdentityNotMappedException] + ``` + + ``` syntax +         { + ``` + + ``` syntax +             $message = [string]::Format("Failed to translate account object '{0}' to a SID. 
Please verify that this is a valid user or machine account.", $account.ToString()) + ``` + + ``` syntax +             Write-Error -Message $message + ``` + + ``` syntax +             continue + ``` + + ``` syntax +         } + ``` + + ``` syntax + +         #Convert regular SID to binary format used by SQL + ``` + + ``` syntax +         $hexSIDString = ConvertSIDToHexFormat $SID + ``` + + ``` syntax +         +         $SIDs = New-Object PSObject + ``` + + ``` syntax +         $SIDs | Add-Member NoteProperty Account $accountName + ``` + + ``` syntax +         $SIDs | Add-Member NoteProperty SID $SID.ToString() + ``` + + ``` syntax +         $SIDs | Add-Member NoteProperty Hexadecimal $hexSIDString + ``` + + ``` syntax + +         Write-Output $SIDs + ``` + + ``` syntax +     } + ``` + + ``` syntax + } + ``` + +3. Run the script you saved in step one of this procedure passing the accounts to convert as arguments. + + For example, + + **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List” or “$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")** + + **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200”** + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Administering App-V by Using PowerShell](appv-administering-appv-with-powershell.md) + +  + +  + + + + + diff --git a/windows/manage/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/manage/appv-install-the-management-and-reporting-databases-on-separate-computers.md new file mode 100644 index 0000000000..f9978a7b46 --- /dev/null 
+++ b/windows/manage/appv-install-the-management-and-reporting-databases-on-separate-computers.md 
@@ -0,0 +1,117 @@ +--- +title: How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services (Windows 10) +description: How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services + + +Use the following procedure to install the database server and management server on different computers. The computer you plan to install the database server on must be running a supported version of Microsoft SQL or the installation will fail. + +**Note**   +After you complete the deployment, the **Microsoft SQL Server name**, **instance name** and **database name** will be required by the administrator installing the service to be able to connect to these databases. + +  + +**To install the management database and the management server on separate computers** + +1. Copy the App-V server installation files to the computer on which you want to install it on. To start the App-V server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. + +2. On the **Getting Started** page, review and accept the license terms, and click **Next**. + +3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**. + +4. On the **Feature Selection** page, select the components you want to install by selecting the **Management Server Database** checkbox and click **Next**. + +5. On the **Installation Location** page, accept the default location and click **Next**. + +6. 
On the initial **Create New Management Server Database page**, accept the default selections if appropriate, and click **Next**. + + If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance. + + If you are using a custom database name, then select **Custom configuration** and type the database name. + +7. On the next **Create New Management Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**. + + **Note**   + If you plan to deploy the management server on the same computer you must select **Use this local computer**. + +   + + Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**. + +8. To start the installation, click **Install**. + +**To install the reporting database and the reporting server on separate computers** + +1. Copy the App-V server installation files to the computer on which you want to install it on. To start the App-V server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. + +2. On the **Getting Started** page, review and accept the license terms, and click **Next**. + +3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**. + +4. On the **Feature Selection** page, select the components you want to install by selecting the **Reporting Server Database** checkbox and click **Next**. + +5. On the **Installation Location** page, accept the default location and click **Next**. + +6. On the initial **Create New Reporting Server Database** page, accept the default selections if appropriate, and click **Next**. 
+ + If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance. + + If you are using a custom database name, then select **Custom configuration** and type the database name. + +7. On the next **Create New Reporting Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**. + + **Note**   + If you plan to deploy the reporting server on the same computer you must select **Use this local computer**. + +   + + Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**. + +8. To start the installation, click **Install**. + +**To install the management and reporting databases using App-V database scripts** + +1. Copy the App-V server installation files to the computer on which you want to install it on. + +2. To extract the App-V database scripts, open a command prompt and specify the location where the installation files are saved and run the following command: + + **appv\_server\_setup.exe** **/LAYOUT** **/LAYOUTDIR=”InstallationExtractionLocation”**. + +3. After the extraction has been completed, to access the App-V database scripts and instructions readme file: + + - The App-V Management Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**. + + - The App-V Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**. + +4. For each database, copy the scripts to a share and modify them following the instructions in the readme file. 
+ + **Note**   + For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md). + +   + +5. Run the scripts on the computer running Microsoft SQL Server. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Deploying App-V](appv-deploying-appv.md) + +  + +  + + + + + diff --git a/windows/manage/appv-install-the-management-server-on-a-standalone-computer.md b/windows/manage/appv-install-the-management-server-on-a-standalone-computer.md new file mode 100644 index 0000000000..de8e7c0416 --- /dev/null +++ b/windows/manage/appv-install-the-management-server-on-a-standalone-computer.md 
@@ -0,0 +1,62 @@ +--- +title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10) +description: How to install the Management Server on a Standalone Computer and Connect it to the Database +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to install the Management Server on a Standalone Computer and Connect it to the Database + + +Use the following procedure to install the management server on a standalone computer and connect it to the database. + +**To install the management server on a standalone computer and connect it to the database** + +1. Copy the App-V server installation files to the computer on which you want to install it on. To start the App-V server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. + +2. On the **Getting Started** page, review and accept the license terms, and click **Next**. + +3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**. + +4. On the **Feature Selection** page, select the **Management Server** checkbox and click **Next**. + +5. On the **Installation Location** page, accept the default location and click **Next**. + +6. On the **Configure Existing Management Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL SQL, for example **SqlServerMachine**. + + **Note**   + If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. + +   + + For the SQL Server Instance, select **Use the default instance**. 
If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. + + Specify the **SQL Server Database name** that this management server will use, for example **AppvManagement**. + +7. On the **Configure Management Server Configuration** page, specify the AD group or account that will connect to the management console for administrative purposes for example **MyDomain\\MyUser** or **MyDomain\\AdminGroup**. The account or AD group you specify will be enabled to manage the server through the management console. You can add additional users or groups using the management console after installation + + Specify the **Website Name** that you want to use for the management service. Accept the default if you do not have a custom name. For the **Port Binding**, specify a unique port number to be used, for example **12345**. + +8. Click **Install**. + +9. To confirm that the setup has completed successfully, open a web browser, and type the following URL: http://managementserver:portnumber/Console. If the installation was successful, you should see the **Management Console** appear without any error messages or warnings being displayed. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Deploying App-V](appv-deploying-appv.md) + +  + +  + + + + + diff --git a/windows/manage/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/manage/appv-install-the-publishing-server-on-a-remote-computer.md new file mode 100644 index 0000000000..f9f66a2120 --- /dev/null +++ b/windows/manage/appv-install-the-publishing-server-on-a-remote-computer.md 
@@ -0,0 +1,79 @@ +--- +title: How to Install the Publishing Server on a Remote Computer (Windows 10) +description: How to Install the Publishing Server on a Remote Computer +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Install the Publishing Server on a Remote Computer + + +Use the following procedure to install the publishing server on a separate computer. Before you perform the following procedure, ensure the database and management server are available. + +**To install the publishing server on a separate computer** + +1. Copy the App-V server installation files to the computer on which you want to install it on. To start the App-V server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. + +2. On the **Getting Started** page, review and accept the license terms, and click **Next**. + +3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**. + +4. On the **Feature Selection** page, select the **Publishing Server** checkbox and click **Next**. + +5. On the **Installation Location** page, accept the default location and click **Next**. + +6. On the **Configure Publishing Server Configuration** page, specify the following items: + + - The URL for the management service that the publishing server will connect to. For example, **http://ManagementServerName:12345**. + + - Specify the website name that you want to use for the publishing service. Accept the default if you do not have a custom name. + + - For the **Port Binding**, specify a unique port number that will be used by App-V, for example **54321**. + +7. On the **Ready to Install** page, click **Install**. + +8. 
After the installation is complete, the publishing server must be registered with the management server. In the App-V management console, use the following steps to register the server: + + 1. Open the App-V management server console. + + 2. In the left pane, select **Servers**, and then select **Register New Server**. + + 3. Type the name of this server and a description (if required) and click **Add**. + +9. To verify if the publishing server is running correctly, you should import a package to the management server, entitle the package to an AD group, and publish the package. Using an internet browser, open the following URL: **http://publishingserver:pubport**. If the server is running correctly information similar to the following will be displayed: + + `` + + ` ` + + ` ` + + ` ` + + ` ` + + ` ` + + ` ` + + `` + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Deploying App-V](appv-deploying-appv.md) + +  + +  + + + + + diff --git a/windows/manage/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/manage/appv-install-the-reporting-server-on-a-standalone-computer.md new file mode 100644 index 0000000000..5fbc775cc8 --- /dev/null +++ b/windows/manage/appv-install-the-reporting-server-on-a-standalone-computer.md 
@@ -0,0 +1,71 @@ +--- +title: How to install the Reporting Server on a Standalone Computer and Connect it to the Database (Windows 10) +description: How to install the Reporting Server on a Standalone Computer and Connect it to the Database +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to install the Reporting Server on a Standalone Computer and Connect it to the Database + + +Use the following procedure to install the reporting server on a standalone computer and connect it to the database. + +**Important**   +Before performing the following procedure you should read and understand [About App-V Reporting](appv-reporting.md). + +  + +**To install the reporting server on a standalone computer and connect it to the database** + +1. Copy the App-V server installation files to the computer on which you want to install it on. To start the App-V server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. + +2. On the **Getting Started** page, review and accept the license terms, and click **Next**. + +3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**. + +4. On the **Feature Selection** page, select the **Reporting Server** checkbox and click **Next**. + +5. On the **Installation Location** page, accept the default location and click **Next**. + +6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**. + + **Note**   + If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. 
+ +   + + For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. + + Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**. + +7. On the **Configure Reporting Server Configuration** page. + + - Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name. + + - For the **Port binding**, specify a unique port number that will be used by App-V, for example **55555**. You should also ensure that the port specified is not being used by another website. + +8. Click **Install**. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[About App-V Reporting](appv-reporting.md) + +[Deploying App-V](appv-deploying-appv.md) + +[How to Enable Reporting on the App-V Client by Using PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md) + +  + +  + + + + + diff --git a/windows/manage/appv-install-the-sequencer.md b/windows/manage/appv-install-the-sequencer.md new file mode 100644 index 0000000000..19d09c9a09 --- /dev/null +++ b/windows/manage/appv-install-the-sequencer.md 
@@ -0,0 +1,58 @@ +--- +title: Install the App-V Sequencer (Windows 10) +description: Install the App-V Sequencer +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Install the App-V Sequencer + +Use the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. Those devices must be running the App-V client to allow users to interact with virtual applications. + +The App-V Sequencer is included in the Windows 10 Assessment and Deployment Kit (Windows ADK). + +> [!NOTE] +> The computer that will run the sequencer must not have the App-V client enabled on it. As a best practice, choose a computer with the same hardware and software configurations as the computers that will run the virtual applications. The sequencing process is resource intensive, so make sure that the computer that runs the Sequencer has plenty of memory, a fast processor, and a fast hard drive. + +To install the App-V Sequencer: + +1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). + +2. Click or press the **Get Windows ADK for Windows 10** button on the page to start the ADK installer. Make sure that **Microsoft Application Virtualization (App-V) Sequencer** is selected during the installation. + + ![Selecting APP-V features in ADK](images/app-v-in-adk.png) + +3. To open the Sequencer, from the **Start** menu, select **Microsoft Application Virtualization (App-V) Sequencer** . + +See [Creating and managing virtual applications](appv-creating-and-managing-virtualized-applications.md) and the [Application Virtualization Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx) for information about creating virtual applications with the Sequencer. 
+ +## Command-line options for installing the sequencer + +You can also use the command line to install the App-V sequencer. The following list displays information about options for installing the sequencer using the command line and **appv\_sequencer\_setup.exe**: + +| **Command** | **Description** | +|-------------------|------------------| +| /INSTALLDIR | Specifies the installation directory. | +| /Log | Specifies where the installation log will be saved, the default location is **%Temp%**. For example, **C:\\Logs\\ log.log**. | +| /q | Specifies a quiet or silent installation. | +| /Uninstall | Specifies the removal of the sequencer. | +| /ACCEPTEULA | Accepts the license agreement. This is required for an unattended installation. Example usage: **/ACCEPTEULA** or **/ACCEPTEULA=1**. | +| /LAYOUT | Specifies the associated layout action. It also extracts the Windows Installer (.msi) and script files to a folder without installing App-V. No value is expected. | +| /LAYOUTDIR | Specifies the layout directory. Requires a string value. Example usage:**/LAYOUTDIR=”C:\\Application Virtualization Client”**. | +| /? Or /h or /help | Displays associated help. | + +## To troubleshoot the App-V sequencer installation + +For more information regarding the sequencer installation, you can view the error log in the **%temp%** folder. To review the log files, click **Start**, type **%temp%**, and then look for the **appv\_ log**. + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + +- [Planning to Deploy App-V](appv-planning-to-deploy-appv.md) 
diff --git a/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md new file mode 100644 index 0000000000..110f5d08a1 --- /dev/null +++ b/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md @@ -0,0 +1,223 @@ +--- +title: How to Load the PowerShell Cmdlets and Get Cmdlet Help (Windows 10) +description: How to Load the PowerShell Cmdlets and Get Cmdlet Help +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Load the PowerShell Cmdlets and Get Cmdlet Help + + +What this topic covers: + +- [Requirements for using PowerShell cmdlets](#bkmk-reqs-using-posh) + +- [Loading the PowerShell cmdlets](#bkmk-load-cmdlets) + +- [Getting help for the PowerShell cmdlets](#bkmk-get-cmdlet-help) + +- [Displaying the help for a PowerShell cmdlet](#bkmk-display-help-cmdlet) + +## Requirements for using PowerShell cmdlets + + +Review the following requirements for using the App-V PowerShell cmdlets: + + ++++ + + + + + + + + + + + + + + + + + + + + +
    RequirementDetails

    Users can run App-V Server cmdlets only if you grant them access by using one of the following methods:

      +
    • When you are deploying and configuring the App-V Server:

      +

      Specify an Active Directory group or individual user that has permissions to manage the App-V environment. See [How to Deploy the App-V Server](appv-deploy-the-appv-server.md).

    • +
    • After you’ve deployed the App-V Server:

      +

      Use the App-V Management console to add an additional Active Directory group or user. See [How to Add or Remove an Administrator by Using the Management Console](appv-add-or-remove-an-administrator-with-the-management-console.md).

    • +

    Cmdlets that require an elevated command prompt

      +
    • Add-AppvClientPackage

    • +
    • Remove-AppvClientPackage

    • +
    • Set-AppvClientConfiguration

    • +
    • Add-AppvClientConnectionGroup

    • +
    • Remove-AppvClientConnectionGroup

    • +
    • Add-AppvPublishingServer

    • +
    • Remove-AppvPublishingServer

    • +
    • Send-AppvClientReport

    • +
    • Set-AppvClientMode

    • +
    • Set-AppvClientPackage

    • +
    • Set-AppvPublishingServer

    • +

    Cmdlets that end users can run, unless you configure them to require an elevated command prompt

      +
    • Publish-AppvClientPackage

    • +
    • Unpublish-AppvClientPackage

    • +
    +

    To configure these cmdlets to require an elevated command prompt, use one of the following methods:

    + ++++ + + + + + + + + + + + + + + + + +
    MethodMore resources

    Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.

      +
    • [How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md#bkmk-admin-only-posh-topic-cg)

    • +
    • [How to Manage App-V Packages Running on a Stand-Alone Computer by Using PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs)

    • +

    Enable the “Require publish as administrator” Group Policy setting for App-V Clients.

    [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md#bkmk-admin-pub-pkg-only-posh)

    +

     

    + +  + +## Loading the PowerShell cmdlets + + +To load the PowerShell cmdlet modules: + +1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). + +2. Type one of the following commands to load the cmdlets for the module you want: + + ++++ + + + + + + + + + + + + + + + + + + + + +
    App-V componentCommand to type

    App-V Server

    Import-Module AppvServer

    App-V Sequencer

    Import-Module AppvSequencer

    App-V Client

    Import-Module AppvClient

    + +  + +## Getting help for the PowerShell cmdlets + + +Starting in App-V 5.0 SP3, cmdlet help is available in two formats: + + ++++ + + + + + + + + + + + + + + + + +
    FormatDescription

    As a downloadable module

    To download the latest help after downloading the cmdlet module:

    +
      +
    1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).

    2. +
    3. Type one of the following commands to load the cmdlets for the module you want:

    4. +
    + ++++ + + + + + + + + + + + + + + + + + + + + +
    App-V componentCommand to type

    App-V Server

    Update-Help -Module AppvServer

    App-V Sequencer

    Update-Help -Module AppvSequencer

    App-V Client

    Update-Help -Module AppvClient

    +

     

    On TechNet as web pages

    See the App-V node under [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](http://technet.microsoft.com/library/dn520245.aspx).

    + +  + +## Displaying the help for a PowerShell cmdlet + + +To display help for a specific PowerShell cmdlet: + +1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). + +2. Type **Get-Help** <*cmdlet*>, for example, **Get-Help Publish-AppvClientPackage**. + +**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +  + +  + + + + + diff --git a/windows/manage/appv-maintaining-appv.md b/windows/manage/appv-maintaining-appv.md new file mode 100644 index 0000000000..6cf35b1731 --- /dev/null +++ b/windows/manage/appv-maintaining-appv.md 
@@ -0,0 +1,48 @@ +--- +title: Maintaining App-V (Windows 10) +description: Maintaining App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Maintaining App-V + + +After you have completed all the necessary planning, and then deployment of App-V, you can use the following information to maintain the App-V infrastructure. + +## Move the App-V Server + + +The App-V server connects to the App-V database. Therefore you can install the management component to any computer on the network and then connect it to the App-V database. + +[How to Move the App-V Server to Another Computer](appv-move-the-appv-server-to-another-computer.md) + +## Determine if an App-V Application is Running Virtualized + + +Independent software vendors (ISV) who want to determine if an application is running virtualized with App-V or above, should open a named object called **AppVVirtual-<PID>** in the default namespace. For example, Windows API **GetCurrentProcessId()** can be used to obtain the current process's ID, for example 4052, and then if a named Event object called **AppVVirtual-4052** can be successfully opened using **OpenEvent()** in the default namespace for read access, then the application is virtual. If the **OpenEvent()** call fails, the application is not virtual. + +Additionally, ISV’s who want to explicitly virtualize or not virtualize calls on specific API’s with App-V and above, can use the **VirtualizeCurrentThread()** and **CurrentThreadIsVirtualized()** functions implemented in the AppEntSubsystems32.dll module. These provide a way of hinting at a downstream component that the call should or should not be virtualized. + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). 
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Other resources for maintaining App-V + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/manage/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md new file mode 100644 index 0000000000..9386a9d9b2 --- /dev/null +++ b/windows/manage/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md 
@@ -0,0 +1,294 @@ +--- +title: How to Manage App-V Packages Running on a Stand-Alone Computer by Using PowerShell (Windows 10) +description: How to Manage App-V Packages Running on a Stand-Alone Computer by Using PowerShell +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Manage App-V Packages Running on a Stand-Alone Computer by Using PowerShell + + +The following sections explain how to perform various management tasks on a stand-alone client computer by using PowerShell: + +- [To return a list of packages](#bkmk-return-pkgs-standalone-posh) + +- [To add a package](#bkmk-add-pkgs-standalone-posh) + +- [To publish a package](#bkmk-pub-pkg-standalone-posh) + +- [To publish a package to a specific user](#bkmk-pub-pkg-a-user-standalone-posh) + +- [To add and publish a package](#bkmk-add-pub-pkg-standalone-posh) + +- [To unpublish an existing package](#bkmk-unpub-pkg-standalone-posh) + +- [To unpublish a package for a specific user](#bkmk-unpub-pkg-specfc-use) + +- [To remove an existing package](#bkmk-remove-pkg-standalone-posh) + +- [To enable only administrators to publish or unpublish packages](#bkmk-admins-pub-pkgs) + +- [Understanding pending packages (UserPending and GlobalPending)](#bkmk-understd-pend-pkgs) + +## To return a list of packages + + +Use the following information to return a list of packages that are entitled to a specific user: + +**Cmdlet**: Get-AppvClientPackage + +**Parameters**: -Name -Version -PackageID -VersionID + +**Example**: Get-AppvClientPackage –Name “ContosoApplication” -Version 2 + +## To add a package + + +Use the following information to add a package to a computer. + +**Important**   +This example only adds a package. It does not publish the package to the user or the computer. 
+ +  + +**Cmdlet**: Add-AppvClientPackage + +**Example**: $Contoso = Add-AppvClientPackage \\\\path\\to\\appv\\package.appv + +## To publish a package + + +Use the following information to publish a package that has been added to a specific user or globally to any user on the computer. + + ++++ + + + + + + + + + + + + + + + + +
    Publishing methodCmdlet and example

    Publishing to the user

    Cmdlet: Publish-AppvClientPackage

    +

    Example: Publish-AppvClientPackage “ContosoApplication”

    Publishing globally

    Cmdlet: Publish-AppvClientPackage

    +

    Example: Publish-AppvClientPackage “ContosoApplication” -Global

    + +  + +## To publish a package to a specific user + + +**Note**   +You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. + +  + +An administrator can publish a package to a specific user by specifying the optional **–UserSID** parameter with the **Publish-AppvClientPackage** cmdlet, where **-UserSID** represents the end user’s security identifier (SID). + +To use this parameter: + +- You can run this cmdlet from the user or administrator session. + +- You must be logged in with administrative credentials to use the parameter. + +- The end user must be logged in. + +- You must provide the end user’s security identifier (SID). + +**Cmdlet**: Publish-AppvClientPackage + +**Example**: Publish-AppvClientPackage “ContosoApplication” -UserSID S-1-2-34-56789012-3456789012-345678901-2345 + +## To add and publish a package + + +Use the following information to add a package to a computer and publish it to the user. + +**Cmdlet**: Add-AppvClientPackage + +**Example**: Add-AppvClientPackage \\\\path\\to\\appv\\package.appv | Publish-AppvClientPackage + +## To unpublish an existing package + + +Use the following information to unpublish a package which has been entitled to a user but not remove the package from the computer. + +**Cmdlet**: Unpublish-AppvClientPackage + +**Example**: Unpublish-AppvClientPackage “ContosoApplication” + +## To unpublish a package for a specific user + + +**Note**   +You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. + +  + +An administrator can unpublish a package for a specific user by using the optional **–UserSID** parameter with the **Unpublish-AppvClientPackage** cmdlet, where **-UserSID** represents the end user’s security identifier (SID). + +To use this parameter: + +- You can run this cmdlet from the user or administrator session. + +- You must be logged in with administrative credentials to use the parameter. + +- The end user must be logged in. 
+ +- You must provide the end user’s security identifier (SID). + +**Cmdlet**: Unpublish-AppvClientPackage + +**Example**: Unpublish-AppvClientPackage “ContosoApplication” -UserSID S-1-2-34-56789012-3456789012-345678901-2345 + +## To remove an existing package + + +Use the following information to remove a package from the computer. + +**Cmdlet**: Remove-AppvClientPackage + +**Example**: Remove-AppvClientPackage “ContosoApplication” + +**Note**   +App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [To add and publish a package](#bkmk-add-pub-pkg-standalone-posh). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](http://go.microsoft.com/fwlink/?LinkId=324466). + +  + +## To enable only administrators to publish or unpublish packages + + +**Note**   +**This feature is supported starting in App-V 5.0 SP3.** + +  + +Use the following cmdlet and parameter to enable only administrators (not end users) to publish or unpublish packages: + + ++++ + + + + + + + + + + +

    Cmdlet

    Set-AppvClientConfiguration

    Parameter

    -RequirePublishAsAdmin

    +

    Parameter values:

    +
      +
    • 0 - False

    • +
    • 1 - True

    • +
    +

    Example:: Set-AppvClientConfiguration –RequirePublishAsAdmin1

    + +  + +To use the App-V Management console to set this configuration, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md). + +## Understanding pending packages (UserPending and GlobalPending) + + +**Starting in App-V 5.0 SP2**: If you run a PowerShell cmdlet that affects a package that is currently in use, the task that you are trying to perform is placed in a pending state. For example, if you try to publish a package when an application in that package is being used, and then run **Get-AppvClientPackage**, the pending status appears in the cmdlet output as follows: + + ++++ + + + + + + + + + + + + + + + + +
    Cmdlet output itemDescription

    UserPending

    Indicates whether the listed package has a pending task that is being applied to the user:

    +
      +
    • True

    • +
    • False

    • +

    GlobalPending

    Indicates whether the listed package has a pending task that is being applied globally to the computer:

    +
      +
    • True

    • +
    • False

    • +
    + +  + +The pending task will run later, according to the following rules: + + ++++ + + + + + + + + + + + + + + + + +
    Task typeApplicable rule

    User-based task, e.g., publishing a package to a user

    The pending task will be performed after the user logs off and then logs back on.

    Globally based task, e.g., enabling a connection group globally

    The pending task will be performed when the computer is shut down and then restarted.

    + +  + +For more information about pending tasks, see [About App-V 5.0 SP2](https://technet.microsoft.com/en-us/itpro/mdop/appv-v5/about-app-v-50-sp2.md#bkmk-pkg-upgr-pendg-tasks). + +**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +[Administering App-V by Using PowerShell](appv-administering-appv-with-powershell.md) + +  + +  + + + + + diff --git a/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md new file mode 100644 index 0000000000..b54a3e959a --- /dev/null +++ b/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md 
@@ -0,0 +1,146 @@ +--- +title: How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell (Windows 10) +description: How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell + + +An App-V connection group allows you to run all the virtual applications as a defined set of packages in a single virtual environment. For example, you can virtualize an application and its plug-ins by using separate packages, but run them together in a single connection group. + +A connection group XML file defines the connection group that runs on the computer where you’ve installed the App-V client. For information about the connection group XML file and how to configure it, see [About the Connection Group File](appv-connection-group-file.md). + +This topic explains the following procedures: + +- [To add and publish the App-V packages in the connection group](#bkmk-add-pub-pkgs-in-cg) + +- [To add and enable the connection group on the App-V client](#bkmk-add-enable-cg-on-clt) + +- [To enable or disable a connection group for a specific user](#bkmk-enable-cg-for-user-poshtopic) + +- [To allow only administrators to enable connection groups](#bkmk-admin-only-posh-topic-cg) + +**To add and publish the App-V packages in the connection group** + +1. To add and publish the App-V packages to the computer running the App-V client, type the following command: + + Add-AppvClientPackage –path c:\\tmpstore\\quartfin.appv | Publish-AppvClientPackage + +2. Repeat **step 1** of this procedure for each package in the connection group. + +**To add and enable the connection group on the App-V client** + +1. Add the connection group by typing the following command: + + Add-AppvClientConnectionGroup –path c:\\tmpstore\\financ.xml + +2. 
Enable the connection group by typing the following command: + + Enable-AppvClientConnectionGroup –name “Financial Applications” + + When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group. + +**To enable or disable a connection group for a specific user** + +1. Review the parameter description and requirements: + + - The parameter enables an administrator to enable or disable a connection group for a specific user. + + - You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. + + - You can run this cmdlet from the user or administrator session. + + - You must be logged in with administrative credentials to use the parameter. + + - The end user must be logged in. + + - You must provide the end user’s security identifier (SID). + +2. Use the following cmdlets, and add the optional **–UserSID** parameter, where **-UserSID** represents the end user’s security identifier (SID): + + + + + + + + + + + + + + + + + + + + + + +
    CmdletExamples

    Enable-AppVClientConnectionGroup

    Enable-AppVClientConnectionGroup “ConnectionGroupA” -UserSID S-1-2-34-56789012-3456789012-345678901-2345

    Disable -AppVClientConnectionGroup

    Disable -AppVClientConnectionGroup “ConnectionGroupA” -UserSID S-1-2-34-56789012-3456789012-345678901-2345

    + +   + +**To allow only administrators to enable connection groups** + +1. Review the description and requirement for using this cmdlet: + + - Use this cmdlet and parameter to configure the App-V client to allow only administrators (not end users) to enable or disable connection groups. + + - You must be using at least App-V 5.0 SP3 to use this cmdlet. + +2. Run the following cmdlet and parameter: + + + + + + + + + + + + + + + + + + + + + +
    CmdletParameter and valuesExample

    Set-AppvClientConfiguration

    –RequirePublishAsAdmin

    +
      +
    • 0 - False

    • +
    • 1 - True

    • +

    Set-AppvClientConfiguration –RequirePublishAsAdmin1

    + +   + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +[Administering App-V by Using PowerShell](appv-administering-appv-with-powershell.md) + +  + +  + + + + + diff --git a/windows/manage/appv-managing-connection-groups.md b/windows/manage/appv-managing-connection-groups.md new file mode 100644 index 0000000000..f702b6c319 --- /dev/null +++ b/windows/manage/appv-managing-connection-groups.md @@ -0,0 +1,76 @@ +--- +title: Managing Connection Groups (Windows 10) +description: Managing Connection Groups +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Managing Connection Groups + + +Connection groups enable the applications within a package to interact with each other in the virtual environment, while remaining isolated from the rest of the system. By using connection groups, administrators can manage packages independently and can avoid having to add the same application multiple times to a client computer. + +**Note**   +In some previous versions of App-V, connection groups were referred to as Dynamic Suite Composition. + +  + +**In this topic:** + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +

    [About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)

    Describes the connection group virtual environment.

    [About the Connection Group File](appv-connection-group-file.md)

    Describes the connection group file.

    [How to Create a Connection Group](appv-create-a-connection-group.md)

    Explains how to create a new connection group.

    [How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)

    Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.

    [How to Delete a Connection Group](appv-delete-a-connection-group.md)

    Explains how to delete a connection group.

    [How to Publish a Connection Group](appv-publish-a-connection-group.md)

    Explains how to publish a connection group.

    + +  + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Other resources for App-V connection groups + + +- [Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-migrating-to-appv-from-a-previous-version.md b/windows/manage/appv-migrating-to-appv-from-a-previous-version.md new file mode 100644 index 0000000000..87958fb0dd --- /dev/null +++ b/windows/manage/appv-migrating-to-appv-from-a-previous-version.md 
@@ -0,0 +1,300 @@ +--- +title: Migrating to App-V from a Previous Version (Windows 10) +description: Migrating to App-V from a Previous Version +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Migrating to App-V from a Previous Version + + +With Microsoft Application Virtualization (App-V), you can migrate your existing App-V 4.6 or App-V 5.0 infrastructure to the more flexible, integrated, and easier to manage App-V infrastructure. +However, you cannot migrate directly from App-V 4.x to App-V, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md) + +**Note**   +App-V packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and therefore, there is no need to convert App-V 5.0 packages to App-V packages. + +For more information about the differences between App-V 4.6 and App-V, see the **Differences between App-4.6 and App-V 5.0 section** of [About App-V 5.0](https://technet.microsoft.com/en-us/itpro/mdop/appv-v5/about-app-v-50). + +  + +## Improvements to the App-V Package Converter + + +You can now use the package converter to convert App-V 4.6 packages that contain scripts, and registry information and scripts from source .osd files are now included in package converter output. + +You can also use the `–OSDsToIncludeInPackage` parameter with the `ConvertFrom-AppvLegacyPackage` cmdlet to specify which .osd files’ information is converted and placed within the new package. + + ++++ + + + + + + + + + + + + +
    New in App-VPrior to App-V

    New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:

    +
      +
    • environment variables

    • +
    • shortcuts

    • +
    • file type associations

    • +
    • registry information

    • +
    • scripts

    • +
    +

    You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.

    Registry information and scripts included in .osd files associated with a package were not included in package converter output.

    +

    The package converter would populate the new package with information from all of the .osd files in the source directory.

    + +  + +### Example conversion statement + +To understand the new process, review the following example `ConvertFrom-AppvLegacyPackage` package converter statement. + +**If the source directory (\\\\OldPkgStore\\ContosoApp) includes the following:** + +- ContosoApp.sft + +- ContosoApp.msi + +- ContosoApp.sprj + +- ContosoApp\_manifest.xml + +- X.osd + +- Y.osd + +- Z.osd + +**And you run this command:** + +``` syntax +ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\ +-DestinationPath \\NewPkgStore\ContosoApp\ +-OSDsToIncludeInPackage X.osd,Y.osd +``` + +**The following is created in the destination directory (\\\\NewPkgStore\\ContosoApp):** + +- ContosoApp.appv + +- ContosoApp.msi + +- ContosoApp\_DeploymentConfig.xml + +- ContosoApp\_UserConfig.xml + +- X\_Config.xml + +- Y\_Config.xml + +- Z\_Config.xml + +**In the above example:** + + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
    These Source directory files……are converted to these Destination directory files……and will contain these itemsDescription
      +
    • X.osd

    • +
    • Y.osd

    • +
    • Z.osd

    • +
      +
    • X_Config.xml

    • +
    • Y_Config.xml

    • +
    • Z_Config.xml

    • +
      +
    • Environment variables

    • +
    • Shortcuts

    • +
    • File type associations

    • +
    • Registry information

    • +
    • Scripts

    • +

    Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.

    +

    In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.

      +
    • X.osd

    • +
    • Y.osd

    • +
      +
    • ContosoApp.appv

    • +
    • ContosoApp_DeploymentConfig.xml

    • +
    • ContosoApp_UserConfig.xml

    • +
      +
    • Environment variables

    • +
    • Shortcuts

    • +
    • File type associations

    • +

    The information from the .osd files specified in the -OSDsToIncludeInPackage parameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.

    +

    In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it was not included as one of these arguments.

    + +  + +## Converting packages created using a prior version of App-V + + +Use the package converter utility to upgrade virtual application packages created using versions of App-V prior to App-V 5.0. The package converter uses PowerShell to convert packages and can help automate the process if you have many packages that require conversion. + +**Important**   +After you convert an existing package you should test the package prior to deploying the package to ensure the conversion process was successful. + +  + +**What to know before you convert existing packages** + + ++++ + + + + + + + + + + + + + + + + + + + + +
    IssueWorkaround

    Virtual packages using DSC are not linked after conversion.

    Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md).

    Environment variable conflicts are detected during conversion.

    Resolve any conflicts in the associated .osd file.

    Hard-coded paths are detected during conversion.

    Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.

    + +  + +When converting a package check for failing files or shortcuts. Locate the item in App-V 4.6 package. It could possibly be a hard-coded path. Convert the path. + +**Note**   +It is recommended that you use the App-V sequencer for converting critical applications or applications that need to take advantage of features. See, [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md). + +If a converted package does not open after you convert it, it is also recommended that you re-sequence the application using the App-V sequencer. + +  + +[How to Convert a Package Created in a Previous Version of App-V](appv-convert-a-package-created-in-a-previous-version-of-appv.md) + +## Migrating Clients + + +The following table displays the recommended method for upgrading clients. + + ++++ + + + + + + + + + + + + + + + + +
    TaskMore Information

    Upgrade your environment to the latest version of App-V 4.6

    [Application Virtualization Deployment and Upgrade Considerations](https://technet.microsoft.com/en-us/itpro/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy).

    Sequence and roll out App-V packages. As needed, unpublish App-V 4.6 packages.

    [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md).

    + +  + +**Important**   +You must be running the latest version of App-V 4.6 to use coexistence mode. Additionally, when you sequence a package, you must configure the Managing Authority setting, which is in the **User Configuration** is located in the **User Configuration** section. + +  + +## Migrating the App-V Server Full Infrastructure + + +There is no direct method to upgrade to a full App-V infrastructure. Use the information in the following section for information about upgrading the App-V server. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    TaskMore Information

    Upgrade your environment to the latest version of App-V 4.6.

    [Application Virtualization Deployment and Upgrade Considerations](https://technet.microsoft.com/en-us/itpro/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy).

    Deploy App-V version of the client.

    [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md).

    Install App-V server.

    [How to Deploy the App-V Server](appv-deploy-the-appv-server.md).

    Migrate existing packages.

    See the Converting packages created using a prior version of App-V section of this article.

    + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Other resources for performing App-V migration tasks + +- [Operations for App-V](appv-operations.md) + +- [A simplified Microsoft App-V Management Server upgrade procedure](http://go.microsoft.com/fwlink/p/?LinkId=786330) diff --git a/windows/manage/appv-modify-an-existing-virtual-application-package.md b/windows/manage/appv-modify-an-existing-virtual-application-package.md new file mode 100644 index 0000000000..b3b9a5bea2 --- /dev/null +++ b/windows/manage/appv-modify-an-existing-virtual-application-package.md 
@@ -0,0 +1,178 @@ +--- +title: How to Modify an Existing Virtual Application Package (Windows 10) +description: How to Modify an Existing Virtual Application Package +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Modify an Existing Virtual Application Package + + +This topic explains how to: + +- [Update an application in an existing virtual application package](#bkmk-update-app-in-pkg) + +- [Modify the properties associated with an existing virtual application package](#bkmk-chg-props-in-pkg) + +- [Add a new application to an existing virtual application package](#bkmk-add-app-to-pkg) + +**Before you update a package:** + +- Ensure that you’ve installed the Microsoft Application Virtualization (App-V) Sequencer, which is required for modifying a virtual application package. To install the App-V Sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md). + +- Save the .appv file in a secure location and always trust the source before trying to open the package for editing. + +- The Managing Authority section is erroneously removed from the deployment configuration file when you update a package. Before starting the update, copy the Managing Authority section from the existing deployment configuration file, and then paste the copied section into the new configuration file after the conversion is complete. + +- If you click **Modify an Existing Virtual Application Package** in the Sequencer in order to edit a package, but then make no changes and close the package, the streaming behavior of the package is changed. The primary feature block is removed from the StreamMap.xml file, and any files that were listed in the publishing feature block are removed. Users who receive the edited package experience that package as if it were stream-faulted, regardless of how the original package was configured. 
+ +**Update an application in an existing virtual application package** + +1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. + +2. In the App-V Sequencer, click **Modify an Existing Virtual Application Package** > **Next**. + +3. On the **Select Task** page, click **Update Application in Existing Package** > **Next**. + +4. On the **Select Package** page, click **Browse** to locate the virtual application package that contains the application to update, and then click **Next**. + +5. On the **Prepare Computer** page, review the issues that could cause the application update to fail or cause the updated application to contain unnecessary data. Resolve all potential issues before you continue. After making any corrections and resolving all potential issues, click **Refresh** > **Next**. + + **Important**   + If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package. + +   + +6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. + +7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**. 
+ + **Note**   + The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard. + +   + +8. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information. To proceed, click **Next**. + +9. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all of the applications to run. After all applications have run, close each of the applications, and then click **Next**. + + **Note**   + You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**. + +   + +10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**. + + To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful to identify the application version and provide other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. Click **Create**. + +11. On the **Completion** page, click **Close** to close the wizard. The package is now available in the sequencer. + +**Modify the properties associated with an existing virtual application package** + +1. 
On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. + +2. In the App-V Sequencer, click **Modify an Existing Virtual Application Package** > **Next**. + +3. On the **Select Task** page, click **Edit Package** > **Next**. + +4. On the **Select Package** page, click **Browse** to locate the virtual application package that contains the application properties to modify, and then click **Edit**. + +5. In the App-V Sequencer console, perform any of the following tasks as needed: + + - Import and export the manifest file. + + - Enable or disable Browser Helper Objects. + + - Import or export a VFS file. + + - Import a directory into the virtual file system. + + - Import and export virtual registry keys. + + - View package properties. + + - View associated package files. + + - Edit registry settings. + + - Review additional package settings (except operating system file properties). + + - Set virtualized registry key state (override or merge). + + - Set virtualized folder state. + + - Add or edit shortcuts and file type associations. + + **Note**   + To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page. + +   + +6. When you finish changing the package properties, click **File** > **Save** to save the package. + +**Add a new application to an existing virtual application package** + +1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. + +2. In the App-V Sequencer, click **Modify an Existing Virtual Application Package** > **Next**. + +3. On the **Select Task** page, click **Add New Application** > **Next**. + +4. 
On the **Select Package** page, click **Browse** to locate the virtual application package to which you will add the application, and then click **Next**. + +5. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or cause the revised package to contain unnecessary data. Resolve all potential issues before you continue. After making any corrections and resolving all potential issues, click **Refresh** > **Next**. + + **Important**   + If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package. + +   + +6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. + +7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** > **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you don’t overwrite the existing version of the virtual application package. + + **Note**   + The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard. + +   + +8. On the **Configure Software** page, optionally run the programs contained in the package. 
This step completes any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**. + +9. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information, and then click **Next** to open the **Customize** page. + +10. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 13 of this procedure. If you want to perform the following described customization, click **Customize**. + + If you are customizing, prepare the virtual package for streaming, and then click **Next**. Streaming improves the experience when the virtual application package is run on target computers. + +11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. + + **Note**   + You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**. + +   + +12. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the App-V Sequencer console, where you can modify the package before saving it. Click **Next**. 
+ + To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful for providing application versions and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. The uncompressed package size is displayed. Click **Create**. + +13. On the **Completion** page, click **Close**. The package is now available in the sequencer. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-modify-client-configuration-with-powershell.md b/windows/manage/appv-modify-client-configuration-with-powershell.md new file mode 100644 index 0000000000..0d76bd1169 --- /dev/null +++ b/windows/manage/appv-modify-client-configuration-with-powershell.md 
@@ -0,0 +1,43 @@ +--- +title: How to Modify Client Configuration by Using PowerShell (Windows 10) +description: How to Modify Client Configuration by Using PowerShell +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Modify Client Configuration by Using PowerShell + + +Use the following procedure to configure the App-V client configuration. + +**To modify App-V client configuration using PowerShell** + +1. To configure the client settings using PowerShell, use the **Set-AppvClientConfiguration** cmdlet. For more information about installing PowerShell, and a list of cmdlets see, [How to Load the PowerShell Cmdlets and Get Cmdlet Help](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md). + +2. To modify the client configuration, open a PowerShell Command prompt and run the following cmdlet **Set-AppvClientConfiguration** with any required parameters. For example: + + `$config = Get-AppvClientConfiguration` + + `Set-AppcClientConfiguration $config` + + `Set-AppcClientConfiguration –Name1 MyConfig –Name2 “xyz”` + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md b/windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md new file mode 100644 index 0000000000..a71950444f --- /dev/null +++ b/windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md 
@@ -0,0 +1,23 @@
+---
+title: How to Modify App-V Client Configuration Using the ADMX Template and Group Policy (Windows 10)
+description: How to Modify App-V Client Configuration Using the ADMX Template and Group Policy
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# How to Modify App-V client configuration using the ADMX template and Group Policy
+
+You can use Group Policy to configure App-V client settings by using the Group Policy Management Console under **Computer Configuration** > **Policies** > **Administrative Templates** > **System** > **App-V**.
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+- [Deploying App-V](appv-deploying-appv.md)
+
+- [About Client Configuration Settings](appv-client-configuration-settings.md)
diff --git a/windows/manage/appv-move-the-appv-server-to-another-computer.md b/windows/manage/appv-move-the-appv-server-to-another-computer.md
new file mode 100644
index 0000000000..dbbb6a80a6
--- /dev/null
+++ b/windows/manage/appv-move-the-appv-server-to-another-computer.md
@@ -0,0 +1,40 @@
+---
+title: How to Move the App-V Server to Another Computer (Windows 10)
+description: How to Move the App-V Server to Another Computer
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# How to Move the App-V Server to Another Computer
+
+
+Use the following information to create a new management server console in your environment.
+
+## To create a new management server console
+
+
+The following list displays the steps necessary to create a new management server console:
+
+1. Install the management server on a computer in your environment. For more information about installing the management server see [Deploying the App-V Server](appv-deploying-the-appv-server.md).
+
+2. After you have completed the installation, use the following link to connect it to the App-V database - [How to install the Management Server on a Standalone Computer and Connect it to the Database](appv-install-the-management-server-on-a-standalone-computer.md).
+
+**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+
+[Operations for App-V](appv-operations.md)
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/manage/appv-operations.md b/windows/manage/appv-operations.md
new file mode 100644
index 0000000000..96cdf448fb
--- /dev/null
+++ b/windows/manage/appv-operations.md
@@ -0,0 +1,75 @@
+---
+title: Operations for App-V (Windows 10)
+description: Operations for App-V
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Operations for App-V
+
+
+This section of the Microsoft Application Virtualization (App-V) Administrator’s Guide includes information about the various types of App-V administration and operating tasks that are typically performed by an administrator. This section also includes step-by-step procedures to help you successfully perform those tasks.
+
+## Operations Information
+
+
+- [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md)
+
+ Describes how to create, modify, and convert virtualized packages.
+
+- [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md)
+
+ Describes how to use the App-V Management console to perform tasks such as sequencing an application, changing a package, using a project template, and using a package accelerator.
+
+- [Managing Connection Groups](appv-managing-connection-groups.md)
+
+ Describes how connection groups enable virtualized applications to communicate with each other in the virtual environment; explains how to create, publish, and delete them; and describes how connection groups can help you better manage your virtualized applications.
+
+- [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md)
+
+ Describes how to deploy App-V packages by using an ESD.
+
+- [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
+
+ Describes how perform client configuration tasks using the client management console.
+
+- [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md)
+
+ Provides instructions for migrating to App-V from a previous version.
+
+- [Administering App-V by Using PowerShell](appv-administering-appv-with-powershell.md)
+
+ Describes the set of Windows PowerShell cmdlets available for administrators performing various App-V server tasks.
+
+## Have a suggestion for App-V?
+
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Other Resources for App-V Operations
+
+
+- [Application Virtualization (App-V) overview](appv-for-windows.md)
+
+- [Getting Started with App-V](appv-getting-started.md)
+
+- [Planning for App-V](appv-planning-for-appv.md)
+
+- [Deploying App-V](appv-deploying-appv.md)
+
+- [Troubleshooting App-V](appv-troubleshooting.md)
+
+- [Technical Reference for App-V](appv-technical-reference.md)
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/manage/appv-performance-guidance.md b/windows/manage/appv-performance-guidance.md
new file mode 100644
index 0000000000..d5e0a70918
--- /dev/null
+++ b/windows/manage/appv-performance-guidance.md
@@ -0,0 +1,761 @@ +--- +title: Performance Guidance for Application Virtualization (Windows 10) +description: Performance Guidance for Application Virtualization +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Performance Guidance for Application Virtualization + + +Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. + +Implementing multiple methods can help you improve the end-user experience. However, your environment may not support all methods. + +You should read and understand the following information before reading this document. + +- [Application Virtualization (App-V) overview](appv-for-windows.md) + +- [App-V 5 SP2 Application Publishing and Client Interaction](http://go.microsoft.com/fwlink/?LinkId=395206) + +- [Microsoft Application Virtualization Sequencing Guide](http://go.microsoft.com/fwlink/?LinkId=269953) + +**Note**   +Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk **\*** review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document. + +  + +Finally, this document will provide you with the information to configure the computer running App-V client and the environment for optimal performance. Optimize your virtual application packages for performance using the sequencer, and to understand how to use User Experience Virtualization (UE-V) or other user environment management technologies to provide the optimal user experience with App-V in both Remote Desktop Services (RDS) and non-persistent virtual desktop infrastructure (VDI). + +To help determine what information is relevant to your environment you should review each section’s brief overview and applicability checklist. 
+ +## App-V in stateful\* non-persistent deployments + + +This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This is achieved by uniquely addressing the often long-running App-V publishing refresh. As you will discover the basis of the approach, the fastest publishing refresh, is one that doesn’t have to actually do anything. A number of conditions must be met and steps followed to provide the optimal user experience. + +Use the information in the following section for more information: + +[Usage Scenarios](#bkmk-us) - As you review the two scenarios, keep in mind that these are the approach extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users and/or virtual applications packages. + +- Optimized for Performance – To provide the optimal experience, you can expect the base image to include some of the App-V virtual application package. This and other requirements are discussed. + +- Optimized for Storage – If you are concerned with the storage impact, following this scenario will help address those concerns. + +[Preparing your Environment](#bkmk-pe) + +- Steps to Prepare the Base Image – Whether in a non-persistent VDI or RDSH environment, only a few steps must be completed in the base image to enable this approach. + +- Use UE-V 2.1 as the User Profile Management (UPM) solution for the App-V approach – the cornerstone of this approach is the ability of a UEM solution to persist the contents of just a few registry and file locations. These locations constitute the user integrations\*. Be sure to review the specific requirements for the UPM solution. + +[User Experience Walk-through](#bkmk-uewt) + +- Walk-through – This is a step-by-step walk-through of the App-V and UE-V operations and the expectations users should have. + +- Outcome – This describes the expected results. 
+ +[Impact to Package Lifecycle](#bkmk-plc) + +[Enhancing the VDI Experience through Performance Optimization/Tuning](#bkmk-evdi) + +### Applicability Checklist + +Deployment Environment + + ++++ + + + + + + + + + + +
    Checklist box

    Non-Persistent VDI or RDSH.

    Checklist box

    User Experience Virtualization (UE-V), other UPM solutions or User Profile Disks (UPD).

    + +  + +Expected Configuration + + ++++ + + + + + + + + + + +
    Checklist box

    User Experience Virtualization (UE-V) with the App-V user state template enabled or User Profile Management (UPM) software. Non-UE-V UPM software must be capable of triggering on Login or Process/Application Start and Logoff.

    Checklist box

    App-V Shared Content Store (SCS) is configured or can be configured.

    + +  + +IT Administration + + ++++ + + + + + + +
    Checklist box

    Admin may need to update the VM base image regularly to ensure optimal performance or Admin may need to manage multiple images for different user groups.

    + +  + +### Usage Scenario + +As you review the two scenarios, keep in mind that these approach the extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users, virtual application packages, or both. + + ++++ + + + + + + + + + + + + +
    Optimized for PerformanceOptimized for Storage

    To provide the most optimal user experience, this approach leverages the capabilities of a UPM solution and requires additional image preparation and can incur some additional image management overhead.

    +

    The following describes many performance improvements in stateful non-persistent deployments. For more information, see the Sequencing Steps to Optimize Packages for Publishing Performance and reference to App-V Sequencing Guide in the See Also section of this document.

    The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in very costly arrays; a slight alteration has been made to the approach. Do not pre-configure user-targeted virtual application packages in the base image.

    +

    The impact of this alteration is detailed in the User Experience Walkthrough section of this document.

    + +  + +### Preparing your Environment + +The following table displays the required steps to prepare the base image and the UE-V or another UPM solution for the approach. + +**Prepare the Base Image** + + ++++ + + + + + + + + + + + + +
    Optimized for PerformanceOptimized for Storage

    +
      +
    • Install the App-V client version of the client.

    • +
    • Install UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.

    • +
    • Configure for Shared Content Store (SCS) mode. For more information see [How to Install the App-V Client for Shared Content Store Mode](appv-install-the-appv-client-for-shared-content-store-mode.md).

    • +
    • Configure Preserve User Integrations on Login Registry DWORD.

    • +
    • Pre-configure all user- and global-targeted packages for example, Add-AppvClientPackage.

    • +
    • Pre-configure all user- and global-targeted connection groups for example, Add-AppvClientConnectionGroup.

    • +
    • Pre-publish all global-targeted packages.

      +

      +

      Alternatively,

      +
        +
      • Perform a global publishing/refresh.

      • +
      • Perform a user publishing/refresh.

      • +
      • Un-publish all user-targeted packages.

      • +
      • Delete the following user-Virtual File System (VFS) entries.

      • +
      +

      AppData\Local\Microsoft\AppV\Client\VFS

      +

      AppData\Roaming\Microsoft\AppV\Client\VFS

    • +

    +
      +
    • Install the App-V client version of the client.

    • +
    • Install UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.

    • +
    • Configure for Shared Content Store (SCS) mode. For more information see [How to Install the App-V Client for Shared Content Store Mode](appv-install-the-appv-client-for-shared-content-store-mode.md).

    • +
    • Configure Preserve User Integrations on Login Registry DWORD.

    • +
    • Pre-configure all global-targeted packages for example, Add-AppvClientPackage.

    • +
    • Pre-configure all global-targeted connection groups for example, Add-AppvClientConnectionGroup.

    • +
    • Pre-publish all global-targeted packages.

      +

    • +
    + +  + +**Configurations** - For critical App-V Client configurations and for a little more context and how-to, review the following information: + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    Configuration SettingWhat does this do?How should I use it?

    Shared Content Store (SCS) Mode

    +
      +
    • Configurable in PowerShell using Set- AppvClientConfigurationSharedContentStoreMode, or

    • +
    • During installation of the App-V client.

    • +

    When running the shared content store only publishing data is maintained on hard disk; other virtual application assets are maintained in memory (RAM).

    +

    This helps to conserve local storage and minimize disk I/O per second (IOPS).

    This is recommended when low-latency connections are available between the App-V Client endpoint and the SCS content server, SAN.

    PreserveUserIntegrationsOnLogin

    +
      +
    • Configure in the Registry under HKEY_LOCAL_MACHINE \ Software \ Microsoft \ AppV \ Client \ Integration.

    • +
    • Create the DWORD value PreserveUserIntegrationsOnLogin with a value of 1.

    • +
    • Restart the App-V client service or restart the computer running the App-V Client.

    • +

    If you have not pre-configured (Add-AppvClientPackage) a specific package and this setting is not configured, the App-V Client will de-integrate* the persisted user integrations, then re-integrate*.

    +

    For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh.

    If you don’t plan to pre-configure every available user package in the base image, use this setting.

    MaxConcurrentPublishingRefresh

    +
      +
    • Configure in the Registry under HKEY_LOCAL_MACHINE \Software \ Microsoft \ AppV \Client \ Publishing.

    • +
    • Create the DWORD value MaxConcurrentPublishingrefresh with the desired maximum number of concurrent publishing refreshes.

    • +
    • The App-V client service and computer do not need to be restarted.

    • +

    This setting determines the number of users that can perform a publishing refresh/sync at the same time. The default setting is no limit.

    Limiting the number of concurrent publishing refreshes prevents excessive CPU usage that could impact computer performance. This limit is recommended in an RDS environment, where multiple users can log in to the same computer at the same time and perform a publishing refresh sync.

    +

    If the concurrent publishing refresh threshold is reached, the time required to publish new applications and make them available to end users after they log in could take an indeterminate amount of time.

    + +  + +### Configure UE-V solution for App-V Approach + +We recommend using Microsoft User Experience Virtualization (UE-V) to capture and centralize application settings and Windows operating system settings for a specific user. These settings are then applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. UE-V is optimized for RDS and VDI scenarios. + +For more information see [Getting Started With User Experience Virtualization 2.0](https://technet.microsoft.com/library/dn458926.aspx) + +In essence all that is required is to install the UE-V client and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](http://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information around UE-V templates see [The UE-V specific resource for acquiring and registering the template](https://technet.microsoft.com/library/dn458926.aspx). + +**Note**   +Without performing an additional configuration step, the Microsoft User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. + +UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user’s device will have the same set of applications installed to the same location and every .lnk file is valid for all the users’ devices. For example, UE-V would not currently support the following 2 scenarios, because the net result will be that the shortcut will be valid on one but not all devices. + +- If a user has an application installed on one device with .lnk files enabled and the same native application installed on another device to a different installation root with .lnk files enabled. 
+ +- If a user has an application installed on one device but not another with .lnk files enabled. + +  + +**Important**   +This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. + +  + +Using the Microsoft Registry Editor (regedit.exe), navigate to **HKEY\_LOCAL\_MACHINE** \\ **Software** \\ **Microsoft** \\ **UEV** \\ **Agent** \\ **Configuration** \\ **ExcludedFileTypes** and remove **.lnk** from the excluded file types. + +**Configure other User Profile Management (UPM) solution for App-V Approach** + +The expectation in a stateful environment is that a UPM solution is implemented and can support persistence of user data across sessions and between logins. + +The requirements for the UPM solution are as follows. + +To enable an optimized login experience, for example the App-V approach for the user, the solution must be capable of: + +- Persisting the below user integrations as part of the user profile/persona. + +- Triggering a user profile sync on login (or application start), which can guarantee that all user integrations are applied before publishing/refresh begin, or, + +- Attaching and detaching a user profile disk (UPD) or similar technology that contains the user integrations. + + **Note**   + App-V is supported when using UPD only when the entire profile is stored on the user profile disk. + + App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver does not handle UPD selected folders. 
+ +   + +- Capturing changes to the locations, which constitute the user integrations, prior to session logoff. + +With App-V when you add a publishing server (**Add-AppvPublishingServer**) you can configure synchronization, for example refresh during log on and/or after a specified refresh interval. In both cases a scheduled task is created. + +In previous versions of App-V, both scheduled tasks were configured using a VBScript that would initiate the user and global refresh. With Hotfix Package 4 for Application Virtualization 5.0 SP2 the user refresh on log on was initiated by **SyncAppvPublishingServer.exe**. This change was introduced to provide UPM solutions a trigger process. This process delays the publish /refresh to allow the UPM solution to apply the user integrations. It will exit once the publishing/refresh is complete. + +**User Integrations** + +Registry – HKEY\_CURRENT\_USER + +- Path - Software\\Classes + + Exclude: Local Settings, ActivatableClasses, AppX\* + +- Path - Software\\Microsoft\\AppV + +- Path- Software\\Microsoft\\Windows\\CurrentVersion\\App Paths + +**File Locations** + +- Root – “Environment Variable” APPDATA + + Path – Microsoft\\AppV\\Client\\Catalog + +- Root – “Environment Variable” APPDATA + + Path – Microsoft\\AppV\\Client\\Integration + +- Root – “Environment Variable” APPDATA + + Path - Microsoft\\Windows\\Start Menu\\Programs + +- (To persist all desktop shortcuts, virtual and non-virtual) + + Root - “KnownFolder” {B4BFCC3A-DB2C-424C-B029-7FE99A87C641}FileMask - \*.lnk + +**Microsoft User Experience Virtualization (UE-V)** + +Additionally, we recommend using Microsoft User Experience Virtualization (UE-V) to capture and centralize application settings and Windows operating system settings for a specific user. These settings are then applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. 
+ +For more information see [Getting Started With User Experience Virtualization 1.0](http://technet.microsoft.com/library/jj680015.aspx) and [Sharing Settings Location Templates with the UE-V Template Gallery](http://technet.microsoft.com/library/jj679972.aspx). + +### User Experience Walk-through + +This following is a step-by-step walk-through of the App-V and UPM operations and the expectations users should expect. + + ++++ + + + + + + + + + + + + +
    Optimized for PerformanceOptimized for Storage

    After implementing this approach in the VDI/RDSH environment, on first login,

    +
      +
    • (Operation) A user-publishing/refresh is initiated. (Expectation) If this is the first time a user has published virtual applications (e.g. non-persistent), this will take the usual duration of a publishing/refresh.

    • +
    • (Operation) After the publishing/refresh, the UPM solution captures the user integrations. (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state.

    • +
    +

    On subsequent logins:

    +
      +
    • (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.

      +

      (Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (i.e., package entitlements change), some may go away.

    • +
    • (Operation) Publishing/refresh will process un-publish and publish operations for changes in user package entitlements. (Expectation) If there are no entitlement changes, publishing1 will complete in seconds. Otherwise, the publishing/refresh will increase relative to the number and complexity* of virtual applications

    • +
    • (Operation) UPM solution will capture user integrations again at logoff. (Expectation) Same as previous.

    • +
    +

    ¹ The publishing operation (Publish-AppVClientPackage) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps.

    After implementing this approach in the VDI/RDSH environment, on first login,

    +
      +
    • (Operation) A user-publishing/refresh is initiated. (Expectation)

      +
        +
      • If this is the first time a user has published virtual applications (e.g., non-persistent), this will take the usual duration of a publishing/refresh.

      • +
      • First and subsequent logins will be impacted by pre-configuring of packages (add/refresh).

        +

      • +
    • +
    • (Operation) After the publishing/refresh, the UPM solution captures the user integrations. (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state

    • +
    +

    On subsequent logins:

    +
      +
    • (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.

    • +
    • (Operation) Add/refresh must pre-configure all user targeted applications. (Expectation)

      +
        +
      • This may increase the time to application availability significantly (on the order of 10’s of seconds).

      • +
      • This will increase the publishing refresh time relative to the number and complexity* of virtual applications.

        +

      • +
    • +
    • (Operation) Publishing/refresh will process un-publish and publish operations for changes to user package entitlements.

    • +
    + +  + + ++++ + + + + + + + + + + + + +
    OutcomeOutcome

    +
      +
    • Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of login.

    • +
    • The publishing/refresh will process changes to the users entitled virtual applications which impacts the experience.

    • +

    Because the add/refresh must re-configure all the virtual applications to the VM, the publishing refresh time on every login will be extended.

    + +  + +### Impact to Package Life Cycle + +Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (un-published) virtual application packages, it is recommended you update the base image to reflect these changes. To understand why review the following section: + +App-V 5.0 SP2 introduced the concept of pending states. In the past, + +- If an administrator changed entitlements or created a new version of a package (upgraded) and during a publishing/refresh that package was in-use, the un-publish or publish operation, respectively, would fail. + +- Now, if a package is in-use the operation will be pended. The un-publish and publish-pend operations will be processed on service restart or if another publish or un-publish command is issued. In the latter case, if the virtual application is in-use otherwise, the virtual application will remain in a pending state. For globally published packages, a restart (or service restart) often needed. + +In a non-persistent environment, it is unlikely these pended operations will be processed. The pended operations, for example tasks are captured under **HKEY\_CURRENT\_USER** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Client** \\ **PendingTasks**. Although this location is persisted by the UPM solution, if it is not applied to the environment prior to log on, it will not be processed. + +### Enhancing the VDI Experience through Performance Optimization Tuning + +The following section contains lists with information about Microsoft documentation and downloads that may be useful when optimizing your environment for performance. 
+ +**.NET NGEN Blog and Script (Highly Recommended)** + +About NGEN technology + +- [How to speed up NGEN optimaztion](http://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx) + +- [Script](http://aka.ms/DrainNGenQueue) + +**Windows Server and Server Roles** + +Server Performance Tuning Guidelines for + +- [Microsoft Windows Server 2012 R2](http://msdn.microsoft.com/library/windows/hardware/dn529133.aspx) + +- [Microsoft Windows Server 2012](http://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx) + +- [Microsoft Windows Server 2008 R2](http://download.microsoft.com/download/6/B/2/6B2EBD3A-302E-4553-AC00-9885BBF31E21/Perf-tun-srv-R2.docx) + +**Server Roles** + +- [Remote Desktop Virtualization Host](http://msdn.microsoft.com/library/windows/hardware/dn567643.aspx) + +- [Remote Desktop Session Host](http://msdn.microsoft.com/library/windows/hardware/dn567648.aspx) + +- [IIS Relevance: App-V Management, Publishing, Reporting Web Services](http://msdn.microsoft.com/library/windows/hardware/dn567678.aspx) + +- [File Server (SMB) Relevance: If used for App-V Content Storage and Delivery in SCS Mode](http://technet.microsoft.com/library/jj134210.aspx) + +**Windows Client (Guest OS) Performance Tuning Guidance** + +- [Microsoft Windows 7](http://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx) + +- [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx) + +- [Microsoft Windows 8](http://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf) + +- [Optimization Script: (Provided by Microsoft 
Support)](http://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx) + +## Sequencing Steps to Optimize Packages for Publishing Performance + + +Several App-V features facilitate new scenarios or enable new customer deployment scenarios. These following features can impact the performance of the publishing and launch operations. + + ++++++ + + + + + + + + + + + + + + + + +
    StepConsiderationBenefitsTradeoffs

    No Feature Block 1 (FB1, also known as Primary FB)

    No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch.If there are network limitations, FB1 will:

    +
      +
    • Reduce the number of stream faults and network bandwidth used when you launch an application for the first time.

    • +
    • Delay launch until the entire FB1 has been streamed.

    • +

    Stream faulting decreases the launch time.

    Virtual application packages with FB1 configured will need to be re-sequenced.

    + +  + +### Removing FB1 + +Removing FB1 does not require the original application installer. After completing the following steps, it is suggested that you revert the computer running the sequencer to a clean snapshot. + +**Sequencer UI** - Create a New Virtual Application Package. + +1. Complete the sequencing steps up to Customize -> Streaming. + +2. At the Streaming step, do not select **Optimize the package for deployment over slow or unreliable network**. + +3. If desired, move on to **Target OS**. + +**Modify an Existing Virtual Application Package** + +1. Complete the sequencing steps up to Streaming. + +2. Do not select **Optimize the package for deployment over a slow or unreliable network**. + +3. Move to **Create Package**. + +**PowerShell** - Update an Existing Virtual Application Package. + +1. Open an elevated PowerShell session. + +2. Import-module **appvsequencer**. + +3. **Update-AppvSequencerPackage** - **AppvPackageFilePath** + + "C:\\Packages\\MyPackage.appv" -Installer + + "C:\\PackageInstall\\PackageUpgrade.exe empty.exe" -OutputPath + + "C:\\UpgradedPackages" + + **Note**   + This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file. + +   + + ++++++ + + + + + + + + + + + + + + + + +
    StepConsiderationsBenefitsTradeoffs

    No SXS Install at Publish (Pre-Install SxS assemblies)

    Virtual Application packages do not need to be re-sequenced. SxS Assemblies can remain in the virtual application package.

    The SxS Assembly dependencies will not install at publishing time.

    SxS Assembly dependencies must be pre-installed.

    + +  + +### Creating a new virtual application package on the sequencer + +If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is installed as part of an application’s installation, SxS Assembly will be automatically detected and included in the package. The administrator will be notified and will have the option to exclude the SxS Assembly. + +**Client Side**: + +When publishing a virtual application package, the App-V Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it is included in the package, a traditional Windows Insataller (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation will not occur. + + ++++++ + + + + + + + + + + + + + + + + +
    StepConsiderationsBenefitsTradeoffs

    Selectively Employ Dynamic Configuration files

    The App-V client must parse and process these Dynamic Configuration files.

    +

    Be conscious of size and complexity (script execution, VREG inclusions/exclusions) of the file.

    +

    Numerous virtual application packages may already have User- or computer–specific dynamic configurations files.

    Publishing times will improve if these files are used selectively or not at all.

    Virtual application packages would need to be reconfigured individually or via the App-V server management console to remove associated Dynamic Configuration files.

    + +  + +### Disabling a Dynamic Configuration using Powershell + +- For already published packages, you can use `Set-AppVClientPackage –Name Myapp –Path c:\Packages\Apps\MyApp.appv` without + + **-DynamicDeploymentConfiguration** parameter + +- Similarly, when adding new packages using `Add-AppVClientPackage –Path c:\Packages\Apps\MyApp.appv`, do not use the + + **-DynamicDeploymentConfiguration** parameter. + +For documentation on How to Apply a Dynamic Configuration, see: + +- [How to Apply the User Configuration File by Using PowerShell](appv-apply-the-user-configuration-file-with-powershell.md) + +- [How to Apply the Deployment Configuration File by Using PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md) + + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
    StepConsiderationsBenefitsTradeoffs

    Account for Synchronous Script Execution during Package Lifecycle.

    If script collateral is embedded in the package, Add (Powershell) may be significantly slower.

    +

    Running of scripts during virtual application launch (StartVirtualEnvironment, StartProcess) and/or Add+Publish will impact the perceived performance during one or more of these lifecycle operations.

    Use of Asynchronous (Non-Blocking) Scripts will ensure that the lifecycle operations complete efficiently.

    This step requires working knowledge of all virtual application packages with embedded script collateral, which have associated dynamic configurations files and which reference and run scripts synchronously.

    Remove Extraneous Virtual Fonts from Package.

    The majority of applications investigated by the App-V product team contained a small number of fonts, typically fewer than 20.

    Virtual Fonts impact publishing refresh performance.

    Desired fonts will need to be enabled/installed natively. For instructions, see Install or uninstall fonts.

    + +  + +### Determining what virtual fonts exist in the package + +- Make a copy of the package. + +- Rename Package\_copy.appv to Package\_copy.zip + +- Open AppxManifest.xml and locate the following: + + <appv:Extension Category="AppV.Fonts"> + + <appv:Fonts> + + <appv:Font Path="\[{Fonts}\]\\private\\CalibriL.ttf" DelayLoad="true"></appv:Font> + + **Note**   + If there are fonts marked as **DelayLoad**, those will not impact first launch. + +   + + </appv:Fonts> + +### Excluding virtual fonts from the package + +Use the dynamic configuration file that best suits the user scope – deployment configuration for all users on computer, user configuration for specific user or users. + +- Disable fonts with the deployment or user configuration. + +Fonts + +--> + +<Fonts Enabled="false" /> + +<!-- + +## App-V Performance Guidance Terminology + + +The following terms are used when describing concepts and actions related to App-V performance optimization. + +- **Complexity** – Refers to the one or more package characteristics that may impact performance during pre-configure (**Add-AppvClientPackage**) or integration (**Publish-AppvClientPackage**). Some example characteristics are: manifest size, number of virtual fonts, number of files. + +- **De-Integrate** – Removes the user integrations + +- **Re-Integrate** – Applies the user integrations. + +- **Non-Persistent, Pooled** – Creates a computer running a virtual environment each time they log in. + +- **Persistent, Personal** – A computer running a virtual environment that remains the same for every login. + +- **Stateful** - For this document, implies that user integrations are persisted between sessions and a user environment management technology is used in conjunction with non-persistent RDSH or VDI. + +- **Stateless** – Represents a scenario when no user state is persisted between sessions. + +- **Trigger** – (or Native Action Triggers). 
UPM uses these types of triggers to initiate monitoring or synchronization operations. + +- **User Experience** - In the context of App-V, the user experience, quantitatively, is the sum of the following parts: + + - From the point that users initiate a log-in to when they are able to manipulate the desktop. + + - From the point where the desktop can be interacted with to the point a publishing refresh begins (in PowerShell terms, sync) when using the App-V full server infrastructure. In standalone instances, it is when the **Add-AppVClientPackage** and **Publish-AppVClientPackage Powershell** commands are initiated. + + - From start to completion of the publishing refresh. In standalone instances, this is the first to last virtual application published. + + - From the point where the virtual application is available to launch from a shortcut. Alternatively, it is from the point at which the file type association is registered and will launch a specified virtual application. + +- **User Profile Management** – The controlled and structured approach to managing user components associated with the environment. For example, user profiles, preference and policy management, application control and application deployment. You can use scripting or third-party solutions configure the environment as needed. + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Application Virtualization (App-V) overview](appv-for-windows.md) + +  + +  + + + + + diff --git a/windows/manage/appv-planning-checklist.md b/windows/manage/appv-planning-checklist.md new file mode 100644 index 0000000000..91d7f0fe4e --- /dev/null +++ b/windows/manage/appv-planning-checklist.md 
@@ -0,0 +1,81 @@ +--- +title: App-V Planning Checklist (Windows 10) +description: App-V Planning Checklist +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# App-V Planning Checklist + + +This checklist can be used to help you plan for preparing your organization for an App-V deployment. + +> [!NOTE]    +> This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V deployment. It is recommended that you copy this checklist and customize it for your use. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    TaskReferencesNotes
    Checklist box

    Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.

    [Getting Started with App-V](appv-getting-started.md)

    Checklist box

    Plan for App-V 1.0 Deployment Prerequisites and prepare your computing environment.

    [App-V Prerequisites](appv-prerequisites.md)

    Checklist box

    If you plan to use the App-V management server, plan for the required roles.

    [Planning for the App-V Server Deployment](appv-planning-for-appv-server-deployment.md)

    Checklist box

    Plan for the App-V sequencer and client so you to create and run virtualized applications.

    [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md)

    Checklist box

    If applicable, review the options and steps for migrating from a previous version of App-V.

    [Planning for Migrating from a Previous Version of App-V](appv-planning-for-migrating-from-a-previous-version-of-appv.md)

    Checklist box

    Plan for running App-V clients using in shared content store mode.

    [How to Install the App-V Client for Shared Content Store Mode](appv-install-the-appv-client-for-shared-content-store-mode.md)

    + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + +[Planning for App-V](appv-planning-for-appv.md) diff --git a/windows/manage/appv-planning-folder-redirection-with-appv.md b/windows/manage/appv-planning-folder-redirection-with-appv.md new file mode 100644 index 0000000000..ed2d892f9f --- /dev/null +++ b/windows/manage/appv-planning-folder-redirection-with-appv.md @@ -0,0 +1,146 @@ +--- +title: Planning to Use Folder Redirection with App-V (Windows 10) +description: Planning to Use Folder Redirection with App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Planning to Use Folder Redirection with App-V + +Microsoft Application Virtualization (App-V) supports the use of folder redirection, a feature that enables users and administrators to redirect the path of a folder to a new location. + +This topic contains the following sections: + +- [Requirements for using folder redirection](#bkmk-folder-redir-reqs) + +- [How to configure folder redirection for use with App-V](#bkmk-folder-redir-cfg) + +- [How folder redirection works with App-V](#bkmk-folder-redir-works) + +- [Overview of folder redirection](#bkmk-folder-redir-overview) + +## Requirements and unsupported scenarios for using folder redirection + + + ++++ + + + + + + + + + + +

    Requirements

    To use %AppData% folder redirection, you must:

    +
      +
    • Have an App-V package that has an AppData virtual file system (VFS) folder.

    • +
    • Enable folder redirection and redirect users’ folders to a shared folder, typically a network folder.

    • +
    • Roam both or neither of the following:

      +
        +
      • Files under %appdata%\Microsoft\AppV\Client\Catalog

      • +
      • Registry settings under HKEY_CURRENT_USER\Software\Microsoft\AppV\Client\Packages

        +

        For more detail, see [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md#bkmk-clt-inter-roam-reqs).

      • +
    • +
    • Ensure that the following folders are available to each user who logs into the computer that is running the App-V client:

      +
        +
      • %AppData% is configured to the desired network location (with or without [Offline Files](http://technet.microsoft.com/library/cc780552.aspx) support).

      • +
      • %LocalAppData% is configured to the desired local folder.

      • +
    • +

    Unsupported scenarios

      +
    • Configuring %LocalAppData% as a network drive.

    • +
    • Redirecting the Start menu to a single folder for multiple users.

    • +
    • If roaming AppData (%AppData%) is redirected to a network share that is not available, App-V applications will fail to launch, unless the unavailable network share has been enabled for Offline Files.

    • +
    + +  + +## How to configure folder redirection for use with App-V + + +Folder redirection can be applied to different folders, such as Desktop, My Documents, My Pictures, etc. However, the only folder that impacts the use of App-V applications is the user’s roaming AppData folder (%AppData%). You can apply folder redirection to any other supported folders without impacting App-V. + +## How folder redirection works with App-V + + +The following table describes how folder redirection works when %AppData% is redirected to a network and when you have met the requirements listed earlier in this article. + + ++++ + + + + + + + + + + + + + + + + +
    Virtual environment stateAction that occurs

    When the virtual environment starts

    The virtual file system (VFS) AppData folder is mapped to the local AppData folder (%LocalAppData%) instead of to the user’s roaming AppData folder (%AppData%).

    +
      +
    • LocalAppData contains a local cache of the user’s roaming AppData folder for the package in use. The local cache is located under:

      +

      %LocalAppData%\Microsoft\AppV\Client\VFS\PackageGUID\AppData

    • +
    • The latest data from the user’s roaming AppData folder is copied to and replaces the data currently in the local cache.

    • +
    • While the virtual environment is running, data continues to be saved to the local cache. Data is served only out of %LocalAppData% and is not moved or synchronized with %AppData% until the end user shuts down the computer.

    • +
    • Entries to the AppData folder are made using the user context, not the system context.

    • +
    +

    When the virtual environment shuts down

    The local cached data in AppData (roaming) is zipped up and copied to the “real” roaming AppData folder in %AppData%. A time stamp, which indicates the last known upload, is simultaneously saved as a registry key under:

    +

    HKCU\Software\Microsoft\AppV\Client\Packages\<PACKAGE_GUID>\AppDataTime

    +

    To provide redundancy, App-V keeps the three most recent copies of the compressed data under %AppData%.

    + +  + +## Overview of folder redirection + + + ++++ + + + + + + + + + + + + + + + + + + +

    Purpose

    Enables end users to work with files, which have been redirected to another folder, as if the files still existed on the local drive.

    Description

    Folder redirection allows users and administrators to redirect the path of a folder to a network location. The documents in the folder are available to the user from any computer on the network.

    +
      +
    • Folder redirection allows users and administrators to redirect the path of a folder to a network location. The documents in the folder are available to the user from any computer on the network.

    • +
    • The new location can be a folder on the local computer or a folder on a shared network.

    • +
    • Folder redirection updates the files immediately, whereas roaming data is typically synchronized when the user logs in or logs off.

    • +

    Usage example

    You can redirect the Documents folder, which is usually stored on the computer's local hard disk, to a network location. The user can access the documents in the folder from any computer on the network.

    More resources

    [Folder redirection overview](http://technet.microsoft.com/library/cc778976.aspx)

    + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/manage/appv-planning-for-appv-server-deployment.md b/windows/manage/appv-planning-for-appv-server-deployment.md new file mode 100644 index 0000000000..982d10f933 --- /dev/null +++ b/windows/manage/appv-planning-for-appv-server-deployment.md 
@@ -0,0 +1,116 @@
+---
+title: Planning for the App-V Server Deployment (Windows 10)
+description: Planning for the App-V Server Deployment
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Planning for the App-V Server Deployment
+
+
+The Microsoft Application Virtualization (App-V) server infrastructure consists of a set of specialized features that can be installed on one or more server computers, based on the requirements of the enterprise.
+
+## Planning for App-V Server Deployment
+
+
+The App-V server consists of the following features:
+
+- Management Server – provides overall management functionality for the App-V infrastructure.
+
+- Management Database – facilitates database predeployments for App-V management.
+
+- Publishing Server – provides hosting and streaming functionality for virtual applications.
+
+- Reporting Server – provides App-V reporting services.
+
+- Reporting Database – facilitates database predeployments for App-V reporting.
+
+The following list displays the recommended methods for installing the App-V server infrastructure:
+
+- Install the App-V server. For more information, see [How to Deploy the App-V Server](appv-deploy-the-appv-server.md).
+
+- Install the database, reporting, and management features on separate computers. For more information, see [How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](appv-install-the-management-and-reporting-databases-on-separate-computers.md).
+
+- Use Electronic Software Distribution (ESD). For more information, see [How to deploy App-V Packages Using Electronic Software Distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md).
+
+- Install all server features on a single computer.
+ +## App-V Server Interaction + + +This section contains information about how the various App-V server roles interact with each other. + +The App-V Management Server contains the repository of packages and their assigned configurations. For Publishing Servers that are registered with the Management Server, the associated metadata is provided to the Publishing servers for use when publishing refresh requests are received from computers running the App-V Client. App-V publishing servers managed by a single management server can be serving different clients and can have different website names and port bindings. Additionally, all Publishing Servers managed by the same Management Server are replicas of each other. + +**Note**   +The Management Server does not perform any load balancing. The associated metadata is simply passed to the publishing server for use when processing client requests. + +  + +## Server-Related Protocols and External Features + + +The following displays information about server-related protocols used by the App-V servers. The table also includes the reporting mechanism for each server type. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
    Server TypeProtocolsExternal Features NeededReporting

    IIS server

    HTTP

    +

    HTTPS

    This server-protocol combination requires a mechanism to synchronize the content between the Management Server and the Streaming Server. When using HTTP or HTTPS, use an IIS server and a firewall to protect the server from exposure to the Internet.

    Internal

    File

    SMB

    This server-protocol combination requires support to synchronize the content between the Management Server and the Streaming Server. Use a client computer with file sharing or streaming capability.

    Internal

    + +  + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Planning to Deploy App-V](appv-planning-to-deploy-appv.md) + +[Deploying the App-V Server](appv-deploying-the-appv-server.md) + +  + +  + + + + + diff --git a/windows/manage/appv-planning-for-appv.md b/windows/manage/appv-planning-for-appv.md new file mode 100644 index 0000000000..3ffee286de --- /dev/null +++ b/windows/manage/appv-planning-for-appv.md 
@@ -0,0 +1,46 @@
+---
+title: Planning for App-V (Windows 10)
+description: Planning for App-V
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Planning for App-V
+
+Use this information to plan how to deploy App-V so that it does not disrupt your users or the network.
+
+## Planning information
+
+- [Preparing Your Environment for App-V](appv-preparing-your-environment.md)
+
+ This section describes the computing environment requirements and installation prerequisites that should be planned for before beginning App-V setup.
+
+- [Planning to Deploy App-V](appv-planning-to-deploy-appv.md)
+
+ This section describes the minimum hardware and software requirements necessary for App-V client, sequencer and server feature installations. Additionally, associated feature planning information is also displayed.
+
+- [App-V Planning Checklist](appv-planning-checklist.md)
+
+ Planning checklist that can be used to assist in App-V deployment planning.
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Other resources for App-V planning
+
+- [Application Virtualization (App-V) overview](appv-for-windows.md)
+
+- [Getting started with App-V](appv-getting-started.md)
+
+- [Deploying App-V](appv-deploying-appv.md)
+
+- [Operations for App-V](appv-operations.md)
+
+- [Troubleshooting App-V](appv-troubleshooting.md)
+
+- [Technical reference for App-V](appv-technical-reference.md)
diff --git a/windows/manage/appv-planning-for-high-availability-with-appv.md b/windows/manage/appv-planning-for-high-availability-with-appv.md
new file mode 100644
index 0000000000..9b84aeeb88
--- /dev/null
+++ b/windows/manage/appv-planning-for-high-availability-with-appv.md
@@ -0,0 +1,134 @@
+---
+title: Planning for High Availability with App-V Server (Windows 10)
+description: Planning for High Availability with App-V Server
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Planning for High Availability with App-V Server
+
+Microsoft Application Virtualization (App-V) system configurations can take advantage of options that maintain a high level of available service.
+
+Use the information in the following sections to help you understand the options to deploy App-V in a highly available configuration.
+
+- [Support for Microsoft SQL Server clustering](#bkmk-sqlcluster)
+
+- [Support for IIS Network Load Balancing](#bkmk-iisloadbal)
+
+- [Support for clustered file servers when running (SCS) mode](#bkmk-clusterscsmode)
+
+- [Support for Microsoft SQL Server Mirroring](#bkmk-sqlmirroring)
+
+- [Support for Microsoft SQL Server Always On](#bkmk-sqlalwayson)
+
+## Support for Microsoft SQL Server clustering
+
+
+You can run the App-V Management database and Reporting database on computers that are running Microsoft SQL Server clusters. However, you must install the databases using scripts.
+
+For instructions, see [How to Deploy the App-V Databases by Using SQL Scripts](appv-deploy-appv-databases-with-sql-scripts.md).
+
+## Support for IIS Network Load Balancing
+
+
+You can use Internet Information Services (IIS) Network Load Balancing to configure a highly available environment for computers running the App-V Management, Publishing, and Reporting services which are deployed through IIS.
+
+Review the following for more information about configuring IIS and Network Load Balancing for computers running Windows Server operating systems:
+
+- Provides information about configuring Internet Information Services (IIS) 7.0.
+
+ [Achieving High Availability and Scalability - ARR and NLB](http://www.iis.net/learn/extensions/configuring-application-request-routing-arr/achieving-high-availability-and-scalability-arr-and-nlb)
+
+- Configuring Microsoft Windows Server
+
+ [Network Load Balancing Overview](https://technet.microsoft.com/library/hh831698(v=ws.11).aspx).
+
+ This information also applies to IIS Network Load Balancing (NLB) clusters in Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.
+
+ **Note**   
+ The IIS Network Load Balancing functionality in Windows Server 2012 is generally the same as in Windows Server 2008 R2. However, some task details are changed in Windows Server 2012. For information on new ways to do tasks, see [Common Management Tasks and Navigation in Windows](https://technet.microsoft.com/library/hh831491.aspx).
+
+## Support for clustered file servers when running SCS mode
+
+Running App-V Server in Share Content Store (SCS) mode with clustered file servers is supported.
+
+The following steps can be used to enable this configuration:
+
+- Configure App-V to run in client SCS mode. For more information about configuring App-V SCS mode, see [How to Install the App-V Client for Shared Content Store Mode](appv-install-the-appv-client-for-shared-content-store-mode.md).
+
+- Configure the file server cluster, configured in either the scale out mode (which started with Windows Server 2012) or the earlier clustering mode, with a virtual SAN.
+
+The following steps can be used to validate the configuration:
+
+1. Add a package on the publishing server. For more information about adding a package, see [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md).
+
+2. Perform a publishing refresh on the computer running the App-V client and open an application.
+
+3. Switch cluster nodes mid-publishing refresh and mid-streaming to ensure failover works correctly.
+
+Review the following for more information about configuring Windows Server Failover clusters:
+
+- [Create a Failover Cluster](https://technet.microsoft.com/library/dn505754(v=ws.11).aspx).
+
+- [Use Cluster Shared Volumes in a Failover Cluster](https://technet.microsoft.com/library/jj612868(v=ws.11).aspx).
+
+## Support for Microsoft SQL Server Mirroring
+
+Using Microsoft SQL Server mirroring, where the App-V management server database is mirrored utilizing two SQL Server instances, for App-V management server databases is supported.
+
+Review the following for more information about configuring Microsoft SQL Server Mirroring:
+
+- [Prepare a Mirror Database for Mirroring (SQL Server)](https://technet.microsoft.com/library/ms189053.aspx)
+
+- [Establish a Database Mirroring Session Using Windows Authentication (SQL Server Management Studio)](https://msdn.microsoft.com/library/ms188712.aspx)
+
+The following steps can be used to validate the configuration:
+
+1. Initiate a Microsoft SQL Server Mirroring session.
+
+2. Select **Failover** to designate a new master Microsoft SQL Server instance.
+
+3. Verify that the App-V management server continues to function as expected after the failover.
+
+The connection string on the management server can be modified to include **failover partner = <server2>**. This will only help when the primary on the mirror has failed over to the secondary and the computer running the App-V client is doing a fresh connection (say after reboot).
+
+Use the following steps to modify the connection string to include **failover partner = <server2>**:
+
+**Important**   
+This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry.
Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk.
+
+
+1. Login to the management server and open **regedit**.
+
+2. Navigate to **HKEY\_LOCAL\_MACHINE** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Server** \\ **ManagementService**.
+
+3. Modify the **MANAGEMENT\_SQL\_CONNECTION\_STRING** value with the **failover partner = <server2>**.
+
+4. Restart management service using the IIS console.
+
+ **Note**   
+ Database Mirroring is on the list of Deprecated Database Engine Features for Microsoft SQL Server 2012 due to the **AlwaysOn** feature available starting with Microsoft SQL Server 2012.
+
+Click any of the following links for more information:
+
+- [Prepare a Mirror Database for Mirroring (SQL Server)](https://technet.microsoft.com/library/ms189053.aspx).
+
+- [Establish a Database Mirroring Session Using Windows Authentication (SQL Server Management Studio)](https://technet.microsoft.com/library/ms188712(v=sql.130).aspx).
+
+- [Deprecated Database Engine Features in SQL Server 2012](https://msdn.microsoft.com/library/ms143729(v=sql.110).aspx).
+
+## Support for Microsoft SQL Server Always On configuration
+
+The App-V management server database supports deployments to computers running Microsoft SQL Server with the **Always On** configuration. For more information, see [Always On Availability Groups (SQL Server)](https://technet.microsoft.com/library/hh510230.aspx).
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+[Planning to Deploy App-V](appv-planning-to-deploy-appv.md)
diff --git a/windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md b/windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md
new file mode 100644
index 0000000000..1b58aa37ae
--- /dev/null
+++ b/windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md
@@ -0,0 +1,154 @@ +--- +title: Planning for Migrating from a Previous Version of App-V (Windows 10) +description: Planning for Migrating from a Previous Version of App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Planning for Migrating from a Previous Version of App-V + + +Use the following information to plan how to migrate to Microsoft Application Virtualization (App-V) from previous versions of App-V. + +## Migration requirements + + +Before you start any upgrades, review the following requirements: + +- If you are upgrading from a version earlier than 4.6 SP2, upgrade to version 4.6 SP2 or version 4.6 SP3 first before upgrading to App-V or later. In this scenario, upgrade the App-V clients first, and then upgrade the server components. + +- App-V supports only packages that are created using App-V 5.0 or App-V, or packages that have been converted to the **.appv** format. + +- If you are upgrading the App-V Server from App-V 5.0 SP1, see [About App-V](appv-about-appv.md#bkmk-migrate-to-51) for instructions. + +## Running the App-V client concurrently with App-V 4.6 SP2 or later + + +You can run the App-V client concurrently on the same computer with the App-V 4.6 SP2 client or App-V 4.6 SP3 client. + +When you run coexisting App-V clients, you can: + +- Convert an App-V 4.6 SP2 or 4.6 SP3 package to the App-V format and publish both packages, when you have both clients running. + +- Define the migration policy for the converted package, which allows the converted App-V package to assume the file type associations and shortcuts from the App-V 4.6 SP2 package. + +### Supported coexistence scenarios + +The following table shows the supported App-V coexistence scenarios. We recommend that you install the latest available updates of a given release when you are running coexisting clients. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    App-V 4.6.x client typeApp-V client type

    App-V 4.6 SP2

    App-V

    App-V 4.6 SP2 RDS

    App-V RDS

    App-V 4.6 SP3

    App-V

    App-V 4.6 SP3 RDS

    App-V RDS

    + +  + +### Requirements for running coexisting clients + +To run coexisting clients, you must: + +- Install the App-V 4.6 SP2 or App-V 4.6 SP3 client before you install the App-V client. + +- Enable the **Enable Migration Mode** Group Policy setting, which is in the **App-V** > **Client Coexistence** node. To deploy the .admx template, see [How to Download and Deploy MDOP Group Policy (.admx) Templates](http://technet.microsoft.com/library/dn659707.aspx). + +**Note**   +App-V packages can run side by side with App-V 4.X packages if you have coexisting installations of App-V and 4.X. However, App-V packages cannot interact with App-V 4.X packages in the same virtual environment. + +  + +### Client downloads and documentation + +The following table provides links to the App-V 4.6.x client downloads and to the TechNet documentation about the releases. The downloads include the App-V “regular” and RDS clients. The TechNet documentation about the App-V client applies to both clients, unless stated otherwise. + + +++++ + + + + + + + + + + + + + + + + + + + +
    App-V versionLink to download the clientLink to TechNet documentation

    App-V 4.6 SP2

    [Microsoft Application Virtualization 4.6 Service Pack 2](http://www.microsoft.com/download/details.aspx?id=35513)

    [About Microsoft Application Virtualization 4.6 SP2](http://technet.microsoft.com/library/jj680847.aspx)

    App-V 4.6 SP3

    [Microsoft Application Virtualization 4.6 Service Pack 3](http://www.microsoft.com/download/details.aspx?id=41187)

    [About Microsoft Application Virtualization 4.6 SP3](http://technet.microsoft.com/library/dn511019.aspx)

    + +  + +For more information about how to configure App-V client coexistence, see: + +- [App-V 5.0 Coexistence and Migration](http://technet.microsoft.com/windows/jj835811.aspx) + +## Converting “previous-version” packages using the package converter + + +Before migrating a package, created using App- 4.6 SP2 or earlier, to App-V, review the following requirements: + +- You must convert the package to the **.appv** file format. + +- The Package Converter supports only the direct conversion of packages that were created by using App-V 4.5 and later. To use the package converter on a package that was created using a previous version, you must use an App-V 4.5 or later version of the sequencer to upgrade the package, and then you can perform the package conversion. + +For more information about using the package converter to convert a package, see [How to Convert a Package Created in a Previous Version of App-V](appv-convert-a-package-created-in-a-previous-version-of-appv.md). After you convert the file, you can deploy it to target computers that run the App-V client. + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Planning to Deploy App-V](appv-planning-to-deploy-appv.md) + +  + +  + + + + + diff --git a/windows/manage/appv-planning-for-sequencer-and-client-deployment.md b/windows/manage/appv-planning-for-sequencer-and-client-deployment.md new file mode 100644 index 0000000000..7da2d52c61 --- /dev/null +++ b/windows/manage/appv-planning-for-sequencer-and-client-deployment.md 
@@ -0,0 +1,72 @@ +--- +title: Planning for the App-V Sequencer and Client Deployment (Windows 10) +description: Planning for the App-V Sequencer and Client Deployment +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Planning for the App-V Sequencer and Client Deployment + + +Before you can use App-V, you must install the App-V Sequencer, enable the App-V client, and optionally the App-V shared content store. The following sections address planning for these installations. + +## Planning for App-V Sequencer deployment + + +App-V uses a process called sequencing to create virtualized applications and application packages. Sequencing requires the use of a computer that runs the App-V Sequencer. + +> [!NOTE] +> For information about the new functionality of App-V sequencer, see the **Sequencer Improvements** section of [About App-V](appv-about-appv.md). + + +The computer that runs the App-V sequencer must meet the minimum system requirements. For a list of these requirements, see [App-V Supported Configurations](appv-supported-configurations.md). + +Ideally, you should install the sequencer on a computer running as a virtual machine. This enables you to more easily revert the computer running the sequencer to a “clean” state before sequencing another application. When you install the sequencer using a virtual machine, you should perform the following steps: + +1. Install all associated sequencer prerequisites. + +2. Install the sequencer. + +3. Take a “snapshot” of the environment. + +> [!IMPORTANT] +>You should have your corporate security team review and approve the sequencing process plan. For security reasons, you should keep the sequencer operations in a lab that is separate from the production environment. The separation arrangement can be as simple or as comprehensive as necessary, based on your business requirements. 
The sequencing computers must be able to connect to the corporate network to copy finished packages to the production servers. However, because the sequencing computers are typically operated without antivirus protection, they must not be on the corporate network unprotected. For example, you might be able to operate behind a firewall or on an isolated network segment. You might also be able to use virtual machines that are configured to share an isolated virtual network. Follow your corporate security policies to safely address these concerns. + + +## Planning for App-V client deployment + +In Windows 10, version 1607, the App-V client is included with the operating system. For more info, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). + +For a list of the client minimum requirements see [App-V Prerequisites](appv-prerequisites.md). + + +## Planning for the App-V Shared Content Store (SCS) + +The App-V Shared Content Store mode allows the computer running the App-V client to run virtualized applications and none of the package contents is saved on the computer running the App-V client. Virtual applications are streamed to target computers only when requested by the client. + +The following list displays some of the benefits of using the App-V Shared Content Store: + +- Reduced app-to-app and multi-user application conflicts and hence a reduced need for regression testing + +- Accelerated application deployment by reduction of deployment risk + +- Simplified profile management + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). 
+ +## Other resources for the App-V deployment + +- [Planning to Deploy App-V](appv-planning-to-deploy-appv.md) + +## Related topics + +- [How to Install the Sequencer](appv-install-the-sequencer.md) + +- [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md) + +- [How to Install the App-V Client for Shared Content Store Mode](appv-install-the-appv-client-for-shared-content-store-mode.md) diff --git a/windows/manage/appv-planning-for-using-appv-with-office.md b/windows/manage/appv-planning-for-using-appv-with-office.md new file mode 100644 index 0000000000..c272ff6893 --- /dev/null +++ b/windows/manage/appv-planning-for-using-appv-with-office.md 
@@ -0,0 +1,303 @@ +--- +title: Planning for Using App-V with Office (Windows 10) +description: Planning for Using App-V with Office +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Planning for Using App-V with Office + +Use the following information to plan how to deploy Office by using Microsoft Application Virtualization (App-V). This article includes: + +- [App-V support for Language Packs](#bkmk-lang-pack) + +- [Supported versions of Microsoft Office](#bkmk-office-vers-supp-appv) + +- [Planning for using App-V with coexisting versions of Office](#bkmk-plan-coexisting) + +- [How Office integrates with Windows when you deploy use App-V to deploy Office](#bkmk-office-integration-win) + +## App-V support for Language Packs + +You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office 2013 package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group. + +**Note**   +Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack. + +  + +## Supported versions of Microsoft Office + + +The following table lists the versions of Microsoft Office that App-V supports, methods of Office package creation, supported licensing, and supported deployments. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
    Supported Office VersionPackage CreationSupported LicensingSupported Deployments

    Office 365 ProPlus

    +

    Also supported:

    +
      +
    • Visio Pro for Office 365

    • +
    • Project Pro for Office 365

    • +

    Office Deployment Tool

    Subscription

      +
    • Desktop

    • +
    • Personal VDI

    • +
    • Pooled VDI

    • +
    • RDS

    • +

    Office Professional Plus 2013

    +

    Also supported:

    +
      +
    • Visio Professional 2013

    • +
    • Project Professional 2013

    • +

    Office Deployment Tool

    Volume Licensing

      +
    • Desktop

    • +
    • Personal VDI

    • +
    • Pooled VDI

    • +
    • RDS

    • +
    + +  + +## Planning for using App-V with coexisting versions of Office + + +You can install more than one version of Microsoft Office side by side on the same computer by using “Microsoft Office coexistence.” You can implement Office coexistence with combinations of all major versions of Office and with installation methods, as applicable, by using the Windows Installer-based (MSi) version of Office, Click-to-Run, and App-V. However, using Office coexistence is not recommended by Microsoft. + +Microsoft’s recommended best practice is to avoid Office coexistence completely to prevent compatibility issues. However, when you are migrating to a newer version of Office, issues occasionally arise that can’t be resolved immediately, so you can temporarily implement coexistence to help facilitate a faster migration to the latest product version. Using Office coexistence on a long-term basis is never recommended, and your organization should have a plan to fully transition in the immediate future. + +### Before you implement Office coexistence + +Before implementing Office coexistence, review the following Office documentation. Choose the article that corresponds to the newest version of Office for which you plan to implement coexistence. + + ++++ + + + + + + + + + + + + + + + + +
    Office versionLink to guidance

    Office 2013

    [Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office](http://support.microsoft.com/kb/2784668)

    Office 2010

    [Information about how to use Office 2010 suites and programs on a computer that is running another version of Office](http://support.microsoft.com/kb/2121447)

    + +  + +The Office documentation provides extensive guidance on coexistence for Windows Installer-based (MSi) and Click-to-Run installations of Office. This App-V topic on coexistence supplements the Office guidance with information that is more specific to App-V deployments. + +### Supported Office coexistence scenarios + +The following tables summarize the supported coexistence scenarios. They are organized according to the version and deployment method you’re starting with and the version and deployment method you are migrating to. Be sure to fully test all coexistence solutions before deploying them to a production audience. + +**Note**   +Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service. + +  + +### Windows integrations & Office coexistence + +The Windows Installer-based and Click-to-Run Office installation methods integrate with certain points of the underlying Windows operating system. When you use coexistence, common operating system integrations between two Office versions can conflict, causing compatibility and user experience issues. With App-V, you can sequence certain versions of Office to exclude integrations, thereby “isolating” them from the operating system. + + ++++ + + + + + + + + + + + + + + + + + + + + +
    Mode in which App-V can sequence this version of Office

    Office 2007

    Always non-integrated. App-V does not offer any operating system integrations with a virtualized version of Office 2007.

    Office 2010

    Integrated and non-integrated mode.

    Office 2013

    Always integrated. Windows operating system integrations cannot be disabled.

    + +  + +Microsoft recommends that you deploy Office coexistence with only one integrated Office instance. For example, if you’re using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. For more information about sequencing Office in non-integration (isolated) mode, see [How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://support.microsoft.com/kb/2830069). + +### Known limitations of Office coexistence scenarios + +The following sections describe some issues that you might encounter when using App-V to implement coexistence with Office. + +### Limitations common to Windows Installer-based/Click-to-Run and App-V Office coexistence scenarios + +The following limitations can occur when you install the following versions of Office on the same computer: + +- Office 2010 by using the Windows Installer-based version + +- Office 2013 by using App-V + +After you publish Office 2013 by using App-V side by side with an earlier version of the Windows Installer-based Office 2010 might also cause the Windows Installer to start. This is because the Windows Installer-based or Click-to-Run version of Office 2010 is trying to automatically register itself to the computer. + +To bypass the auto-registration operation for native Word 2010, follow these steps: + +1. Exit Word 2010. + +2. Start the Registry Editor by doing the following: + + - In Windows 7: Click **Start**, type **regedit** in the Start Search box, and then press Enter. + + - In Windows 8.1 or Windows 10, type **regedit** press Enter on the Start page and then press Enter. + + If you are prompted for an administrator password or for a confirmation, type the password, or click **Continue**. + +3. Locate and then select the following registry subkey: + + ``` syntax + HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options + ``` + +4. On the **Edit** menu, click **New**, and then click **DWORD Value**. + +5. 
Type **NoReReg**, and then press Enter. + +6. Right-click **NoReReg** and then click **Modify**. + +7. In the **Valuedata** box, type **1**, and then click **OK**. + +8. On the File menu, click **Exit** to close Registry Editor. + +## How Office integrates with Windows when you use App-V to deploy Office + + +When you deploy Office 2013 by using App-V, Office is fully integrated with the operating system, which provides end users with the same features and functionality as Office has when it is deployed without App-V. + +The Office 2013 App-V package supports the following integration points with the Windows operating system: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Extension PointDescription

    Lync meeting Join Plug-in for Firefox and Chrome

    User can join Lync meetings from Firefox and Chrome

    Sent to OneNote Print Driver

    User can print to OneNote

    OneNote Linked Notes

    OneNote Linked Notes

    Send to OneNote Internet Explorer Add-In

    User can send to OneNote from IE

    Firewall Exception for Lync and Outlook

    Firewall Exception for Lync and Outlook

    MAPI Client

    Native apps and add-ins can interact with virtual Outlook through MAPI

    SharePoint Plug-in for Firefox

    User can use SharePoint features in Firefox

    Mail Control Panel Applet

    User gets the mail control panel applet in Outlook

    Primary Interop Assemblies

    Support managed add-ins

    Office Document Cache Handler

    Allows Document Cache for Office applications

    Outlook Protocol Search handler

    User can search in outlook

    Active X Controls

    For more information on ActiveX controls, refer to [ActiveX Control API Reference](https://msdn.microsoft.com/library/vs/alm/ms440037(v=office.14).aspx).

    OneDrive Pro Icon Overlays

    Windows Explorer shell icon overlays when users look at folders OneDrive Pro folders

    Shell extensions

    Shortcuts

    Windows Search

    + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/manage/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/manage/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md new file mode 100644 index 0000000000..f323d22bfb --- /dev/null +++ b/windows/manage/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -0,0 +1,28 @@ +--- +title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10) +description: Planning to Deploy App-V with an Electronic Software Distribution System +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Planning to Deploy App-V with an electronic software distribution system + +If you are using an electronic software distribution system to deploy App-V packages, review the following planning considerations. For information about using System Center Configuration Manager to deploy App-V, see [Introduction to Application Management in Configuration Manager](http://go.microsoft.com/fwlink/?LinkId=281816). + +Review the following component and architecture requirements options that apply when you use an ESD to deploy App-V packages: + +| Deployment requirement or option | Description | +| - | - | +| The App-V Management server, Management database, and Publishing server are not required. | These functions are handled by the implemented ESD solution. | +| You can deploy the App-V Reporting server and Reporting database side by side with the ESD. | The side-by-side deployment lets you to collect data and generate reports.
    If you enable the App-V client to send report information, and you are not using the App-V Reporting server, the reporting data is stored in associated .xml files. | + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + +- [Planning to deploy App-V](appv-planning-to-deploy-appv.md) diff --git a/windows/manage/appv-planning-to-deploy-appv.md b/windows/manage/appv-planning-to-deploy-appv.md new file mode 100644 index 0000000000..a18db4a671 --- /dev/null +++ b/windows/manage/appv-planning-to-deploy-appv.md 
@@ -0,0 +1,74 @@ +--- +title: Planning to Deploy App-V (Windows 10) +description: Planning to Deploy App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Planning to Deploy App-V + +You should consider a number of different deployment configurations and prerequisites before you create your deployment plan for App-V. This section includes information that can help you gather the information that you must have to formulate a deployment plan that best meets your business requirements. + +## App-V supported configurations + +Describes the minimum hardware and operating system requirements for each App-V components. For information about software prerequisites that you must install before you install App-V, see [App-V Prerequisites](appv-prerequisites.md). + +[App-V Supported Configurations](appv-supported-configurations.md) + +## App-V capacity planning + +Describes the available options for scaling your App-V deployment. + +[App-V Capacity Planning](appv-capacity-planning.md) + +## Planning for high availability with App-V + +Describes the available options for ensuring high availability of App-V databases and services. + +[Planning for High Availability with App-V](appv-planning-for-high-availability-with-appv.md) + +## Planning to Deploy App-V with an Electronic Software Distribution System + +Describes the options and requirements for deploying App-V with an electronic software distribution system. + +[Planning to Deploy App-V with an Electronic Software Distribution System](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md) + +## Planning for the App-V Server deployment + +Describes the planning considerations for the App-V Server components and their functions. 
+ +[Planning for the App-V Server Deployment](appv-planning-for-appv-server-deployment.md) + +## Planning for the App-V Sequencer and Client deployment + +Describes the planning considerations for the App-V Client and for the Sequencer software, which you use to create virtual applications and application packages. + +[Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md) + +## Planning for migrating from a previous version of App-V + +Describes the recommended path for migrating from previous versions of App-V, while ensuring that existing server configurations, packages and clients continue to work in your new App-V environment. + +[Planning for Migrating from a Previous Version of App-V](appv-planning-for-migrating-from-a-previous-version-of-appv.md) + +## Planning for using App-V with Office + +Describes the requirements for using App-V with Office and explains the supported scenarios, including information about coexisting versions of Office. + +[Planning for Using App-V with Office](appv-planning-for-using-appv-with-office.md) + +## Planning to use folder redirection with App-V + +Explains how folder redirection works with App-V. + +[Planning to Use Folder Redirection with App-V](appv-planning-folder-redirection-with-appv.md) + +## Other Resources for App-V Planning + +- [Planning for App-V](appv-planning-for-appv.md) + +- [Performance Guidance for Application Virtualization](appv-performance-guidance.md) diff --git a/windows/manage/appv-preparing-your-environment.md b/windows/manage/appv-preparing-your-environment.md new file mode 100644 index 0000000000..1af564cc9d --- /dev/null +++ b/windows/manage/appv-preparing-your-environment.md 
@@ -0,0 +1,33 @@ +--- +title: Preparing Your Environment for App-V (Windows 10) +description: Preparing Your Environment for App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Preparing Your Environment for App-V + +There are a number of different deployment configurations and prerequisites that you must consider before you create your deployment plan for Microsoft Application Virtualization (App-V). This section includes information that can help you gather the information that you must have to formulate a deployment plan that best meets your business requirements. + +## App-V prerequisites + +- [App-V Prerequisites](appv-prerequisites.md) + + Lists the prerequisite software that you must install before installing App-V. + +## App-V security considerations + +- [App-V Security Considerations](appv-security-considerations.md) + + Describes accounts, groups, log files, and other considerations for securing your App-V environment. + +## Have a suggestion for App-V? + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Other resources for App-V planning + +- [Planning for App-V](appv-planning-for-appv.md) diff --git a/windows/manage/appv-prerequisites.md b/windows/manage/appv-prerequisites.md new file mode 100644 index 0000000000..b8b112eea4 --- /dev/null +++ b/windows/manage/appv-prerequisites.md 
@@ -0,0 +1,658 @@ +--- +title: App-V Prerequisites (Windows 10) +description: App-V Prerequisites +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# App-V Prerequisites + + +Before installing App-V, ensure that you have installed all of the following required prerequisite software. + +For a list of supported operating systems and hardware requirements for the App-V Server, Sequencer, and Client, see [App-V Supported Configurations](appv-supported-configurations.md). + +## Summary of software preinstalled on each operating system + + +The following table indicates the software that is already installed for different operating systems. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    Operating systemPrerequisite description

    Windows 10

    All of the prerequisite software is already installed.

    Windows 8.1

    All of the prerequisite software is already installed.

    +
    +Note   +

    If you are running Windows 8, upgrade to Windows 8.1 before using App-V.

    +
    +
    +  +

    Windows Server 2012

    The following prerequisite software is already installed:

    +
      +
    • Microsoft .NET Framework 4.5

    • +
    • Windows PowerShell 3.0

      +
      +Note   +

      Installing Windows PowerShell 3.0 requires a restart.

      +
      +
      +  +
    • +

    Windows 7

    The prerequisite software is not already installed. You must install it before you can install App-V.

    + +  + +## App-V Server prerequisite software + + +Install the required prerequisite software for the App-V Server components. + +### What to know before you start + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

    Account for installing the App-V Server

    The account that you use to install the App-V Server components must have:

    +
      +
    • Administrative rights on the computer on which you are installing the components.

    • +
    • The ability to query Active Directory Domain Services.

    • +

    Port and firewall

      +
    • Specify a port where each component will be hosted.

    • +
    • Add the associated firewall rules to allow incoming requests to the specified ports.

    • +
    +

    Web Distributed Authoring and Versioning (WebDAV)

    WebDAV is automatically disabled for the Management Service.

    Supported deployment scenarios

      +
    • A stand-alone deployment, where all components are deployed on the same server.

    • +
    • A distributed deployment.

    • +

    Unsupported deployment scenarios

      +
    • Installing side-by-side instances of multiple App-V Server versions on the same server.

    • +
    • Installing the App-V server components on a computer that runs server core or domain controller.

    • +
    + +  + +### Management server prerequisite software + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Prerequisites and required settingsDetails

    Supported version of SQL Server

    For supported versions, see [App-V Supported Configurations](appv-supported-configurations.md).

    [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

    [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595)

    Installing Windows PowerShell 3.0 requires a restart.

    Download and install [KB2533623](http://support.microsoft.com/kb/2533623)

    Applies to Windows 7 only.

    [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

    64-bit ASP.NET registration

    Windows Server Web Server Role

    This role must be added to a server operating system that is supported for the Management server.

    Web Server (IIS) Management Tools

    Click IIS Management Scripts and Tools.

    Web Server Role Services

    Common HTTP Features:

    +
      +
    • Static Content

    • +
    • Default Document

    • +
    +

    Application Development:

    +
      +
    • ASP.NET

    • +
    • .NET Extensibility

    • +
    • ISAPI Extensions

    • +
    • ISAPI Filters

    • +
    +

    Security:

    +
      +
    • Windows Authentication

    • +
    • Request Filtering

    • +
    +

    Management Tools:

    +
      +
    • IIS Management Console

    • +

    Default installation location

    %PROGRAMFILES%\Microsoft Application Virtualization Server

    Location of the Management database

    SQL Server database name, SQL Server database instance name, and database name.

    Management console and Management database permissions

    A user or group that can access the Management console and database after the deployment is complete. Only these users or groups will have access to the Management console and database unless additional administrators are added by using the Management console.

    Management service website name

    Name for the Management console website.

    Management service port binding

    Unique port number for the Management service. This port cannot be used by another process on the computer.

    + +> [!IMPORTANT] +> JavaScript must be enabled on the browser that opens the Web Management Console. + +### Management server database prerequisite software + +The Management database is required only if you are using the App-V Management server. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Prerequisites and required settingsDetails

    [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

    [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

    Default installation location

    %PROGRAMFILES%\Microsoft Application Virtualization Server

    Custom SQL Server instance name (if applicable)

    Format to use: INSTANCENAME

    +

    This format is based on the assumption that the installation is on the local computer.

    +

    If you specify the name with the format SVR\INSTANCE, the installation will fail.

    Custom database name (if applicable)

    Unique database name.

    +

    Default: AppVManagement

    Management server location

    Machine account on which the Management server is deployed.

    +

    Format to use: Domain\MachineAccount

    Management server installation administrator

    Account used to install the Management server.

    +

    Format to use: Domain\AdministratorLoginName

    Microsoft SQL Server Service Agent

    Configure the Management database computer so that the Microsoft SQL Server Agent service is restarted automatically. For instructions, see [Configure SQL Server Agent to Restart Services Automatically](http://technet.microsoft.com/magazine/gg313742.aspx).

    + +  + +### Publishing server prerequisite software + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Prerequisites and required settingsDetails

    [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

    [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

    64-bit ASP.NET registration

    Web Server Role

    This role must be added to a server operating system that is supported for the Management server.

    Web Server (IIS) Management Tools

    Click IIS Management Scripts and Tools.

    Web Server Role Services

    Common HTTP Features:

    +
      +
    • Static Content

    • +
    • Default Document

    • +
    +

    Application Development:

    +
      +
    • ASP.NET

    • +
    • .NET Extensibility

    • +
    • ISAPI Extensions

    • +
    • ISAPI Filters

    • +
    +

    Security:

    +
      +
    • Windows Authentication

    • +
    • Request Filtering

    • +
    +

    Management Tools:

    +
      +
    • IIS Management Console

    • +

    Default installation location

    %PROGRAMFILES%\Microsoft Application Virtualization Server

    Management service URL

    URL of the App-V Management service. This is the port with which the Publishing server communicates.

    + ++++ + + + + + + + + + + + + + + + + +
    Installation architectureFormat to use for the URL

    Management server and Publishing server are installed on the same server

    http://localhost:12345

    Management server and Publishing server are installed on different servers

    http://MyAppvServer.MyDomain.com

    +

     

    +

    Publishing service website name

    Name for the Publishing website.

    Publishing service port binding

    Unique port number for the Publishing service. This port cannot be used by another process on the computer.

    + +  + +### Reporting server prerequisite software + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Prerequisites and required settingsDetails

    Supported version of SQL Server

    For supported versions, see [App-V Supported Configurations](appv-supported-configurations.md).

    [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

    [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

    64-bit ASP.NET registration

    Windows Server Web Server Role

    This role must be added to a server operating system that is supported for the Management server.

    Web Server (IIS) Management Tools

    Click IIS Management Scripts and Tools.

    Web Server Role Services

    To reduce the risk of unwanted or malicious data being sent to the Reporting server, you should restrict access to the Reporting Web Service per your corporate security policy.

    +

    Common HTTP Features:

    +
      +
    • Static Content

    • +
    • Default Document

    • +
    +

    Application Development:

    +
      +
    • ASP.NET

    • +
    • .NET Extensibility

    • +
    • ISAPI Extensions

    • +
    • ISAPI Filters

    • +
    +

    Security:

    +
      +
    • Windows Authentication

    • +
    • Request Filtering

    • +
    +

    Management Tools:

    +
      +
    • IIS Management Console

    • +

    Default installation location

    %PROGRAMFILES%\Microsoft Application Virtualization Server

    Reporting service website name

    Name for the Reporting website.

    Reporting service port binding

    Unique port number for the Reporting service. This port cannot be used by another process on the computer.

    + +  + +### Reporting database prerequisite software + +The Reporting database is required only if you are using the App-V Reporting server. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Prerequisites and required settingsDetails

    [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

    [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

    Default installation location

    %PROGRAMFILES%\Microsoft Application Virtualization Server

    Custom SQL Server instance name (if applicable)

    Format to use: INSTANCENAME

    +

    This format is based on the assumption that the installation is on the local computer.

    +

    If you specify the name with the format SVR\INSTANCE, the installation will fail.

    Custom database name (if applicable)

    Unique database name.

    +

    Default: AppVReporting

    Reporting server location

    Machine account on which the Reporting server is deployed.

    +

    Format to use: Domain\MachineAccount

    Reporting server installation administrator

    Account used to install the Reporting server.

    +

    Format to use: Domain\AdministratorLoginName

    Microsoft SQL Server Service and Microsoft SQL Server Service Agent

    Configure these services to be associated with user accounts that have access to query AD DS.

    + +  + +## App-V client prerequisite software + + +Install the following prerequisite software for the App-V client. + +> [!NOTE] +> This is not required on Windows 10, version 1607. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    PrerequisiteDetails

    [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

    [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595)

    +

    Installing PowerShell 3.0 requires a restart.

    [KB2533623](http://support.microsoft.com/kb/2533623)

    Applies to Windows 7 only: Download and install the KB.

    [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

    + +  + +## Remote Desktop Services client prerequisite software + + +Install the following prerequisite software for the App-V Remote Desktop Services client. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    PrerequisiteDetails

    [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

    [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595)

    +

    Installing PowerShell 3.0 requires a restart.

    [KB2533623](http://support.microsoft.com/kb/2533623)

    Applies to Windows 7 only: Download and install the KB.

    [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

    + +  + +## Sequencer prerequisite software + + +**What to know before installing the prerequisites:** + +- Best practice: The computer that runs the Sequencer should have the same hardware and software configurations as the computers that will run the virtual applications. + +- The sequencing process is resource intensive, so make sure that the computer that runs the Sequencer has plenty of memory, a fast processor, and a fast hard drive. The system requirements of locally installed applications cannot exceed those of the Sequencer. For more information, see [App-V Supported Configurations](appv-supported-configurations.md). + + ++++ + + + + + + + + + + + + + + + + + + + + +
    PrerequisiteDetails

    [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

    [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595)

    +

    Installing Windows PowerShell 3.0 requires a restart.

    [KB2533623](http://support.microsoft.com/kb/2533623)

    Applies to Windows 7 only: Download and install the KB.

    + + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + +- [Planning for App-V](appv-planning-for-appv.md) +- [App-V Supported Configurations](appv-supported-configurations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-publish-a-connection-group.md b/windows/manage/appv-publish-a-connection-group.md new file mode 100644 index 0000000000..9f4e344c77 --- /dev/null +++ b/windows/manage/appv-publish-a-connection-group.md @@ -0,0 +1,39 @@ +--- +title: How to Publish a Connection Group (Windows 10) +description: How to Publish a Connection Group +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Publish a Connection Group + + +After you create a connection group, you must publish it to computers that run the App-V client. + +**To publish a connection group** + +1. Open the App-V Management Console, and select **CONNECTION GROUPS**. + +2. Right-click the connection group to be published, and select **publish**. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +[Managing Connection Groups](appv-managing-connection-groups.md) + +  + +  + + + + + diff --git a/windows/manage/appv-publish-a-packages-with-the-management-console.md b/windows/manage/appv-publish-a-packages-with-the-management-console.md new file mode 100644 index 0000000000..d66b07c352 --- /dev/null 
+++ b/windows/manage/appv-publish-a-packages-with-the-management-console.md 
@@ -0,0 +1,56 @@ +--- +title: How to Publish a Package by Using the Management Console (Windows 10) +description: How to Publish a Package by Using the Management Console +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Publish a Package by Using the Management Console + + +Use the following procedure to publish an App-V package. Once you publish a package, computers that are running the App-V client can access and run the applications in that package. + +**Note**   +The ability to enable only administrators to publish or unpublish packages (described below) is supported starting in App-V 5.0 SP3. + +  + +**To publish an App-V package** + +1. In the App-V Management console. Click or right-click the name of the package to be published. Select **Publish**. + +2. Review the **Status** column to verify that the package has been published and is now available. If the package is available, the status **published** is displayed. + + If the package is not published successfully, the status **unpublished** is displayed, along with error text that explains why the package is not available. + +**To enable only administrators to publish or unpublish packages** + +1. Navigate to the following Group Policy Object node: + + **Computer Configuration > Policies > Administrative Templates > System > App-V > Publishing**. + +2. Enable the **Require publish as administrator** Group Policy setting. + + To alternatively use PowerShell to set this item, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs). + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). 
**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +[How to Configure Access to Packages by Using the Management Console](appv-configure-access-to-packages-with-the-management-console.md) + +  + +  + + + + + diff --git a/windows/manage/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/manage/appv-register-and-unregister-a-publishing-server-with-the-management-console.md new file mode 100644 index 0000000000..9b3b9d8b15 --- /dev/null +++ b/windows/manage/appv-register-and-unregister-a-publishing-server-with-the-management-console.md 
@@ -0,0 +1,51 @@ +--- +title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10) +description: How to Register and Unregister a Publishing Server by Using the Management Console +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Register and Unregister a Publishing Server by Using the Management Console + + +You can register and unregister publishing servers that will synchronize with the App-V management server. You can also see the last attempt that the publishing server made to synchronize the information with the management server. + +Use the following procedure to register or unregister a publishing server. + +**To register a publishing server using the Management Console** + +1. Connect to the Management Console and select **Servers**. For more information about how to connect to the Management Console, see [How to Connect to the Management Console](appv-connect-to-the-management-console.md). + +2. A list of publishing servers that already synchronize with the management server is displayed. Click Register New Server to register a new server. + +3. Type a computer name of a domain joined computer on the **Server Name** line, to specify a name for the server. You should also include a domain name, for example, **MyDomain\\TestServer**. Click **Check**. + +4. Select the computer and click **Add** to add the computer to the list of servers. The new server will be displayed in the list. + +**To unregister a publishing server using the Management Console** + +1. Connect to the Management Console and select **Servers**. For more information about how to connect to the Management Console, see [How to Connect to the Management Console](appv-connect-to-the-management-console.md). + +2. A list of publishing servers that synchronize with the management server is displayed. + +3. 
To unregister the server, right-click the computer name and select the computer name and select **unregister server**. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-release-notes-for-appv-for-windows.md b/windows/manage/appv-release-notes-for-appv-for-windows.md new file mode 100644 index 0000000000..618d92d9da --- /dev/null +++ b/windows/manage/appv-release-notes-for-appv-for-windows.md 
@@ -0,0 +1,162 @@ +--- +title: Release Notes for App-V (Windows 10) +description: Release Notes for App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Release Notes for App-V for Windows 10, version 1607 + +Applies to: Windows 10, version 1607 + +Review these known issues in Microsoft Application Virtualization (App-V) for Windows. + +## Error occurs during publishing refresh between App-V 5.0 SP3 Management Server and App-V Client on Windows 10 + + +An error is generated during publishing refresh when synchronizing packages from the App-V 5.0 SP3 management server to an App-V client on Windows 10 . This error occurs because the App-V 5.0 SP3 server does not understand the Windows 10 operating system that is specified in the publishing URL. The issue is fixed for App-V publishing server, but is not backported to versions of App-V 5.0 SP3 or earlier. + +**Workaround**: Upgrade the App-V 5.0 management server to the App-V management server for Windows 10 clients. + +## Custom configurations do not get applied for packages that will be published globally if they are set using the App-V Server + +If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration will not be applied to those machines. The App-V Client will publish packages assigned to a machine account globally. However, it stores custom configuration files per user in each user’s profile. Globally published packages will not have access to this custom configuration. + +**Workaround**: Do one of the following: + +- Assign the package to groups containing only user accounts. This will ensure that the package’s custom configuration is stored in each user’s profile and will be applied correctly. 
+ +- Create a custom deployment configuration file and apply it to the package on the client using the Add-AppvClientPackage cmdlet with the –DynamicDeploymentConfiguration parameter. See [About App-V Dynamic Configuration](appv-dynamic-configuration.md) for more information. + +- Create a new package with the custom configuration using the App-V sequencer. + +## Server files not deleted after new App-V for Windows server installation + + +If you uninstall the App-V 5.0 SP1 Server and then install the App-V Server, the installation fails, the wrong version of the Management server is installed, and an error message is returned. The issue occurs because the Server files are not being deleted when you uninstall App-V 5.0 SP1, so the installation process does an upgrade instead of a new installation. + +**Workaround**: Delete this registry key before you start installing App-V: + +Under HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall, locate and delete the installation GUID key that contains the DWORD value "DisplayName" with value data "Microsoft Application Virtualization (App-V) Server". This is the only key that should be deleted. + +## File type associations added manually are not saved correctly + + +File type associations added to an application package manually using the Shortcuts and FTAs tab at the end of the application upgrade wizard are not saved correctly. They will not be available to the App-V Client or to the Sequencer when updating the saved package again. + +**Workaround**: To add a file type association, open the package for modification and run the update wizard. During the Installation step, add the new file type association through the operating system. The sequencer will detect the new association in the system registry and add it to the package’s virtual registry, where it will be available to the client. 
+ +## When streaming packages in Shared Content Store (SCS) mode to a client that is also managed with AppLocker, additional data is written to the local disk. + + +To decrease the amount of data written to a client’s local disk, you can enable SCS mode on the App-V Client to stream the contents of a package on demand. However, if AppLocker manages an application within the package, some data might be written to the client’s local disk that would not otherwise be written. + +**Workaround**: None + +## In the Management Console Add Package dialog box, the Browse button is not available when using Chrome or Firefox + + +On the Packages page of the Management Console, if you click **Add or Upgrade** in the lower-right corner, the **Add Package** dialog box appears. If you are accessing the Management Console using Chrome or Firefox as your browser, you will not be able to browse to the location of the package. + +**Workaround**: Type or copy and paste the path to the package into the **Add Package** input field. If the Management Console has access to this path, you will be able to add the package. If the package is on a network share, you can browse to the location using File Explorer by doing these steps: + +1. While pressing **Shift**, right-click on the package file + +2. Select **Copy as path** + +3. Paste the path into the **Add Package** dialog box input field + +## Upgrading App-V Management Server to 5.1 sometimes fails with the message “A database error occurred” + + +If you install the App-V 5.0 SP1 Management Server, and then try to upgrade to App-V Server when multiple connection groups are configured and enabled, the following error is displayed: “A database error occurred. Reason: 'Invalid column name 'PackageOptional'. 
Invalid column name 'VersionOptional'.” + +**Workaround**: Run this command on your SQL database: + +`ALTER TABLE AppVManagement.dbo.PackageGroupMembers ADD PackageOptional bit NOT NULL DEFAULT 0, VersionOptional bit NOT NULL DEFAULT 0` + +where “AppVManagement” is the name of the database. + +## Users cannot open a package in a user-published connection group if you add or remove an optional package + + +In environments that are running the RDS Client or that have multiple concurrent users per computer, logged-in users cannot open applications in packages that are in a user-published connection group if an optional package is added to or removed from the connection group. + +**Workaround**: Have users log out and then log back in. + +## Error message is erroneously displayed when the connection group is published only to the user + + +When you run Repair-AppvClientConnectionGroup, the following error is displayed, even when the connection group is published only to the user: “Internal App-V Integration error: Package not integrated for the user. Please ensure that the package is added to the machine and published to the user.” + +**Workaround**: Do one of the following: + +- Publish all packages in a connection group. + + The problem arises when the connection group being repaired has packages that are missing or not available to the user (that is, not published globally or to the user). However, the repair will work if all of the connection group’s packages are available, so ensure that all packages are published. + +- Repair packages individually using the Repair-AppvClientPackage command rather than the Repair-AppvClientConnectionGroup command. + + Determine which packages are available to users and then run the Repair-AppvClientPackage command once for each package. Use PowerShell cmdlets to do the following: + + 1. Get all the packages in a connection group. + + 2. Check to see if each package is currently published. + + 3. 
If the package is currently published, run Repair-AppvClientPackage on that package. + +## Icons not displayed properly in Sequencer + + +Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons are not 16x16 or 32x32. + +**Workaround**: Only use icons that are 16x16 or 32x32. + +## InsertVersionInfo.sql script no longer required for the Management Database + + +The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3. + +The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). + +**Important**   +**Step 1** is not required for versions of App-V later than App-V 5.0 SP3. + +  + +## Microsoft Visual Studio 2012 not supported + + +App-V does not support Visual Studio 2012. + +**Workaround**: None + +## Application filename restrictions for App-V Sequencer + + +The App-V Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. + +**Workaround**: Use a different filename + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[About App-V](appv-about-appv.md) + +  + +  + + + + + diff --git a/windows/manage/appv-reporting.md b/windows/manage/appv-reporting.md new file mode 100644 index 0000000000..a23ad9f73a --- /dev/null +++ b/windows/manage/appv-reporting.md 
@@ -0,0 +1,322 @@ +--- +title: About App-V Reporting (Windows 10) +description: About App-V Reporting +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# About App-V Reporting + + +Microsoft Application Virtualization (App-V) includes a built-in reporting feature that helps you collect information about computers running the App-V client as well as information about virtual application package usage. You can use this information to generate reports from a centralized database. + +## App-V Reporting Overview + + +The following list displays the end–to-end high-level workflow for reporting in App-V. + +1. The App-V Reporting server has the following prerequisites: + + - Internet Information Service (IIS) web server role + + - Windows Authentication role (under **IIS / Security**) + + - SQL Server installed and running with SQL Server Reporting Services (SSRS) + + To confirm SQL Server Reporting Services is running, view `http://localhost/Reports` in a web browser as administrator on the server that will host App-V Reporting. The SQL Server Reporting Services Home page should display. + +2. Install the App-V reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](appv-install-the-reporting-server-on-a-standalone-computer.md). Configure the time when the computer running the App-V client should send data to the reporting server. + +3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at . + + **Note**   + If you are using the Configuration Manager integration with App-V, most reports are generated from Configuration Manager rather than from App-V. + +   + +4. 
After importing the App-V PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V client. This sample PowerShell cmdlet enables App-V reporting: + + ``` syntax + Set-AppvClientConfiguration –reportingserverurl : -reportingenabled 1 – ReportingStartTime <0-23> - ReportingRandomDelay <#min> + ``` + + To immediately send App-V report data, run `Send-AppvClientReport` on the App-V client. + + For more information about installing the App-V client with reporting enabled see [About Client Configuration Settings](appv-client-configuration-settings.md). To administer App-V Reporting with Windows PowerShell, see [How to Enable Reporting on the App-V Client by Using PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md). + +5. After the reporting server receives the data from the App-V client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server and then a notification is sent to the App-V client. + +6. When the App-V client receives the success notification, it empties the data cache to conserve space. + + **Note**   + By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache. + +   + + If the App-V client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache. + +### App-V reporting server frequently asked questions + +The following table displays answers to common questions about App-V reporting + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    QuestionMore Information

    What is the frequency that reporting information is sent to the reporting database?

    The frequency depends on how the reporting task is configured on the computer running the App-V client. You must configure the frequency / interval for sending the reporting data. App-V Reporting is not enabled by default.

    What information is stored in the reporting server database?

    The following list displays what is stored in the reporting database:

    +
      +
    • The operating system running on the computer running the App-V client: host name, version, service pack, type - client/server, processor architecture.

    • +
    • App-V Client information: version.

    • +
    • Published package list: GUID, version GUID, name.

    • +
    • Application usage information: name, version, streaming server, user (domain\alias), package version GUID, launch status and time, shutdown time.

    • +

    What is the average volume of information that is sent to the reporting server?

    It depends. The following list displays the three sets of the data sent to the reporting server:

    +
      +
    1. Operating system, and App-V client information. ~150 Bytes, every time this data is sent.

    2. +
    3. Published package list. ~7 KB for 30 packages. This is sent only when the package list is updated with a publishing refresh, which is done infrequently; if there is no change, this information is not sent.

    4. +
    5. Virtual application usage information – about 0.25KB per event. Opening and closing count as one event if both occur before sending the information. When sending using a scheduled task, only the data since the last successful upload is sent to the server. If sending manually through the PowerShell cmdlet, there is an optional argument that controls if the data needs to be re-sent next time around – that argument is DeleteOnSuccess.

      +

      +

      So for example, if twenty applications are opened and closed and reporting information is scheduled to be sent daily, the typical daily traffic should be about 0.15KB + 20 x 0.25KB, or about 5KB/user

    6. +

    Can reporting be scheduled?

    Yes. Besides manually sending reporting using PowerShell Cmdlets (Send-AppvClientReport), the task can be scheduled so it will happen automatically. There are two ways to schedule the reporting:

    +
      +
    1. Using PowerShell cmdlets - Set-AppvClientConfiguration. For example:

      +

      Set-AppvClientConfiguration -ReportingEnabled 1 - ReportingServerURL http://any.com/appv-reporting

      +

      +

      For a complete list of client configuration settings see [About Client Configuration Settings](appv-client-configuration-settings.md) and look for the following entries: ReportingEnabled, ReportingServerURL, ReportingDataCacheLimit, ReportingDataBlockSize, ReportingStartTime, ReportingRandomDelay, ReportingInterval.

      +

    2. +
    3. By using Group Policy. If distributed using the domain controller, the settings are the same as previously listed.

      +
      +Note   +

      Group Policy settings override local settings configured using PowerShell.

      +
      +
      +  +
    4. +
    + +  +
+## App-V Client Reporting
+
+
+To use App-V reporting you must install and configure the App-V client. After the client has been installed, use the **Set-AppVClientConfiguration** PowerShell cmdlet or the **ADMX Template** to configure reporting. The reporting feature cmdlets are available by using the following link and are prefaced by **Reporting**. For a complete list of client configuration settings see [About Client Configuration Settings](appv-client-configuration-settings.md). The following section provides examples of App-V client reporting configuration using PowerShell.
+
+### Configuring App-V Client reporting using PowerShell
+
+The following examples show how PowerShell parameters can configure the reporting features of the App-V client.
+
+**Note**  
+The following configuration task can also be configured using Group Policy settings in the App-V ADMX template. For more information about using the ADMX template, see [How to Modify App-V Client Configuration Using the ADMX Template and Group Policy](appv-modify-client-configuration-with-the-admx-template-and-group-policy.md).
+ +  +
+**To enable reporting and to initiate data collection on the computer running the App-V client**:
+
+`Set-AppVClientConfiguration –ReportingEnabled 1`
+
+**To configure the client to automatically send data to a specific reporting server**:
+
+``` syntax
+Set-AppVClientConfiguration –ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30
+```
+
+`-ReportingInterval 1 -ReportingRandomDelay 30`
+
+This example configures the client to automatically send the reporting data to the reporting server URL **http://MyReportingServer:MyPort/**. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session.
+ +**To limit the size of the data cache on the client**: + +`Set-AppvClientConfiguration –ReportingDataCacheLimit 100` + +Configures the maximum size of the reporting cache on the computer running the App-V client to 100 MB. If the cache limit is reached before the data is sent to the server, then the log rolls over and data will be overwritten as necessary. + +**To configure the data block size transmitted across the network between the client and the server**: + +`Set-AppvClientConfiguration –ReportingDataBlockSize 10240` + +Specifies the maximum data block that the client sends to 10240 MB. + +### Types of data collected + +The following table displays the types of information you can collect by using App-V reporting. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Client InformationPackage InformationApplication Usage

    Host Name

    Package Name

    Start and End Times

    App-V Client Version

    Package Version

    Run Status

    Processor Architecture

    Package Source

    Shutdown State

    Operating System Version

    Percent Cached

    Application Name

    Service Pack Level

    Application Version

    Operating System Type

    Username

    Connection Group

    + +  + +The client collects and saves this data in an **.xml** format. The data cache is hidden by default and requires administrator rights to open the XML file. + +### Sending data to the server + +You can configure the computer that is running the App-V client to automatically send data to the specified reporting server. To specify the server use the **Set-AppvClientConfiguration** cmdlet with the following settings: + +- ReportingEnabled + +- ReportingServerURL + +- ReportingStartTime + +- ReportingInterval + +- ReportingRandomDelay + +After you configure the previous settings, you must create a scheduled task. The scheduled task will contact the server specified by the **ReportingServerURL** setting and will initiate the transfer. If you want to manually send data outside of the scheduled times, use the following PowerShell cmdlet: + +`Send-AppVClientReport –URL http://MyReportingServer:MyPort/ -DeleteOnSuccess` + +If the reporting server has been previously configured, then the **–URL** parameter can be omitted. Alternatively, if the data should be sent to an alternate location, specify a different URL to override the configured **ReportingServerURL** for this data collection. + +The **-DeleteOnSuccess** parameter indicates that if the transfer is successful, then the data cache is cleared. If this is not specified, then the cache will not be cleared. + +### Manual Data Collection + +You can also use the **Send-AppVClientReport** cmdlet to manually collect data. This solution is helpful with or without an existing reporting server. The following list displays information about collecting data with or without a reporting server. + + ++++ + + + + + + + + + + + + +
    With a Reporting ServerWithout a Reporting Server

    If you have an existing App-V reporting Server, create a customized scheduled task or script. Specify that the client send the data to the specified location with the desired frequency.

    If you do not have an existing App-V reporting Server, use the –URL parameter to send the data to a specified share. For example:

    +

    Send-AppVClientReport –URL \\Myshare\MyData\ -DeleteOnSuccess

    +

    The previous example will send the reporting data to \\MyShare\MyData\ location indicated by the -URL parameter. After the data has been sent, the cache is cleared.

    +
    +Note   +

    If a location other than the Reporting Server is specified, the data is sent using .xml format with no additional processing.

    +
    +
    +  +
    + +  +
+### Creating Reports
+
+To retrieve report information and create reports using App-V you must use one of the following methods:
+
+- **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V reporting server. It must be deployed separately to generate the associated reports.
+
+ Use the following link for more information about using [Microsoft SQL Server Reporting Services](http://go.microsoft.com/fwlink/?LinkId=285596).
+
+- **Scripting** – You can generate reports by scripting directly against the App-V reporting database. For example:
+
+ **Stored Procedure:**
+
+ **spProcessClientReport** is scheduled to run at midnight or 12:00 AM.
+
+ To run the Microsoft SQL Server Scheduled Stored procedure, the Microsoft SQL Server Agent must be running. You should ensure that the Microsoft SQL Server Agent is set to **AutoStart**. For more information see [Autostart SQL Server Agent (SQL Server Management Studio)](http://go.microsoft.com/fwlink/?LinkId=287045).
+
+ The stored procedure is also created when using the App-V database scripts.
+
+You should also ensure that the reporting server web service’s **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**.
+
+## Have a suggestion for App-V?
+
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+
+[Deploying the App-V Server](appv-deploying-the-appv-server.md)
+
+[How to install the Reporting Server on a Standalone Computer and Connect it to the Database](appv-install-the-reporting-server-on-a-standalone-computer.md)
+ +  + +  + + + + +
diff --git a/windows/manage/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/manage/appv-running-locally-installed-applications-inside-a-virtual-environment.md
new file mode 100644
index 0000000000..cdd905e166
--- /dev/null
+++ b/windows/manage/appv-running-locally-installed-applications-inside-a-virtual-environment.md
@@ -0,0 +1,190 @@
+---
+title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10)
+description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
+
+
+You can run a locally installed application in a virtual environment, alongside applications that have been virtualized by using Microsoft Application Virtualization (App-V). You might want to do this if you:
+
+- Want to install and run an application locally on client computers, but want to virtualize and run specific plug-ins that work with that local application.
+
+- Are troubleshooting an App-V client package and want to open a local application within the App-V virtual environment.
+
+Use any of the following methods to open a local application inside the App-V virtual environment:
+
+- [RunVirtual registry key](#bkmk-runvirtual-regkey)
+
+- [Get-AppvClientPackage PowerShell cmdlet](#bkmk-get-appvclientpackage-posh)
+
+- [Command line switch /appvpid:<PID>](#bkmk-cl-switch-appvpid)
+
+- [Command line hook switch /appvve:<GUID>](#bkmk-cl-hook-switch-appvve)
+
+Each method accomplishes essentially the same task, but some methods may be better suited for some applications than others, depending on whether the virtualized application is already running.
+
+## RunVirtual registry key
+
+
+To add a locally installed application to a package or to a connection group’s virtual environment, you add a subkey to the `RunVirtual` registry key in the Registry Editor, as described in the following sections.
+ +There is no Group Policy setting available to manage this registry key, so you have to use System Center Configuration Manager or another electronic software distribution (ESD) system, or manually edit the registry. + +### Supported methods of publishing packages when using RunVirtual + + ++++ + + + + + + + + + + + + + + + + +
    App-V versionSupported publishing methods

    App-V 5.0 SP3 and App-V

    Published globally or to the user

    App-V 5.0 through App-V 5.0 SP2

    Published globally only

    + +  + +### Steps to create the subkey + +1. Using the information in the following table, create a new registry key using the name of the executable file, for example, **MyApp.exe**. + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Package publishing methodWhere to create the registry key

    Published globally

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual

    +

    Example: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe

    Published to the user

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual

    +

    Example: HKEY_CURRENT_USER \SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe

    Connection group can contain:

    +
      +
    • Packages that are published just globally or just to the user

    • +
    • Packages that are published globally and to the user

    • +

    Either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER key, but all of the following must be true:

    +
      +
    • If you want to include multiple packages in the virtual environment, you must include them in an enabled connection group.

    • +
    • Create only one subkey for one of the packages in the connection group. If, for example, you have one package that is published globally, and another package that is published to the user, you create a subkey for either of these packages, but not both. Although you create a subkey for only one of the packages, all of the packages in the connection group, plus the local application, will be available in the virtual environment.

    • +
    • The key under which you create the subkey must match the publishing method you used for the package.

      +

      For example, if you published the package to the user, you must create the subkey under HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual.

    • +
    • +     + +   +
+2. Set the new registry subkey’s value to the PackageId and VersionId of the package, separating the values with an underscore.
+
+ **Syntax**: <PackageId>\_<VersionId>
+
+ **Example**: 4c909996-afc9-4352-b606-0b74542a09c1\_be463724-Oct1-48f1-8604-c4bd7ca92fa
+
+ The application in the previous example would produce a registry export file (.reg file) like the following:
+
+ ``` syntax
+ Windows Registry Editor Version 5.00
+ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual]
+ @=""
+ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe]
+ @="aaaaaaaa-bbbb-cccc-dddd-eeeeeeee_11111111-2222-3333-4444-555555555
+ ```
+
+## Get-AppvClientPackage PowerShell cmdlet
+
+
+You can use the **Start-AppVVirtualProcess** cmdlet to retrieve the package name and then start a process within the specified package's virtual environment. This method lets you launch any command within the context of an App-V package, regardless of whether the package is currently running.
+
+Use the following example syntax, and substitute the name of your package for **<Package>**:
+
+`$AppVName = Get-AppvClientPackage `
+
+`Start-AppvVirtualProcess -AppvClientObject $AppVName cmd.exe`
+
+If you don’t know the exact name of your package, you can use the command line **Get-AppvClientPackage \*executable\***, where **executable** is the name of the application, for example: Get-AppvClientPackage \*Word\*.
+
+## Command line switch /appvpid:<PID>
+
+
+You can apply the **/appvpid:<PID>** switch to any command, which enables that command to run within a virtual process that you select by specifying its process ID (PID). Using this method launches the new executable in the same App-V environment as an executable that is already running.
+
+Example: `cmd.exe /appvpid:8108`
+
+To find the process ID (PID) of your App-V process, run the command **tasklist.exe** from an elevated command prompt.
+
+## Command line hook switch /appvve:<GUID>
+
+
+This switch lets you run a local command within the virtual environment of an App-V package. Unlike the **/appvid** switch, where the virtual environment must already be running, this switch enables you to start the virtual environment.
+
+Syntax: `cmd.exe /appvve:`
+
+Example: `cmd.exe /appvve:aaaaaaaa-bbbb-cccc-dddd-eeeeeeee_11111111-2222-3333-4444-55555555`
+
+To get the package GUID and version GUID of your application, run the **Get-AppvClientPackage** cmdlet. Concatenate the **/appvve** switch with the following:
+
+- A colon
+
+- Package GUID of the desired package
+
+- An underscore
+
+- Version ID of the desired package
+
+If you don’t know the exact name of your package, use the command line **Get-AppvClientPackage \*executable\***, where **executable** is the name of the application, for example: Get-AppvClientPackage \*Word\*.
+
+This method lets you launch any command within the context of an App-V package, regardless of whether the package is currently running.
+
+## Have a suggestion for App-V?
+
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+
+[Technical Reference for App-V](appv-technical-reference.md)
+ +  + +  + + + + +
diff --git a/windows/manage/appv-security-considerations.md b/windows/manage/appv-security-considerations.md
new file mode 100644
index 0000000000..79d71d971a
--- /dev/null
+++ b/windows/manage/appv-security-considerations.md
@@ -0,0 +1,145 @@
+---
+title: App-V Security Considerations (Windows 10)
+description: App-V Security Considerations
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# App-V Security Considerations
+
+
+This topic contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
+
+**Important**  
+App-V is not a security product and does not provide any guarantees for a secure environment.
+ +  +
+## PackageStoreAccessControl (PSAC) feature has been deprecated
+
+
+Effective as of June, 2014, the PackageStoreAccessControl (PSAC) feature that was introduced in Microsoft Application Virtualization (App-V) 5.0 Service Pack 2 (SP2) has been deprecated in both single-user and multi-user environments.
+
+## General security considerations
+
+
+**Understand the security risks.** The most serious risk to App-V is that its functionality could be hijacked by an unauthorized user who could then reconfigure key data on App-V clients. The loss of App-V functionality for a short period of time due to a denial-of-service attack would not generally have a catastrophic impact.
+
+**Physically secure your computers**. Security is incomplete without physical security. Anyone with physical access to an App-V server could potentially attack the entire client base. Any potential physical attacks must be considered high risk and mitigated appropriately. App-V servers should be stored in a physically secure server room with controlled access. Secure these computers when administrators are not physically present by having the operating system lock the computer, or by using a secured screen saver.
+
+**Apply the most recent security updates to all computers**. To stay informed about the latest updates for operating systems, Microsoft SQL Server, and App-V, subscribe to the Security Notification service ().
+ +**Use strong passwords or pass phrases**. Always use strong passwords with 15 or more characters for all App-V and App-V administrator accounts. Never use blank passwords. For more information about password concepts, see the “Account Passwords and Policies” white paper on TechNet (). + +## Accounts and groups in App-V + + +A best practice for user account management is to create domain global groups and add user accounts to them. Then, add the domain global accounts to the necessary App-V local groups on the App-V servers. + +**Note**   +App-V client computer accounts that need to connect to the publishing server must be part of the publishing server’s **Users** local group. By default, all computers in the domain are part of the **Authorized Users** group, which is part of the **Users** local group. + +  + +### App-V server security + +No groups are created automatically during App-V Setup. You should create the following Active Directory Domain Services global groups to manage App-V server operations. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    Group nameDetails

    App-V Management Admin group

    Used to manage the App-V management server. This group is created during the App-V Management Server installation.

    +
    +Important   +

    There is no method to create the group using the management console after you have completed the installation.

    +
    +
    +  +

    Database read/write for Management Service account

    Provides read/write access to the management database. This account should be created during the App-V management database installation.

    App-V Management Service install admin account

    +
    +Note   +

    This is only required if management database is being installed separately from the service.

    +
    +
    +  +

    Provides public access to schema-version table in management database. This account should be created during the App-V management database installation.

    App-V Reporting Service install admin account

    +
    +Note   +

    This is only required if reporting database is being installed separately from the service.

    +
    +
    +  +

    Public access to schema-version table in reporting database. This account should be created during the App-V reporting database installation.

    + +  +
+Consider the following additional information:
+
+- Access to the package shares - If a share exists on the same computer as the management Server, the **Network** service requires read access to the share. In addition, each App-V client computer must have read access to the package share.
+
+ **Note**  
+ In previous versions of App-V, package share was referred to as content share.
+ +   +
+- Registering publishing servers with Management Server - A publishing server must be registered with the Management server. For example, it must be added to the database, so that the Publishing server machine accounts are able to call into the Management service API.
+
+### App-V package security
+
+The following will help you plan how to ensure that virtualized packages are secure.
+
+- If an application installer applies an access control list (ACL) to a file or directory, then that ACL is not persisted in the package. When the package is deployed, if the file or directory is modified by a user it will either inherit the ACL in the **%userprofile%** or inherit the ACL of the target computer’s directory. The former case occurs if the file or directory does not exist in a virtual file system location; the latter case occurs if the file or directory exists in a virtual file system location, for example **%windir%**.
+
+## App-V log files
+
+
+During App-V Setup, setup log files are created in the **%temp%** folder of the installing user.
+
+## Have a suggestion for App-V?
+
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+
+[Preparing Your Environment for App-V](appv-preparing-your-environment.md)
+ +  + +  + + + + +
diff --git a/windows/manage/appv-sequence-a-new-application.md b/windows/manage/appv-sequence-a-new-application.md
new file mode 100644
index 0000000000..dbae0de06b
--- /dev/null
+++ b/windows/manage/appv-sequence-a-new-application.md
@@ -0,0 +1,240 @@ +--- +title: How to Sequence a New Application with App-V (Windows 10) +description: How to Sequence a New Application with App-V +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Sequence a New Application with App-V + +In Windows 10, version 1607, the App-V Sequencer is included with the Windows ADK. For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). + +**To review or do before you start sequencing** + +1. Determine the type of virtualized application package you want to create: + + | Application type | Description | + | - | - | + | Standard | Creates a package that contains an application or a suite of applications. This is the preferred option for most application types. | + | Add-on or plug-in | Creates a package that extends the functionality of a standard application, for example, a plug-in for Microsoft Excel. Additionally, you can use plug-ins for natively installed applications, or for another package that is linked by using connection groups. | + | Middleware | Creates a package that is required by a standard application, for example, Java. Middleware packages are used for linking to other packages by using connection groups. | + +2. Copy all required installation files to the computer that is running the sequencer. + +3. Make a backup image of your virtual environment before sequencing an application, and then revert to that image each time after you finish sequencing an application. + +4. Review the following items: + + - If an application installer changes the security access to a new or existing file or directory, those changes are not captured in the package. + + - If short paths have been disabled for the virtualized package’s target volume, you must also sequence the package to a volume that was created and still has short-paths disabled. 
It cannot be the system volume. + +> [!NOTE] +> The App-V Sequencer cannot sequence applications with filenames matching "CO_<_x_>" where x is any numeral. Error 0x8007139F will be generated. + +**To sequence a new standard application** + +1. On the computer that runs the sequencer, click **All Programs**, and then click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. + +2. In the sequencer, click **Create a New Virtual Application Package**. Select **Create Package (default)**, and then click **Next**. + +3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. + + > [!IMPORTANT] + > If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. + +4. On the **Type of Application** page, click the **Standard Application (default)** check box, and then click **Next**. + +5. On the **Select Installer** page, click **Browse** and specify the installation file for the application. + + > [!NOTE] + > If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package. + + + If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Perform a Custom Installation** check box, and then click **Next**. + + +6. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. 
The package name is displayed in the App-V Management Console. + + Click **Next**. + +7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. + + > [!IMPORTANT] + > You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring. + + + Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** to locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**. + +8. On the **Installation** page, wait while the sequencer configures the virtualized application package. + +9. On the **Configure Software** page, optionally run the programs contained in the package. This step allows you to complete any necessary license or configuration tasks before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. You may need to wait several minutes for all programs to run. + + > [!NOTE] + > To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step. + + + Click **Next**. + +10. On the **Installation Report** page, you can review information about the virtualized application package you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. + +11. The **Customize** page is displayed. 
If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. To perform either of the following customizations, select **Customize**. + + - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. + + - Specify the operating systems that can run this package. + + Click **Next**. + +12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. + + > [!NOTE] + > If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application. + +   + +13. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select **Allow this package to run on any operating system**. To configure this package to run only on specific operating systems, select **Allow this package to run only on the following operating systems** and select the operating systems that can run this package. Click **Next**. + + > [!IMPORTANT] + > Make sure that the operating systems you specify here are supported by the application you are sequencing. + + +14. The **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. Click **Next**. + + To save the package immediately, select **Save the package now** (default). 
Add optional **Comments** to be associated with the package. Comments are useful for identifying the program version and other information about the package. + + > [!IMPORTANT] + > The system does not support non-printable characters in **Comments** and **Descriptions**. + +   + + The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. + +15. The **Completion** page is displayed. Review the information in the **Virtual Application Package Report** pane as needed, then click **Close**. This information is also available in the **Report.xml** file that is located in the directory where the package was created. + + The package is now available in the sequencer. + + > [!IMPORTANT] + > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. + +   + +**To sequence an add-on or plug-in application** + +> [!NOTE] +>Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer. + +>For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that is running the sequencer. Also install the parent application in the same directory where the application is installed on target computers. If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package. + +1. On the computer that runs the sequencer, click **All Programs**, and then Click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. 
+ +2. In the sequencer, click **Create a New Virtual Application Package**, select **Create Package (default)**, and then click **Next**. + +3. On the **Prepare Computer** page, review the issues that might cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. + + > [!IMPORTANT] + > If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. + + +4. On the **Type of Application** page, select **Add-on or Plug-in**, and then click **Next**. + +5. On the **Select Installer** page, click **Browse** and specify the installation file for the add-on or plug-in. If the add-on or plug-in does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. + +6. On the **Install Primary** page, ensure that the primary application is installed on the computer that runs the sequencer. Alternatively, you can expand an existing package that has been saved locally on the computer that runs the sequencer. To do this, click **Expand Package**, and then select the package. After you have expanded or installed the parent program, select **I have installed the primary parent program**. + + Click **Next**. + +7. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will be displayed in the App-V 5.0 Management Console. + + Click **Next**. + +8. 
On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the plug-in or add-in application so the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then click **Next**. + +9. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. + +10. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. + + - Optimize how the package will run across a slow or unreliable network. + + - Specify the operating systems that can run this package. + + Click **Next**. + +11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**. + + > [!NOTE]    + > If necessary, you can stop an application from loading during this step. 
In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**. + +   + +12. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box, and then select the operating systems that can run this package. Click **Next**. + +13. The **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor** check box. This option opens the package in the sequencer console so that you can modify the package before it is saved. Click **Next**. + + To save the package immediately, select **Save the package now**. Optionally, add a **Description** that will be associated with the package. Descriptions are useful for identifying the version and other information about the package. + + > [!IMPORTANT]    + > The system does not support non-printable characters in Comments and Descriptions. + +   + + The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. + +**To sequence a middleware application** + +1. On the computer that runs the sequencer, click **All Programs**, and then Click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. + +2. In the sequencer, click **Create a New Virtual Application Package**, select **Create Package (default)**, and then click **Next**. + +3. 
On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. + + > [!IMPORTANT] + > If you are required to disable virus scanning software, you should first scan the computer that runs the App-V 5.0 Sequencer in order to ensure that no unwanted or malicious files can be added to the package. + + +4. On the **Type of Application** page, select **Middleware**, and then click **Next**. + +5. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. + +6. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V 5.0 Management Console. + + Click **Next**. + +7. On the **Installation** page, when the sequencer and middleware application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then click **Next**. + +8. On the **Installation** page, wait while the sequencer configures the virtual application package. + +9. 
On the **Installation Report** page, you can review information about the virtual application package that you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. + +10. On the **Target OS** page, specify the operating systems that can run this package. To enable all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box and select the operating systems that can run this package. Click **Next**. + +11. On the **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. Click **Next**. + + To save the package immediately, select **Save the package now**. Optionally, add a **Description** to be associated with the package. Descriptions are useful for identifying the program version and other information about the package. + + > [!IMPORTANT]    + > The system does not support non-printable characters in Comments and Descriptions. +  + + The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. + +12. The **Completion** page is displayed. Review the information in the **Virtual Application Package Report** pane as needed, then click **Close**. This information is also available in the **Report.xml** file that is located in the directory specified in step 11 of this procedure. + + The package is now available in the sequencer. To edit the package properties, click **Edit \[Package Name\]**. 
+ + > [!IMPORTANT]    + > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. + +   + +## Have a suggestion for App-V? +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + +- [Install the App-V Sequencer](appv-install-the-sequencer.md) +- [Operations for App-V](appv-operations.md) diff --git a/windows/manage/appv-sequence-a-package-with-powershell.md b/windows/manage/appv-sequence-a-package-with-powershell.md new file mode 100644 index 0000000000..f35388deed --- /dev/null +++ b/windows/manage/appv-sequence-a-package-with-powershell.md 
@@ -0,0 +1,64 @@ +--- +title: How to sequence a package by using Windows PowerShell (Windows 10) +description: How to sequence a package by using Windows PowerShell +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# How to Sequence a Package by using Windows PowerShell + +Use the following procedure to create a new App-V package using Windows PowerShell. + +> [!NOTE]   +> Before you use this procedure you must copy the associated installer files to the computer running the sequencer and you have read and understand the sequencer section of [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md). + +  +**To create a new virtual application by using Windows PowerShell** + +1. Install the App-V sequencer. For more information about installing the sequencer see [How to Install the Sequencer](appv-install-the-sequencer.md). + +2. Click **Start** and type **Windows PowerShell**. Right-click **Windows PowerShell**, and select **Run as Administrator**. + +3. Using the Windows PowerShell console, type the following: **import-module appvsequencer**. + +4. To create a package, use the **New-AppvSequencerPackage** cmdlet. The following parameters are required to create a package: + + - **Name** - specifies the name of the package. + + - **PrimaryVirtualApplicationDirectory** - specifies the path to the directory that will be used to install the application. This path must exist. + + - **Installer** - specifies the path to the associated application installer. + + - **Path** - specifies the output directory for the package. + + For example: + + ``` + New-AppvSequencerPackage –Name -PrimaryVirtualApplicationDirectory -Installer -OutputPath + ``` + + +Wait for the sequencer to create the package. Creating a package by using Windows PowerShell can take time. If the package was not created successfully, an error will be returned. 
+
+The following list displays additional optional parameters that can be used with **New-AppvSequencerPackage** cmdlet:
+
+- AcceleratorFilePath – specifies the path to the accelerator .cab file to generate a package.
+
+- InstalledFilesPath - specifies the path to where the local installed files of the application are saved.
+
+- InstallMediaPath - specifies the path of the installation media
+
+- TemplateFilePath - specifies the path to a template file if you want to customize the sequencing process.
+
+- FullLoad - specifies that the package must be fully downloaded to the computer running the App-V before it can be opened.
+
+## Have a suggestion for App-V?
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md)
diff --git a/windows/manage/appv-supported-configurations.md b/windows/manage/appv-supported-configurations.md
new file mode 100644
index 0000000000..67662f89bd
--- /dev/null
+++ b/windows/manage/appv-supported-configurations.md
@@ -0,0 +1,657 @@ +--- +title: App-V Supported Configurations (Windows 10) +description: App-V Supported Configurations +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# App-V Supported Configurations + + +This topic specifies the requirements to install and run App-V in your environment. + +## App-V Server system requirements + +This section lists the operating system and hardware requirements for all of the App-V Server components. + +### Unsupported App-V Server scenarios + +The App-V Server does not support the following scenarios: + +- Deployment to a computer that runs the Server Core installation option. + +- Deployment to a computer that runs a previous version of App-V Server components. You can install App-V side by side with the App-V 4.5 Lightweight Streaming Server (LWS) server only. Deployment of App-V side by side with the App-V 4.5 Application Virtualization Management Service (HWS) server is not supported. + +- Deployment to a computer that runs Microsoft SQL Server Express edition. + +- Deployment to a domain controller. + +- Short paths. If you plan to use a short path, you must create a new volume. + +### Management server operating system requirements + +The following table lists the operating systems that are supported for the App-V Management server installation. + + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Operating systemService PackSystem architecture

    Microsoft Windows Server 2016

    64-bit

    Microsoft Windows Server 2012 R2

    64-bit

    Microsoft Windows Server 2012

    64-bit

    Microsoft Windows Server 2008 R2

    SP1

    64-bit

    + +  + +> [!IMPORTANT] +> Deployment of the Management server role to a computer with Remote Desktop Services enabled is not supported. + +  + +### Management server hardware requirements + +- Processor—1.4 GHz or faster, 64-bit (x64) processor + +- RAM—1 GB RAM (64-bit) + +- Disk space—200 MB available hard disk space, not including the content directory + +### Management server database requirements + +The following table lists the SQL Server versions that are supported for the App-V Management database installation. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    SQL Server versionService packSystem architecture

    Microsoft SQL Server 2014

    32-bit or 64-bit

    Microsoft SQL Server 2012

    SP2

    32-bit or 64-bit

    Microsoft SQL Server 2008 R2

    SP3

    32-bit or 64-bit

    + +  + +### Publishing server operating system requirements + +The following table lists the operating systems that are supported for the App-V Publishing server installation. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Operating systemService PackSystem architecture

    Microsoft Windows Server 2016

    64-bit

    Microsoft Windows Server 2012 R2

    64-bit

    Microsoft Windows Server 2012

    64-bit

    Microsoft Windows Server 2008 R2

    SP1

    64-bit

    + +  + +### Publishing server hardware requirements + +App-V adds no additional requirements beyond those of Windows Server. + +- Processor—1.4 GHz or faster, 64-bit (x64) processor + +- RAM—2 GB RAM (64-bit) + +- Disk space—200 MB available hard disk space, not including the content directory + +### Reporting server operating system requirements + +The following table lists the operating systems that are supported for the App-V Reporting server installation. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Operating systemService PackSystem architecture

    Microsoft Windows Server 2016

    64-bit

    Microsoft Windows Server 2012 R2

    64-bit

    Microsoft Windows Server 2012

    64-bit

    Microsoft Windows Server 2008 R2

    SP1

    64-bit

    + +  + +### Reporting server hardware requirements + +App-V adds no additional requirements beyond those of Windows Server. + +- Processor—1.4 GHz or faster, 64-bit (x64) processor + +- RAM—2 GB RAM (64-bit) + +- Disk space—200 MB available hard disk space + +### Reporting server database requirements + +The following table lists the SQL Server versions that are supported for the App-V Reporting database installation. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    SQL Server versionService packSystem architecture

    Microsoft SQL Server 2014

    32-bit or 64-bit

    Microsoft SQL Server 2012

    SP2

    32-bit or 64-bit

    Microsoft SQL Server 2008 R2

    SP3

    32-bit or 64-bit

    + +  + +## App-V client system requirements + + +The following table lists the operating systems that are supported for the App-V client installation. + +> [!NOTE] +> App-V is included with Windows 10, version 1607 and later. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Operating systemService packSystem architecture

    Windows 10, version 1511

    32-bit or 64-bit

    Windows 10, version 1507

    32-bit or 64-bit

    Windows 8.1

    32-bit or 64-bit

    Windows 8

    32-bit or 64-bit

    Windows /p>

    SP1

    32-bit or 64-bit

    + +  + +The following App-V client installation scenarios are not supported, except as noted: + +- Computers that run Windows Server + +- Computers that run App-V 4.6 SP1 or earlier versions + +- The App-V Remote Desktop services client is supported only for RDS-enabled servers + +### App-V client hardware requirements + +The following list displays the supported hardware configuration for the App-V client installation. + +- Processor— 1.4 GHz or faster 32-bit (x86) or 64-bit (x64) processor + +- RAM— 1 GB (32-bit) or 2 GB (64-bit) + +- Disk— 100 MB for installation, not including the disk space that is used by virtualized applications. + +## Remote Desktop Services client system requirements + + +The following table lists the operating systems that are supported for App-V Remote Desktop Services (RDS) client installation. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Operating systemService PackSystem architecture

    Microsoft Windows Server 2016

    64-bit

    Microsoft Windows Server 2012 R2

    64-bit

    Microsoft Windows Server 2012

    64-bit

    Microsoft Windows Server 2008 R2

    SP1

    64-bit

    + +  + +### Remote Desktop Services client hardware requirements + +App-V adds no additional requirements beyond those of Windows Server. + +- Processor—1.4 GHz or faster, 64-bit (x64) processor + +- RAM—2 GB RAM (64-bit) + +- Disk space—200 MB available hard disk space + +## Sequencer system requirements + + +The following table lists the operating systems that are supported for the App-V Sequencer installation. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Operating systemService packSystem architecture

    Microsoft Windows Server 2012 R2

    64-bit

    Microsoft Windows Server 2012

    64-bit

    Microsoft Windows Server 2008 R2

    SP1

    64-bit

    Microsoft Windows 10

    32-bit and 64-bit

    Microsoft Windows 8.1

    32-bit and 64-bit

    Microsoft Windows 8

    32-bit and 64-bit

    Microsoft Windows 7

    SP1

    32-bit and 64-bit

    + +  + +### Sequencer hardware requirements + +See the Windows or Windows Server documentation for the hardware requirements. App-V adds no additional hardware requirements. + +## Supported versions of System Center Configuration Manager + + +The App-V client supports the following versions of System Center Configuration Manager: + +- Microsoft System Center 2012 Configuration Manager + +- System Center 2012 R2 Configuration Manager + +- System Center 2012 R2 Configuration Manager SP1 + +The following App-V and System Center Configuration Manager version matrix shows all officially supported combinations of App-V and Configuration Manager. + + ++++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    App-V VersionSystem Center Configuration Manager 2007System Center 2012 Configuration ManagerSystem Center 2012 Configuration Manager SP1System Center 2012 R2 Configuration ManagerSystem Center 2012 R2 Configuration Manager SP1System Center 2012 Configuration Manager SP2System Center Configuration Manager Version 1511

    App-V 4.5

    R2

    No

    No

    No

    No

    No

    No

    App-V 4.5 CU1

    R2

    No

    No

    No

    No

    No

    No

    App-V 4.5 SP1

    R2

    No

    No

    No

    No

    No

    No

    App-V 4.5 SP2

    R2

    No

    No

    No

    No

    No

    No

    App-V 4.6

    R2, SP1

    No

    No

    No

    No

    No

    No

    App-V 4.6 SP1

    R2, R3, SP2

    Yes

    Yes

    Yes

    No

    No

    No

    App-V 4.6 SP2

    R2, R3, SP2

    Yes

    Yes

    Yes

    No

    No

    No

    App-V 4.6 SP3

    R2, R3, SP2

    No

    Yes

    Yes

    No

    Yes

    Yes

    App-V 5.0

    MSI-Wrapper-Only

    No

    Yes

    Yes

    Yes

    Yes

    Yes

    App-V 5.0 SP1

    MSI-Wrapper Only

    No

    Yes

    Yes

    Yes

    Yes

    Yes

    App-V 5.0 SP2

    MSI-Wrapper Only

    No

    2012 SP1 CU4

    +

    App-V 5.0 HF5 or later

    2012 R2 CU1

    +

    App-V 5.0 HF5 or later

    Yes

    With App-V 5.0 SP2 HF5 or later

    With App-V 5.0 SP2 HF5 or later

    App-V 5.0 SP2 HF4

    MSI-Wrapper Only

    No

    2012 SP1 CU4

    +

    App-V 5.0 HF5 or later

    2012 R2 CU1

    +

    App-V 5.0 HF5 or later

    Yes

    Requires HF5 or later

    Requires HF5 or later

    App-V 5.0 SP3

    MSI-Wrapper Only

    No

    2012 SP1 CU4

    2012 R2 CU1

    Yes

    Yes

    Yes

    App-V

    MSI-Wrapper Only

    No

    2012 SP1 CU4

    2012 R2 CU1

    Yes

    Yes

    Yes

    + +  + +For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](http://technet.microsoft.com/library/jj822982.aspx). + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + +- [Planning to Deploy App-V](appv-planning-to-deploy-appv.md) +- [App-V Prerequisites](appv-prerequisites.md) diff --git a/windows/manage/appv-technical-reference.md b/windows/manage/appv-technical-reference.md new file mode 100644 index 0000000000..713d772993 --- /dev/null +++ b/windows/manage/appv-technical-reference.md 
@@ -0,0 +1,45 @@
+---
+title: Technical Reference for App-V (Windows 10)
+description: Technical Reference for App-V
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Technical Reference for App-V
+
+
+This section provides reference information related to managing App-V.
+
+## In This Section
+
+
+- [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
+
+  Provides strategy and context for a number of performance optimization practices. Not all practices will be applicable although they are supported and have been tested. Using all suggested practices that are applicable to your organization will provide the optimal end-user experience.
+
+- [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
+
+  Describes how the following App-V client operations affect the local operating system: App-V files and data storage locations, package registry, package store behavior, roaming registry and data, client application lifecycle management, integration of App-V packages, dynamic configuration, side-by-side assemblies, and client logging.
+
+## Have a suggestion for App-V?
+
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+
+[Creating App-V 4.5 Databases Using SQL Scripting](https://technet.microsoft.com/en-us/itpro/mdop/solutions/creating-app-v-45-databases-using-sql-scripting)
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/manage/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/manage/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
new file mode 100644
index 0000000000..a39449b055
--- /dev/null
+++ b/windows/manage/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
@@ -0,0 +1,41 @@
+---
+title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10)
+description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
+
+
+Use the following procedure to transfer the access and default package configurations to another version of a package by using the management console.
+
+**To transfer access and configurations to another version of a package**
+
+1. To view the package that you want to configure, open the App-V Management Console. Select the package to which you will transfer the new configuration, right-click the package and select **transfer default configuration from** or **transfer access and configurations from**, depending on the configuration that you want to transfer.
+
+2. To transfer the configuration, in the **Select Previous Version** dialog box, select the package that contains the settings that you want to transfer, and then click **OK**.
+
+   If you select **transfer default configuration from**, then only the underlying dynamic deployment configuration will be transferred.
+
+   If you select **transfer access and configurations from**, then all access permissions, as well as the configuration settings, will be copied.
+
+   **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+## Related topics
+
+
+[Operations for App-V](appv-operations.md)
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/manage/appv-troubleshooting.md b/windows/manage/appv-troubleshooting.md
new file mode 100644
index 0000000000..7a8e67b35c
--- /dev/null
+++ b/windows/manage/appv-troubleshooting.md
@@ -0,0 +1,92 @@
+---
+title: Troubleshooting App-V (Windows 10)
+description: Troubleshooting App-V
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Troubleshooting App-V
+
+
+Troubleshooting content is not included in the Administrator’s Guide for this product. Instead, you can find troubleshooting information for this product on the [TechNet Wiki](http://go.microsoft.com/fwlink/p/?LinkId=224905).
+
+## How to Find Troubleshooting Content
+
+
+You can use the following information to find troubleshooting or additional technical content for this product.
+
+### Search the MDOP Documentation
+
+The first step to find help content in the Administrator’s Guide is to search the MDOP documentation on TechNet.
+
+After you search the MDOP documentation, your next step would be to search the troubleshooting information for the product in the TechNet Wiki.
+
+**To search the MDOP product documentation**
+
+1. Use a web browser to navigate to the [MDOP Information Experience](http://go.microsoft.com/fwlink/?LinkId=236032) TechNet home page.
+
+2. Enter applicable search terms in the **Search TechNet with Bing** search box at the top of the MDOP Information Experience home page.
+
+3. Review the search results for assistance.
+
+**To search the TechNet Wiki**
+
+1. Use a web browser to navigate to the [TechNet Wiki](http://go.microsoft.com/fwlink/p/?LinkId=224905) home page.
+
+2. Enter applicable search terms in the **Search TechNet Wiki** search box on the TechNet Wiki home page.
+
+3. Review the search results for assistance.
+
+## How to Create a Troubleshooting Article
+
+
+If you have a troubleshooting tip or a best practice to share that is not already included in the MDOP OnlineHelp or TechNet Wiki, you can create your own TechNet Wiki articles.
+
+**To create a TechNet Wiki troubleshooting or best practices article**
+
+1. Use a web browser to navigate to the [TechNet Wiki](http://go.microsoft.com/fwlink/p/?LinkId=224905) home page.
+
+2. Log in with your Windows Live ID.
+
+3. Review the **Getting Started** section to learn the basics of the TechNet Wiki and its articles.
+
+4. Select **Post an article >>** at the bottom of the **Getting Started** section.
+
+5. On the Wiki article **Add Page** page, select **Insert Template** from the toolbar, select the troubleshooting article template (**Troubleshooting.html**), and then click **Insert**.
+
+6. Be sure to give the article a descriptive title and then overwrite the template information as needed to create your troubleshooting or best practice article.
+
+7. After you review your article, be sure to include a tag that is named **Troubleshooting** and another for the product name. This helps others to find your content.
+
+8. Click **Save** to publish the article to the TechNet Wiki.
+
+## Other resources for troubleshooting App-V
+
+
+- [Application Virtualization (App-V) overview](appv-for-windows.md)
+
+- [Getting Started with App-V](appv-getting-started.md)
+
+- [Planning for App-V](appv-planning-for-appv.md)
+
+- [Deploying App-V](appv-deploying-appv.md)
+
+- [Operations for App-V](appv-operations.md)
+
+## Have a suggestion for App-V?
+
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/manage/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/manage/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
new file mode 100644
index 0000000000..f544dffb06
--- /dev/null
+++ b/windows/manage/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
@@ -0,0 +1,105 @@
+---
+title: Upgrading to App-V for Windows 10 from an existing installation (Windows 10)
+description: Upgrading to App-V for Windows 10 from an existing installation
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# Upgrading to App-V for Windows 10 from an existing installation
+
+If you’re already using App-V and you’re planning to upgrade user devices to Windows 10, you need to make only the following few adjustments to your existing environment to start using App-V for Windows 10.
+
+1. [Upgrade user devices to Windows 10](#upgrade-user-devices-to-windows-10). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings.
+
+2. [Verify that App-V applications and settings were migrated correctly](#verify-that-app-v-applications-and-settings-were-migrated-correctly).
+
+3. [Enable the in-box App-V client](#enable-the-in-box-app-v-client).
+
+4. [Configure the in-box App-V client to point to previously installed App-V server components](#configure-the-in-box-app-v-client-to-point-to-previously-installed-app-v-server-components).
+
+5. [Verify that the in-box App-V client can receive and launch .appv packages](#verify-that-the-in-box-app-v-client-can-receive-and-launch-appv-packages).
+
+These steps are explained in more detail below.
+
+## Upgrade user devices to Windows 10
+
+Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows 10 and Windows 10 Mobile document set](https://technet.microsoft.com/itpro/windows/index) for information about upgrading user devices to Windows 10.
+
+## Verify that App-V applications and settings were migrated correctly
+
+After upgrading a user device to Windows 10, it’s important to verify that App-V applications and settings were migrated correctly during the upgrade.
+
+To verify that the user’s App-V application packages were migrated correctly, type `Get-AppvClientPackage` in Windows PowerShell.
+
+To verify that the user’s App-V settings were migrated correctly, type `Get-AppvClientConfiguration` in Windows PowerShell.
+
+## Enable the in-box App-V client
+
+With Windows 10, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell.
+
+**To enable the App-V client with Group Policy**:
+
+1. Open the device’s **Local Group Policy Editor**.
+
+2. Navigate to **Computer Configuration > Administrative Templates > System > App-V**.
+
+3. Run **Enables App-V Client** and then select **Enabled** on the screen that appears.
+
+4. Restart the device.
+
+**To enable the App-V client with Windows PowerShell**:
+
+1. Open Windows PowerShell.
+
+2. Type `Enable-Appv` and press enter.
+
+3. Restart the device.
+
+4. To verify that the App-V client is enabled on the device, enter `AppvClientEnabled` or `Get-AppvStatus` in Windows PowerShell.
+
+## Configure the in-box App-V client to point to previously installed App-V server components
+
+Once you’ve enabled the in-box App-V client, you need to configure it to point to your existing App-V server components. You can configure the App-V client with Windows PowerShell cmdlets or with the device’s local Group Policy editor.
+
+**To modify client settings to point to an existing App-V publishing server with Windows PowerShell**
+
+Type the following cmdlet in a Windows PowerShell window:
+
+`Add-AppvPublishingServer -Name AppVServer -URL http:// appvserver:2222`
+
+**To modify client settings to point to an existing App-V publishing server with Group Policy**
+
+1. Open the device’s **Local Group Policy Editor**.
+
+2. Navigate to **Computer Configuration > Administrative Templates > System > App-V > Publishing**.
+
+3. Enter your existing App-V publishing server’s details in **Options** and then click or press **Apply**.
+
+
+
+Ensure newly added machine/ user is entitled to receive packages from the server configure in step #2.
+
+Sync and verify packages and/or connection groups pushed by the App-V server function correctly.
+
+Validate other package management commands (unpublish, remove etc.).
+
+
+
+## Verify that the in-box App-V client can receive and launch .appv packages
+
+1. Add and publish a package using the following Windows PowerShell cmdlets:
+
+   `Add-AppvClientPackage \\path\to\appv\package.appv | Publish-AppvClientPackage`
+
+2. Launch the published package.
+
+3. Unpublish an existing package use the following cmdlet:
+
+   `Unpublish-AppvClientPackage "ContosoApplication"`
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
diff --git a/windows/manage/appv-using-the-client-management-console.md b/windows/manage/appv-using-the-client-management-console.md
new file mode 100644
index 0000000000..64affa5f4b
--- /dev/null
+++ b/windows/manage/appv-using-the-client-management-console.md
@@ -0,0 +1,91 @@ +--- +title: Using the App-V Client Management Console (Windows 10) +description: Using the App-V Client Management Console +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Using the App-V Client Management Console + + +This topic provides information about how you can configure and manage the Microsoft Application Virtualization (App-V) client. + +## Modify App-V client configuration + + +The App-V client has associated settings that can be configured to determine how the client will run in your environment. You can manage these settings on the computer that runs the client or by using PowerShell or Group Policy. For more information about how to modify the client using PowerShell or Group Policy configuration see, [How to Modify Client Configuration by Using PowerShell](appv-modify-client-configuration-with-powershell.md). + +## The App-V client management console + + +You can obtain information about the App-V client or perform specific tasks by using the App-V client management console. Many of the tasks that you can perform in the client management console you can also perform by using PowerShell. The associated PowerShell cmdlets for each action are also displayed in the following table. For more information about how to use PowerShell, see [Administering App-V by Using PowerShell](appv-administering-appv-with-powershell.md). + +The client management console contains the following described main tabs. + + ++++ + + + + + + + + + + + + + + + + + + + + +
    TabDescription

    Overview

    The Overview tab contains the following elements:

    +
      +
    • Update – Use the Update tile to refresh a virtualized application or to receive a new virtualized package.

      +

      The Last Refresh displays the current version of the virtualized package.

    • +
    • Download all virtual applications – Use the Download tile to download all of the packages provisioned to the current user.

      +

      (Associated PowerShell cmdlet: Mount-AppvClientPackage)

      +

    • +
    • Work Offline – Use this tile to disallow all automatic and manual virtual application updates.

      +

      (Associated PowerShell cmdlet: Set-AppvPublishServer –UserRefreshEnabled –GlobalRefreshEnabled)

    • +

    Virtual Apps

    The VIRTUAL APPS tab displays all of the packages that have been published to the user. You can also click a specific package and see all of the applications that are part of that package. This displays information about packages that are currently in use and how much of each package has been downloaded to the computer. You can also start and stop package downloads. Additionally, you can repair the user state. A repair will delete all user data that is associated with a package.

    +

    App Connection Groups

    The APP CONNECTION GROUPS tab displays all of the connection groups that are available to the current user. Click a specific connection group to see all of the packages that are part of the selected group. This displays information about connection groups that are already in use and how much of the connection group contents have been downloaded to the computer. Additionally, you can start and stop connection group downloads. You can use this section to initiate a repair. A repair will remove all of the user state that is associated a connection group.

    +

    (Associated PowerShell cmdlets: Download - Mount-AppvClientConnectionGroup. Repair -AppvClientConnectionGroup.)

    +

    + +  + +[How to Access the Client Management Console](appv-accessing-the-client-management-console.md) + +[How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md) + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/manage/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md new file mode 100644 index 0000000000..5a89f2304c --- /dev/null +++ b/windows/manage/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md 
@@ -0,0 +1,45 @@
+---
+title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10)
+description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
+author: MaggiePucciEvans
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
+
+
+Use the following procedure to view and configure default package extensions.
+
+**To view and configure default virtual application extensions**
+
+1. To view the package that you want to configure, open the App-V Management Console. Select the package that you want to configure, right-click the package name and select **edit default configuration**.
+
+2. To view the applications contained in the specified package, in the **Default Configuration** pane, click **Applications**. To view the shortcuts for that package, click **Shortcuts**. To view the file type associations for that package, click **File Types**.
+
+3. To enable the application extensions, select **ENABLE**.
+
+   To enable shortcuts, select **ENABLE SHORTCUTS**. To add a new shortcut for the selected application, right-click the application in the **SHORTCUTS** pane and select **Add new shortcut**. To remove a shortcut, right-click the application in the **SHORTCUTS** pane and select **Remove Shortcut**. To edit an existing shortcut, right-click the application and select **Edit Shortcut**.
+
+4. To view any other application extensions, click **Advanced** and click **Export Configuration**. Type in a filename and click **Save**. You can view all application extensions associated with the package using the configuration file.
+
+5. To edit other application extensions, modify the configuration file and click **Import and Overwrite this Configuration**. 
Select the modified file and click **Open**. In the dialog box, click **Overwrite** to complete the process. + + **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Operations for App-V](appv-operations.md) + +  + +  + + + + + diff --git a/windows/manage/appv-viewing-appv-server-publishing-metadata.md b/windows/manage/appv-viewing-appv-server-publishing-metadata.md new file mode 100644 index 0000000000..abfc25f877 --- /dev/null +++ b/windows/manage/appv-viewing-appv-server-publishing-metadata.md @@ -0,0 +1,264 @@ +--- +title: Viewing App-V Server Publishing Metadata (Windows 10) +description: Viewing App-V Server Publishing Metadata +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Viewing App-V Server Publishing Metadata + + +Use this procedure to view publishing metadata, which can help you resolve publishing-related issues. You must be using the App-V Management server to use this procedure. + +This article contains the following information: + +- [App-V requirements for viewing publishing metadata](#bkmk-51-reqs-pub-meta) + +- [Syntax to use for viewing publishing metadata](#bkmk-syntax-view-pub-meta) + +- [Query values for client operating system and version](#bkmk-values-query-pub-meta) + +- [Definition of publishing metadata](#bkmk-whatis-pub-metadata) + +## App-V requirements for viewing publishing metadata + + +In App-V, you must provide the following values in the address when you query the App-V Publishing server for metadata: + + ++++ + + + + + + + + + + + + + + + + +
    ValueAdditional details

    ClientVersion

    If you omit the ClientVersion parameter from the query, the metadata excludes the features that were new in App-V 5.0 SP3.

    ClientOS

    You have to provide this value only if you select specific client operating systems when you sequence the package. If you select the default (all operating systems), do not specify this value in the query.

    +

    If you omit the ClientOS parameter from the query, only the packages that were sequenced to support any operating system appear in the metadata.

    + +  + +## Query syntax for viewing publishing metadata + + +The following table provides the syntax and query examples. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
    Version of App-VQuery syntaxParameter descriptionsExample

    App-V 5.0 SP3 and App-V

    http://<PubServer>:<Publishing Port#>/?ClientVersion=<AppvClientVersion>&ClientOS=<OSStringValue>

    ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterDescription

    <PubServer>

    Name of the App-V Publishing server.

    <Publishing Port#>

    Port to the App-V Publishing server, which you defined when you configured the Publishing server.

    ClientVersion=<AppvClientVersion>

    Version of the App-V client. Refer to the following table for the correct value to use.

    ClientOS=<OSStringValue>

    Operating system of the computer that is running the App-V client. Refer to the following table for the correct value to use.

    +

     

    +

    To get the name of the Publishing server and the port number (http://<PubServer>:<Publishing Port#>) from the App-V Client, look at the URL configuration of the Get-AppvPublishingServer PowerShell cmdlet.

    http://pubsvr01:2718/?clientversion=5.0.10066.0&clientos=WindowsClient_6.2_x64

    +

    In the example:

    +
      +
    • A Windows Server 2012 R2 named “pubsvr01” hosts the Publishing service.

    • +
    • The Windows client is Windows 8.1 64-bit.

    • +

    App-V 5.0 through App-V 5.0 SP2

    http://<PubServer>:<Publishing Port#>/

    +
    +Note   +

    ClientVersion and ClientOS are supported only in App-V 5.0 SP3 and App-V.

    +
    +
    +  +

    See the information for App-V 5.0 SP3 and App-V.

    http://pubsvr01:2718

    +

    In the example, A Windows Server 2012 R2 named “pubsvr01” hosts the Management and Publishing services.

    + +  + +## Query values for client operating system and version + + +In your publishing metadata query, enter the string values that correspond to the client operating system and version that you’re using. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Operating systemArchitectureOperating string string value

    Windows 10

    64-bit

    WindowsClient_10.0_x64

    Windows 10

    32-bit

    WindowsClient_10.0_x86

    Windows 8.1

    64-bit

    WindowsClient_6.2_x64

    Windows 8.1

    32-bit

    WindowsClient_6.2_x86

    Windows 8

    64-bit

    WindowsClient_6.2_x64

    Windows 8

    32-bit

    WindowsClient_6.2_x86

    Windows Server 2012 R2

    64-bit

    WindowsServer_6.2_x64

    Windows Server 2012 R2

    32-bit

    WindowsServer_6.2_x86

    Windows Server 2012

    64-bit

    WindowsServer_6.2_x64

    Windows Server 2012

    32-bit

    WindowsServer_6.2_x86

    Windows 7

    64-bit

    WindowsClient_6.1_x64

    Windows 7

    32-bit

    WindowsClient_6.1_x86

    Windows Server 2008 R2

    64-bit

    WindowsServer_6.1_x64

    Windows Server 2008 R2

    32-bit

    WindowsServer_6.1_x86

    + +  + +## Definition of publishing metadata + + +When packages are published to a computer that is running the App-V client, metadata is sent to that computer indicating which packages and connection groups are being published. The App-V Client makes two separate requests for the following: + +- Packages and connection groups that are entitled to the client computer. + +- Packages and connection groups that are entitled to the current user. + +The Publishing server communicates with the Management server to determine which packages and connection groups are available to the requester. The Publishing server must be registered with the Management server in order for the metadata to be generated. + +You can view the metadata for each request in an Internet browser by using a query that is in the context of the specific user or computer. + +## Have a suggestion for App-V? + + +Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics + + +[Technical Reference for App-V](appv-technical-reference.md) + +  + +  + + + + + diff --git a/windows/manage/assign-apps-to-employees.md b/windows/manage/assign-apps-to-employees.md index adf354a31f..a329393689 100644 --- a/windows/manage/assign-apps-to-employees.md +++ b/windows/manage/assign-apps-to-employees.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Assign apps to employees diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index fe90ebb58f..67f0217f4c 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md 
@@ -12,12 +12,32 @@ author: jdeckerMS This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). + +## August 2016 + +| New or changed topic | Description | +| --- | --- | +| [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) | Updated sample XML for combined Start and taskbar layout | + +## RELEASE: Windows 10, version 1607 + +The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: + +- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) +- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +- [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) +- [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) +- [Application Virtualization (App-V) for Windows 10](appv-for-windows.md) +- [User Experience Virtualization (UE-V) for Windows 10](uev-for-windows.md) + ## July 2016 | New or changed topic | Description | | ---|---| +| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | New | | [Windows 10 servicing options](introduction-to-windows-10-servicing.md) | Added detailed content on servicing branches, moved from [Windows 10 servicing overview](../plan/windows-10-servicing-options.md). | + ## June 2016 | New or changed topic | Description | diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/manage/changes-to-start-policies-in-windows-10.md index 8697ff8945..ad0589981e 100644 --- a/windows/manage/changes-to-start-policies-in-windows-10.md +++ b/windows/manage/changes-to-start-policies-in-windows-10.md 
@@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS +localizationpriority: medium --- # Changes to Group Policy settings for Windows 10 Start diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md index 0539884199..175c61bf6e 100644 --- a/windows/manage/configure-devices-without-mdm.md +++ b/windows/manage/configure-devices-without-mdm.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile, devices author: jdeckerMS +localizationpriority: medium --- # Configure devices without MDM @@ -24,7 +25,7 @@ Sometimes mobile device management (MDM) isn't available to you for setting up a Rather than wiping a device and applying a new system image, in Windows 10 you can apply a provisioning package at any time. A provisioning package can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. -You can provide provisioning packages on a network shared folder that employees can access to configure their devices. Or you can put a provisioning package on a USB flash drive or SD card to hand out. You can even send the provisioning package to someone in email. +You can provide provisioning packages on a network shared folder that employees can access to configure their devices. Or you can put a provisioning package on a USB flash drive or SD card to hand out. Provisioning packages are simple for employees to install. And when they remove a provisioning package, policies that the package applied to their device are removed. 
@@ -56,8 +57,8 @@ Provisioning packages are simple for employees to install. And when they remove Package might include company root certificate, Wi-Fi profiles, security policies, or company application. - **Note**   - Test to make sure that removing the provisioning package from a personal device removes everything that the package installed. Some settings are not reverted when a provisioning package is removed from the device. + > [!NOTE]   + > Test to make sure that removing the provisioning package from a personal device removes everything that the package installed. Some settings are not reverted when a provisioning package is removed from the device.   
@@ -65,81 +66,93 @@ Provisioning packages are simple for employees to install. And when they remove Package might include computer name, company root certificate, Wi-Fi profile, or company application. - **Note**   - To return the **Start** menu to a specific state, you must reset the device. When you reset the device, you can apply the provisioning package during the first-run experience. + > [!NOTE]   + > To return the **Start** menu to a specific state, you must reset the device. When you reset the device, you can apply the provisioning package during the first-run experience.   For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). -## Create package +## Create a provisioning package + +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +When you run Windows ICD, you have several options for creating your package. + +![Simple or advanced provisioning](images/ICDstart-option.png). + +- Choose **Simple provisioning** to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. +- Choose **Provision school devices** to quickly create provisioning packages that configure settings and policies tailored for students. Learn more about using Windows ICD to provision student PCs (link tb added). +- Choose **Advanced provisioning** to create provisioning packages in the advanced settings editor and include classic (Win32) and Universal Windows Platform (UWP) apps for deployment on end-user devices. 
+ +> [!IMPORTANT] +> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +### Using Simple provisioning + +1. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). +2. Click **Simple provisioning**. +2. Name your project and click **Finish**. +3. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. +4. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. + - Home to Education + - Pro to Education + - Pro to Enterprise + - Enterprise to Education + - Mobile to Mobile Enterprise +5. Click **Set up network**. +6. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. +7. Click **Enroll into Active Directory**. +8. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account. + > [!WARNING] + > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: + - Use a least-privileged domain account to join the device to the domain. 
+ - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. + - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. +9. Click **Finish**. +10. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. +11. Click **Create**. + + + +### Using Advanced provisioning -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) 1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). - -2. Choose **New provisioning package**. - +2. Click **Advanced provisioning**. +3. Choose **New provisioning package**. 3. Name your project, and click **Next**. - -4. Choose **Common to all Windows editions**, **Common to all Windows desktop editions**, or **Common to all Windows mobile editions**, depending on the devices you intend to provision, and click **Next**. - +4. Choose **All Windows editions**, **All Windows desktop editions**, or **All Windows mobile editions**, depending on the devices you intend to provision, and click **Next**. 5. On **New project**, click **Finish**. The workspace for your package opens. - 6. Configure settings. [Learn more about specific settings in provisioning packages.]( http://go.microsoft.com/fwlink/p/?LinkId=615916) - 7. On the **File** menu, select **Save.** - 8. 
On the **Export** menu, select **Provisioning package**. - 9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - 10. Set a value for **Package Version**. - - **Tip**   - You can make changes to existing packages and change the version number to update previously applied packages. - -   - + > [!TIP]   + > You can make changes to existing packages and change the version number to update previously applied packages. +   11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - - **Important**   - We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. - -   - + > [!IMPORTANT]   + > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. +   12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. - Optionally, you can click **Browse** to change the default output location. - 13. Click **Next**. - 14. Click **Build** to start building the package. 
The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - 15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - 16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - - Shared network folder - - SharePoint site - - Removable media (USB/SD) - - Email - - USB tether (mobile only) Learn more: [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651) 
@@ -147,11 +160,11 @@ Learn more: [Build and apply a provisioning package](http://go.microsoft.com/fwl ## Apply package -On a desktop computer, the employee goes to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. The user can also add a provisioning package simply by double-clicking the .ppkg file in email, in local storage, on removable media, or at a URL. +On a desktop computer, the employee goes to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. The user can also add a provisioning package simply by double-clicking the .ppkg file in local storage, on removable media, or at a URL. ![add a package option](images/package.png) -On a mobile device, the employee goes to **Settings** > **Accounts** > **Provisioning.** > **Add a package**, and selects the package on removable media to install. The user can also add a provisioning package simply by double-tapping the .ppkg file in email. +On a mobile device, the employee goes to **Settings** > **Accounts** > **Provisioning.** > **Add a package**, and selects the package on removable media to install. ![add provisioning package on phone](images/phoneprovision.png) @@ -168,7 +181,7 @@ On a mobile device, the employee goes to **Settings** > **Accounts** > **P - Optionally, keep packages when you reset a mobile device. When you reset a desktop, runtime packages are removed. - ![](images/resetdevice.png) + ![reset a device](images/resetdevice.png) ## Learn more diff --git a/windows/manage/configure-mdm-provider-windows-store-for-business.md b/windows/manage/configure-mdm-provider-windows-store-for-business.md index e621a59e02..d4c07de29f 100644 --- a/windows/manage/configure-mdm-provider-windows-store-for-business.md +++ b/windows/manage/configure-mdm-provider-windows-store-for-business.md 
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Configure an MDM provider diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md index 66f10dbf1e..377c8066cf 100644 --- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md +++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md @@ -1,6 +1,6 @@ --- title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services +redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services --- # Configure Windows 10 devices to stop data flow to Microsoft diff --git a/windows/manage/configure-windows-10-taskbar.md b/windows/manage/configure-windows-10-taskbar.md new file mode 100644 index 0000000000..b96590c3b1 --- /dev/null +++ b/windows/manage/configure-windows-10-taskbar.md 
@@ -0,0 +1,300 @@ +--- +title: Configure Windows 10 taskbar (Windows 10) +description: Admins can pin apps to users' taskbars. +keywords: ["taskbar layout","pin apps"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +--- +# Configure Windows 10 taskbar + +Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. + +> [!NOTE] +> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout. + +You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](http://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path (the local path to the application). + +If you specify an app to be pinned that is not installed on the computer, it won't appear on the taskbar. + +The order of apps in the xml file dictates order of apps on taskbar from left to right, to the right of any existing apps pinned by user. + +> [!NOTE] +> In operating systems configured to use a right-to-left language, the taskbar order will be reversed. + +The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). + +![Windows left, user center, enterprise to the right](images/taskbar-generic.png) + + +## Configure taskbar (general) + +To configure the taskbar: +1. Create the XML file. + * If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from the following sample to the file. 
+ * If you are only configuring the taskbar, use the following sample to create a layout modification XML file. +2. Edit and save the XML file. You can use [AUMID](http://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path to identify the apps to pin to the taskbar. + * Use `` and [AUMID](http://go.microsoft.com/fwlink/p/?LinkId=614867) to pin Universal Windows Platform apps. + * Use `` and Desktop Application Link Path to pin desktop applications. +3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). + +### Tips for finding AUMID and Desktop Application Link Path + +In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. + +The easiest way to find this data for an application is to: +1. Pin the application to the Start menu +2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet. +3. Open the generated XML file. +4. Look for an entry corresponding to the app you pinned . +5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`. + + +### Sample taskbar configuration XML + +```xml + + + + + + + + + + + +``` +### Sample taskbar configuration added to Start layout XML + +```xml + + + + + + + + + + + + + + + + + + + + + + + +``` + +##Keep default apps and add your own + +The `` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt. 
+ +```xml + + + + + + + + + + + + +``` +**Before:** + +![default apps pinned to taskbar](images/taskbar-default.png) + +**After:** + + ![additional apps pinned to taskbar](images/taskbar-default-plus.png) + +##Remove default apps and add your own + +By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar. + +If you only want to remove some of the default pinned apps, you would use this method to remove all default pinned apps and then include the default app that you want to keep in your list of pinned apps. + +```xml + + + + + + + + + + + + + +``` +**Before:** + +![Taskbar with default apps](images/taskbar-default.png) + +**After:** + +![Taskbar with default apps removed](images/taskbar-default-removed.png) + +## Configure taskbar by country or region + +The following example shows you how to configure taskbars by country or region. When you specify one or more country or region in ``, the pinned apps in that section are only pinned on computers that are configured for that country or region. When specifying taskbar configuration by country or region, the taskbar will concatenate pinlists together so long as the target computer meets the country or region requirements. If no country or region is specified for a `` node, it will apply to every country and region. 
+ +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +When the preceding example XML is applied, the resulting taskbar for computers in the US or UK: + +![taskbar for US and UK locale](images/taskbar-region-usuk.png) + +The resulting taskbar for computers in Germany or France: + +![taskbar for DE and FR locale](images/taskbar-region-defr.png) + +The resulting taskbar for computers in any other country region: + +![taskbar for all other regions](images/taskbar-region-other.png) + + +> [!NOTE] +> [Look up country and region codes (use the ISO Short column)](http://go.microsoft.com/fwlink/p/?LinkId=786445) + + + + +## Layout Modification Template schema definition + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Related topics + +[Manage Windows 10 Start and taskbar layout ](windows-10-start-layout-options-and-policies.md)[Customize and export Start layout](customize-and-export-start-layout.md) + +[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) + +[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) + +[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) + +[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) + + + diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index 1d4f6b116f..9965ade8d5 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +localizationpriority: high author: brianlic-msft --- 
@@ -15,36 +16,119 @@ author: brianlic-msft - Windows 10 - Windows 10 Mobile -- Windows Server 2016 Technical Preview +- Windows Server 2016 -Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. +At Microsoft, we use Windows telemetry to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry gives users a voice in the operating system’s development. This guide describes the importance of Windows telemetry and how we protect that data. Additionally, it differentiates between telemetry and functional data. It also describes the telemetry levels that Windows supports. Of course, you can choose how much telemetry is shared with Microsoft, and this guide demonstrates how. ->**Note:**  This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server. +To frame a discussion about telemetry, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows telemetry system in the following ways: -It describes the types of telemetry we gather and the ways you can manage its telemetry. 
This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers. +- **Control.** We offer customers control of the telemetry they share with us by providing easy-to-use management tools. +- **Transparency.** We provide information about the telemetry that Windows and Windows Server collects so our customers can make informed decisions. +- **Security.** We encrypt telemetry in transit from your device and protect that data at our secure data centers. +- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. +- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows telemetry system. Customer content inadvertently collected is kept confidential and not used for user targeting. +- **Benefits to you.** We collect Windows telemetry to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all of our customers. -We understand that the privacy and security of our customers’ information is important and we have taken a thoughtful and comprehensive approach to customer privacy and the protection of their data with Windows 10, Windows Server 2016 Technical Preview, and System Center 2016. +This article applies to Windows and Windows Server telemetry only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, telemetry controls, and so on. 
This article describes the types of telemetry we may gather, the ways you might manage it in your organization, and some examples of how telemetry can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers. + + +Use this article to make informed decisions about how you might configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services. ## Overview -In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC) on Windows Server, and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using Settings > Privacy, Group Policy, or MDM. - -Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers. 
- -Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, and gaining insights into driver reliability issues affecting other customers. +In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM. For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. +## Understanding Windows telemetry + +Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. 
+ +The release cadence of Windows may be fast, so feedback is critical to its success. We rely on telemetry at each stage of the process to inform our decisions and prioritize our efforts. + +### What is Windows telemetry? +Windows telemetry is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: + +- Keep Windows up to date +- Keep Windows secure, reliable, and performant +- Improve Windows – through the aggregate analysis of the use of Windows +- Personalize Windows engagement surfaces + +Here are some specific examples of Windows telemetry data: + +- Type of hardware being used +- Applications installed and usage details +- Reliability information on device drivers + +### What is NOT telemetry? + +Telemetry can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not telemetry. For example, exchanging a user’s location for local weather or news is not an example of telemetry—it is functional data that the app or service requires to satisfy the user’s request. + +There are subtle differences between telemetry and functional data. Windows collects and sends telemetry in the background automatically. You can control how much information is gathered by setting the telemetry level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. 
+ +If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services). + +The following are specific examples of functional data: + +- Current location for weather +- Bing searches +- Wallpaper and desktop settings synced across multiple devices + +### Telemetry gives users a voice + +Windows and Windows Server telemetry gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits. + +### Drive higher app and driver quality + +Our ability to collect telemetry that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Telemetry helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. + +A real-world example of how Windows telemetry helps us quickly identify and fix issues is a particular version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. 
We detected the problem in our telemetry, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on telemetry from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Telemetry helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. + +### Improve end-user productivity + +Windows telemetry also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: + +- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. +- **Cortana.** We use telemetry to monitor the scalability of our cloud service, improving search performance. +- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later telemetry showed significantly higher usage of this feature. 
+ +**These examples show how the use of telemetry data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** + + +### Insights into your own organization + +Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Windows 10 Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md). + +#### Windows 10 Upgrade Analytics + +Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. + +To better help customers through this difficult process, Microsoft developed Upgrade Analytics to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. + +With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. 
+ +Use Upgrade Analytics to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer, driver, and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. + ## How is telemetry data handled by Microsoft? ### Data collection -Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. +Windows 10 and Windows Server 2016 includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. 1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. 2. Events are gathered using public operating system event logging and tracing APIs. 3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings. -4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft and uses certificate pinning. +4. 
The Connected User Experience and Telemetry component transmits the telemetry data. Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels. @@ -56,46 +140,47 @@ All telemetry data is encrypted using SSL and uses certificate pinning during tr The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. -The Connected User Experience and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. +The following table defines the endpoints for telemetry services: -The Connected User Experience and Telemetry component also connects to settings-win.data.microsoft.com to download configuration information. - -[Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) connects to watson.telemetry.microsoft.com. - -[Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) connects to oca.telemetry.microsoft.com. +| Service | Endpoint | +| - | - | +| Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com
    settings-win.data.microsoft.com | +| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | +| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | ### Data use and access -Data gathered from telemetry is used by Microsoft teams primarily to improve our customer experiences, and for security, health, quality, and performance analysis. The principle of least privileged guides access to telemetry data. Only Microsoft personnel with a valid business need are permitted access to the telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the Privacy Statement. We do share business reports with OEMs and third party partners that include aggregated, anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. +The principle of least privileged access guides access to telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). Microsoft may share business reports with OEMs and third party partners that include aggregated and anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. ### Retention -Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Store purchase history. 
+Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Windows Store purchase history. ## Telemetry levels -This section explains the different telemetry levels in Windows 10, Windows Server 2016 Technical Preview, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016 Technical Preview. +This section explains the different telemetry levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. The telemetry data is categorized into four levels: - **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. -- **Basic**. Basic device info, including: quality-related data, app compat, app usage data, and data from the **Security** level. +- **Basic**. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the **Security** level. - **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels. - **Full**. 
All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels. -The levels are cumulative and are illustrated in the following diagram. These levels apply to all editions of Windows Server 2016 Technical Preview. +The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016. ![breakdown of telemetry levels and types of administrative controls](images/priv-telemetry-levels.png) ### Security level -The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions. +The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windos IoT Core editions. -> **Note:**  If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. +> [!NOTE] +> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. 
Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered. 
@@ -103,18 +188,19 @@ Windows Server Update Services (WSUS) and System Center Configuration Manager fu The data gathered at this level includes: -- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). +- **Connected User Experience and Telemetry component settings**. If general telemetry data has been gathered and is queued, it is sent to Microsoft. Along with this telemetry, the Connected User Experience and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experience and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). - **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. - >**Note:**  You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). + > [!NOTE] + > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).   - **Windows Defender/Endpoint Protection**. 
Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. - **Note**   - This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender). + > [!NOTE] + > This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender). Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. 
@@ -126,11 +212,11 @@ No user content, such as user files or communications, is gathered at the **Secu ### Basic level -The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent. +The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent. The data gathered at this level includes: -- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview instances in the ecosystem, including: +- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include: - Device attributes, such as camera resolution and display type 
@@ -156,7 +242,7 @@ The data gathered at this level includes: - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. - - **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started + - **App usage data**. Includes how an app is used, including how long an app is used, when the app has focus, and when the app is started - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. 
@@ -166,13 +252,13 @@ The data gathered at this level includes: - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. -- **Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses. +- **Windows Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses. ### Enhanced level The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. -This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. +This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. The data gathered at this level includes: 
@@ -202,15 +288,25 @@ However, before more data is gathered, Microsoft’s privacy governance team, in
 - All crash dump types, including heap dumps and full dumps.
+## Enterprise management
+
+Sharing telemetry data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the telemetry level and managing specific components is the best option.
+
+Customers can set the telemetry level in both the user interface and with existing management tools. Users can change the telemetry level in the **Diagnostic and usage data** setting. In the Settings app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available.
+
+IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a telemetry level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security telemetry level is available when managing the policy. Setting the telemetry level through policy overrides users’ choices. The remainder of this section describes how to do that.
+
+
 ### Manage your telemetry settings
 We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
->**Important:**  These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. 
For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
+> [!IMPORTANT]
+> These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
 You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
-The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced.**
+The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 is **Enhanced**.
 ### Configure the operating system telemetry level 
@@ -218,14 +314,13 @@ You can configure your operating system telemetry settings using the management
 Use the appropriate value in the table below when you configure the management policy.
-| Value | Level | Data gathered |
-|-------|----------|---------------------------------------------------------------------------------------------------------------------------|
-| **0** | Security | Security data only. |
-| **1** | Basic | Security data, and basic system and quality data. |
-| **2** | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. |
-| **3** | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. |
+| Level | Data gathered | Value |
+| - | - | - |
+| Security | Security data only. | **0** |
+| Basic | Security data, and basic system and quality data. | **1** |
+| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** |
+| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
- 
 ### Use Group Policy to set the telemetry level 
@@ -275,21 +370,35 @@ There are a few more settings that you can turn off that may send telemetry info
 - Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
- >**Note:**  Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
+ > [!NOTE]
+ > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. 
-  
+## Additional resources
-## Examples of how Microsoft uses the telemetry data
+FAQs
+- [Cortana, Search, and privacy](http://windows.microsoft.com/en-us/windows-10/cortana-privacy-faq)
+- [Windows 10 feedback, diagnostics, and privacy](http://windows.microsoft.com/en-us/windows-10/feedback-diagnostics-privacy-faq)
+- [Windows 10 camera and privacy](http://windows.microsoft.com/en-us/windows-10/camera-privacy-faq)
+- [Windows 10 location service and privacy](http://windows.microsoft.com/en-us/windows-10/location-service-privacy)
+- [Microsoft Edge and privacy](http://windows.microsoft.com/en-us/windows-10/edge-privacy-faq)
+- [Windows 10 speech, inking, typing, and privacy](http://windows.microsoft.com/en-us/windows-10/speech-inking-typing-privacy-faq)
+- [Windows Hello and privacy](http://windows.microsoft.com/en-us/windows-10/windows-hello-privacy-faq)
+- [Wi-Fi Sense](http://windows.microsoft.com/en-us/windows-10/wi-fi-sense-faq)
+- [Windows Update Delivery Optimization](http://windows.microsoft.com/en-us/windows-10/windows-update-delivery-optimization-faq)
-### Drive higher application and driver quality in the ecosystem
+Blogs
-Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. 
Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications.
+- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
-### Reduce your total cost of ownership and downtime
+Privacy Statement
-Telemetry provides a view of which features and services customers use most. For example, the telemetry data provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates.
+- [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement)
-### Build features that address our customers’ needs
+TechNet
-Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers’ experiences and workloads. Some examples include customer usage of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft. 
\ No newline at end of file
+- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+
+Web Pages
+
+- [Privacy at Microsoft](http://privacy.microsoft.com)
diff --git a/windows/manage/connect-to-remote-aadj-pc.md b/windows/manage/connect-to-remote-aadj-pc.md
new file mode 100644
index 0000000000..1c58be856c
--- /dev/null
+++ b/windows/manage/connect-to-remote-aadj-pc.md 
@@ -0,0 +1,81 @@
+---
+title: Connect to remote Azure Active Directory-joined PC (Windows 10)
+description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC.
+ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D
+keywords: ["MDM", "device management", "RDP", "AADJ"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: devices
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Connect to remote Azure Active Directory-joined PC
+
+
+**Applies to**
+
+- Windows 10
+
+From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD).
+
+![Remote Desktop Connection client](images/rdp.png)
+
+## Set up
+
+- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
+- Ensure [Remote Credential Guard](../keep-secure/remote-credential-guard.md), a new feature in Windows 10, version 1607, is turned off on the client PC.
+- On the PC that you want to connect to:
+ 1. Open system properties for the remote PC.
+ 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
+
+ ![Allow remote connections to this computer](images/allow-rdp.png)
+
+ 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users, click **Select Users**.
+ 4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. 
+
+
+## Supported configurations
+
+In organizations that have integrated Active Directory and Azure AD, you can connect from a domain-joined PC to an Azure AD-joined PC using:
+
+- Password
+- Smartcards
+- Windows Hello for Business, if the domain is managed by System Center Configuration Manager
+
+In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network using:
+
+- Password
+- Smartcards
+- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription.
+
+In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
+
+- Password
+- Smartcards
+- Windows Hello for Business, with or without an MDM subscription.
+
+
+In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
+
+- Password
+- Windows Hello for Business, with or without an MDM subscription.
+
+
+
+## Related topics
+
+[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop)
+
+
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/manage/customize-and-export-start-layout.md b/windows/manage/customize-and-export-start-layout.md
index bd7b75c0fd..68d1056ac3 100644
--- a/windows/manage/customize-and-export-start-layout.md
+++ b/windows/manage/customize-and-export-start-layout.md
@@ -7,6 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerMS
+localizationpriority: medium
 ---
 # Customize and export Start layout 
@@ -49,12 +50,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a
 1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Enterprise or Windows 10 Education). Install all apps and services that the Start layout should display.
- **Important**  
- **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created.
-
- 
-
-2. Create a new user account that you will use to customize the Start layout.
+ 2. Create a new user account that you will use to customize the Start layout.
 **To customize Start**
@@ -91,6 +87,37 @@ When you have the Start layout that you want your users to see, use the [Export-
 In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml). Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet does not append the file name extension, and the policy settings require the extension.
+
+ Example of a layout file produced by `Export-StartLayout`:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    XML
    <LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
    +      <DefaultLayoutOverride>
    +        <StartLayoutCollection>
    +          <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
    +            <start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
    +              <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
    +              <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
    +              <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
    +            </start:Group>        
    +          </defaultlayout:StartLayout>
    +        </StartLayoutCollection>
    +      </DefaultLayoutOverride>
    +    </LayoutModificationTemplate>
    ## Configure a partial Start layout
@@ -123,9 +150,11 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
 [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
-[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+
+[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
 [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
index bf5aed9ec4..6c7c63c9cd 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
@@ -7,9 +7,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerMS
+localizationpriority: medium
 ---
-# Customize Windows 10 Start with Group Policy
+# Customize Windows 10 Start and taskbar with Group Policy
 **Applies to** 
@@ -20,12 +21,12 @@ author: jdeckerMS
 - [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630)
-In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
+In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
-This topic describes how to update Group Policy settings to display a customized Start layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start layout to users in a domain.
+This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain.
 **Warning**  
-When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
+When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. 
Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps.   
@@ -34,23 +35,23 @@ When a full Start layout is applied with this method, the users cannot pin, unpi
 ## Operating system requirements
-Start layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education. Start layout control is not supported in Windows 10 Pro.
+Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education, Version 1607. Start and taskbar layout control is not supported in Windows 10 Pro.
-The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841](http://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base.
+The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](http://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base.
 ## How Start layout control works
-Two features enable Start layout control:
+Three features enable Start and taskbar layout control:
-- The [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created. 
+- The [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
 **Note**  
 To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
- 
+- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration.
-- In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start layout from an .xml file when the policy is applied.
+- In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start and taskbar layout from an .xml file when the policy is applied.
 **Note**  
 To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( http://go.microsoft.com/fwlink/p/?LinkId=620863). 
@@ -60,29 +61,29 @@ To learn how customize Start to include your line-of-business apps when you depl
 ## Use Group Policy to apply a customized Start layout in a domain
-To apply the Start layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain.
+To apply the Start and taskbar layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain.
-The GPO applies the Start layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied.
+The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied.
 The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed.
-The .xml file with the Start layout must be located on shared network storage that is available to the users’ computers when they sign in and the users must have Read-only access to the file. If the file is not available at sign-in, Start is not customized during the session, and the user can make changes to Start.
+The .xml file with the Start and taskbar layout must be located on shared network storage that is available to the users’ computers when they sign in and the users must have Read-only access to the file. 
If the file is not available at sign-in, Start and the taskbar are not customized during the session, and the user can make changes to Start.
 For information about deploying GPOs in a domain, see [Working with Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=620889).
 ## Use Group Policy to apply a customized Start layout on the local computer
-You can use the Local Group Policy Editor to provide a customized Start layout for any user who signs in on the local computer. To display the customized Start layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**.
+You can use the Local Group Policy Editor to provide a customized Start and taskbar layout for any user who signs in on the local computer. To display the customized Start and taskbar layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**.
 **Note**  
-This procedure applies the policy settings on the local computer only. For information about deploying the Start layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment), later in this topic.
+This procedure applies the policy settings on the local computer only. For information about deploying the Start and taskbar layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment), later in this topic.
 This procedure creates a Local Group Policy that applies to all users on the computer. 
To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=620881). The guide was written for Windows Vista and the procedures still apply to Windows 10.  
-This procedure adds the customized Start layout to the user configuration, which overrides any Start layout settings in the local computer configuration when a user signs in on the computer.
+This procedure adds the customized Start and taskbar layout to the user configuration, which overrides any Start layout settings in the local computer configuration when a user signs in on the computer.
 **To configure Start Layout policy settings in Local Group Policy Editor**
@@ -102,9 +103,9 @@ This procedure adds the customized Start layout to the user configuration, which
 1. Select **Enabled**.
- 2. Under **Options**, specify the path to the .xml file that contains the Start layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**.
+ 2. Under **Options**, specify the path to the .xml file that contains the Start and taskbar layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**.
- 3. Optionally, enter a comment to identify the Start layout.
+ 3. Optionally, enter a comment to identify the Start and taskbar layout.
 **Important**  
 If you disable Start Layout policy settings that have been in effect and then re-enable the policy, users will not be able to make changes to Start, however the layout in the .xml file will not be reapplied unless the file has been updated. In Windows PowerShell, you can update the timestamp on a file by running the following command: 
@@ -116,16 +117,16 @@ This procedure adds the customized Start layout to the user configuration, which
 ## Update a customized Start layout
-After you use Group Policy to apply a customized Start layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp.
+After you use Group Policy to apply a customized Start and taskbar layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp.
 ## Related topics
-[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
+[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
 [Customize and export Start layout](customize-and-export-start-layout.md)
-[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
 [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
index 77d2d5abf5..2e17e4b129 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -7,6 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerMS
+localizationpriority: medium
 ---
 # Customize Windows 10 Start with mobile device management (MDM) 
@@ -22,6 +23,8 @@ author: jdeckerMS
 In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
+> **Note:** Customized taskbar configuration cannot be applied using MDM at this time.
+
 **Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md)
 **Warning**  
@@ -34,7 +37,7 @@ When a full Start layout is applied with this method, the users cannot pin, unpi
 Two features enable Start layout control:
-- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created.
+- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
 **Note**  
 To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. 
@@ -126,13 +129,15 @@ This example uses Microsoft Intune to configure an MDM policy that applies a cus ## Related topics -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) +[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) [Customize and export Start layout](customize-and-export-start-layout.md) -[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) -[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) + +[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) [Use Windows 10 custom policies to manage device settings with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=616316) diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index cc0c54d783..2fcd71d6ad 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -7,9 +7,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS +localizationpriority: medium --- -# Customize Windows 10 Start with ICD and provisioning packages +# Customize Windows 10 Start and taskbar with ICD and provisioning packages **Applies to** 
@@ -20,32 +21,37 @@ author: jdeckerMS - [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Enterprise and Windows 10 Education, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Enterprise and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. **Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) ## How Start layout control works -Two features enable Start layout control: +Three features enable Start and taskbar layout control: -- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created. +- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Note**   To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. 
-   +- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. -- In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start layout. + +- In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start and taskbar layout. ## Create a provisioning package that contains a customized Start layout -Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start layout. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +> **Important** +When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. 1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +2. Choose **Advanced provisioning**. + -2. Choose **New provisioning package**. 3. Name your project, and click **Next**. 
@@ -93,11 +99,11 @@ Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/ ## Related topics -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) +[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) [Customize and export Start layout](customize-and-export-start-layout.md) -[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) diff --git a/windows/manage/device-guard-signing-portal.md b/windows/manage/device-guard-signing-portal.md index 09c4d67158..e9dabd0581 100644 --- a/windows/manage/device-guard-signing-portal.md +++ b/windows/manage/device-guard-signing-portal.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, security author: TrudyHa +localizationpriority: high --- # Device Guard signing diff --git a/windows/manage/diagnostics-for-mdm-devices.md b/windows/manage/diagnostics-for-mdm-devices.md new file mode 100644 index 0000000000..32998541e9 --- /dev/null +++ b/windows/manage/diagnostics-for-mdm-devices.md 
@@ -0,0 +1,102 @@ +--- +title: Diagnostics for Windows 10 devices (Windows 10) +description: Device Policy State log in Windows 10, Version 1607, collects info about policies. +keywords: ["mdm", "udiag", "device policy", "mdmdiagnostics"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Diagnostics for Windows 10 devices + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +(which SKUs?) + +(this isn't really MDM-managed only, is it? It can be done locally/email?) + +Two new diagnostic tools for Windows 10, version 1607, help IT administrators diagnose and resolve issues with remote devices enrolled in mobile device management (MDM): the [Device Policy State Log](#device-policy-state-log) and [UDiag](#udiag). Windows 10 for desktop editions and Windows 10 Mobile make it simple for users to export log files that you can then analyze with these tools. + +## Export management log files + +Go to **Settings > Accounts > Work access > Export your management log files**. + +![Export your management log files](images/export-mgt-desktop.png) + +- On desktop devices, the file is saved to C:/Users/Public/Public Documents/MDMDiagnostics/MDMDiagReport.xml +- On phones, the file is saved to *phone*/Documents/MDMDiagnostics/MDMDiagReport.xml + +The MDMDiagReport.xml can be used with [Device Policy State Log](#device-policy-state-log) and [UDiag](#udiag) to help you resolve issues. + +## Device Policy State Log + +The Device Policy State Log collects information on the state of policies applied to the device to help you determine which sources are applying policies or configurations to the device. Help desk personnel can use this log to diagnose and resolve issues with a remote device. + +After you obtain the management log file from the user's device, run the mdmReportGenerator.ps1 script on log to create report. 
(download mdmReportGenerator.ps1 and mdmDiagnoseHelpers.psm1) This PowerShell script asks you to enter the name of the management log file and a name for the report that it will create, as shown in the following example: + +![Enter file name for input and output](images/mdm-diag-report-powershell.png) + +The script produces the report in html format. There are two sections to the report, Configuration and Policy Information. + + The configuration section lists the GUID of the sources that are applying configurations to the device. + + ![Configuration source Exachange ActiveSync](images/config-source.png) + +The policy information section displays information about the specific policies that are being enforced and on the device. For each policy, you will see the Area grouping, the Policy name, its default and current value, and the configuration source. You can compare the configuration source GUID in the policy information section to the GUIDs in the configuration section to identify the source of the policy. + +![Policies applied by a configuration source](images/config-policy.png) + + +## UDiag + +The UDiag tool applies rules to Event Tracing for Windows (ETW) files to help determine the root cause of an issue. + +(download UDiag) + +To analyze MDMDiagReport.xml using UDiag +1. Open UDiag, and select Device Management. +2. Select your source for the log files ("cab of logs" or "directory of logs") + +Investigating log content, identifying patterns, and adding a root cause analysis to the database (Advanced users/providers) + +1. While at the 'Root Causes List' panel, click the 'Diagnose' button at the bottom. +2. You will then be brought to the Diagnosis panel where you can investigate and tag root causes from the content + - Evidence Groups: When a set of logs are loaded into UDiag, the contents are processed (e.g. ETW) and organized into evidence groups. + - Decision Tree View: This view shows the loaded decision tree for the current topic/topic area. 
When a decision node is selected, a user can modify the regular expression and add/edit/delete an RCA for that node. Any RCA matches found in the current log set will have an 'RCA' label that is either Red or Yellow. + - Evidence View: Selecting an evidence group loads its content into this evidence view. Use this view to investigate issues and determine root causes. Drag and drop lines from the Evidence View into the Decision Tree View, to build your root cause analysis pattern. ([Learn more about techniques for root cause analysis.](https://technet.microsoft.com/en-us/library/cc543298.aspx)) + + + + + + Can admin pull logs without user action? [DK] Yes via the diagnostic log CSP + + + + "Run PowerShell script to process the file" – is that the user doing it? How can this workflow work in an enterprise where employees aren't computer-savvy? [DK] This is intended to be done by the help desk guy. + + Where did (user|admin) get mdmReportGenerator.ps1? [DK] Publishing on DLC later this summer + + In Viewing the report, how does the admin make sense of the source GUIDs? [DK] Correlates the value in the table with the entries at the top of the page. + + UDiag – where does admin get this? [DK] Publishing on DLC later this summer + + Can admins create custom rule sets? [DK] Right now, no. but open to feedback on this. 
+ + + +Link to [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx) + +[Diagnostics capability for devices managed by any MDM provider.](https://microsoft.sharepoint.com/teams/osg_core_ens/mgmt/OSMan Wiki/MDM Diagnostics - Generating and Processing Log files.aspx) + +[Redstone spec](https://microsoft.sharepoint.com/teams/specstore/_layouts/15/WopiFrame.aspx?sourcedoc=%7b7E8742A2-03A1-451C-BA07-F2573B044CBF%7d&file=DM%20-%20MDM%20Diagnostics-RS.docx&action=default&DefaultItemOpen=1) + +## Related topics + +[DiagnosticLog CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt219118.aspx) + +[Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120.aspx) \ No newline at end of file diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md index f1077326eb..8a9777af29 100644 --- a/windows/manage/disconnect-your-organization-from-microsoft.md +++ b/windows/manage/disconnect-your-organization-from-microsoft.md @@ -1,4 +1,4 @@ --- title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft +redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services --- \ No newline at end of file diff --git a/windows/manage/distribute-apps-from-your-private-store.md b/windows/manage/distribute-apps-from-your-private-store.md index 500ff0c7b4..828dc965f4 100644 --- a/windows/manage/distribute-apps-from-your-private-store.md +++ b/windows/manage/distribute-apps-from-your-private-store.md 
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Distribute apps using your private store @@ -25,15 +26,13 @@ You can make an app available in your private store when you acquire the app, or 1. Sign in to the [Store for Business](https://businessstore.microsoft.com). -2. Click an app and then click **Get the app** to acquire the app for your organization. - -3. You'll have a few options for distributing the app -- choose **Add to your private store where all people in your organization can find and install it.** +2. Click an app, choose the license type, and then click **Get the app** to acquire the app for your organization. ![Image showing Distribute options for app in the Windows Store for Business.](images/wsfb-distribute.png) - It will take approximately twelve hours before the app is available in the private store. +Windows Store for Business add the app to your **Inventory**. Click **Manage**, **Inventory** for app distribution options. -**To make an app in inventory available in your private store** +**To make an app in Inventory available in your private store** 1. Sign in to the [Store for Business](https://businessstore.microsoft.com). diff --git a/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md b/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md index ffdae6061d..8863d87a80 100644 --- a/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md +++ b/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Distribute apps to your employees from the Windows Store for Business diff --git a/windows/manage/distribute-apps-with-management-tool.md b/windows/manage/distribute-apps-with-management-tool.md index 102b4d6d01..891c3c0ccc 100644 
--- a/windows/manage/distribute-apps-with-management-tool.md +++ b/windows/manage/distribute-apps-with-management-tool.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Distribute apps with a management tool diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md index f6493b53b4..c1bc0b3a20 100644 --- a/windows/manage/distribute-offline-apps.md +++ b/windows/manage/distribute-offline-apps.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Distribute offline apps diff --git a/windows/manage/find-and-acquire-apps-overview.md b/windows/manage/find-and-acquire-apps-overview.md index 4b4aab57ea..8faea40ea2 100644 --- a/windows/manage/find-and-acquire-apps-overview.md +++ b/windows/manage/find-and-acquire-apps-overview.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Find and acquire apps diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index 9904809076..37005acc03 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md @@ -5,6 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: brianlic-msft +localizationpriority: high --- # Group Policies that apply only to Windows 10 Enterprise and Education Editions 
@@ -13,11 +14,22 @@ author: brianlic-msft - Windows 10 -In Windows 10, version 1511, the following Group Policies apply only to Windows 10 Enterprise and Windows 10 Education. +In Windows 10, version 1607, the following Group Policies apply only to Windows 10 Enterprise and Windows 10 Education. | Policy name | Policy path | Comments | -| - | - | - | -| Turn off the Store application | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

    User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). | -| Start layout | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | -| Force a specific default lock screen image | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) | - \ No newline at end of file +| --- | --- | --- | +| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. | +| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | +| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | +| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | +| **Do not require CTRL+ALT+DEL**
    combined with
    **Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon
    and
    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](set-up-a-device-for-anyone-to-use.md)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro.

    **Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.| +| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md | +| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | +| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | +| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

    User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). | +| **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app

    User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](manage-access-to-private-store.md) | +| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](manage-cortana-in-enterprise.md) | + + + + diff --git a/windows/manage/guidelines-for-assigned-access-app.md b/windows/manage/guidelines-for-assigned-access-app.md new file mode 100644 index 0000000000..2d776f2cf5 --- /dev/null +++ b/windows/manage/guidelines-for-assigned-access-app.md 
@@ -0,0 +1,104 @@ +--- +title: Guidelines for choosing an app for assigned access (Windows 10) +description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. +ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8 +keywords: ["kiosk", "lockdown", "assigned access"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Guidelines for choosing an app for assigned access (kiosk mode) + + +**Applies to** + +- Windows 10 + + +You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. + +The following guidelines may help you choose an appropriate Windows app for your assigned access experience in Windows 10, Version 1607. + +## General guidelines + +- Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](https://msdn.microsoft.com/library/windows/hardware/mt228170.aspx#install_your_apps). + +- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch. + + +## Guidelines for Windows apps that launch other apps + +Some Windows apps can launch other apps. Assigned access prevents Windows apps from launching other apps. + +Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality. 
+ +## Guidelines for web browsers + +Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. + +If you use a web browser as your assigned access app, consider the following tips: + +- You can download browsers that are optimized to be used as a kiosk from the Microsoft Store. +- You can use Group Policy to block access to the file system (network shares, local drives, and local folders) from Internet Explorer’s web address bar. +- You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app: + - [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/) + - [WebView class](https://msdn.microsoft.com/library/windows/apps/windows.ui.xaml.controls.webview.aspx) + - [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0) + +**To block access to the file system from Internet Explorer's web address bar** +1. On the Start screen, type the following: + `gpedit.msc` +2. Press **Enter** or click the gpedit icon to launch the group policy editor. +3. In the group policy editor, navigate to **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**. +4. Select **Remove Run menu from Start Menu**, select **Disabled**, and click **Apply**. Disabling this policy prevents users from entering the following into the Internet Explorer Address Bar: + - A UNC path (\\\) + - A local drive (C:\) + - A local folder (\temp) + + +## Secure your information + +Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. 
For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting this type of apps if they provide unnecessary data access. + +## App configuration + +Some apps may require additional configurations before they can be used appropriately in assigned access . For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access. +Check the guidelines published by your selected app and do the setup accordingly. + +## Develop your kiosk app + +Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above lock . The kiosk app is actually running as an above lock screen app. + +Follow the [best practices guidance for developing a kiosk app for assigned access](https://msdn.microsoft.com/library/windows/hardware/mt633799%28v=vs.85%29.aspx). + +## Test your assigned access experience + +The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience. + + ## Learn more + +[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) + +## Related topics + +[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) + +[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md) + +[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) + +[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) + +[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) + +  + +  + + + + + 
diff --git a/windows/manage/how-it-pros-can-use-configuration-service-providers.md b/windows/manage/how-it-pros-can-use-configuration-service-providers.md index bab2563813..a61e88337b 100644 --- a/windows/manage/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/manage/how-it-pros-can-use-configuration-service-providers.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS +localizationpriority: medium --- # Introduction to configuration service providers (CSPs) for IT pros @@ -23,7 +24,7 @@ The CSPs are documented on the [Hardware Dev Center](http://go.microsoft.com/fwl **Note**   The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile. -  + [See what's new for CSPs in Windows 10, version 1607.](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607) ## What is a CSP? @@ -215,6 +216,7 @@ Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile E ## Related topics +[What's new in MDM enrollment and management in Windows 10, version 1607](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607) [Lock down Windows 10](lock-down-windows-10.md) diff --git a/windows/manage/images/ActionCenterXML.jpg b/windows/manage/images/ActionCenterXML.jpg new file mode 100644 index 0000000000..b9832b2708 Binary files /dev/null and b/windows/manage/images/ActionCenterXML.jpg differ diff --git a/windows/manage/images/AppsXML.jpg b/windows/manage/images/AppsXML.jpg new file mode 100644 index 0000000000..ecc1869bb5 Binary files /dev/null and b/windows/manage/images/AppsXML.jpg differ diff --git a/windows/manage/images/AppsXML.png b/windows/manage/images/AppsXML.png new file mode 100644 index 0000000000..3981543264 Binary files /dev/null and b/windows/manage/images/AppsXML.png differ 
diff --git a/windows/manage/images/ButtonsXML.jpg b/windows/manage/images/ButtonsXML.jpg
new file mode 100644
index 0000000000..238eca7e68
Binary files /dev/null and b/windows/manage/images/ButtonsXML.jpg differ
diff --git a/windows/manage/images/CSPRunnerXML.jpg b/windows/manage/images/CSPRunnerXML.jpg
new file mode 100644
index 0000000000..071b316a9e
Binary files /dev/null and b/windows/manage/images/CSPRunnerXML.jpg differ
diff --git a/windows/manage/images/ICDstart-option.PNG b/windows/manage/images/ICDstart-option.PNG
new file mode 100644
index 0000000000..1ba49bb261
Binary files /dev/null and b/windows/manage/images/ICDstart-option.PNG differ
diff --git a/windows/manage/images/MenuItemsXML.png b/windows/manage/images/MenuItemsXML.png
new file mode 100644
index 0000000000..cc681250bb
Binary files /dev/null and b/windows/manage/images/MenuItemsXML.png differ
diff --git a/windows/manage/images/SettingsXML.png b/windows/manage/images/SettingsXML.png
new file mode 100644
index 0000000000..98a324bdea
Binary files /dev/null and b/windows/manage/images/SettingsXML.png differ
diff --git a/windows/manage/images/StartGrid.jpg b/windows/manage/images/StartGrid.jpg
new file mode 100644
index 0000000000..36136f3201
Binary files /dev/null and b/windows/manage/images/StartGrid.jpg differ
diff --git a/windows/manage/images/StartGridPinnedApps.jpg b/windows/manage/images/StartGridPinnedApps.jpg
new file mode 100644
index 0000000000..fbade52f53
Binary files /dev/null and b/windows/manage/images/StartGridPinnedApps.jpg differ
diff --git a/windows/manage/images/TilesXML.png b/windows/manage/images/TilesXML.png
new file mode 100644
index 0000000000..cec52bbbf7
Binary files /dev/null and b/windows/manage/images/TilesXML.png differ
diff --git a/windows/manage/images/allow-rdp.png b/windows/manage/images/allow-rdp.png
new file mode 100644
index 0000000000..55c13b53bc
Binary files /dev/null and b/windows/manage/images/allow-rdp.png differ
diff --git a/windows/manage/images/app-v-in-adk.png b/windows/manage/images/app-v-in-adk.png
new file mode 100644
index 0000000000..a36ef9f00f
Binary files /dev/null and b/windows/manage/images/app-v-in-adk.png differ
diff --git a/windows/manage/images/checklistbox.gif b/windows/manage/images/checklistbox.gif
new file mode 100644
index 0000000000..8af13c51d1
Binary files /dev/null and b/windows/manage/images/checklistbox.gif differ
diff --git a/windows/manage/images/checkmark.png b/windows/manage/images/checkmark.png
index 04cc421e12..f9f04cd6bd 100644
Binary files a/windows/manage/images/checkmark.png and b/windows/manage/images/checkmark.png differ
diff --git a/windows/manage/images/choose-package.png b/windows/manage/images/choose-package.png
new file mode 100644
index 0000000000..2bf7a18648
Binary files /dev/null and b/windows/manage/images/choose-package.png differ
diff --git a/windows/manage/images/config-policy.png b/windows/manage/images/config-policy.png
new file mode 100644
index 0000000000..b9cba70af6
Binary files /dev/null and b/windows/manage/images/config-policy.png differ
diff --git a/windows/manage/images/config-source.png b/windows/manage/images/config-source.png
new file mode 100644
index 0000000000..58938bacf7
Binary files /dev/null and b/windows/manage/images/config-source.png differ
diff --git a/windows/manage/images/connect-aad.png b/windows/manage/images/connect-aad.png
new file mode 100644
index 0000000000..8583866165
Binary files /dev/null and b/windows/manage/images/connect-aad.png differ
diff --git a/windows/manage/images/crossmark.png b/windows/manage/images/crossmark.png
index 2b267dc802..69432ff71c 100644
Binary files a/windows/manage/images/crossmark.png and b/windows/manage/images/crossmark.png differ
diff --git a/windows/manage/images/deploymentworkflow.png b/windows/manage/images/deploymentworkflow.png
new file mode 100644
index 0000000000..b665a0bfea
Binary files /dev/null and b/windows/manage/images/deploymentworkflow.png differ
diff --git a/windows/manage/images/export-mgt-desktop.png b/windows/manage/images/export-mgt-desktop.png
new file mode 100644
index 0000000000..13349c3b4e
Binary files /dev/null and b/windows/manage/images/export-mgt-desktop.png differ
diff --git a/windows/manage/images/export-mgt-mobile.png b/windows/manage/images/export-mgt-mobile.png
new file mode 100644
index 0000000000..6a74c23e59
Binary files /dev/null and b/windows/manage/images/export-mgt-mobile.png differ
diff --git a/windows/manage/images/express-settings.png b/windows/manage/images/express-settings.png
new file mode 100644
index 0000000000..99e9c4825a
Binary files /dev/null and b/windows/manage/images/express-settings.png differ
diff --git a/windows/manage/images/funfacts.png b/windows/manage/images/funfacts.png
new file mode 100644
index 0000000000..71355ec370
Binary files /dev/null and b/windows/manage/images/funfacts.png differ
diff --git a/windows/manage/images/icd-adv-shared-pc.PNG b/windows/manage/images/icd-adv-shared-pc.PNG
new file mode 100644
index 0000000000..a8da5fa78a
Binary files /dev/null and b/windows/manage/images/icd-adv-shared-pc.PNG differ
diff --git a/windows/manage/images/icd-school.PNG b/windows/manage/images/icd-school.PNG
new file mode 100644
index 0000000000..e6a944a193
Binary files /dev/null and b/windows/manage/images/icd-school.PNG differ
diff --git a/windows/manage/images/icd-simple.PNG b/windows/manage/images/icd-simple.PNG
new file mode 100644
index 0000000000..7ae8a1728b
Binary files /dev/null and b/windows/manage/images/icd-simple.PNG differ
diff --git a/windows/manage/images/license-terms.png b/windows/manage/images/license-terms.png
new file mode 100644
index 0000000000..8dd34b0a18
Binary files /dev/null and b/windows/manage/images/license-terms.png differ
diff --git a/windows/manage/images/lockscreen.png b/windows/manage/images/lockscreen.png
new file mode 100644
index 0000000000..68c64e15ec
Binary files /dev/null and b/windows/manage/images/lockscreen.png differ
diff --git a/windows/manage/images/lockscreenpolicy.png b/windows/manage/images/lockscreenpolicy.png
new file mode 100644
index 0000000000..30b6a7ae9d
Binary files /dev/null and b/windows/manage/images/lockscreenpolicy.png differ
diff --git a/windows/manage/images/mdm-diag-report-powershell.PNG b/windows/manage/images/mdm-diag-report-powershell.PNG
new file mode 100644
index 0000000000..86f5b49211
Binary files /dev/null and b/windows/manage/images/mdm-diag-report-powershell.PNG differ
diff --git a/windows/manage/images/oma-uri-shared-pc.png b/windows/manage/images/oma-uri-shared-pc.png
new file mode 100644
index 0000000000..68f9fa3b32
Binary files /dev/null and b/windows/manage/images/oma-uri-shared-pc.png differ
diff --git a/windows/manage/images/oobe.jpg b/windows/manage/images/oobe.jpg
new file mode 100644
index 0000000000..53a5dab6bf
Binary files /dev/null and b/windows/manage/images/oobe.jpg differ
diff --git a/windows/manage/images/packageaddfileandregistrydata-global.png b/windows/manage/images/packageaddfileandregistrydata-global.png
new file mode 100644
index 0000000000..775e290a36
Binary files /dev/null and b/windows/manage/images/packageaddfileandregistrydata-global.png differ
diff --git a/windows/manage/images/packageaddfileandregistrydata-stream.png b/windows/manage/images/packageaddfileandregistrydata-stream.png
new file mode 100644
index 0000000000..0e1205c62b
Binary files /dev/null and b/windows/manage/images/packageaddfileandregistrydata-stream.png differ
diff --git a/windows/manage/images/packageaddfileandregistrydata.png b/windows/manage/images/packageaddfileandregistrydata.png
new file mode 100644
index 0000000000..603420e627
Binary files /dev/null and b/windows/manage/images/packageaddfileandregistrydata.png differ
diff --git a/windows/manage/images/prov.jpg b/windows/manage/images/prov.jpg
new file mode 100644
index 0000000000..1593ccb36b
Binary files /dev/null and b/windows/manage/images/prov.jpg differ
diff --git a/windows/manage/images/rdp.png b/windows/manage/images/rdp.png
new file mode 100644
index 0000000000..ac088d0b06
Binary files /dev/null and b/windows/manage/images/rdp.png differ
diff --git a/windows/manage/images/settings-table.png b/windows/manage/images/settings-table.png
index 6b77ce6002..ada56513fc 100644
Binary files a/windows/manage/images/settings-table.png and b/windows/manage/images/settings-table.png differ
diff --git a/windows/manage/images/setupmsg.jpg b/windows/manage/images/setupmsg.jpg
new file mode 100644
index 0000000000..12935483c5
Binary files /dev/null and b/windows/manage/images/setupmsg.jpg differ
diff --git a/windows/manage/images/sign-in-prov.png b/windows/manage/images/sign-in-prov.png
new file mode 100644
index 0000000000..55c9276203
Binary files /dev/null and b/windows/manage/images/sign-in-prov.png differ
diff --git a/windows/manage/images/spotlight.png b/windows/manage/images/spotlight.png
new file mode 100644
index 0000000000..515269740b
Binary files /dev/null and b/windows/manage/images/spotlight.png differ
diff --git a/windows/manage/images/spotlight2.png b/windows/manage/images/spotlight2.png
new file mode 100644
index 0000000000..27401c1a2b
Binary files /dev/null and b/windows/manage/images/spotlight2.png differ
diff --git a/windows/manage/images/taskbar-blank.png b/windows/manage/images/taskbar-blank.png
new file mode 100644
index 0000000000..185027f2fd
Binary files /dev/null and b/windows/manage/images/taskbar-blank.png differ
diff --git a/windows/manage/images/taskbar-default-plus.png b/windows/manage/images/taskbar-default-plus.png
new file mode 100644
index 0000000000..8afcebac09
Binary files /dev/null and b/windows/manage/images/taskbar-default-plus.png differ
diff --git a/windows/manage/images/taskbar-default-removed.png b/windows/manage/images/taskbar-default-removed.png
new file mode 100644
index 0000000000..b3ff924e9f
Binary files /dev/null and b/windows/manage/images/taskbar-default-removed.png differ
diff --git a/windows/manage/images/taskbar-default.png b/windows/manage/images/taskbar-default.png
new file mode 100644
index 0000000000..41c6c72258
Binary files /dev/null and b/windows/manage/images/taskbar-default.png differ
diff --git a/windows/manage/images/taskbar-generic.png b/windows/manage/images/taskbar-generic.png
new file mode 100644
index 0000000000..6d47a6795a
Binary files /dev/null and b/windows/manage/images/taskbar-generic.png differ
diff --git a/windows/manage/images/taskbar-region-defr.png b/windows/manage/images/taskbar-region-defr.png
new file mode 100644
index 0000000000..6d707b16f4
Binary files /dev/null and b/windows/manage/images/taskbar-region-defr.png differ
diff --git a/windows/manage/images/taskbar-region-other.png b/windows/manage/images/taskbar-region-other.png
new file mode 100644
index 0000000000..fab367ef7a
Binary files /dev/null and b/windows/manage/images/taskbar-region-other.png differ
diff --git a/windows/manage/images/taskbar-region-usuk.png b/windows/manage/images/taskbar-region-usuk.png
new file mode 100644
index 0000000000..6bba65ee81
Binary files /dev/null and b/windows/manage/images/taskbar-region-usuk.png differ
diff --git a/windows/manage/images/taskbarSTARTERBLANK.png b/windows/manage/images/taskbarSTARTERBLANK.png
new file mode 100644
index 0000000000..e206bdc196
Binary files /dev/null and b/windows/manage/images/taskbarSTARTERBLANK.png differ
diff --git a/windows/manage/images/trust-package.png b/windows/manage/images/trust-package.png
new file mode 100644
index 0000000000..8a293ea4da
Binary files /dev/null and b/windows/manage/images/trust-package.png differ
diff --git a/windows/manage/images/twain.png b/windows/manage/images/twain.png
new file mode 100644
index 0000000000..53cd5eadc7
Binary files /dev/null and b/windows/manage/images/twain.png differ
diff --git a/windows/manage/images/uev-adk-select-uev-feature.png b/windows/manage/images/uev-adk-select-uev-feature.png
new file mode 100644
index 0000000000..1556f115c0
Binary files /dev/null and b/windows/manage/images/uev-adk-select-uev-feature.png differ
diff --git a/windows/manage/images/uev-archdiagram.png b/windows/manage/images/uev-archdiagram.png
new file mode 100644
index 0000000000..eae098e666
Binary files /dev/null and b/windows/manage/images/uev-archdiagram.png differ
diff --git a/windows/manage/images/uev-checklist-box.gif b/windows/manage/images/uev-checklist-box.gif
new file mode 100644
index 0000000000..8af13c51d1
Binary files /dev/null and b/windows/manage/images/uev-checklist-box.gif differ
diff --git a/windows/manage/images/uev-deployment-preparation.png b/windows/manage/images/uev-deployment-preparation.png
new file mode 100644
index 0000000000..b665a0bfea
Binary files /dev/null and b/windows/manage/images/uev-deployment-preparation.png differ
diff --git a/windows/manage/images/uev-generator-process.png b/windows/manage/images/uev-generator-process.png
new file mode 100644
index 0000000000..e16cedd0a7
Binary files /dev/null and b/windows/manage/images/uev-generator-process.png differ
diff --git a/windows/manage/images/who-owns-pc.png b/windows/manage/images/who-owns-pc.png
new file mode 100644
index 0000000000..d3ce1def8d
Binary files /dev/null and b/windows/manage/images/who-owns-pc.png differ
diff --git a/windows/manage/images/wsfb-distribute.png b/windows/manage/images/wsfb-distribute.png
index f276ca5211..d0482f6ebe 100644
Binary files a/windows/manage/images/wsfb-distribute.png and b/windows/manage/images/wsfb-distribute.png differ
diff --git a/windows/manage/images/wsfb-inventory.png b/windows/manage/images/wsfb-inventory.png
new file mode 100644
index 0000000000..b060fb30e4
Binary files /dev/null and b/windows/manage/images/wsfb-inventory.png differ
diff --git a/windows/manage/images/wsfb-inventoryaddprivatestore.png b/windows/manage/images/wsfb-inventoryaddprivatestore.png index b7152ea973..bb1152e35b 100644 Binary files a/windows/manage/images/wsfb-inventoryaddprivatestore.png and b/windows/manage/images/wsfb-inventoryaddprivatestore.png differ diff --git a/windows/manage/images/wsfb-private-store-gpo.PNG b/windows/manage/images/wsfb-private-store-gpo.PNG new file mode 100644 index 0000000000..5e7fe44ec2 Binary files /dev/null and b/windows/manage/images/wsfb-private-store-gpo.PNG differ diff --git a/windows/manage/index.md b/windows/manage/index.md index 570fd79769..eba6dd0e9c 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -24,10 +24,6 @@ Learn about managing and updating Windows 10. - -

    [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)

    -

    This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).

    -

    [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)

    Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.

    @@ -41,37 +37,54 @@ Learn about managing and updating Windows 10.

    You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.

    +

    [Windows Spotlight on the lock screen](windows-spotlight.md)

    +

    Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

    + +

    [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)

    Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes.

    - +

    [Lock down Windows 10](lock-down-windows-10.md)

    Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.

    - +

    [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)

    Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE).

    - +

    [Configure devices without MDM](configure-devices-without-mdm.md)

    Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.

    - +

    [Windows 10 servicing options](introduction-to-windows-10-servicing.md)

    This article describes the new servicing options available in Windows 10, Windows 10 Mobile, and Windows 10 IoT Core (IoT Core) and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles.

    - +

    [Application development for Windows as a service](application-development-for-windows-as-a-service.md)

    In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation, development, and delivery called [Windows as a service (WaaS)](introduction-to-windows-10-servicing.md). The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle and provide feedback to Microsoft through an iterative methodology called flighting.

    + +

    [Application Virtualization for Windows (App-V)](appv-for-windows.md)

    +

    When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally.

    + +

    [User Experience Virtualization for Windows (UE-V)](uev-for-windows.md)

    +

    When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

    + +

    [Windows Store for Business](windows-store-for-business.md)

    Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.

    + +

    [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)

    +

    This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).

    +   ## Related topics [Windows 10 and Windows 10 Mobile](../index.md) +   - [Learn how Microsoft does IT at the IT Showcase](https://www.microsoft.com/itshowcase) +[Learn how Microsoft does IT at the IT Showcase](https://www.microsoft.com/itshowcase) diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md index 3a8047bf80..07b423dbf8 100644 --- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md +++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile author: jdeckerMS +localizationpriority: high --- # Join Windows 10 Mobile to Azure Active Directory diff --git a/windows/manage/lock-down-windows-10-to-specific-apps.md b/windows/manage/lock-down-windows-10-to-specific-apps.md index 232ab26d13..71622d4902 100644 --- a/windows/manage/lock-down-windows-10-to-specific-apps.md +++ b/windows/manage/lock-down-windows-10-to-specific-apps.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: edu, security author: jdeckerMS +localizationpriority: high --- # Lock down Windows 10 to specific apps @@ -114,6 +115,10 @@ To learn more about locking down features, see [Customizations for Windows 10 En Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md). +## Related topics + +- [Provisioning packages for Windows 10](../deploy/provisioning-packages.md) +     diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md index 320d69d80d..a3374f6d0f 100644 --- a/windows/manage/lock-down-windows-10.md +++ b/windows/manage/lock-down-windows-10.md 
@@ -8,16 +8,11 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security, mobile author: jdeckerMS +localizationpriority: high --- # Lock down Windows 10 - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. ## In this section @@ -34,7 +29,8 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p Description - +

    [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)

    Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.

    +

    [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)

    Windows 10, Version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.

    [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)

    You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select.

    diff --git a/windows/manage/lockdown-features-windows-10.md b/windows/manage/lockdown-features-windows-10.md new file mode 100644 index 0000000000..555ec7ab73 --- /dev/null +++ b/windows/manage/lockdown-features-windows-10.md @@ -0,0 +1,116 @@ +--- +title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) +description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. +ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14 +keywords: lockdown, embedded +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +localizationpriority: high +--- + +# Lockdown features from Windows Embedded 8.1 Industry + +**Applies to** +- Windows 10 + + +Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows Embedded 8.1 Industry lockdown featureWindows 10 featureChanges

    [Hibernate Once/Resume Many (HORM)](http://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device

    N/A

    HORM is supported in Windows 10, version 1607.

    [Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media

    [Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607)

    The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated.

    [Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations

    [Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391)

    Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

    [Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

    [Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=618603)

    Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

    +

    Learn [how to use Shell Launcher to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.

    [Application Launcher]( http://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on

    [Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

    The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.

    [Dialog Filter](http://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run

    [AppLocker](../keep-secure/applocker-overview.md)

    Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.

    +
      +
    • Control over which processes are able to run will now be provided by AppLocker.

    • +
    • System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.

    • +

    [Toast Notification Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications

    Mobile device management (MDM) and Group Policy

    Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.

    +

    Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications

    +

    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a [custom OMA-URI setting](http://go.microsoft.com/fwlink/p/?LinkID=616317) for AboveLock/AllowActionCenterNotifications.

    [Embedded Lockdown Manager](http://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features

    [Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkID=525483)

    The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.

    [USB Filter](http://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system

    MDM and Group Policy

    The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.

    +

    Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

    +

    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only).

    [Assigned Access](http://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system

    [Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

    Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.

    +

    In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.

    +

    Learn [how to use Assigned Access to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app.

    [Gesture Filter](http://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen

    [Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

    The capabilities of Gesture Filter have been consolidated into Assigned Access for Windows 10. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. For Windows 10, Charms have been removed, and blocking the closing or switching of apps is part of Assigned Access.

    [Custom Logon]( http://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown

    [Embedded Logon](http://go.microsoft.com/fwlink/p/?LinkId=626760)

    No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

    [Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements

    [Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626873)

    No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

    +  +  +  diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md index 7655d1f5e4..08bd7496c7 100644 --- a/windows/manage/lockdown-xml.md +++ b/windows/manage/lockdown-xml.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security, mobile author: jdeckerMS +localizationpriority: high --- # Configure Windows 10 Mobile using Lockdown XML 
@@ -20,105 +21,464 @@ Windows 10 Mobile allows enterprises to lock down a device, define multiple use This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. -After you apply the lockdown settings, the lockdown configuration is stored in a wehlockdown.xml file on the device. +Lockdown XML is an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=618601). -For details on each of the configuration items, see the AssignedAccess/AssignedAccessXml section of the [EnterpriseAssignedAccess configuration service provider (CSP) reference](http://go.microsoft.com/fwlink/p/?LinkID=618601). +> [!NOTE] +> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=618601). -## Order of lockdown settings +If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) first. 
+## Overview of the lockdown XML file -The configuration items must be in the following order when you lock down settings: - -- Default profile - - ActionCenter - - Apps - - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449) - - App User Model ID, as described in [Configuring Multiple App Packages](#bmk-map) - - PinToStart - - Size - - Location - - Buttons - - ButtonLockdownList - - Button name - - ButtonRemapList - - Button name - - Button event name - - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449) - - CSPRunner - - SyncML - - MenuItems - - Disable menu items - - Settings - - System name, as described in [Settings and quick actions that can be locked down](settings-that-can-be-locked-down.md) - - Tiles - - Enable tile manipulation - - StartScreenSize -- RoleList - - Role (repeat for each role) - - ActionCenter - - Apps - - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449) - - App User Model ID (AUMID), as described in [Configuring Multiple App Packages](#bmk-map) - - PinToStart - - Size - - Location - - Buttons - - ButtonLockdownList - - Button name - - ButtonRemapList - - Button name - - Button event name - - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449) - - CSPRunner - - SyncML - - MenuItems - - Disable menu items - - Settings - - System name, as described in [Settings and quick actions that can be locked down](settings-that-can-be-locked-down.md) - - Tiles - - Enable tile manipulation - - StartScreenSize - -## Configuring multiple app packages - - -Multiple app packages enable multiple apps to exist inside the same package. 
Since product IDs identify packages and not applications, specifying a product ID is not enough to distinguish between individual apps inside a multiple app package. Trying to pin application tiles from a multiple app package with just a product ID can result in unexpected behavior. - -To support pinning applications in multiple app packages, an AUMID parameter can be specified in lockdown.xml. - -The following example shows how to pin both Outlook Mail and Outlook Calendar: +Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml. +```xml + + + + + + + + + + + + + ``` + +**Default** and the entries beneath it establish the default device settings that are applied for every user. The device will always boot to this Default role. You can create additional roles on the device, each with its own settings, in the same XML file. [Learn how to add roles.](#configure-additional-roles) + +The settings for the Default role and other roles must be listed in your XML file in the order presented in this topic. All of the entries are optional. If you don't include a setting, that aspect of the device will operate as it would for an nonconfigured device. + +> **Tip**  Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure. + +## Action Center + +![XML for Action Center](images/ActionCenterXML.jpg) + +The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. + +In the following example, the Action Center is enabled and both policies are disabled. 
+ +```xml + +``` + +In the following example, Action Center and the toast policy are enabled, and the notifications policy is disabled. + +```xml + +``` + +The following example is a complete lockdown XML file that disables Action Center, notifications, and toasts. + +```xml + + + + + + + +``` + +## Apps + +![XML for Apps](images/AppsXML.png) + +The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. If you don't include the Apps setting in the file, all apps on the device are available to the user. + +You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md) + +The following example makes Outlook Calendar available on the device. + +```xml + + + + + +``` + +When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size). + +![Grid to lay out tiles for Start](images/StartGrid.jpg) + +Tile sizes are: +* Small: 1x1 +* Medium: 2x2 +* Large: 2x4 + +Based on 6 columns, you can pin six small tiles or three medium tiles on a single row. A large tile can be combined with two small tiles or one medium tile on the same row. Obviously, you cannot set a medium tile for LocationX=5, or a large tile for LocationX=3, 4, or 5. 
+ +If the tile configuration in your file exceeds the available width, such as setting a large tile to start at position 3 on the X axis, that tile is appended to the bottom of the Start screen. Also, if the tile configuration in your file would result in tiles overlapping each other, the overlapping tiles are instead appended to the bottom of the Start screen. + +In the following example, Outlook Calendar and Outlook Mail are pinned to the Start screen, and the Store app is allowed but is not pinned to Start. + +```xml Large - 1 - 4 + 0 + 0 - Large + Medium - 1 - 6 + 4 + 0 + + + + + + +``` + +That layout would appear on a device like this: + +![Example of the layout on a Start screen](images/StartGridPinnedApps.jpg) + +You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start. + +```xml + + + + + Medium + + 4 + 0 ``` -## Lockdown example to use in a lockdown XML file - - -The XML example can be used as a lockdown file that is contained in a provisioning package created in Windows Imaging and Configuration Designer (ICD). However, if you use MDM to push the lockdown file directly to devices, the XML example must use escaped characters for lockdown (such as < in place of <) as a result of XML embedded in XML. You can easily find an online escape tool to help you with this process. +To add apps to the folder, include **ParentFolderId** in the application XML, as shown in the following example: +```xml + + + + + Large + + 0 + 0 + + 1 + + + + + + Medium + + 4 + 0 + + 1 + + + ``` +When an app is contained in a folder, its **PinToStart** configuration (tile size and location) applies to its appearance when the folder is opened. 
+ +## Buttons + +![XML for buttons](images/ButtonsXML.jpg) + +In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify. + +### ButtonLockdownList + +When a user taps a button that is in the lockdown list, nothing will happen. The following table lists which events can be disabled for each button. + +Button | Press | PressAndHold | All +---|:---:|:---:|:--:|- +Start | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) +Back | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) +Search | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) +Camera | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) +Custom 1, 2, and 3 | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) + +> [!NOTE] +> Custom buttons are hardware buttons that can be added to devices by OEMs. + +In the following example, press-and-hold is disabled for the Back button. + +```xml + + + + + +``` + +If you don't specify a button event, all actions for the button are disabled. In the next example, all actions are disabled for the camera button. + +```xml + + + + + +``` + +### ButtonRemapList + +ButtonRemapList lets you change the app that a button will run. You can remap the Search button and any custom buttons included by the OEM. You can't remap the Back, Start, or Camera buttons. + +> [!WARNING] +> Button remapping can enable a user to open an application that is not in the allow list for that user role. Use button lock down to prevent application access for a user role. + +To remap a button, you specify the button, the event, and the product ID for the app that you want the event to open. +In the following example, when a user presses the Search button, the phone dialer will open instead of the Search app. 
+ +```xml + + + + + +``` + +## CSPRunner + +![XML for CSP Runner](images/CSPRunnerXML.jpg) + +You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](http://go.microsoft.com/fwlink/p/?LinkID=717460) or [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx). + +CSPRunner is helpful when you are configuring a device to support multiple roles. It lets you apply different policies according to the role that is signed on. For example, Wi-Fi could be enabled for a supervisor role and disabled for a stocking clerk role. + +In CSPRunner, you specify the CSP and settings using SyncML, a standardized markup language for device management. A SyncML section can include multiple settings, or you can use multiple SyncML sections -- it's up to you how you want to organize settings in this section. + +> [!NOTE] +> This description of SyncML is just the information that you need to use SyncML in a lockdown XML file. To learn more about SyncML, see [Structure of OMA DM provisioning files](https://msdn.microsoft.com/windows/hardware/dn914774.aspx). + +Let's start with the structure of SyncML in the following example: + +```xml +SyncML> + + | + # + + + CSP Path + + + Data Type + + Value + + | + + + +``` + +This table explains the parts of the SyncML structure. + +SyncML entry | Description +---|--- +**Add** or **Replace** | Use **Add** to apply a setting or policy that is not already configured. Use **Replace** to change an existing setting or policy. +**CmdID** | SyncBody can contain multiple commands. Each command in a lockdown XML file must have a different **CmdID** value. +**Item** | **Item** is a wrapper for a single setting. 
You can include multiple items for the command if they all use the same **Add** or **Replace** operation. +**Target > LocURI** | **LocURI** is the path to the CSP. +**Meta > Format** | The data format required by the CSP. +**Data** | The value for the setting. + + +## Menu items + +![XML for menu items](images/MenuItemsXML.png) + +Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create. + +```xml + + + +``` + +## Settings + +![XML for settings](images/SettingsXML.png) + +The **Settings** section contains an `allow` list of pages in the Settings app. The following example allows all settings. + +```xml + + + + ``` +In the following example, all system setting pages are enabled. + +```xml + + + + + + + + + + + + +``` + +If you list a setting or quick action in **Settings**, all settings and quick actions that are not listed are blocked. To remove access to all of the settings in the system, do not include the settings application in [Apps](#apps). + +For a list of the settings and quick actions that you can allow or block, see [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md). + + + ## Tiles + + ![XML for tiles](images/TilesXML.png) + + By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. + + > [!IMPORTANT] + > If a device is turned off then back on, the tiles reset to their predefined layout. 
If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile. + + ```xml + + + + ``` + + ## Start screen size + + Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: + * Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). + * Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). + + + If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. + + [Learn about effective pixel width (epx) for different device size classes.](http://go.microsoft.com/fwlink/p/?LinkId=733340) + + + ## Configure additional roles + + You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied. + + [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) + + In the XML file, you define each role with a GUID and name, as shown in the following example: + + ```xml + + ``` + + You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file. 
+ + You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM. + + ```xml + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Add lockdown XML to a provisioning package + + +Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +1. Follow the instructions at [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651) to create a project, selecting **Common to all Windows mobile editions** for your project. + +2. In **Available customizations**, go to **Runtime settings** > **EmbeddedLockdownProfiles** > **AssignedAccessXml**. + +3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created. + + ![browse button](images/icdbrowse.png) + +4. On the **File** menu, select **Save.** + +5. On the **Export** menu, select **Provisioning package**. + +6. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +7. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. 
You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + +8. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. + + Optionally, you can click **Browse** to change the default output location. + +9. Click **Next**. + +10. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. + + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +11. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +After you build the provisioning package, follow the instructions for [applying a provisioning package at runtime to Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkID=619164). + +## Push lockdown XML using MDM + + +After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=618601). 
+ +To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as < in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device. + +## Full Lockdown.xml example + +```xml 
@@ -486,59 +846,9 @@ The XML example can be used as a lockdown file that is contained in a provisioni + ``` -## Add lockdown XML to a provisioning package - - -Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) - -1. Follow the instructions at [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651) to create a project, selecting **Common to all Windows mobile editions** for your project. - -2. In **Available customizations**, go to **Runtime settings** > **EmbeddedLockdownProfiles** > **AssignedAccessXml**. - -3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created. - - ![browse button](images/icdbrowse.png) - -4. On the **File** menu, select **Save.** - -5. On the **Export** menu, select **Provisioning package**. - -6. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -7. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -8. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -9. Click **Next**. - -10. 
Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -11. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -After you build the provisioning package, follow the instructions for [applying a provisioning package at runtime to Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkID=619164). - -## Push lockdown XML using MDM - - -After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=618601). - -To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as < in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device. 
-
 ## Learn more
 [Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
diff --git a/windows/manage/manage-access-to-private-store.md b/windows/manage/manage-access-to-private-store.md
index 8e2f813d33..634eb7c4a9 100644
--- a/windows/manage/manage-access-to-private-store.md
+++ b/windows/manage/manage-access-to-private-store.md
@@ -27,6 +27,22 @@ The private store is a feature in Store for Business that organizations receive
 Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#group-policy-table). More specifically, the **ApplicationManagement/RequirePrivateStoreOnly** policy.
+## Show private store only using Group Policy
+
+If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
+
+**To show private store only in Windows Store app**
+
+1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
+
+2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**.
+
+3. Right-click **Only display the private store within the Windows Store app** in the right pane, and click **Edit**.
+
+ This opens the **Only display the private store within the Windows Store app** policy settings.
+
+4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**.
+
 You can also prevent employees from using the Windows Store. For more information, see [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md).
 ## Related topics
diff --git a/windows/manage/manage-apps-windows-store-for-business-overview.md b/windows/manage/manage-apps-windows-store-for-business-overview.md
index 6856a7683d..76b2ee98e8 100644
--- a/windows/manage/manage-apps-windows-store-for-business-overview.md
+++ b/windows/manage/manage-apps-windows-store-for-business-overview.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
+localizationpriority: high
 ---
 # Manage apps in Windows Store for Business
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 4c01926131..d1bedc3492 100644
--- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -6,6 +6,7 @@ keywords: privacy, manage connections to Microsoft
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+localizationpriority: high
 author: brianlic-msft
 ---
@@ -21,9 +22,9 @@ Learn about the network connections that Windows components make to Microsoft an
 If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
-Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all.
+Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, Windows 10, version 1507, and Windows 10, version 1511. However, you must use Windows 10 Enterprise, version 1607 or Windows 10 Education, version 1607 to manage them all.
-In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
+You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
 We are always working on improving Windows 10 for our customers. 
We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization. 
@@ -31,224 +32,167 @@ Here's what's covered in this article: - [Info management settings](#bkmk-othersettings) - - [1. Cortana](#bkmk-cortana) + - [1. Certificate trust lists](#certificate-trust-lists) - - [1.1 Cortana Group Policies](#bkmk-cortana-gp) + - [2. Cortana](#bkmk-cortana) - - [1.2 Cortana MDM policies](#bkmk-cortana-mdm) + - [2.1 Cortana Group Policies](#bkmk-cortana-gp) - - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov) + - [2.2 Cortana MDM policies](#bkmk-cortana-mdm) - - [2. Date & Time](#bkmk-datetime) + - [2.3 Cortana Windows Provisioning](#bkmk-cortana-prov) - - [3. Device metadata retrieval](#bkmk-devinst) + - [3. Date & Time](#bkmk-datetime) - - [4. Font streaming](#font-streaming) + - [4. Device metadata retrieval](#bkmk-devinst) - - [5. Insider Preview builds](#bkmk-previewbuilds) + - [5. Font streaming](#font-streaming) - - [6. Internet Explorer](#bkmk-ie) + - [6. Insider Preview builds](#bkmk-previewbuilds) - - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp) + - [7. Internet Explorer](#bkmk-ie) - - [6.2 ActiveX control blocking](#bkmk-ie-activex) + - [7.1 Internet Explorer Group Policies](#bkmk-ie-gp) - - [7. Live Tiles](#live-tiles) + - [7.2 ActiveX control blocking](#bkmk-ie-activex) + + - [8. Live Tiles](#live-tiles) - - [8. Mail synchronization](#bkmk-mailsync) + - [9. Mail synchronization](#bkmk-mailsync) - - [9. Microsoft Edge](#bkmk-edge) + - [10. Microsoft Account](#bkmk-microsoft-account) - - [9.1 Microsoft Edge Group Policies](#bkmk-edgegp) + - [11. Microsoft Edge](#bkmk-edge) - - [9.2 Microsoft Edge MDM policies](#bkmk-edge-mdm) + - [11.1 Microsoft Edge Group Policies](#bkmk-edgegp) - - [9.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov) + - [11.2 Microsoft Edge MDM policies](#bkmk-edge-mdm) - - [10. Network Connection Status Indicator](#bkmk-ncsi) + - [11.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov) - - [11. Offline maps](#bkmk-offlinemaps) + - [12. 
Network Connection Status Indicator](#bkmk-ncsi) - - [12. OneDrive](#bkmk-onedrive) + - [13. Offline maps](#bkmk-offlinemaps) - - [13. Preinstalled apps](#bkmk-preinstalledapps) + - [14. OneDrive](#bkmk-onedrive) - - [14. Settings > Privacy](#bkmk-settingssection) + - [15. Preinstalled apps](#bkmk-preinstalledapps) - - [14.1 General](#bkmk-priv-general) + - [16. Settings > Privacy](#bkmk-settingssection) - - [14.2 Location](#bkmk-priv-location) + - [16.1 General](#bkmk-priv-general) - - [14.3 Camera](#bkmk-priv-camera) + - [16.2 Location](#bkmk-priv-location) - - [14.4 Microphone](#bkmk-priv-microphone) + - [16.3 Camera](#bkmk-priv-camera) - - [14.5 Speech, inking, & typing](#bkmk-priv-speech) + - [16.4 Microphone](#bkmk-priv-microphone) - - [14.6 Account info](#bkmk-priv-accounts) + - [16.5 Notifications](#bkmk-priv-notifications) - - [14.7 Contacts](#bkmk-priv-contacts) + - [16.6 Speech, inking, & typing](#bkmk-priv-speech) - - [14.8 Calendar](#bkmk-priv-calendar) + - [16.7 Account info](#bkmk-priv-accounts) - - [14.9 Call history](#bkmk-priv-callhistory) + - [16.8 Contacts](#bkmk-priv-contacts) - - [14.10 Email](#bkmk-priv-email) + - [16.9 Calendar](#bkmk-priv-calendar) - - [14.11 Messaging](#bkmk-priv-messaging) + - [16.10 Call history](#bkmk-priv-callhistory) - - [14.12 Radios](#bkmk-priv-radios) + - [16.11 Email](#bkmk-priv-email) - - [14.13 Other devices](#bkmk-priv-other-devices) + - [16.12 Messaging](#bkmk-priv-messaging) - - [14.14 Feedback & diagnostics](#bkmk-priv-feedback) + - [16.13 Radios](#bkmk-priv-radios) - - [14.15 Background apps](#bkmk-priv-background) + - [16.14 Other devices](#bkmk-priv-other-devices) - - [15. Software Protection Platform](#bkmk-spp) + - [16.15 Feedback & diagnostics](#bkmk-priv-feedback) - - [16. Sync your settings](#bkmk-syncsettings) + - [16.16 Background apps](#bkmk-priv-background) - - [17. Teredo](#bkmk-teredo) + - [17. Software Protection Platform](#bkmk-spp) - - [18. Wi-Fi Sense](#bkmk-wifisense) + - [18. 
Sync your settings](#bkmk-syncsettings) - - [19. Windows Defender](#bkmk-defender) + - [19. Teredo](#bkmk-teredo) - - [20. Windows Media Player](#bkmk-wmp) + - [20. Wi-Fi Sense](#bkmk-wifisense) - - [21. Windows spotlight](#bkmk-spotlight) + - [21. Windows Defender](#bkmk-defender) - - [22. Windows Store](#bkmk-windowsstore) + - [22. Windows Media Player](#bkmk-wmp) - - [23. Windows Update Delivery Optimization](#bkmk-updates) + - [23. Windows spotlight](#bkmk-spotlight) - - [23.1 Settings > Update & security](#bkmk-wudo-ui) + - [24. Windows Store](#bkmk-windowsstore) - - [23.2 Delivery Optimization Group Policies](#bkmk-wudo-gp) + - [25. Windows Update Delivery Optimization](#bkmk-updates) - - [23.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm) + - [25.1 Settings > Update & security](#bkmk-wudo-ui) - - [23.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov) + - [25.2 Delivery Optimization Group Policies](#bkmk-wudo-gp) - - [24. Windows Update](#bkmk-wu) + - [25.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm) -## What's new in Windows 10, version 1511 + - [25.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov) + - [26. Windows Update](#bkmk-wu) -Here's a list of changes that were made to this article for Windows 10, version 1511: +## What's new in Windows 10, version 1607 -- Added the following new sections: +Here's a list of changes that were made to this article for Windows 10, version 1607: - - [Mail synchronization](#bkmk-mailsync) +- Added instructions on how to turn off speech recognition and speech synthesis model updates in [14.5 Speech, inking, & typing](#bkmk-priv-speech). +- Added instructions on how to turn off flip ahead with an Internet Explorer Group Policy. +- Added a section on how to turn off automatic root updates to stop updating the certificate trust list in [1. Certificate trust lists](#certificate-trust-lists). +- Added a new setting in [25. Windows Update](#bkmk-wu). +- Changed the NCSI URL in [11. 
Network Connection Status Indicator](#bkmk-ncsi). +- Added a section on how to turn off features that depend on Microsoft Account cloud authentication service [10. Microsoft Account](#bkmk-microsoft-account). - - [Offline maps](#bkmk-offlinemaps) +- Added the following Group Policies: - - [Windows spotlight](#bkmk-spotlight) - - - [Windows Store](#bkmk-windowsstore) - -- Added the following Group Policies: - - - Open a new tab with an empty tab - - - Configure corporate Home pages - - - Let Windows apps access location - - - Let Windows apps access the camera - - - Let Windows apps access the microphone - - - Let Windows apps access account information - - - Let Windows apps access contacts - - - Let Windows apps access the calendar - - - Let Windows apps access messaging - - - Let Windows apps control radios - - - Let Windows apps access trusted devices - - - Do not show feedback notifications - - - Turn off Automatic Download and Update of Map Data - - - Force a specific default lock screen image - -- Added the AllowLinguisticDataCollection MDM policy. - -- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall. - -- Changed the Windows Update section to apply system-wide settings, and not just per user. + - Turn off unsolicited network traffic on the Offline Maps settings page + - Turn off all Windows spotlight features ## Info management settings This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. 
-The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch. - -- [1. Cortana](#bkmk-cortana) - -- [2. Date & Time](#bkmk-datetime) - -- [3. Device metadata retrieval](#bkmk-devinst) - -- [4. Font streaming](#font-streaming) - -- [5. Insider Preview builds](#bkmk-previewbuilds) - -- [6. Internet Explorer](#bkmk-ie) - -- [7. Live Tiles](#live-tiles) - -- [8. Mail synchronization](#bkmk-mailsync) - -- [9. Microsoft Edge](#bkmk-edge) - -- [10. Network Connection Status Indicator](#bkmk-ncsi) - -- [11. Offline maps](#bkmk-offlinemaps) - -- [12. OneDrive](#bkmk-onedrive) - -- [13. Preinstalled apps](#bkmk-preinstalledapps) - -- [14. Settings > Privacy](#bkmk-settingssection) - -- [15. Software Protection Platform](#bkmk-spp) - -- [16. Sync your settings](#bkmk-syncsettings) - -- [17. Teredo](#bkmk-teredo) - -- [18. Wi-Fi Sense](#bkmk-wifisense) - -- [19. Windows Defender](#bkmk-defender) - -- [20. Windows Media Player](#bkmk-wmp) - -- [21. Windows spotlight](#bkmk-spotlight) - -- [22. Windows Store](#bkmk-windowsstore) - -- [23. Windows Update Delivery Optimization](#bkmk-updates) - -- [24. Windows Update](#bkmk-wu) - +The settings in this section assume you are using Windows 10, version 1607. They will also be included in the next update for the Long Term Servicing Branch. See the following table for a summary of the management settings. For more info, see its corresponding section. ![Management settings table](images/settings-table.png) -### 1. Cortana + +### 1. Certificate trust lists + +A certificate trust list is a predefined list of items, such as a list of certificate hashes or a list of file name, that are signed by a trusted entity. Windows automatically downloads an updated certificate trust list when it is available. 
+ +To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list. + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update** + + -or- + +- Create a REG\_DWORD registry setting called **DisableRootAutoUpdate** in **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate**, with a value of 1. + +After that, do the following in a Group Policy: + +1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**. +2. Double-click **Certificate Path Validation Settings**. +3. On the **Network Retrieval** tab, select the **Define these policy settings** check box. +4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**. + + +### 2. Cortana Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683). -### 1.1 Cortana Group Policies +### 2.1 Cortana Group Policies Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. 
@@ -260,7 +204,10 @@ Find the Cortana Group Policy objects under **Computer Configuration** > **Ad
 | Don't search the web or display web results in Search| Choose whether to search the web from Cortana. |
 | Set what information is shared in Search | Control what information is shared with Bing in Search. |
-When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
+In Windows 10, version 1507 and Windows 10, version 1511, When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
+
+>[!IMPORTANT]
+>These steps are not required for devices running Windows 10, version 1607.
 1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. 
@@ -286,9 +233,9 @@ When you enable the **Don't search the web or display web results in Search** Gr
 - For **Remote port**, choose **All ports**.
-> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
+If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
-### 1.2 Cortana MDM policies
+### 2.2 Cortana MDM policies
 The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@@ -297,11 +244,11 @@ The following Cortana MDM policies are available in the [Policy CSP](http://msdn
 | Experience/AllowCortana | Choose whether to let Cortana install and run on the device. |
 | Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
    Default: Allowed|
-### 1.3 Cortana Windows Provisioning
+### 2.3 Cortana Windows Provisioning
 To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**.
-### 2. Date & Time
+### 3. Date & Time
 You can prevent Windows from setting the time automatically. 
@@ -311,23 +258,24 @@ You can prevent Windows from setting the time automatically.
 - Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
-### 3. Device metadata retrieval
+### 4. Device metadata retrieval
 To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
-### 4. Font streaming
+### 5. Font streaming
 Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
 To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
-> **Note:** This may change in future versions of Windows.
+> [!NOTE]
+> This may change in future versions of Windows.
-### 5. Insider Preview builds
+### 6. Insider Preview builds
 To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
-- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**.
+- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**.
 -or- 
@@ -353,11 +301,11 @@ To turn off Insider Preview builds if you're running a released version of Windo
 - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
-### 6. Internet Explorer
+### 7. Internet Explorer
 Use Group Policy to manage settings for Internet Explorer.
-### 6.1 Internet Explorer Group Policies
+### 7.1 Internet Explorer Group Policies
 Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**.
@@ -369,19 +317,26 @@ Find the Internet Explorer Group Policy objects under **Computer Configuration**
 | Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
    Default: Enabled |
 | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
    Default: Disabled|
-### 6.2 ActiveX control blocking
+There are two more Group Policy objects that are used by Internet Explorer:
+
+| Path | Policy | Description |
+| - | - | - |
+| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
    Default: Enabled |
+| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
    Default: Enabled |
+
+### 7.2 ActiveX control blocking
 ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
-### 7. Live Tiles
+### 8. Live Tiles
 To turn off Live Tiles:
 - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
-### 8. Mail synchronization
+### 9. Mail synchronization
 To turn off mail synchronization for Microsoft Accounts that are configured on a device: 
@@ -399,15 +354,36 @@ To turn off the Windows Mail app: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** -### 9. Microsoft Edge +### 10. Microsoft Account + +To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. + +- Change the **Start** REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentControlSet\\Services\\wlidsvc** to 4. + + +### 11. Microsoft Edge Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682). -### 9.1 Microsoft Edge Group Policies +### 11.1 Microsoft Edge Group Policies Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. -> **Note:** The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes. +> [!NOTE] +> The Microsoft Edge Group Policy names were changed in Windows 10, version 1607. The table below reflects those changes. + +| Policy | Description | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Configure autofill | Choose whether employees can use autofill on websites.
    Default: Enabled | +| Configure Do Not Track | Choose whether employees can send Do Not Track headers.
    Default: Disabled | +| Configure password manager | Choose whether employees can save passwords locally on their devices.
    Default: Enabled | +| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions.
    Default: Enabled | +| Configure SmartScreen Filter | Choose whether SmartScreen is turned on or off.
    Default: Enabled | +| Allow web content on New Tab page | Choose whether a new tab page appears.
    Default: Enabled | +| Configure Home pages | Choose the corporate Home page for domain-joined devices.
    Set this to **about:blank** | + + +The Windows 10, version 1511 Microsoft Edge Group Policy names are: | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| @@ -419,7 +395,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Open a new tab with an empty tab | Choose whether a new tab page appears.
    Default: Enabled | | Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
    Set this to **about:blank** | -### 9.2 Microsoft Edge MDM policies +### 11.2 Microsoft Edge MDM policies The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). @@ -431,35 +407,42 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http | Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
    Default: Allowed | | Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
    Default: Allowed | -### 9.3 Microsoft Edge Windows Provisioning +### 11.3 Microsoft Edge Windows Provisioning Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**. For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). -### 10. Network Connection Status Indicator +### 12. Network Connection Status Indicator -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). + +In versions of Windows 10 prior to Windows 10, version 1607, the URL was http://www.msftncsi.com. You can turn off NCSI through Group Policy: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** -> **Note** After you apply this policy, you must restart the device for the policy setting to take effect. +> [!NOTE] +> After you apply this policy, you must restart the device for the policy setting to take effect. -### 11. Offline maps +### 13. 
Offline maps You can turn off the ability to download and update offline maps. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** -### 12. OneDrive + -and- + +- In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page** + +### 14. OneDrive To turn off OneDrive in your organization: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** -### 13. Preinstalled apps +### 15. Preinstalled apps Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. 
@@ -571,47 +554,50 @@ To remove the Get Skype app: Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** -### 14. Settings > Privacy +### 16. Settings > Privacy Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. -- [14.1 General](#bkmk-general) +- [16.1 General](#bkmk-general) -- [14.2 Location](#bkmk-priv-location) +- [16.2 Location](#bkmk-priv-location) -- [14.3 Camera](#bkmk-priv-camera) +- [16.3 Camera](#bkmk-priv-camera) -- [14.4 Microphone](#bkmk-priv-microphone) +- [16.4 Microphone](#bkmk-priv-microphone) -- [14.5 Speech, inking, & typing](#bkmk-priv-speech) +- [16.5 Notifications](#bkmk-priv-notifications) -- [14.6 Account info](#bkmk-priv-accounts) +- [16.6 Speech, inking, & typing](#bkmk-priv-speech) -- [14.7 Contacts](#bkmk-priv-contacts) +- [16.7 Account info](#bkmk-priv-accounts) -- [14.8 Calendar](#bkmk-priv-calendar) +- [16.8 Contacts](#bkmk-priv-contacts) -- [14.9 Call history](#bkmk-priv-callhistory) +- [16.9 Calendar](#bkmk-priv-calendar) -- [14.10 Email](#bkmk-priv-email) +- [16.10 Call history](#bkmk-priv-callhistory) -- [14.11 Messaging](#bkmk-priv-messaging) +- [16.11 Email](#bkmk-priv-email) -- [14.12 Radios](#bkmk-priv-radios) +- [16.12 Messaging](#bkmk-priv-messaging) -- [14.13 Other devices](#bkmk-priv-other-devices) +- [16.13 Radios](#bkmk-priv-radios) -- [14.14 Feedback & diagnostics](#bkmk-priv-feedback) +- [16.14 Other devices](#bkmk-priv-other-devices) -- [14.15 Background apps](#bkmk-priv-background) +- [16.15 Feedback & diagnostics](#bkmk-priv-feedback) -### 14.1 General +- [16.16 Background apps](#bkmk-priv-background) + +### 16.1 General **General** includes options that don't fall into other areas. 
To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: -> **Note:** When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. +> [!NOTE] +> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. - Turn off the feature in the UI. @@ -647,11 +633,12 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window -or- -- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting called **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost**, with a value of 0 (zero). To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: -> **Note: ** If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically. +> [!NOTE] +> If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically. @@ -673,7 +660,15 @@ To turn off **Let websites provide locally relevant content by accessing my lang - Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. -### 14.2 Location +To turn off **Let apps on my other devices open apps and continue experiences on this devices**: + +- Turn off the feature in the UI. + +To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**: + +- Turn off the feature in the UI. + +### 16.2 Location In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. 
@@ -695,8 +690,8 @@ To turn off **Location for this device**: - **2**. Turned on and the employee can't turn it off. - **Note** - You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + > [!NOTE] + > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). -or- @@ -724,7 +719,7 @@ To turn off **Choose apps that can use your location**: - Turn off each app using the UI. -### 14.3 Camera +### 16.3 Camera In the **Camera** area, you can choose which apps can access a device's camera. @@ -746,8 +741,8 @@ To turn off **Let apps use my camera**: - **1**. Apps can use the camera. - **Note** - You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + > [!NOTE] + > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). -or- @@ -761,7 +756,7 @@ To turn off **Choose apps that can use your camera**: - Turn off the feature in the UI for each app. -### 14.4 Microphone +### 16.4 Microphone In the **Microphone** area, you can choose which apps can access a device's microphone. 
@@ -779,13 +774,26 @@ To turn off **Choose apps that can use your microphone**: - Turn off the feature in the UI for each app. -### 14.5 Speech, inking, & typing +### 16.5 Notifications + +In the **Notifications** area, you can choose which apps have access to notifications. + +To turn off **Let apps access my notifications**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access my notifications** + + - Set the **Select a setting** box to **Force Deny**. + +### 16.6 Speech, inking, & typing In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. -> **Note:** For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. - - +> [!NOTE] +> For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. To turn off the functionality: 
@@ -801,9 +809,21 @@ To turn off the functionality: -and- - Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). -### 14.6 Account info + +If you're running at least Windows 10, version 1607, you can turn off updates to the speech recognition and speech synthesis models: + +Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Speech_AllowSpeechModelUpdate), where: + +- **0** (default). Not allowed. +- **1**. Allowed. + + -or- + +- Create a REG\_DWORD registry setting called **AllowSpeechModelUpdate** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\Current\\Device\\Speech**, with a value of 0 (zero). + +### 16.7 Account info In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. @@ -821,7 +841,7 @@ To turn off **Choose the apps that can access your account info**: - Turn off the feature in the UI for each app. -### 14.7 Contacts +### 16.8 Contacts In the **Contacts** area, you can choose which apps can access an employee's contacts list. @@ -835,7 +855,7 @@ To turn off **Choose apps that can access contacts**: - Set the **Select a setting** box to **Force Deny**. -### 14.8 Calendar +### 16.9 Calendar In the **Calendar** area, you can choose which apps have access to an employee's calendar. @@ -853,7 +873,7 @@ To turn off **Choose apps that can access calendar**: - Turn off the feature in the UI for each app. -### 14.9 Call history +### 16.10 Call history In the **Call history** area, you can choose which apps have access to an employee's call history. 
@@ -867,7 +887,7 @@ To turn off **Let apps access my call history**: - Set the **Select a setting** box to **Force Deny**. -### 14.10 Email +### 16.11 Email In the **Email** area, you can choose which apps have can access and send email. @@ -881,7 +901,7 @@ To turn off **Let apps access and send email**: - Set the **Select a setting** box to **Force Deny**. -### 14.11 Messaging +### 16.12 Messaging In the **Messaging** area, you can choose which apps can read or send messages. @@ -899,7 +919,7 @@ To turn off **Choose apps that can read or send messages**: - Turn off the feature in the UI for each app. -### 14.12 Radios +### 16.13 Radios In the **Radios** area, you can choose which apps can turn a device's radio on or off. @@ -917,7 +937,7 @@ To turn off **Choose apps that can control radios**: - Turn off the feature in the UI for each app. -### 14.13 Other devices +### 16.14 Other devices In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. @@ -935,14 +955,14 @@ To turn off **Let your apps use your trusted devices (hardware you've already co - Set the **Select a setting** box to **Force Deny**. -### 14.14 Feedback & diagnostics +### 16.15 Feedback & diagnostics In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. To change how frequently **Windows should ask for my feedback**: -**Note** -Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device. +> [!NOTE] +> Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device. 
@@ -976,7 +996,8 @@ To change the level of diagnostic and usage data sent when you **Send your devic - To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. - > **Note:** You can't use the UI to change the telemetry level to **Security**. + > [!NOTE] + > You can't use the UI to change the telemetry level to **Security**. @@ -1008,7 +1029,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic - **3**. Maps to the **Full** level. -### 14.15 Background apps +### 16.16 Background apps In the **Background Apps** area, you can choose which apps can run in the background. 
@@ -1016,15 +1037,19 @@ To turn off **Let apps run in the background**: - Turn off the feature in the UI for each app. -### 15. Software Protection Platform +### 17. Software Protection Platform -Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy: +Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: -**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** + + -or- + +- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled. The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. -### 16. Sync your settings +### 18. Sync your settings You can control if your settings are synchronized: 
@@ -1050,13 +1075,13 @@ To turn off Messaging cloud sync: - Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). -### 17. Teredo +### 19. Teredo You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). - From an elevated command prompt, run **netsh interface teredo set state disabled** -### 18. Wi-Fi Sense +### 20. Wi-Fi Sense Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. @@ -1082,7 +1107,7 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. -### 19. Windows Defender +### 21. Windows Defender You can disconnect from the Microsoft Antimalware Protection Service. 
@@ -1126,11 +1151,15 @@ You can stop downloading definition updates: -and- -- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. +- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. + +You can stop Enhanced Notifications: + +- Turn off the feature in the UI. You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. -### 20. Windows Media Player +### 22. Windows Media Player To remove Windows Media Player: 
@@ -1140,13 +1169,22 @@ To remove Windows Media Player: - Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** -### 21. Windows spotlight +### 23. Windows spotlight -Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy. +Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy. + +If you're running Windows 10, version 1607 or later, you only need to enable the following Group Policy: + +- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features** + +If you're not running Windows 10, version 1607 or later, you can use the other options in this section. - Configure the following in **Settings**: - - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**. + - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**. + + > [!NOTE] + > In Windows 10, version 1507 and Windows 10, version 1511, this setting was called **Show me tips, tricks, and more on the lock screen**. - **Personalization** > **Start** > **Occasionally show suggestions in Start**. 
@@ -1161,7 +1199,8 @@ Windows spotlight provides different background images and text on the lock scre - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. - **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. + > [!NOTE] + > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. 
@@ -1169,15 +1208,15 @@ Windows spotlight provides different background images and text on the lock scre - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. -For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md). +For more info, see [Windows Spotlight on the lock screen](../manage/windows-spotlight.md). -### 22. Windows Store +### 24. Windows Store You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. -### 23. Windows Update Delivery Optimization +### 25. Windows Update Delivery Optimization Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. 
@@ -1185,38 +1224,40 @@ By default, PCs running Windows 10 Enterprise and Windows 10 Education will only Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization. -### 23.1 Settings > Update & security +In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below. + +### 25.1 Settings > Update & security You can set up Delivery Optimization from the **Settings** UI. - Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. -### 23.2 Delivery Optimization Group Policies +### 25.2 Delivery Optimization Group Policies You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. | Policy | Description | |---------------------------|-----------------------------------------------------------------------------------------------------| -| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
    • None. Turns off Delivery Optimization.

    • Group. Gets or sends updates and apps to PCs on the same local network domain.

    • Internet. Gets or sends updates and apps to PCs on the Internet.

    • LAN. Gets or sends updates and apps to PCs on the same NAT only.

    | -| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
    ** Note** This ID must be a GUID.| +| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
    • None. Turns off Delivery Optimization.

    • Group. Gets or sends updates and apps to PCs on the same local network domain.

    • Internet. Gets or sends updates and apps to PCs on the Internet.

    • LAN. Gets or sends updates and apps to PCs on the same NAT only.

    • Simple. Simple download mode with no peering.

    • Bypass. Use BITS instead of Windows Update Delivery Optimization.

    | +| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
    **Note:** This ID must be a GUID.| | Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
    The default value is 259200 seconds (3 days).| | Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
    The default value is 20, which represents 20% of the disk.| | Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
    The default value is 0, which means unlimited possible bandwidth.| -### 23.3 Delivery Optimization MDM policies +### 25.3 Delivery Optimization MDM policies The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). | Policy | Description | |---------------------------|-----------------------------------------------------------------------------------------------------| -| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
    • 0. Turns off Delivery Optimization.

    • 1. Gets or sends updates and apps to PCs on the same NAT only.

    • 2. Gets or sends updates and apps to PCs on the same local network domain.

    • 3. Gets or sends updates and apps to PCs on the Internet.

    | +| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
    • 0. Turns off Delivery Optimization.

    • 1. Gets or sends updates and apps to PCs on the same NAT only.

    • 2. Gets or sends updates and apps to PCs on the same local network domain.

    • 3. Gets or sends updates and apps to PCs on the Internet.

    • 99. Simple download mode with no peering.

    • 100. Use BITS instead of Windows Update Delivery Optimization.

    | | DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
    **Note** This ID must be a GUID.| | DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
    The default value is 259200 seconds (3 days).| | DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
    The default value is 20, which represents 20% of the disk.| | DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
    The default value is 0, which means unlimited possible bandwidth.| -### 23.4 Delivery Optimization Windows Provisioning +### 25.4 Delivery Optimization Windows Provisioning If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies @@ -1232,7 +1273,7 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684). -### 24. Windows Update +### 26. Windows Update You can turn off Windows Update by setting the following registry entries: @@ -1242,6 +1283,11 @@ You can turn off Windows Update by setting the following registry entries: - Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. + -and- + +- Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1. + + You can turn off automatic updates by doing one of the following. This is not recommended. - Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md index dbc5ed0c8a..c3bdd6979a 100644 --- a/windows/manage/manage-corporate-devices.md +++ b/windows/manage/manage-corporate-devices.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: devices author: jdeckerMS +localizationpriority: medium --- # Manage corporate devices @@ -48,7 +49,7 @@ Desktop devices running Windows 10 that are joined to an Active Directory domai -

    [Microsoft System Center Configuration Manager Technical Preview](http://go.microsoft.com/fwlink/p/?LinkId=613622)

    +

    [Microsoft System Center Configuration Manager 2016](http://go.microsoft.com/fwlink/p/?LinkId=613622)

    Client deployment, upgrade, and management with new and existing features

    @@ -95,7 +96,7 @@ For more information about the MDM protocols, see [Mobile device management](htt ## Learn more -[How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627898.aspx) +[How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx) [Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/) @@ -115,16 +116,16 @@ Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & ## Related topics +[Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) -[New policies for Windows 10](new-policies-for-windows-10.md) +- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)  +- [New policies for Windows 10](new-policies-for-windows-10.md) +- [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) +- [Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) +- [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) +- [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) -[Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) -[Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) - -[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) - -    
diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md index b44e4c4920..7b756a7a18 100644 --- a/windows/manage/manage-cortana-in-enterprise.md +++ b/windows/manage/manage-cortana-in-enterprise.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: eross-msft +localizationpriority: high --- # Cortana integration in your business or enterprise @@ -50,14 +51,15 @@ Set up and manage Cortana by using the following Group Policy and mobile device |Group policy |MDM policy |Description | |-------------|-----------|------------| -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.

    **Note**
    Employees can still perform searches even with Cortana turned off. | -|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInput Personalization |Specifies whether to turn on automatic learning, which allows the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana.

    **Important**
    Cortana won’t work if this setting is turned off (disabled). | -|None |System/AllowLocation |Specifies whether to allow app access to the Location service. | -|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.

    **Important**
    Cortana won’t work if this setting is turned off (disabled). | -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUse Location |Specifies whether search and Cortana can provide location aware search and Cortana results.

    **Important**
    Cortana won’t work if this setting is turned off (disabled). | -|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearch Permissions |Specifies what level of safe search (filtering adult content) is required.

    **Note**
    This setting only applies to Windows 10 Mobile. | -|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.

    **Important**
    Cortana won’t work if this setting is turned off (disabled). | -|User Configuration\Administrative Templates\Start Menu and Taskbar\Do not search communications |None |Specifies whether the Start menu search box searches communications.

    **Important**
    Cortana won’t work if this setting is turned off (disabled). | +|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.

    **Note**
    This setting only applies to Windows 10 for desktop devices. | +|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in the enterprise.

    **In Windows 10, version 1511**
    Cortana won’t work if this setting is turned off (disabled).

    **In Windows 10, version 1607 and later**
    Cortana still works if this setting is turned off (disabled). | +|None |System/AllowLocation |Specifies whether to allow app access to the Location service.

    **In Windows 10, version 1511**
    Cortana won’t work if this setting is turned off (disabled).

    **In Windows 10, version 1607 and later**
    Cortana still works if this setting is turned off (disabled). | +|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.

    Use this setting if you only want to support Azure AD in your organization. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.

    **Note**
    This setting only applies to Windows 10 Mobile. | +|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.

    **In Windows 10 Pro edition**
    This setting can’t be managed.

    **In Windows 10 Enterprise edition**
    Cortana won't work if this setting is turned off (disabled). | +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.

    **Important**
    Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off. | **More info:** - For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381). diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md index 8535d16d65..f8db99379b 100644 --- a/windows/manage/manage-inventory-windows-store-for-business.md +++ b/windows/manage/manage-inventory-windows-store-for-business.md 
@@ -1,70 +1,10 @@ --- title: Manage inventory in Windows Store for Business (Windows 10) description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses. -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/app-inventory-management-windows-store-for-business +redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library --- -# Manage inventory in Window Store for Business -When you acquire apps from the Windows Store for Business, we add them to the inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses. - -## Distribute apps -You can assign apps to people, or you can make apps available in your private store. Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md). - -**To make an app in inventory available in your private store** - -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page. -4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**. - -The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. - -Employees can claim apps that admins added to the private store by doing the following. - -**To claim an app from the private store** - -1. 
Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app. -2. Click the private store tab. -3. Click the app you want to install, and then click **Install**. - -Another way to distribute apps is by assigning them to people in your organization. - -**To assign an app to an employee** - -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. -4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. - -Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**. - -## Manage licenses -For apps in inventory, when you assign an app to an employee, a license for the app is assigned to them. You can manage these licenses, either by assigning them, or reclaiming them so you can assign them to another employee. You can also remove an app from the private store. - -**To assign licenses** -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Find an app, click the ellipses under **Action**, and then choose **View license details**. -4. Click **Assign to people**, type the name you are assigning the license to, and then click **Assign**. - -Store for Business assigns a license to the person, and adds them to the list of assigned licenses. - -**To reclaim licenses** -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Find an app, click the ellipses under **Action**, and then choose **View license details**. -4. 
Click the name of the person you are reclaiming the license from, and then click **Reclaim licenses**. - -Store for Business reclaims the license, and updates the number of avialable licenses. After you reclaim a license, you can assign a license to another employee. - -**To remove an app from the private store** - -If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store. -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**. - -The app will still be in your inventory, but your employees will not have access to the app from your private store. + diff --git a/windows/manage/manage-orders-windows-store-for-business.md b/windows/manage/manage-orders-windows-store-for-business.md index 03d95f9433..9ca7ce1322 100644 --- a/windows/manage/manage-orders-windows-store-for-business.md +++ b/windows/manage/manage-orders-windows-store-for-business.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Manage app orders in Windows Store for Business diff --git a/windows/manage/manage-private-store-settings.md b/windows/manage/manage-private-store-settings.md index 6132f1e513..e070bd57ea 100644 --- a/windows/manage/manage-private-store-settings.md +++ b/windows/manage/manage-private-store-settings.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Manage private store settings diff --git a/windows/manage/manage-settings-windows-store-for-business.md b/windows/manage/manage-settings-windows-store-for-business.md index 04bd40016e..704d4d4401 100644 --- a/windows/manage/manage-settings-windows-store-for-business.md 
+++ b/windows/manage/manage-settings-windows-store-for-business.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Manage settings for the Windows Store for Business @@ -36,7 +37,7 @@ You can add users and groups, as well as update some of the settings associated

    [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)

    -

    The Account information page in Windows Store for Business shows information about your organization that you can update, including: country or region, organization name, default domain, and language preference. These are settings in the Azure AD directory that you used when signing up for Store for Business

    +

    The Account information page in Windows Store for Business shows information about your organization that you can update, including: organization information, payment options, and offline licensing settings.

    [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)

    diff --git a/windows/manage/manage-tips-and-suggestions.md b/windows/manage/manage-tips-and-suggestions.md new file mode 100644 index 0000000000..f64642592b --- /dev/null +++ b/windows/manage/manage-tips-and-suggestions.md 
@@ -0,0 +1,64 @@ +--- +title: Manage Windows 10 and Windows Store tips, tricks, and suggestions (Windows 10) +description: Windows 10 provides organizations with various options to manage auser experiences to provide a consistent and predictable experience for employees. +keywords: ["device management"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: devices +author: jdeckerMS +localizationpriority: medium +--- + +# Manage Windows 10 and Windows Store tips, tricks, and suggestions + + +**Applies to** + +- Windows 10 + + +Since its inception, Windows 10 has included a number of user experience features that provide useful tips, tricks, and suggestions as you use Windows, as well as app suggestions from the Windows Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Windows Store. Examples of such user experiences include: + +* **Windows Spotlight on the lock screen**. Daily updated images on the lock screen that can include additional facts and tips in “hotspots” that are revealed on hover. + +* **Start menu app suggestions**. App suggestions in Start that recommend productivity tool or utilities from the Windows Store. + +* **Additional apps on Start**. Additional apps pre-installed on the Start screen which can enhance the user’s experience. + +* **Windows tips**. Contextual tips that appear based on specific user actions to reveal related Windows features or help users complete a scenario. + +* **Microsoft account notifications**. For users who have a connected Microsoft account, toast notifications about their account like parental control notifications or subscription expiration. + +>[!TIP] +> On all Windows desktop editions, users can directly enable and disable Windows 10 tips, tricks, and suggestions and Windows Store suggestions. 
For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, tricks, or suggestions as they use Windows. + +Windows 10, version 1607 (also known as the Anniversary Update), provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions. + +## Options available to manage Windows 10 tips and tricks and Windows Store suggestions + +| Windows 10 edition | Disable |Show Microsoft apps only | Show Microsoft and popular third-party apps | +| --- | --- | --- | --- | +| Windows 10 Pro | No | Yes | Yes (default) | +| Windows 10 Enterprise | Yes | Yes | Yes (default) | +| Windows 10 Pro Education | Yes (default) | Yes | No (setting cannot be changed) | +| Windows 10 Education | Yes (default) | Yes | No (setting cannot be changed) | + + + +## Related topics + +- [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md) +- [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) +- [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md) +- [Windows 10 editions for education customers](https://technet.microsoft.com/en-us/edu/windows/windows-editions-for-education-customers) + + +  + +  + + + + + diff --git a/windows/manage/manage-users-and-groups-windows-store-for-business.md b/windows/manage/manage-users-and-groups-windows-store-for-business.md index 42fb25bfa2..e445c7f72b 100644 --- a/windows/manage/manage-users-and-groups-windows-store-for-business.md +++ b/windows/manage/manage-users-and-groups-windows-store-for-business.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Manage user accounts in Windows Store for Business 
diff --git a/windows/manage/manage-wifi-sense-in-enterprise.md b/windows/manage/manage-wifi-sense-in-enterprise.md index 172b930871..6f26bd1a70 100644 --- a/windows/manage/manage-wifi-sense-in-enterprise.md +++ b/windows/manage/manage-wifi-sense-in-enterprise.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile author: eross-msft +localizationpriority: medium --- # Manage Wi-Fi Sense in your company diff --git a/windows/manage/new-policies-for-windows-10.md b/windows/manage/new-policies-for-windows-10.md index 2da6a7e615..6dc1d6a75b 100644 --- a/windows/manage/new-policies-for-windows-10.md +++ b/windows/manage/new-policies-for-windows-10.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS +localizationpriority: medium --- # New policies for Windows 10 diff --git a/windows/manage/prerequisites-windows-store-for-business.md b/windows/manage/prerequisites-windows-store-for-business.md index 85f411ba17..8c759e9d5d 100644 --- a/windows/manage/prerequisites-windows-store-for-business.md +++ b/windows/manage/prerequisites-windows-store-for-business.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Prerequisites for Windows Store for Business diff --git a/windows/manage/product-ids-in-windows-10-mobile.md b/windows/manage/product-ids-in-windows-10-mobile.md index f1e1f9a3e3..fd249d0732 100644 --- a/windows/manage/product-ids-in-windows-10-mobile.md +++ b/windows/manage/product-ids-in-windows-10-mobile.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile author: jdeckerMS +localizationpriority: high --- # Product IDs in Windows 10 Mobile diff --git a/windows/manage/reset-a-windows-10-mobile-device.md b/windows/manage/reset-a-windows-10-mobile-device.md index f9b0a026b4..5455485e1f 100644 --- a/windows/manage/reset-a-windows-10-mobile-device.md +++ b/windows/manage/reset-a-windows-10-mobile-device.md 
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile author: jdeckerMS +localizationpriority: high --- # Reset a Windows 10 Mobile device diff --git a/windows/manage/roles-and-permissions-windows-store-for-business.md b/windows/manage/roles-and-permissions-windows-store-for-business.md index 92d9f7e5e8..9542529fbe 100644 --- a/windows/manage/roles-and-permissions-windows-store-for-business.md +++ b/windows/manage/roles-and-permissions-windows-store-for-business.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Roles and permissions in Windows Store for Business @@ -96,7 +97,7 @@ This table lists the global user accounts and the permissions they have in the S ### Store for Business roles and permissions -Store for Businesshas a set of roles that help IT admins and employees manage access to apps and tasks for the Store for Business. Employees with these roles will need to use their Azure AD account to access the Store for Business. +Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for the Store for Business. Employees with these roles will need to use their Azure AD account to access the Store for Business. This table lists the roles and their permissions. diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/manage/set-up-a-device-for-anyone-to-use.md index 156c44901a..28b5f6a030 100644 --- a/windows/manage/set-up-a-device-for-anyone-to-use.md +++ b/windows/manage/set-up-a-device-for-anyone-to-use.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS +localizationpriority: high --- # Set up a device for anyone to use (kiosk mode) 
@@ -33,8 +34,8 @@ Do you need a computer that can only do one thing? For example: The following table identifies the type of application that can be used on each Windows 10 edition to create a kiosk device. -**Note**   -A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. +> [!NOTE]   +> A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.   diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index e60c8c0a02..940a457a76 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -7,6 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS +localizationpriority: high --- # Set up a kiosk on Windows 10 Pro, Enterprise, or Education 
@@ -18,7 +19,7 @@ author: jdeckerMS > **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( http://go.microsoft.com/fwlink/p/?LinkId=613653) -A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). +A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). **Note**   A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. 
@@ -68,21 +69,20 @@ For a more secure kiosk experience, we recommend that you make the following con Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access: -- [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) - Windows 10 Pro, Enterprise, and Education +| Method | Account type | Windows 10 edition | +| --- | --- | --- | +| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education | +| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education | +| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education | +| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education | -- [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) - Windows 10 Enterprise and Education -- [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) - Windows 10 Enterprise and Education - -- [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) - Windows 10 Pro, Enterprise, and Education ### Requirements -- A domain or local user account. - - The user account must have logged on at least once before you set up assigned access, or no apps will be available for that account. To set up assigned access using MDM, you need the user account (domain\\account). - -- A Universal Windows app that is installed for that account and is an above lock screen app. 
For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](http://go.microsoft.com/fwlink/p/?LinkId=708386). +- A domain or local user account. + +- A Universal Windows app that is installed or provisioned for that account and is an above lock screen app. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](http://go.microsoft.com/fwlink/p/?LinkId=708386). The app can be your own company app that you have made available in your own app Store. To set up assigned access using MDM or PowerShell, you also need the Application User Model ID (AUMID) for the app. [Learn how to get the AUMID](http://go.microsoft.com/fwlink/p/?LinkId=614867). @@ -101,7 +101,7 @@ Assigned access does not work on a device that is connected to more than one mon 3. Choose an account. -4. Choose an app. Only apps that can run above the lock screen will be displayed. +4. Choose an app. Only apps that can run above the lock screen will be displayed. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). 5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. 
@@ -117,17 +117,20 @@ Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you ### Set up assigned access using Windows Imaging and Configuration Designer (ICD) -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +> **Important** +When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. **Create a provisioning package for a kiosk device** 1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). -2. Choose **New provisioning package**. +2. Choose **Advanced provisioning**. 3. Name your project, and click **Next**. -4. Choose **Common to all Windows desktop editions** and click **Next**. +4. Choose **All Windows desktop editions** and click **Next**. 5. On **New project**, click **Finish**. The workspace for your package opens. 
@@ -178,7 +181,9 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi ### Set up assigned access using Windows PowerShell -You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. +You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. + +To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. ``` Set-AssignedAccess -AppUserModelId -UserName @@ -196,8 +201,11 @@ Set-AssignedAccess -AppName -UserName Set-AssignedAccess -AppName -UserSID ``` +> **Note:** To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. [Learn how to get the AUMID](http://go.microsoft.com/fwlink/p/?LinkId=614867). +[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). + [Learn how to get the SID](http://go.microsoft.com/fwlink/p/?LinkId=615517). To remove assigned access, using PowerShell, run the following cmdlet. @@ -209,7 +217,7 @@ Clear-AssignedAccess ### Set up automatic logon -When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. +When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon. Edit the registry to have an account automatically logged on. 
@@ -217,12 +225,11 @@ Edit the registry to have an account automatically logged on. **Note**   If you are not familiar with Registry Editor, [learn how to modify the Windows registry](http://go.microsoft.com/fwlink/p/?LinkId=615002). - -   +   2. Go to - ****HKEY\_LOCAL\_MACHINE**\\**SOFTWARE**\\**Microsoft**\\**WindowsNT**\\**CurrentVersion**\\**Winlogon**** + **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** 3. Set the values for the following keys. @@ -232,10 +239,7 @@ Edit the registry to have an account automatically logged on. - *DefaultPassword*: set value as the password for the account. - **Note**   - If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - -   + > **Note**  If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. @@ -247,7 +251,7 @@ To sign out of an assigned access account, press **Ctrl + Alt + Del**, and then If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: -****HKEY\_LOCAL\_MACHINE**\\**SOFTWARE**\\**Microsoft**\\**Windows**\\**CurrentVersion**\\**Authentication**\\**LogonUI**** +**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index 53f2403397..a8a83c428c 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md 
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile author: jdeckerMS +localizationpriority: high --- # Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise @@ -73,6 +74,9 @@ In AssignedAccessXml, for Application, you enter the product ID for the app to r ### Set up assigned access using Windows Imaging and Configuration Designer (ICD) +> **Important** +When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + **To create and apply a provisioning package for a kiosk device** 1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=618601). @@ -82,13 +86,14 @@ In AssignedAccessXml, for Application, you enter the product ID for the app to r   -2. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +2. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). +3. Choose **Advanced provisioning**. + -3. Choose **New provisioning package**. 4. Name your project, and click **Next**. -5. Choose **Common to all Windows mobile editions** and click **Next**. +5. Choose **All Windows mobile editions** and click **Next**. 6. On **New project**, click **Finish**. The workspace for your package opens. diff --git a/windows/manage/set-up-shared-or-guest-pc.md b/windows/manage/set-up-shared-or-guest-pc.md new file mode 100644 index 0000000000..047004f0c0 --- /dev/null 
+++ b/windows/manage/set-up-shared-or-guest-pc.md 
@@ -0,0 +1,301 @@ +--- +title: Set up a shared or guest PC with Windows 10 (Windows 10) +description: Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios. +keywords: ["shared pc mode"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Set up a shared or guest PC with Windows 10 + + +**Applies to** + +- Windows 10 + +Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. + +> [!NOTE] +> If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. + +##Shared PC mode concepts +A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. Users who sign-in are signed in as standard users, not admin users. + +###Account models +It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC as a standard user. The user who originally joined the PC to the domain will have administrative rights when they sign in. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. 
Additionally, shared PC mode can be configured to enable a **Start without an account** option on the sign-in screen, which doesn't require any user credentials or authentication and creates a new local account. + +###Account management +When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Start without an account** option. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. + +###Maintenance and sleep +Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not is use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods. + +While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates. 
Use one of the following methods to configure Windows Update: + +- Group Policy: Set **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** to `4` and check **Install during automatic maintenance**. +- MDM: Set **Update/AllowAutoUpdate** to `4`. +- Provisioning: In Windows Imaging and Configuration Designer (ICD), set **Policies/Update/AllowAutoUpdate** to `4`. + +[Learn more about the AllowAutoUpdate settings](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_AllowAutoUpdate) + +###App behavior + +Apps can take advantage of shared PC mode by changing their app behavior to align with temporary use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences. For information on how an app can query for shared PC mode, see [SharedModeSettings class](https://msdn.microsoft.com/en-us/library/windows/apps/windows.system.profile.sharedmodesettings.aspx). + +###Customization +Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table. + +| Setting | Value | +|:---|:---| +| EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. | +| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. 
Specifying the guest option will add the **Start without an account** option to the sign-in screen and enable anonymous guest access to the PC.
    - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
    - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
    - **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. | +| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
    - **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.

    Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. | +| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. | +| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. | +| AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. | +| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. | +| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. When **SetEduPolicies** is **True**, the following additional settings are applied:
    - Local storage locations are restricted. Users can only save files to the cloud.
    - Custom Start and taskbar layouts are set.\*
    - A custom sign-in screen background image is set.\*
    - Additional educational policies are applied (see full list below).

    \*Only applies to Windows 10 Pro Education, Enterprise, and Education | +| Customization: SetPowerPolicies | When set as **True**:
    - Prevents users from changing power settings
    - Turns off hibernate
    - Overrides all power state transitions to sleep (e.g. lid close) | +| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | +| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | + + +##Configuring shared PC mode on Windows +You can configure Windows to be in shared PC mode in a couple different ways: +- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) + +![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png) + +- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC. 
+ +![Shared PC settings in ICD](images/icd-adv-shared-pc.png) + + +### Create a provisioning package for shared use + +Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). + +2. On the **Start page**, select **Advanced provisioning**. + +3. Enter a name and (optionally) a description for the project, and click **Next**. + +4. Select **All Windows desktop editions**, and click **Next**. + +5. Click **Finish**. Your project opens in Windows ICD. + +6. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization) + +7. On the **File** menu, select **Save.** +8. On the **Export** menu, select **Provisioning package**. +9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** +10. Set a value for **Package Version**. + > [!TIP] + > You can make changes to existing packages and change the version number to update previously applied packages. +   +11. (*Optional*) In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. 
+ > [!IMPORTANT]   + > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. +   +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. + Optionally, you can click **Browse** to change the default output location. +13. Click **Next**. +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. +16. Select the **output location** link to go to the location of the package. 
You can provide that .ppkg to others through any of the following methods: + + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) (select this option to apply to a PC during initial setup) + + +### Apply the provisioning package + +You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up. + +**During initial setup** +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + + ![The first screen to set up a new PC](images/oobe.jpg) + +2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. If there is only one provisioning package on the USB drive, you don't need to press the Windows key five times, Windows will automatically ask you if you want to set up the device. Select **Set up**. + + ![Set up device?](images/setupmsg.jpg) + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + + ![Provision this device](images/prov.jpg) + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + + ![Choose a package](images/choose-package.png) + +5. Select **Yes, add it**. + + ![Do you trust this package?](images/trust-package.png) + +6. Read and accept the Microsoft Software License Terms. + + ![Sign in](images/license-terms.png) + +7. Select **Use Express settings**. + + ![Get going fast](images/express-settings.png) + +8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. + + ![Who owns this PC?](images/who-owns-pc.png) + +9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. 
+ + ![Connect to Azure AD](images/connect-aad.png) + +10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. + + ![Sign in](images/sign-in-prov.png) + + +**After setup** + +On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. + +![add a package option](images/package.png) + +> [!NOTE] +> If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. + +## Guidance for accounts on shared PCs + +* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. +* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out. +* On a Windows PC joined to Azure Active Directory: + * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. + * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. +* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out. 
+* If admin accounts are necessary on the PC + * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or + * Create admin accounts before setting up shared PC mode, or + * Create exempt accounts before signing out when turning shared pc mode on. +* The account management service supports accounts that are exempt from deletion. + * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. + * To add the account SID to the registry key using PowerShell:
    + ``` + $adminName = "LocalAdmin" + $adminPass = 'Pa$$word123' + iex "net user /add $adminName $adminPass" + $user = New-Object System.Security.Principal.NTAccount($adminName) + $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) + $sid = $sid.Value; + New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force + ``` + + + + +## Policies set by shared PC mode +Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options. + +> [!IMPORTANT] +> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Policy name

    Value

    When set?

    Admin Templates > Control Panel > Personalization

    Prevent enabling lock screen slide show

    Enabled

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Admin Templates > System > Power Management > Button Settings

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume=True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume=True

    Specify the system sleep timeout (plugged in)

    *SleepTimeout*

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    *SleepTimeout*

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    *SleepTimeout*

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    *SleepTimeout*

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates>System>Power Management>Video and Display Settings

    Turn off the display (plugged in)

    *SleepTimeout*

    SetPowerPolicies=True

    Turn off the display (on battery

    *SleepTimeout*

    SetPowerPolicies=True

    Admin Templates>System>Logon

    Show first sign-in animation

    Disabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Turn off picture password sign-in

    Enabled

    Always

    Turn off app notification on the lock screen

    Enabled

    Always

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume=True

    Block user from showing account details on sign-in

    Enabled

    Always

    Admin Templates>System>User Profiles

    Turn off the advertising ID

    Enabled

    SetEduPolicies=True

    Admin Templates>Windows Components

    Do not show Windows Tips

    *Only on Pro, Enterprise, Pro Education, and Education*

    Enabled

    SetEduPolicies=True

    Turn off Microsoft consumer experiences

    *Only on Pro, Enterprise, Pro Education, and Education*

    Enabled

    SetEduPolicies=True

    Microsoft Passport for Work

    Disabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Admin Templates>Windows Components>Biometrics

    Allow the use of biometrics

    Disabled

    Always

    Allow users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Admin Templates>Windows Components>Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Always

    Disable pre-release features or settings

    Disabled

    Always

    Do not show feedback notifications

    Enabled

    Always

    Admin Templates>Windows Components>File Explorer

    Show lock in the user tile menu

    Disabled

    Always

    Admin Templates>Windows Components>Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    *MaintenanceStartTime*

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    Admin Templates>Windows Components>Microsoft Edge

    Open a new tab with an empty tab

    Disabled

    SetEduPolicies=True

    Configure corporate home pages

    Enabled, about:blank

    SetEduPolicies=True

    Admin Templates>Windows Components>Search

    Allow Cortana

    Disabled

    SetEduPolicies=True

    Windows Settings>Security Settings>Local Policies>Security Options

    Interactive logon: Do not display last user name

    Enabled, Disabled when account model is only guest

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always



    + + + +## Related topics + +[Set up a device for anyone to use (kiosk)](set-up-a-device-for-anyone-to-use.md) + + +  + +  + + + + + diff --git a/windows/manage/settings-reference-windows-store-for-business.md b/windows/manage/settings-reference-windows-store-for-business.md index 283e512bd4..8b88eba8e5 100644 --- a/windows/manage/settings-reference-windows-store-for-business.md +++ b/windows/manage/settings-reference-windows-store-for-business.md @@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Settings reference: Windows Store for Business diff --git a/windows/manage/settings-that-can-be-locked-down.md b/windows/manage/settings-that-can-be-locked-down.md index a58bf463c0..fe4253fb64 100644 --- a/windows/manage/settings-that-can-be-locked-down.md +++ b/windows/manage/settings-that-can-be-locked-down.md @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile author: jdeckerMS +localizationpriority: high --- # Settings and quick actions that can be locked down in Windows 10 Mobile @@ -48,7 +49,7 @@ The following table lists the settings pages and page groups. Use the page name -Notifications and actions +Notifications & actions SettingsPageAppsNotifications @@ -58,24 +59,24 @@ The following table lists the settings pages and page groups. Use the page name -Message +Messaging SettingsPageMessaging -Battery saver +Battery SettingsPageBatterySaver +Apps for websites +SettingsPageAppsForWebsites + + + Storage SettingsPageStorageSenseStorageOverview - - -Device encryption -SettingsPageGroupPCSystemDeviceEncryption - Driving mode @@ -128,7 +129,7 @@ The following table lists the settings pages and page groups. Use the page name -Cellular and sim +Cellular & SIM SettingsPageNetworkCellular @@ -149,7 +150,7 @@ The following table lists the settings pages and page groups. Use the page name Mobile hotspot -SettingsPageInternetSharing +SettingsPageNetworkMobileHotspot 
@@ -181,10 +182,15 @@ The following table lists the settings pages and page groups. Use the page name Lock screen SettingsPageLockscreen - + -Theme -SettingsPageStartTheme +Glance screen +SettingsPageGlance + + + +Navigation bar +SettingsNagivationBar Accounts @@ -193,7 +199,7 @@ The following table lists the settings pages and page groups. Use the page name -Your account +Your info SettingsPageAccountsPicture @@ -203,39 +209,33 @@ The following table lists the settings pages and page groups. Use the page name -Work access -SettingsPageAccountsWorkplace +Email & app accounts +SettingsPageAccountsEmailApp + + + +Access work or school +SettingsPageWorkAccess Sync your settings SettingsPageAccountsSync - - -

    Kid's corner

    -

    (disabled in Assigned Access)

    -SettingsPageKidsCorner -

    Apps corner

    (disabled in Assigned Access)

    SettingsPageAppsCorner - - -Provisioning -SettingsPageProvisioningPage - -Time and language +Time & language SettingsPageGroupTimeRegion -Date and time +Date & time SettingsPageTimeRegionDateTime @@ -275,7 +275,7 @@ The following table lists the settings pages and page groups. Use the page name -High contracts +High contrast SettingsPageEaseoOfAccessHighContrast @@ -315,7 +315,12 @@ The following table lists the settings pages and page groups. Use the page name -Speech inking and typing +Notifications +SettingsPagePrivacyNotifications + + + +Speech. inking, & typing SettingsPagePrivacyPersonalization @@ -335,6 +340,20 @@ The following table lists the settings pages and page groups. Use the page name +Phone calls +SettingsPagePrivacyPhoneCall + + + +Call history +SettingsPagePrivacyCallHistory + + + +Email +SettingsPagePrivacyEmail + + Messaging SettingsPagePrivacyMessaging @@ -345,13 +364,18 @@ The following table lists the settings pages and page groups. Use the page name +Continue App Experiences +SettingsPagePrivacyCDP + + + Background apps SettingsPagePrivacyBackgroundApps -Accessory app0s -SettingsPagePrivacyAccessories +Accessory apps +SettingsPageAccessories @@ -378,6 +402,16 @@ The following table lists the settings pages and page groups. Use the page name Phone update SettingsPageRestoreMusUpdate + + +Windows Insider Program +SettingsPageFlights + + + +Device encryption +SettingsPageGroupPCSystemDeviceEncryption + Backup @@ -391,7 +425,7 @@ The following table lists the settings pages and page groups. Use the page name For developers -SettingsSystemDeveloperOptions +SettingsPageSystemDeveloperOptions OEM 
@@ -426,19 +460,16 @@ You can specify the quick actions as follows: - + + + + ``` -The following quick actions buttons are not conditional and will always be displayed: - -- QuickActions\_Launcher\_AllSettings -- SystemSettings\_Launcher\_QuickNote -- QuickActions\_Launcher\_DeviceDiscovery - Some quick actions are dependent on related settings pages/page groups. When a dependent page/group is not available, then the corresponding quick action will also be hidden. **Note**   
@@ -448,24 +479,24 @@ Dependent settings group/pages will be automatically enabled when a quick action
 The following table lists the dependencies between quick actions and Settings groups/pages.
-| Quick action | Settings group | Settings page |
-|------------------------------------------------------------|--------------------------------------------------|------------------------------------|
-| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay | SettingsPageDisplay |
-| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay |
-| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi |
-| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing |
-| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular |
-| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode |
-| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation |
-| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN |
-| SystemSettings\_Launcher\_QuickNote | N/A | N/A |
-| SystemSettings\_Flashlight\_Toggle | N/A | N/A |
-| SystemSettings\_QuickAction\_Bluetooth | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth |
-| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver |
-| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A |
-| QuickActions\_Launcher\_AllSettings | N/A | N/A |
-| SystemSettings\_QuickAction\_QuietHours | N/A | N/A |
-| SystemSettings\_QuickAction\_Camera | N/A | N/A |
+| Quick action | Settings group | Settings page |
+|-----|-------|-------|
+| SystemSettings\_System\_Display\_QuickAction\_Brightness | 
SettingsPageSystemDisplay| SettingsPageDisplay |
+| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay |
+| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi |
+| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing |
+| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular |
+| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode |
+| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation |
+| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN |
+| SystemSettings\_Launcher\_QuickNote | N/A | N/A |
+| SystemSettings\_Flashlight\_Toggle | N/A | N/A |
+| SystemSettings\_Device\_BluetoothQuickAction | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth |
+| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver |
+| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A |
+| QuickActions\_Launcher\_AllSettings | N/A | N/A |
+| SystemSettings\_QuickAction\_QuietHours | N/A | N/A |
+| SystemSettings\_QuickAction\_Camera | N/A | N/A |  
diff --git a/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md b/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md
index 71deb2dedb..96a6b5344b 100644
--- a/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md
+++ b/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, security author: TrudyHa +localizationpriority: high --- # Sign code integrity policy with Device Guard signing 
diff --git a/windows/manage/sign-up-windows-store-for-business-overview.md b/windows/manage/sign-up-windows-store-for-business-overview.md
index 93c2e85ad1..5a85ddec8a 100644
--- a/windows/manage/sign-up-windows-store-for-business-overview.md
+++ b/windows/manage/sign-up-windows-store-for-business-overview.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Sign up and get started
@@ -35,18 +36,22 @@ IT admins can sign up for the Windows Store for Business, and get started workin
+

    [Windows Store for Business overview](windows-store-for-business-overview.md)

    +

    Learn about Windows Store for Business.

    + +

    [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)

    There are a few prerequisites for using Store for Business.

    - +

    [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)

    Before you sign up for Store for Business, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Store for Business. If not, we'll help you create an Azure AD account and directory as part of the sign up process.

    - +

    [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)

    The first person to sign in to Store for Business must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.

    - +

    [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)

    The Store for Business has a group of settings that admins use to manage the store.

    diff --git a/windows/manage/sign-up-windows-store-for-business.md b/windows/manage/sign-up-windows-store-for-business.md
index 643d42eddf..b64638e1a8 100644
--- a/windows/manage/sign-up-windows-store-for-business.md
+++ b/windows/manage/sign-up-windows-store-for-business.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Sign up for Windows Store for Business
diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md
index dabf676bf5..7a21ec1cc1 100644
--- a/windows/manage/stop-employees-from-using-the-windows-store.md
+++ b/windows/manage/stop-employees-from-using-the-windows-store.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, mobile author: TrudyHa +localizationpriority: high --- # Configure access to Windows Store 
@@ -84,8 +85,25 @@ When your MDM tool supports Windows Store for Business, the MDM can use these CS
 - [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only)
 For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md).
-## Related topics
+## Show private store only using Group Policy
+Applies to Windows 10 Enterprise, version 1607.
+
+If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
+
+**To show private store only in Windows Store app**
+
+1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
+
+2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**.
+
+3. Right-click **Only display the private store within the Windows Store app** in the right pane, and click **Edit**.
+
+ This opens the **Only display the private store within the Windows Store app** policy settings.
+
+4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**.
+
+## Related topics
 [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
diff --git a/windows/manage/troubleshoot-windows-store-for-business.md b/windows/manage/troubleshoot-windows-store-for-business.md
index e2653436b7..6be281bae5 100644
--- a/windows/manage/troubleshoot-windows-store-for-business.md
+++ b/windows/manage/troubleshoot-windows-store-for-business.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Troubleshoot Windows Store for Business diff --git a/windows/manage/uev-accessibility.md b/windows/manage/uev-accessibility.md new file mode 100644 index 0000000000..e54c168813 --- /dev/null +++ b/windows/manage/uev-accessibility.md @@ -0,0 +1,88 @@ +--- +title: Accessibility for UE-V +description: Accessibility for UE-V +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Accessibility for UE-V + + +Microsoft is committed to making its products and services easier for everyone to use. This section provides information about features and services that make this product and its corresponding documentation more accessible for people with disabilities. + +## Access any command with a few keystrokes + + +You can access most commands by using two keystrokes. To use an access key: + +1. Press Alt. + + The keyboard shortcuts are displayed over each feature that is available in the current view. + +2. Press the letter that is shown in the keyboard shortcut over the feature that you want to use. + +### Documentation in alternative formats + +If you have difficulty reading or handling printed materials, you can obtain the documentation for many Microsoft products in more accessible formats. You can view an index of accessible product documentation on the Microsoft Accessibility website. In addition, you can obtain additional Microsoft publications from Learning Ally, formerly known as Recording for the Blind & Dyslexic, Inc. Learning Ally distributes these documents to registered, eligible members of their distribution service. + +For information about the availability of Microsoft product documentation and books from Microsoft Press, use the following contact. + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

    Learning Ally (formerly Recording for the Blind & Dyslexic, Inc.)

    +

    20 Roszel Road

    +

    Princeton, NJ 08540

    Telephone number from within the United States:

    (800) 221-4792

    Telephone number from outside the United States and Canada:

    (609) 452-0606

    Fax:

    (609) 987-8116

    [http://www.learningally.org/](http://go.microsoft.com/fwlink/p/?linkid=239)

    Web addresses can change, so you might be unable to connect to the website or sites that are mentioned here.

    + +  +
+### Customer service for people with hearing impairments
+
+If you are deaf or hard-of-hearing, complete access to Microsoft product and customer services is available through a text telephone (TTY/TDD) service:
+
+- For customer service, contact Microsoft Sales Information Center at (800) 892-5234 between 6:30 AM and 5:30 PM Pacific Time, Monday through Friday, excluding holidays.
+
+- For technical assistance in the United States, contact Microsoft Product Support Services at (800) 892-5234 between 6:00 AM and 6:00 PM Pacific Time, Monday through Friday, excluding holidays. In Canada, dial (905) 568-9641 between 8:00 AM and 8:00 PM Eastern Time, Monday through Friday, excluding holidays.
+
+Microsoft Support Services are subject to the prices, terms, and conditions in place at the time that the service is used.
+
+## For more information
+
+
+For more information about how accessible technology for computers can help to improve the lives of people with disabilities, see the [Microsoft Accessibility website](https://www.microsoft.com/enable/default.aspx).
+
+## Have a suggestion for UE-V?
+
+Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
+
+## Related topics
+
+[Technical Reference for UE-V](uev-technical-reference.md)
diff --git a/windows/manage/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/manage/uev-administering-uev-with-windows-powershell-and-wmi.md
new file mode 100644
index 0000000000..081924a8c9
--- /dev/null
+++ b/windows/manage/uev-administering-uev-with-windows-powershell-and-wmi.md
@@ -0,0 +1,39 @@
+---
+title: Administering UE-V with Windows PowerShell and WMI
+description: Administering UE-V with Windows PowerShell and WMI
+author: MaggiePucciEvans
+ms.pagetype: mdop, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Administering UE-V with Windows PowerShell and WMI
+
+
+User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks. The following sections provide more information about using Windows PowerShell in UE-V.
+
+**Note**  
+Administering UE-V with Windows PowerShell requires PowerShell 3.0 or higher. For a complete list of UE-V PowerShell cmdlets, see [UE-V Cmdlet Reference](http://go.microsoft.com/fwlink/p/?LinkId=393495).
+
+## Managing the UE-V service and packages by using Windows PowerShell and WMI
+
+You can use Windows PowerShell and Windows Management Instrumentation (WMI) to manage UE-V service configuration and synchronization behavior. The following topic describes how to manage configuration and synchronization.
+
+[Managing the UE-V Service and Packages with Windows PowerShell and WMI](uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md)
+
+## Managing UE-V settings location templates by using Windows PowerShell and WMI
+
+
+After you create and deploy UE-V settings location templates, you can manage those templates by using Windows PowerShell or WMI. The following topic describes how to manage the settings location templates by using Windows PowerShell and WMI.
+
+[Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md)
+
+## Have a suggestion for UE-V?
+
+Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). 
For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
+
+## Related topics
+
+[Administering UE-V](uev-administering-uev.md)
diff --git a/windows/manage/uev-administering-uev.md b/windows/manage/uev-administering-uev.md
new file mode 100644
index 0000000000..83f4e99a1b
--- /dev/null
+++ b/windows/manage/uev-administering-uev.md
@@ -0,0 +1,73 @@
+---
+title: Administering UE-V
+description: Administering UE-V
+author: MaggiePucciEvans
+ms.pagetype: mdop, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Administering UE-V
+
+After you finish deploying User Experience Virtualization (UE-V), you'll perform ongoing administrative tasks, such as managing the configuration of the UE-V service and recovering lost settings. These tasks are explained in the following sections.
+
+## Managing UE-V configurations
+
+
+In the course of the UE-V lifecycle, you'll manage the configuration of the UE-V service and also manage storage locations for resources such as settings package files.
+
+[Manage Configurations for UE-V](uev-manage-configurations.md)
+
+## Working with custom UE-V templates and the UE-V template generator
+
+
+This topic explains how to use the UE-V template generator and manage custom settings location templates.
+
+[Working with Custom UE-V Templates and the UE-V Template Generator](uev-working-with-custom-templates-and-the-uev-generator.md)
+
+## Back up and restore application and Windows settings that are synchronized with UE-V
+
+
+Windows Management Instrumentation (WMI) and Windows PowerShell features of UE-V allow you to restore settings packages. By using WMI and Windows PowerShell commands, you can restore application and Windows settings to their original state and restore additional settings when a user adopts a new device.
+
+[Manage Administrative Backup and Restore in UE-V](uev-manage-administrative-backup-and-restore.md)
+
+## Changing the frequency of UE-V scheduled tasks
+
+
+You can configure the scheduled tasks that manage when UE-V checks for new or updated settings or for updated custom settings location templates in the settings template catalog. 
+
+[Changing the Frequency of UE-V Scheduled Tasks](uev-changing-the-frequency-of-scheduled-tasks.md)
+
+## Migrating UE-V settings packages
+
+
+You can relocate the user settings packages either when they migrate to a new server or for backup purposes.
+
+[Migrating UE-V Settings Packages](uev-migrating-settings-packages.md)
+
+## Using UE-V with Application Virtualization applications
+
+
+You can use UE-V with Microsoft Application Virtualization (App-V) to share settings between virtual applications and installed applications across multiple computers.
+
+[Using UE-V with Application Virtualization Applications](uev-using-uev-with-application-virtualization-applications.md)
+
+## Other resources for this feature
+
+
+- [User Experience Virtualization for Windows overview](uev-for-windows.md)
+
+- [Get Started with UE-V](uev-getting-started.md)
+
+- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md)
+
+- [Troubleshooting UE-V](uev-troubleshooting.md)
+
+- [Technical Reference for UE-V](uev-technical-reference.md)
+
+## Have a suggestion for UE-V?
+
+Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
diff --git a/windows/manage/uev-application-template-schema-reference.md b/windows/manage/uev-application-template-schema-reference.md
new file mode 100644
index 0000000000..c5c7a98379
--- /dev/null
+++ b/windows/manage/uev-application-template-schema-reference.md
@@ -0,0 +1,964 @@ +--- +title: Application Template Schema Reference for UE-V +description: Application Template Schema Reference for UE-V +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Application Template Schema Reference for UE-V + + +User Experience Virtualization (UE-V) uses XML settings location templates to define the desktop application settings and Windows settings that are captured and applied by UE-V. UE-V includes a set of default settings location templates. You can also create custom settings location templates with the UE-V template generator. + +An advanced user can customize the XML file for a settings location template. This topic details the XML structure of the UE-V settings location templates and provides guidance for editing these files. + +## UE-V Application Template Schema Reference + + +This section details the XML structure of the UE-V settings location template and provides guidance for editing this file. + +### In This Section + +- [XML Declaration and Encoding Attribute](#xml21) + +- [Namespace and Root Element](#namespace21) + +- [Data types](#data21) + +- [Name Element](#name21) + +- [ID Element](#id21) + +- [Version Element](#version21) + +- [Author Element](#author21) + +- [Processes and Process Element](#processes21) + +- [Application Element](#application21) + +- [Common Element](#common21) + +- [SettingsLocationTemplate Element](#settingslocationtemplate21) + +- [Appendix: SettingsLocationTemplate.xsd](#appendix21) + +### XML Declaration and Encoding Attribute + +**Mandatory: True** + +**Type: String** + +The XML declaration must specify the XML version 1.0 attribute (<?xml version="1.0">). Settings location templates created by the UE-V template generator are saved in UTF-8 encoding, although the encoding is not explicitly specified. We recommend that you include the encoding="UTF-8" attribute in this element as a best practice. 
All templates included with the product specify this tag as well (see the documents in %ProgramFiles%\\Microsoft User Experience Virtualization\\Templates for reference). For example: + +`` + +### Namespace and Root Element + +**Mandatory: True** + +**Type: String** + +UE-V uses the http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag: + +`` + +### Data types + +These are the data types for the UE-V application template schema. + +**GUID** +GUID describes a standard globally unique identifier regular expression in the form "\\{\[a-fA-F0-9\]{8}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{12}\\}". This is used in the Filesetting\\Root\\KnownFolder element to verify the formatting of well-known folders. + +**FilenameString** +FilenameString refers to the file name of a process to be monitored. Its values are restricted by the regex \[^\\\\\\?\\\*\\|<>/:\]+, (that is, they may not contain backslash characters, asterisk or question mark wild-card characters, the pipe character, the greater than or less than sign, forward slash, or colon characters). + +**IDString** +IDString refers to the ID value of Application elements, SettingsLocationTemplate, and Common elements (used to describe application suites that share common settings). It is restricted by the same regex as FilenameString (\[^\\\\\\?\\\*\\|<>/:\]+). + +**TemplateVersion** +TemplateVersion is an integer value used to describe the revision of the settings location template. Its value may range from 0 to 2147483647. + +**Empty** +Empty refers to a null value. This is used in Process\\ShellProcess to indicate that there is no process to monitor. This value should not be used in any application templates. 
+ +**Author** +The Author data type is a complex type that identifies the author of a template. It contains two child elements: **Name** and **Email**. Within the Author data type, the Name element is mandatory while the Email element is optional. This type is described in more detail under the SettingsLocationTemplate element. + +**Range** +Range defines an integer class consisting of two child elements: **Minimum** and **Maximum**. This data type is implemented in the ProcessVersion data type. If specified, both Minimum and Maximum values must be included. + +**ProcessVersion** +ProcessVersion defines a type with four child elements: **Major**, **Minor**, **Build**, and **Patch**. This data type is used by the Process element to populate its ProductVersion and FileVersion values. The data for this type is a Range value. The Major child element is mandatory and the others are optional. + +**Architecture** +Architecture enumerates two possible values: **Win32** and **Win64**. These values are used to specify process architecture. + +**Process** +The Process data type is a container used to describe processes to be monitored by UE-V. It contains six child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. This table details each element’s respective data type: + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Element

    Data Type

    Mandatory

    Filename

    FilenameString

    True

    Architecture

    Architecture

    False

    ProductName

    String

    False

    FileDescription

    String

    False

    ProductVersion

    ProcessVersion

    False

    FileVersion

    ProcessVersion

    False

    + +  + +**Processes** +The Processes data type represents a container for a collection of one or more Process elements. Two child elements are supported in the Processes sequence type: **Process** and **ShellProcess**. Process is an element of type Process and ShellProcess is of data type Empty. At least one item must be identified in the sequence. + +**Path** +Path is consumed by RegistrySetting and FileSetting to refer to registry and file paths. This element supports two optional attributes: **Recursive** and **DeleteIfNotFound**. Both values are set to default=”False”. + +Recursive indicates that the path and all subfolders are included for file settings or that all child registry keys are included for registry settings. In both cases, all items at the current level are included in the data captured. For a FileSettings object, all files within the specified folder are included in the data captured by UE-V but folders are not included. For registry paths, all values in the current path are captured but child registry keys are not captured. In both cases, care should be taken to avoid capturing large data sets or large numbers of items. + +The DeleteIfNotFound attribute removes the setting from the user’s settings storage path data. This may be desirable in cases where removing these settings from the package will save a large amount of disk space on the settings storage path file server. + +**FileMask** +FileMask specifies only certain file types for the folder that is defined by Path. For example, Path might be `C:\users\username\files` and FileMask could be `*.txt` to include only text files. + +**RegistrySetting** +RegistrySetting represents a container for registry keys and values and the associated desired behavior on the part of the UE-V service. Four child elements are defined within this type: **Path**, **Name**, **Exclude**, and a sequence of the values **Path** and **Name**. 
+ +**FileSetting** +FileSetting contains parameters associated with files and files paths. Four child elements are defined: **Root**, **Path**, **FileMask**, and **Exclude**. Root is mandatory and the others are optional. + +**Settings** +Settings is a container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings described earlier. In addition, it can also contain the following child elements with behaviors described: + + ++++ + + + + + + + + + + + + + + + + + + +

    Element

    Description

    Asynchronous

    Asynchronous settings packages are applied without blocking the application startup so that the application start proceeds while the settings are still being applied. This is useful for settings that can be applied asynchronously, such as those get/set through an API, like SystemParameterSetting.

    PreventOverlappingSynchronization

    By default, UE-V only saves settings for an application when the last instance of an application using the template is closed. When this element is set to ‘false’, UE-V exports the settings even if other instances of an application are running. Suited templates – those that include a Common element section– that are shipped with UE-V use this flag to enable shared settings to always export on application close, while preventing application-specific settings from exporting until the last instance is closed.

    AlwaysApplySettings

    This parameter forces an imported settings package to be applied even if there are no differences between the package and the current state of the application. This parameter should be used only in special cases since it can slow down settings import.

    + +  + +### Name Element + +**Mandatory: True** + +**Type: String** + +Name specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. In general, avoid referencing version information, as this can be objected from the ProductVersion element. For example, specify `My Application` rather than `My Application 1.1`. + +**Note**   +UE-V does not reference external DTDs, so it is not possible to use named entities in a settings location template. For example, do not use ® to refer to the registered trade mark sign ®. Instead, use canonical numbered references to include these types of special characters, for example, &\#174 for the ® character. This rule applies to all string values in this document. + +See for a complete list of character entities. UTF-8-encoded documents may include the Unicode characters directly. Saving templates through the UE-V template generator converts character entities to their Unicode representations automatically. + +  + +### ID Element + +**Mandatory: True** + +**Type: String** + +ID populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime (for example, see the output of the Get-UevTemplate and Get-UevTemplateProgram PowerShell cmdlets). By convention, this tag should not contain any spaces, which simplifies scripting. Version numbers of applications should be specified in this element to allow for easy identification of the template, such as `MicrosoftOffice2016Win64`. + +### Version Element + +**Mandatory: True** + +**Type: Integer** + +**Minimum Value: 0** + +**Maximum Value: 2147483647** + +Version identifies the version of the settings location template for administrative tracking of changes. The UE-V template generator automatically increments this number by one each time the template is saved. 
Notice that this field must be a whole number integer; fractional values, such as `2.5` are not allowed. + +**Hint:** You can save notes about version changes using XML comment tags ``, for example: + +``` syntax + + 4 +``` + +**Important**   +This value is queried to determine if a new version of a template should be applied to an existing template in these instances: + +- When the scheduled Template Auto Update task executes + +- When the Update-UevTemplate PowerShell cmdlet is executed + +- When the microsoft\\uev:SettingsLocationTemplate Update method is called through WMI + +  + +### Author Element + +**Mandatory: False** + +**Type: String** + +Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly, for example, on the [UE-V Template Gallery](http://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V). + +### Processes and Process Element + +**Mandatory: True** + +**Type: Element** + +Processes contains at least one `` element, which in turn contains the following child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. The Filename child element is mandatory and the others are optional. A fully populated element contains tags similar to this example: + +``` syntax + + MyApplication.exe + Win64 + MyApplication + MyApplication.exe + + + + + + + + + + + + + +``` + +### Filename + +**Mandatory: True** + +**Type: String** + +Filename refers to the actual file name of the executable as it appears in the file system. 
This element specifies the primary criterion that UE-V uses to evaluate whether a template applies to a process or not. This element must be specified in the settings location template XML. + +Valid filenames must not match the regular expression \[^\\\\\\?\\\*\\|<>/:\]+, that is, they may not contain backslash characters, asterisk or question mark wild-card characters, the pipe character, the greater than or less than sign, forward slash, or colon (the \\ ? \* | < > / or : characters.). + +**Hint:** To test a string against this regex, use a PowerShell command window and substitute your executable’s name for **YourFileName**: + +`"YourFileName.exe" -match "[\\\?\*\|<>/:]+"` + +A value of **True** indicates that the string contains illegal characters. Here are some examples of illegal values: + +- \\\\server\\share\\program.exe + +- Program\*.exe + +- Pro?ram.exe + +- Program<1>.exe + +**Note**   +The UE-V template generator encodes the greater than and less than characters as > and < respectively. + +  + +In rare circumstances, the FileName value will not necessarily include the .exe extension, but it should be specified as part of the value. For example, `MyApplication.exe` should be specified instead of `MyApplication`. The second example will not apply the template to the process if the actual name of the executable file is “MyApplication.exe”. + +### Architecture + +**Mandatory: False** + +**Type: Architecture (String)** + +Architecture refers to the processor architecture for which the target executable was compiled. Valid values are Win32 for 32-bit applications or Win64 for 64-bit applications. If present, this tag limits the applicability of the settings location template to a particular application architecture. For an example of this, compare the %ProgramFiles%\\Microsoft User Experience Virtualization\\templates\\ MicrosoftOffice2016Win32.xml and MicrosoftOffice2016Win64.xml files included with UE-V. 
This is useful when relative paths change between different versions of an executable or if settings have been added or removed when moving from one processor architecture to another. + +If this element is absent, the settings location template ignores the process’ architecture and applies to both 32 and 64-bit processes if the file name and other attributes apply. + +**Note**   +UE-V does not support ARM processors in this version. + +  + +### ProductName + +**Mandatory: False** + +**Type: String** + +ProductName is an optional element used to identify a product for administrative purposes or reporting. ProductName differs from Filename in that there are no regular expression restrictions on its value. This allows for more easily understood descriptions of a process where the executable name may not be obvious. For example: + +``` syntax + + MyApplication.exe + My Application 6.x by Contoso.com + + + + +``` + +### FileDescription + +**Mandatory: False** + +**Type: String** + +FileDescription is an optional tag that allows for an administrative description of the executable file. This is a free text field and can be useful in distinguishing multiple executables within a software package where there is a need to identify the function of the executable. + +For example, in a suited application, it might be useful to provide reminders about the function of two executables (MyApplication.exe and MyApplicationHelper.exe), as shown here: + +``` syntax + + + + MyApplication.exe + My Application Main Engine + + + + + + MyApplicationHelper.exe + My Application Background Process Executable + + + + + +``` + +### ProductVersion + +**Mandatory: False** + +**Type: String** + +ProductVersion refers to the major and minor product versions of a file, as well as a build and patch level. ProductVersion is an optional element, but if specified, it must contain at least the Major child element. 
The value must express a range in the form Minimum="X" Maximum="Y" where X and Y are integers. The Minimum and Maximum values can be identical. + +The product and file version elements may be left unspecified. Doing so makes the template “version agnostic”, meaning that the template will apply to all versions of the specified executable. + +**Example 1:** + +Product version: 1.0 specified in the UE-V template generator produces the following XML: + +``` syntax + + + + +``` + +**Example 2:** + +File version: 5.0.2.1000 specified in the UE-V template generator produces the following XML: + +``` syntax + + + + + + +``` + +**Incorrect Example 1 – incomplete range:** + +Only the Minimum attribute is present. Maximum must be included in a range as well. + +``` syntax + + + +``` + +**Incorrect Example 2 – Minor specified without Major element:** + +Only the Minor element is present. Major must be included as well. + +``` syntax + + + +``` + +### FileVersion + +**Mandatory: False** + +**Type: String** + +FileVersion differentiates between the release version of a published application and the internal build details of a component executable. For the majority of commercial applications, these numbers are identical. Where they vary, the product version of a file indicates a generic version identification of a file, while file version indicates a specific build of a file (as in the case of a hotfix or update). This uniquely identifies files without breaking detection logic. + +To determine the product version and file version of a particular executable, right-click on the file in Windows Explorer, select Properties, then click on the Details tab. + +Including a FileVersion element for an application allows for more granular fine-tuning detection logic, but is not necessary for most applications. The ProductVersion element settings are checked first, and then FileVersion is checked. The more restrictive setting will apply. 
+ +The child elements and syntax rules for FileVersion are identical to those of ProductVersion. + +``` syntax + + MSACCESS.EXE + Win32 + + + + + + + + + +``` + +### Application Element + +Application is a container for settings that apply to a particular application. It is a collection of the following fields/types. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Field/Type

    Description

    Name

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).

    ID

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).

    Description

    An optional description of the template.

    LocalizedNames

    An optional name displayed in the UI, localized by a language locale.

    LocalizedDescriptions

    An optional template description localized by a language locale.

    Version

    Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).

    DeferToMSAccount

    Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.

    DeferToOffice365

    Similar to MSA, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.

    FixedProfile

    Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.

    Processes

    A container for a collection of one or more Process elements. For more information, see [Processes](#processes21).

    Settings

    A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in [Data types](#data21).

    + +  + +### Common Element + +Common is similar to an Application element, but it is always associated with two or more Application elements. The Common section represents the set of settings that are shared between those Application instances. It is a collection of the following fields/types. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Field/Type

    Description

    Name

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).

    ID

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).

    Description

    An optional description of the template.

    LocalizedNames

    An optional name displayed in the UI, localized by a language locale.

    LocalizedDescriptions

    An optional template description localized by a language locale.

    Version

    Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).

    DeferToMSAccount

    Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.

    DeferToOffice365

    Similar to MSA, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.

    FixedProfile

    Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.

    Settings

    A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in [Data types](#data21).

    + +  + +### SettingsLocationTemplate Element + +This element defines the settings for a single application or a suite of applications. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Field/Type

    Description

    Name

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).

    ID

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).

    Description

    An optional description of the template.

    LocalizedNames

    An optional name displayed in the UI, localized by a language locale.

    LocalizedDescriptions

    An optional template description localized by a language locale.

    + +  + +### Appendix: SettingsLocationTemplate.xsd + +Here is the SettingsLocationTemplate.xsd file showing its elements, child elements, attributes, and parameters: + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Have a suggestion for UE-V? + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). + +## Related topics + +[Working with Custom UE-V Templates and the UE-V Template Generator](uev-working-with-custom-templates-and-the-uev-generator.md) + +[Technical Reference for UE-V](uev-technical-reference.md) diff --git a/windows/manage/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/manage/uev-changing-the-frequency-of-scheduled-tasks.md new file mode 100644 index 0000000000..e05fa13e99 --- /dev/null +++ b/windows/manage/uev-changing-the-frequency-of-scheduled-tasks.md 
@@ -0,0 +1,247 @@ +--- +title: Changing the Frequency of UE-V Scheduled Tasks +description: Changing the Frequency of UE-V Scheduled Tasks +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Changing the Frequency of UE-V Scheduled Tasks + + +When the User Experience Virtualization (UE-V) service is enabled, it creates the following scheduled tasks: + +- **Monitor Application Settings** + +- **Sync Controller Application** + +- **Synchronize Settings at Logoff** + +- **Template Auto Update** + +**Note**   +These tasks must remain enabled as UE-V cannot function without them. + +These scheduled tasks are not configurable with the UE-V tools. Administrators who want to change the scheduled task for these items can create a script that uses the Schtasks.exe command-line options. + +For more information about Schtasks.exe, see [Schtasks](https://technet.microsoft.com/library/cc725744(v=ws.11).aspx). + +## UE-V Scheduled Tasks + +The following scheduled tasks are included in UE-V with sample scheduled task configuration commands. + +### Monitor Application Settings + +The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It is runs at logon but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory. + + ++++ + + + + + + + + + + + + +
    Task nameDefault event

    \Microsoft\UE-V\Monitor Application Status

    Logon

    + +  + +### Sync Controller Application + +The **Sync Controller Application** task is used to start the Sync Controller to synchronize settings from the computer to the settings storage location. By default, the task runs every 30 minutes. At that time, local settings are synchronized to the settings storage location, and updated settings on the settings storage location are synchronized to the computer. The Sync Controller application runs the Microsoft.Uev.SyncController.exe, which is located in the UE-V Agent installation directory. + + ++++ + + + + + + + + + + + + +
    Task nameDefault event

    \Microsoft\UE-V\Sync Controller Application

    Logon, and every 30 minutes thereafter

    + +  + +For example, the following command configures the agent to synchronize settings every 15 minutes instead of the default 30 minutes. + +``` syntax +Schtasks /change /tn “Microsoft\UE-V\Sync Controller Application” /ri 15 +``` + +### Synchronize Settings at Logoff + +The **Synchronize Settings at Logoff** task is used to start an application at logon that controls the synchronization of applications at logoff for UE-V. The Synchronize Settings at Logoff task runs the Microsoft.Uev.SyncController.exe file, which is located in the UE-V Agent installation directory. + + ++++ + + + + + + + + + + + + +
    Task nameDefault event

    \Microsoft\UE-V\Synchronize Settings at Logoff

    Logon

    + +  + +### Template Auto Update + +The **Template Auto Update** task checks the settings template catalog for new, updated, or removed templates. This task only runs if the SettingsTemplateCatalog is configured. The **Template Auto Update** task runs the ApplySettingsCatalog.exe file, which is located in the UE-V Agent installation directory. + + ++++ + + + + + + + + + + + + +
    Task nameDefault event

    \Microsoft\UE-V\Template Auto Update

    System startup and at 3:30 AM every day, at a random time within a 1-hour window

    + +  + +**Example:** The following command configures the UE-V service to check the settings template catalog store every hour. + +``` syntax +schtasks /change /tn "Microsoft\UE-V\Template Auto Update" /ri 60 +``` + + +## UE-V Scheduled Task Details + + +The following chart provides additional information about scheduled tasks for UE-V 2: + + ++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Task Name (file name)

    Default Frequency

    Power Toggle

    Idle Only

    Network Connection

    Description

    Monitor Application Settings (UevAppMonitor.exe)

    Starts 30 seconds after logon and continues until logoff.

    No

    Yes

    N/A

    Synchronizes settings for Windows (AppX) apps.

    Sync Controller Application (Microsoft.Uev.SyncController.exe)

    At logon and every 30 min thereafter.

    Yes

    Yes

    Only if Network is connected

    Starts the Sync Controller which synchronizes local settings with the settings storage location.

    Synchronize Settings at Logoff (Microsoft.Uev.SyncController.exe)

    Runs at logon and then waits for Logoff to Synchronize settings.

    No

    Yes

    N/A

    Start an application at logon that controls the synchronization of applications at logoff.

    Template Auto Update (ApplySettingsCatalog.exe)

    Runs at initial logon and at 3:30 AM every day thereafter.

    Yes

    No

    N/A

    Checks the settings template catalog for new, updated, or removed templates. This task only runs if SettingsTemplateCatalog is configured.

    + +  + +**Legend** + +- **Power Toggle** – Task Scheduler will optimize power consumption when not connected to AC power. The task might stop running if the computer switches to battery power. + +- **Idle Only** – The task will stop running if the computer ceases to be idle. By default the task will not restart when the computer is idle again. Instead the task will begin again on the next task trigger. + +- **Network Connection** – Tasks marked “Yes” only run if the computer has a network connection available. Tasks marked “N/A” run regardless of network connectivity. + +### How to Manage Scheduled Tasks + +To find Scheduled Tasks, perform the following: + +1. Open “Schedule Tasks” on the user computer. + +2. Navigate to: Task Scheduler -> Task Scheduler Library -> Microsoft -> UE-V + +3. Select the scheduled task you wish to manage and configure in the details pane. + +### Additional information + +The following additional information applies to UE-V scheduled tasks: + +- All task sequence programs are located in the UE-V Agent installation folder, `%programFiles%\Microsoft User Experience Virtualization\Agent\[architecture]\`, by default. + +- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings do not synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute.  You can also increase the 30 min default to a higher amount if necessary. + +- You do not need to disable the Template Auto Update scheduled task if you use another method to keep the clients’ templates in sync (i.e. Group Policy or Configuration Manager Baselines). Leaving the SettingsTemplateCatalog property value blank prevents UE-V from checking the settings catalog for custom templates. 
This scheduled task runs ApplySettingsCatalog.exe and will essentially return immediately. + +- The Monitor Application Settings scheduled task will update Windows app (AppX) settings in real time, based on Windows app program setting triggers built into each app. + +## Have a suggestion for UE-V? + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). + +## Related topics + +[Administering UE-V](uev-administering-uev.md) + +[Deploy UE-V for Custom Applications](uev-deploy-uev-for-custom-applications.md#deploycatalogue) diff --git a/windows/manage/uev-configuring-uev-with-group-policy-objects.md b/windows/manage/uev-configuring-uev-with-group-policy-objects.md new file mode 100644 index 0000000000..9bb13f98c6 --- /dev/null +++ b/windows/manage/uev-configuring-uev-with-group-policy-objects.md @@ -0,0 +1,199 @@ +--- +title: Configuring UE-V with Group Policy Objects +description: Configuring UE-V with Group Policy Objects +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Configuring UE-V with Group Policy Objects + + +Some User Experience Virtualization (UE-V) Group Policy settings can be defined for computers, and other Group Policy settings can be defined for users. The Group Policy administrative templates for these settings are included in Windows 10, version 1607. + + +The following policy settings can be configured for UE-V. + +**Group Policy settings** + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Group Policy setting nameTargetGroup Policy setting descriptionConfiguration options

    Do not use the sync provider

    Computers and Users

    By using this Group Policy setting, you can configure whether UE-V uses the sync provider feature. This policy setting also lets you enable notification to appear when the import of user settings is delayed.

    Enable this setting to configure the UE-V service not to use the sync provider.

    First Use Notification

    Computers Only

    This Group Policy setting enables a notification in the notification area that appears when the UE-V service runs for the first time.

    The default is enabled.

    Roam Windows settings

    Computers and Users

    This Group Policy setting configures the synchronization of Windows settings.

    Select which Windows settings synchronize between computers.

    +

    By default, Windows themes, desktop settings, and Ease of Access settings synchronize settings between computers of the same operating system version.

    Settings package size warning threshold

    Computers and Users

    This Group Policy setting lets you configure the UE-V service to report when a settings package file size reaches a defined threshold.

    Specify the preferred threshold for settings package sizes in kilobytes (KB).

    +

    By default, the UE-V service does not have a package file size threshold.

    Settings storage path

    Computers and Users

    This Group Policy setting configures where the user settings are to be stored.

    Enter a Universal Naming Convention (UNC) path and variables such as \\Server\SettingsShare\%username%.

    Settings template catalog path

    Computers Only

    This Group Policy setting configures where custom settings location templates are stored. This policy setting also configures whether the catalog is to be used to replace the default Microsoft templates that are installed with the UE-V service.

    Enter a Universal Naming Convention (UNC) path such as \\Server\TemplateShare or a folder location on the computer.

    +

    Select the check box to replace the default Microsoft templates.

    Sync settings over metered connections

    Computers and Users

    This Group Policy setting defines whether UE-V synchronizes settings over metered connections.

    By default, the UE-V service does not synchronize settings over a metered connection.

    Sync settings over metered connections even when roaming

    Computers and Users

    This Group Policy setting defines whether UE-V synchronizes settings over metered connections outside of the home provider network, for example, when the data connection is in roaming mode.

    By default, UE-V does not synchronize settings over a metered connection when it is in roaming mode.

    Synchronization timeout

    Computers and Users

    This Group Policy setting configures the number of milliseconds that the computer waits before a time-out when it retrieves user settings from the remote settings location. If the remote storage location is unavailable, and the user does not use the sync provider, the application start is delayed by this many milliseconds.

    Specify the preferred synchronization time-out in milliseconds. The default value is 2000 milliseconds.

    Tray Icon

    Computers Only

    This Group Policy setting enables the User Experience Virtualization (UE-V) tray icon.

    This setting only has an effect for UE-V 2.x and earlier. It has no effect for UE-V in Windows 10, version 1607.

    Use User Experience Virtualization (UE-V)

    Computers and Users

    This Group Policy setting lets you enable or disable User Experience Virtualization (UE-V).

    This setting only has an effect for UE-V 2.x and earlier. For UE-V in Windows 10, version 1607, use the **Enable UE-V** setting.

    Enable UE-V

    Computers and Users

    This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effect.

    This setting only has an effect for UE-V in Windows 10, version 1607. For UE-V 2.x and earlier, choose the **Use User Experience Virtualization (UE-V)** setting.

    + +  + +**Note**   +In addition, Group Policy settings are available for many desktop applications and Windows apps. You can use these settings to enable or disable settings synchronization for specific applications. + +  + +**Windows App Group Policy settings** + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Group Policy setting nameTargetGroup Policy setting descriptionConfiguration options

    Do not synchronize Windows Apps

    Computers and Users

    This Group Policy setting defines whether the UE-V service synchronizes settings for Windows apps.

    The default is to synchronize Windows apps.

    Windows App List

    Computer and User

    This setting lists the family package names of the Windows apps and states expressly whether UE-V synchronizes that app’s settings.

    You can use this setting to specify that settings of an app are never synchronized by UE-V, even if the settings of all other Windows apps are synchronized.

    Sync Unlisted Windows Apps

    Computer and User

    This Group Policy setting defines the default settings sync behavior of the UE-V service for Windows apps that are not explicitly listed in the Windows app list.

    By default, the UE-V service only synchronizes settings of those Windows apps that are included in the Windows app list.

    + +  + +For more information about synchronizing Windows apps, see [Windows App List](http://technet.microsoft.com/library/dn458925.aspx#win8applist). + +**To configure computer-targeted Group Policy settings** + +1. Use the Group Policy Management Console (GPMC) or the Advanced Group Policy Management (AGPM) on the computer that acts as a domain controller to manage Group Policy settings for UE-V computers. Navigate to **Computer configuration**, select **Policies**, select **Administrative Templates**, click **Windows Components**, and then select **Microsoft User Experience Virtualization**. + +2. Select the Group Policy setting to be edited. + +**To configure user-targeted Group Policy settings** + +1. Use the Group Policy Management Console (GPMC) or the Advanced Group Policy Management (AGPM) tool in Microsoft Desktop Optimization Pack (MDOP) on the domain controller computer to manage Group Policy settings for UE-V. Navigate to **User configuration**, select **Policies**, select **Administrative Templates**, click **Windows Components**, and then select **Microsoft User Experience Virtualization**. + +2. Select the edited Group Policy setting. + +The UE-V service uses the following order of precedence to determine synchronization. + +**Order of precedence for UE-V settings** + +1. User-targeted settings that are managed by Group Policy settings - These configuration settings are stored in the registry key by Group Policy under `HKEY_CURRENT_USER\Software\Policies\Microsoft\Uev\Agent\Configuration`. + +2. Computer-targeted settings that are managed by Group Policy settings - These configuration settings are stored in the registry key by Group Policy under `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Uev\Agent\Configuration`. + +3. 
Configuration settings that are defined by the current user by using Windows PowerShell or Windows management Instrumentation (WMI) - These configuration settings are stored by the UE-V service under this registry location: `HKEY_CURRENT_USER\Software\Microsoft\Uev\Agent\Configuration`. + +4. Configuration settings that are defined for the computer by using Windows PowerShell or WMI. These configuration settings are stored by the UE-V service under this registry location: `HKEY_LOCAL_MACHINE\Software\Microsoft\Uev\Agent\Configuration`. + +## Have a suggestion for UE-V? + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). + +## Related topics + + +[Administering UE-V](uev-administering-uev.md) + +[Manage Configurations for UE-V](uev-manage-configurations.md) diff --git a/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md new file mode 100644 index 0000000000..f6f6eb97fc --- /dev/null +++ b/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md 
@@ -0,0 +1,247 @@ +--- +title: Configuring UE-V with System Center Configuration Manager +description: Configuring UE-V with System Center Configuration Manager +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Configuring UE-V with System Center Configuration Manager + + +After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of System Center Configuration Manager (2012 SP1 or later) to apply consistent configurations across sites where UE-V and Configuration Manager are installed. + +## UE-V Configuration Pack supported features + + +The UE-V Configuration Pack includes tools to: + +- Create or update UE-V settings location template distribution baselines + + - Define UE-V templates to be registered or unregistered + + - Update UE-V template configuration items and baselines as templates are added or updated + + - Distribute and register UE-V templates using standard Configuration Item remediation + +- Create or update a UE-V Agent policy configuration item to set or clear these settings + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Max package size

    Enable/disable Windows app sync

    Wait for sync on application start

    Setting import delay

    Sync unlisted Windows apps

    Wait for sync on logon

    Settings import notification

    IT contact URL

    Wait for sync timeout

    Settings storage path

    IT contact descriptive text

    Settings template catalog path

    Sync enablement

    Tray icon enabled

    Start/Stop UE-V agent service

    Sync method

    First use notification

    Define which Windows apps will roam settings

    Sync timeout

    + +   + +- Verify compliance by confirming that UE-V is running. + +## Generate a UE-V service policy configuration item + + +All UE-V service policy and configuration is distributed through a single configuration item that is generated using the UevAgentPolicyGenerator.exe tool. This tool reads the desired configuration from an XML configuration file and creates a CI containing the discovery and remediation settings needed to bring the machine into compliance. + +The UE-V service policy configuration item CAB file is created using the UevTemplateBaselineGenerator.exe command line tool, which has these parameters: + +- Site <site code> + +- PolicyName <name> Optional: Defaults to “UE-V Agent Policy” if not present + +- PolicyDescription <description> Optional: A description is provided if not present + +- CabFilePath <full path to configuration item .CAB file> + +- ConfigurationFile <full path to agent configuration XML file> + +**Note**   +It might be necessary to change the PowerShell execution policy to allow these scripts to run in your environment. Perform these steps in the Configuration Manager console: + +1. Select **Administration > Client Settings > Properties** + +2. In the **User Agent** tab, set the **PowerShell Execution Policy** to **Bypass** + +  + +**Create the first UE-V policy configuration item** + +1. Copy the default settings configuration file from the UE-V Config Pack installation directory to a location visible to your ConfigMgr Admin Console: + + ``` syntax + C:\Program Files (x86)\Windows Kits\10\Microsoft User Experience Virtualization\Management\AgentConfiguration.xml + ``` + + The default configuration file contains five sections: + + **Computer Policy** + All UE-V machine level settings. 
The DesiredState attribute can be + + - **Set** to have the value assigned in the registry + + - **Clear** to remove the setting + + - **Unmanaged** to have the configuration item left at its current state + + Do not remove lines from this section. Instead, set the DesiredState to ‘Unmanaged’ if you do not want Configuration Manager to alter current or default values. + + **CurrentComputerUserPolicy** + All UE-V user level settings. These entries override the machine settings for a user. The DesiredState attribute can be + + - **Set** to have the value assigned in the registry + + - **Clear** to remove the setting + + - **Unmanaged** to have the configuration item left at its current state + + Do not remove lines from this section. Instead, set the DesiredState to ‘Unmanaged’ if you do not want Configuration Manager to alter current or default values. + + **Services** + Entries in this section control service operation. The default configuration file contains a single entry for the UevAgentService. The DesiredState attribute can be set to **Running** or **Stopped**. + + **Windows8AppsComputerPolicy** + All machine level Windows app synchronization settings. Each PackageFamilyName listed in this section can be assigned a DesiredState of + + - **Enabled** to have settings roam + + - **Disabled** to prevent settings from roaming + + - **Cleared** to have the entry removed from UE-V control + + Additional lines can be added to this section based on the list of installed Windows apps that can be viewed using the PowerShell cmdlet GetAppxPackage. + + **Windows8AppsCurrentComputerUserPolicy** + Identical to the Windows8AppsComputerPolicy with settings that override machine settings for an individual user. + +2. Edit the configuration file by changing the desired state and value fields. + +3. 
Run this command on a machine running the ConfigMgr Admin Console: + + ``` syntax + C:\Program Files (x86)\Microsoft User Experience Virtualization\ConfigPack\UevAgentPolicyGenerator.exe –Site ABC –CabFilePath “C:\MyCabFiles\UevPolicyItem.cab” –ConfigurationFile “c:\AgentConfiguration.xml” + ``` + +4. Import the CAB file using ConfigMgr console or PowerShell Import-CMConfigurationItem + +**Update a UE-V Policy Configuration Item** + +1. Edit the configuration file by changing the desired state and value fields. + +2. Run the command from Step 3 in [Create the First UE-V Policy Configuration Item](#create). If you changed the name with the PolicyName parameter, make sure you enter the same name. + +3. Reimport the CAB file. The version in ConfigMgr will be updated. + +## Generate a UE-V Template Baseline + + +UE-V templates are distributed using a baseline containing multiple configuration items. Each configuration item contains the discovery and remediation scripts needed to install one UE-V template. The actual UE-V template is embedded within the remediation script for distribution using standard Configuration Item functionality. + +The UE-V template baseline is created using the UevTemplateBaselineGenerator.exe command line tool, which has these parameters: + +- Site <site code> + +- BaselineName <name> (Optional: defaults to “UE-V Template Distribution Baseline” if not present) + +- BaselineDescription <description> (Optional: a description is provided if not present) + +- TemplateFolder <UE-V template folder> + +- Register <comma separated template file list> + +- Unregister <comma separated template list> + +- CabFilePath <Full path to baseline CAB file to generate> + +The result is a baseline CAB file that is ready for import into Configuration Manager. If at a future date, you update or add a template, you can rerun the command using the same baseline name. Importing the CAB results in CI version updates on the changed templates. 
+ +### Create the First UE-V Template Baseline + +1. Create a “master” set of UE-V templates in a stable folder location visible to the machine running your ConfigMgr Admin Console. As templates are added or updated, this folder is where they are pulled for distribution. The initial list of templates can be copied from a machine with UE-V installed. The default template location is C:\\Program Files\\Microsoft User Experience Virtualization\\Templates. + +2. Create a text.bat file where you can add the template generator command. This is optional, but will make regeneration simpler if you save the command parameters. + +3. Add the command and parameters to the .bat file that will generate the baseline. The following example creates a baseline that distributes Notepad and Calculator: + + ``` syntax + C:\Program Files (x86)\Microsoft User Experience Virtualization\ConfigPack\UevTemplateBaselineGenerator.exe –Site “ABC” –TemplateFolder “C:\ProductionUevTemplates” –Register “MicrosoftNotepad.xml, MicrosoftCalculator.xml” –CabFilePath “C:\MyCabFiles\UevTemplateBaseline.cab” + ``` + +4. Run the .bat file to create UevTemplateBaseline.cab ready for import into Configuration Manager. + +### Update a UE-V Template Baseline + +The template generator uses the template version to determine if a template should be updated. If you make a template change and update the version, the baseline generator compares the template in your master folder with the template contained in the CI on the ConfigMgr server. If a difference is found, the generated baseline and modified CI versions are updated. + +To distribute a new Notepad template, you would perform these steps: + +1. Update the template and template version located in the <Version> element of the template. + +2. Copy the template to your master template directory. + +3. Run the command in the .bat file that you created in Step 3 in [Create the First UE-V Template Baseline](#create2). + +4. 
Import the generated CAB file into ConfigMgr using the console or PowerShell Import-CMBaseline. + +## Get the UE-V Configuration Pack + + +The UE-V Configuration Pack for Configuration Manager 2012 SP1 or later can be downloaded [here](http://go.microsoft.com/fwlink/?LinkId=317263). + +## Have a suggestion for UE-V? + + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). + +## Related topics + + +[Manage Configurations for UE-V](uev-manage-configurations.md) + +  + +  + + + + + diff --git a/windows/manage/uev-deploy-required-features.md b/windows/manage/uev-deploy-required-features.md new file mode 100644 index 0000000000..c3324cab35 --- /dev/null +++ b/windows/manage/uev-deploy-required-features.md 
@@ -0,0 +1,156 @@
+---
+title: Deploy required UE-V features
+description: Deploy required UE-V features
+author: MaggiePucciEvans
+ms.pagetype: mdop, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# Deploy required UE-V features
+
+To get up and running with User Experience Virtualization (UE-V), install and configure the following features.
+
+- [Deploy a settings storage location](#deploy-a-ue-v-settings-storage-location) that is accessible to end users.
+
+ This is a standard network share that stores and retrieves user settings.
+
+- [Choose the configuration method for UE-V](#choose-the-configuration-method-for-ue-v)
+
+ You can deploy and configure UE-V with common management tools including group policy, Configuration Manager, or Windows Management Infrastructure and PowerShell.
+
+- [Enable the UE-V service](#enable-the-ue-v-service) on user devices.
+
+ With Windows 10, version 1607, UE-V is installed automatically. You need to enable the UE-V service on each user device you want to include in your UE-V environment.
+
+The topics in this section describe how to deploy these features.
+
+## Deploy a UE-V Settings Storage Location
+
+UE-V requires a location in which to store user settings in settings package files. You can configure this settings storage location in one of these ways:
+
+- Create your own settings storage location
+
+- Use existing Active Directory for your settings storage location
+
+> **Note**   As a matter of [performance and capacity planning](uev-prepare-for-deployment.md#performance-and-capacity-planning) and to reduce problems with network latency, create settings storage locations on the same local networks where the users’ devices reside. We recommend 20 MB of disk space per user for the settings storage location.
+
+### Create a UE-V Settings Storage Location
+
+Before you define the settings storage location, you must create a root directory with read/write permissions for users who store settings on the share. The UE-V service creates user-specific folders under this root directory.
+
+The settings storage location is defined by setting the SettingsStoragePath configuration option, which you can configure by using one of these methods:
+
+- Through [Group Policy](uev-configuring-uev-with-group-policy-objects.md) settings
+
+- With the [System Center Configuration Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V
+
+- With [Windows PowerShell or Windows Management Instrumentation (WMI)](uev-administering-uev-with-windows-powershell-and-wmi.md)
+
+ The path must be in a universal naming convention (UNC) path of the server and share. For example, **\\\\Server\\Settingsshare\\**. This configuration option supports the use of variables to enable specific synchronization scenarios. For example, you can use the %username%\\%computername% variables to preserve the end user settings experience in these scenarios:
+
+- End users that use multiple physical devices in your enterprise
+
+- Enterprise computers that are used by multiple end users
+
+The UE-V service dynamically creates a user-specific settings storage path, with a hidden system folder named **SettingsPackages**, based on the configuration setting of **SettingsStoragePath**. The service reads and writes settings to this location as defined by the registered UE-V settings location templates.
+
+**UE-V settings are determined by a "Last write wins" rule:** If the settings storage location is the same for a user with multiple managed computers, one UE-V service reads and writes to the settings location independently of services running on other computers. The last written settings and values are the ones applied when the service next reads from the settings storage location.
+
+**Deploy the settings storage location:** Follow these steps to define the settings storage location rather than using your existing Active Directory agent. You should limit access to the settings storage share to those users that require it, as shown in the tables below.
+
+**To deploy the UE-V network share**
+
+1. Create a new security group for UE-V users.
+
+2. Create a new folder on the centrally located computer that stores the UE-V settings packages, and then grant UE-V users access with group permissions to the folder. The administrator who supports UE-V must have permissions to this shared folder.
+
+3. Set the following share-level Server Message Block (SMB) permissions for the settings storage location folder.
+
+ | **User account** | **Recommended permissions** |
+ |------------------------------|-----------------------------|
+ | Everyone | No permissions |
+ | Security group of UE-V users | Full control |
+
+4. Set the following NTFS file system permissions for the settings storage location folder.
+
+ | **User account** | **Recommended permissions** | **Folder** |
+ |------------------------------|---------------------------------------------------|---------------------------|
+ | Creator/owner | Full control | Subfolders and files only |
+ | Security group of UE-V users | List folder/read data, create folders/append data | This folder only |
+
+With this configuration, the UE-V service creates and secures a Settingspackage folder while it runs in the context of the user, and grants each user permission to create folders for settings storage. Users receive full control to their Settingspackage folder while other users cannot access it.
+
+**Note**
+If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this additional security, specify this setting in the Windows Server Registry Editor:
+
+1. Add a **REG\_DWORD** registry key named **"RepositoryOwnerCheckEnabled"** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\UEV\\Agent\\Configuration**.
+
+2. Set the registry key value to *1*.
+
+### Use Active Directory with UE-V
+
+The UE-V service uses Active Directory (AD) by default if you don’t define a settings storage location. In these cases, the UE-V service dynamically creates the settings storage folder under the root of the AD home directory of each user. However, if a custom directory setting is configured in AD, then that directory is used instead.
+
+## Choose the Configuration Method for UE-V
+
+You’ll need to decide which configuration method you'll use to manage UE-V after deployment since this will be the configuration method you use to deploy the UE-V Agent. Typically, this is the configuration method that you already use in your environment, such as Windows PowerShell or Configuration Manager.
+
+You can configure UE-V before, during, or after you enable the UE-V service on user devices, depending on the configuration method that you use.
+
+- [**Group Policy**](uev-configuring-uev-with-group-policy-objects.md) You can use your existing Group Policy infrastructure to configure UE-V before or after you enable the UE-V service. The UE-V Group Policy ADMX template enables the central management of common UE-V service configuration options and includes settings to configure UE-V synchronization.
+
+ >**Note** Starting with Windows 10, version 1607, UE-V ADMX templates are installed automatically.
+
+ Group Policy ADMX templates configure the synchronization settings for the UE-V service and enable the central management of common UE-V service configuration settings by using an existing Group Policy infrastructure.
+
+ Supported operating systems for the domain controller that deploys the Group Policy Objects include:
+
+ Windows Server 2012 and Windows Server 2012 R2
+
+- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of System Center Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
+
+- [**Windows PowerShell and WMI**](uev-administering-uev-with-windows-powershell-and-wmi.md) You can use scripted commands for Windows PowerShell and Windows Management Instrumentation (WMI) to modify the configuration of the UE-V service.
+
+>**Note**
+Registry modification can result in data loss, or the computer becomes unresponsive. We recommend that you use other configuration methods.
+
+## Enable the UE-V service
+
+The UE-V service is the client-side component that captures user-personalized application and Windows settings and saves them in settings packages. Settings packages are built, locally stored, and copied to the settings storage location.
+
+Before enabling the UE-V service, you need to register the UE-V templates for first time use. In a PowerShell window, type **register-<TemplateName>** where **TemplateName** is the name of the UE-V template you want to register, and press ENTER.
+
+With Windows 10, version 1607 and later, the UE-V service is installed on user devices. Enable the service to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell.
+
+**To enable the UE-V service with Group Policy**
+
+1. Open the device’s **Group Policy Editor**.
+
+2. Navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft** **User Experience Virtualization**.
+
+3. Run **Enable UEV**.
+
+4. Restart the device.
+
+**To enable the UE-V service with Windows PowerShell**
+
+1. In a PowerShell window, type **Enable-UEV** and press ENTER.
+
+2. Restart the device.
+
+3. In a PowerShell window, type **Get-UEVStatus** and press ENTER to verify that the UE-V service was successfully enabled.
+
+## Have a suggestion for UE-V?
+
+Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/forums/home?forum=mdopuev).
+
+## Related topics
+
+[Prepare a UE-V deployment](uev-prepare-for-deployment.md)
+
+[Deploy UE-V for use with custom applications](uev-deploy-uev-for-custom-applications.md)
+
+[Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md)
+
diff --git a/windows/manage/uev-deploy-uev-for-custom-applications.md b/windows/manage/uev-deploy-uev-for-custom-applications.md
new file mode 100644
index 0000000000..120b0b4602
--- /dev/null
+++ b/windows/manage/uev-deploy-uev-for-custom-applications.md
@@ -0,0 +1,248 @@
+---
+title: Use UE-V with custom applications
+description: Use UE-V with custom applications
+author: MaggiePucciEvans
+ms.pagetype: mdop, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# Use UE-V with custom applications
+
+User Experience Virtualization (UE-V) uses XML files called ***settings location templates*** to monitor and synchronize application settings and Windows settings between user devices. By default, some settings location templates are included in UE-V. However, if you want to synchronize settings for desktop applications other than those included in the default templates, you can create your own custom settings location templates with the UE-V template generator.
+
+After you’ve reviewed [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) and decided that you want to synchronize settings for custom applications (third-party, line-of-business, e.g.), you’ll need to deploy the features of UE-V described in this topic.
+
+To start, here are the main steps required to synchronize settings for custom applications:
+
+- [Install the UE-V template generator](#install-the-uev-template-generator)
+
+ Use the UEV template generator to create custom XML settings location templates.
+
+- [Configure a UE-V settings template catalog](#deploy-a-settings-template-catalog)
+
+ You can define this path where custom settings location templates are stored.
+
+- [Create custom settings location templates](#create-custom-settings-location-templates)
+
+ These custom templates let users sync settings for custom applications.
+
+- [Deploy the custom settings location templates](#deploy-the-custom-settings-location-templates)
+
+ After you test the custom template to ensure that settings are synced correctly, you can deploy these templates in one of these ways:
+
+ - With your existing electronic software distribution solution, such as Configuration Manager
+
+ - With Group Policy preferences
+
+ - With a UE-V settings template catalog
+
+>**Note**
+Templates that are deployed with electronic software distribution methods or Group Policy must be registered with UE-V Windows Management Instrumentation (WMI) or Windows PowerShell.
+
+## Prepare to deploy UE-V for custom applications
+
+Before you start deploying the UE-V features that handle custom applications, review the following important information.
+
+### The UE-V template generator
+
+Use the UE-V template generator to monitor, discover, and capture the locations where Win32 applications store settings. The template generator does not create settings location templates for the following types of applications:
+
+- Virtualized applications
+
+- Applications that are offered through Terminal Services
+
+- Java applications
+
+- Windows applications
+
+>**Note**
+UE-V settings location templates cannot be created from virtualized applications or Terminal Services applications. However, settings that are synchronized by using the templates can be applied to those applications. To create templates that support Virtual Desktop Infrastructure (VDI) and Terminal Services applications, open a version of the Windows Installer (.msi) package of the application by using the UE-V template generator. For more information about synchronizing settings for virtual applications, see [Using UE-V with virtual applications](uev-using-uev-with-application-virtualization-applications.md).
+
+**Excluded Locations:** The discovery process excludes locations that commonly store application software files that do not synchronize settings well between user computers or computing environments. By default, these are excluded:
+
+- HKEY\_CURRENT\_USER registry keys and files to which the logged-on user cannot write values
+
+- HKEY\_CURRENT\_USER registry keys and files that are associated with the core functionality of the Windows operating system
+
+- All registry keys that are located in the HKEY\_LOCAL\_MACHINE hive
+
+- Files that are located in Program Files directories
+
+- Files that are located in Users \\ \[User name\] \\ AppData \\ LocalLow
+
+- Windows operating system files that are located in %Systemroot%
+
+If registry keys and files that are stored in excluded locations are required to synchronize application settings, you can manually add the locations to the settings location template during the template creation process.
+
+### Replace the default Microsoft templates
+
+A default group of settings location templates for common Microsoft applications and Windows settings is included with Windows 10, version 1607. If you customize these templates, or create settings location templates to synchronize settings for custom applications, the UE-V service can be configured to use a settings template catalog to store the templates. In this case, you will need to include the default templates with the custom templates in the settings template catalog.
+
+>**Important**
+After you enable the UE-V service, you’ll need to register the settings location templates using the `Register-UevTemplate` cmdlet in Windows PowerShell.
+
+When you use Group Policy to configure the settings template catalog path, you can choose to replace the default Microsoft templates. If you configure the policy settings to replace the default Microsoft templates, all of the default Microsoft templates that are installed with Windows 10, version 1607 are deleted and only the templates that are located in the settings template catalog are used.
+
+**Note**
+If there are customized templates in the settings template catalog that use the same ID as the default Microsoft templates, the Microsoft templates are ignored.
+
+You can replace the default templates by using the UE-V Windows PowerShell features. To replace the default Microsoft template with Windows PowerShell, unregister all of the default Microsoft templates, and then register the customized templates.
+
+Old settings packages remain in the settings storage location even if you deploy new settings location templates for an application. These packages are not read by the UE-V service, but neither are they automatically deleted.
+
+### Install the UEV template generator
+
+Use the UE-V template generator to create custom settings location templates that you can then distribute to user devices. You can also use the template generator to edit an existing template or validate a template that was created with another XML editor.
+
+The UE-V template generator is included in the Windows Assessment and Deployment Kit (ADK) for Windows 10.
+
+Install the UE-V template generator on a computer that you can use to create a custom settings location template. This computer should have the applications installed for which custom settings location templates need to be generated.
+
+>**Important**
+UE-V for Windows 10, version 1607 includes a new template generator. If you are upgrading from an existing UE-V installation, you’ll need to use the new generator to create settings location templates. Templates created with previous versions of the UE-V template generator will continue to work.
+
+**To install the UE-V template generator**
+
+1. Go to [Download the Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) to access the ADK.
+
+2. Select the **Get Windows ADK for Windows 10** button on this page to start the ADK installer. On the window pictured below, select **Microsoft User Experience Virtualization (UE-V) Template Generator** and then select Install.
+
+
+
+![Selecting UE-V features in ADK](images/uev-adk-select-uev-feature.png)
+
+3. To open the generator, select **Microsoft Application Virtualization Generator** from the **Start** menu.
+
+4. See [Working with Custom UE-V Templates and the UE-V Template Generator](uev-working-with-custom-templates-and-the-uev-generator.md) for information about how to use the template generator.
+
+### Deploy a settings template catalog
+
+The UE-V settings template catalog is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores all the custom settings location templates. The UE-V service checks this location one time each day and updates its synchronization behavior, based on the templates in this folder.
+
+The UE-V service checks this folder for templates that were added, updated, or removed. It registers new and changed templates and unregisters removed templates. By default, templates are registered and unregistered one time per day at 3:30 A.M. local time by the Task Scheduler and at system startup. To customize the frequency of this scheduled task, see [Changing the frequency of UE-V scheduled tasks](uev-changing-the-frequency-of-scheduled-tasks.md).
+
+You can configure the settings template catalog path with command-line options, Group Policy, WMI, or Windows PowerShell. Templates stored at the settings template catalog path are automatically registered and unregistered by a scheduled task.
+
+**To configure the settings template catalog for UE-V**
+
+1. Create a new folder on the computer that stores the UE-V settings template catalog.
+
+2. Set the following share-level (SMB) permissions for the settings template catalog folder.
+
+ | **User account** | **Recommended permissions** |
+ |------------------|------------------------------|
+ | Everyone | No Permissions |
+ | Domain Computers | Read Permission Levels |
+ | Administrators | Read/Write Permission Levels |
+
+3. Set the following NTFS file system permissions for the settings template catalog folder.
+
+ | **User account** | **Recommended permissions** | **Apply to** |
+ |------------------|-------------------------------|-----------------------------------|
+ | Creator/Owner | Full Control | This Folder, Subfolders and Files |
+ | Domain Computers | List Folder Contents and Read | This Folder, Subfolders and Files |
+ | Everyone | No Permissions | No Permissions |
+ | Administrators | Full Control | This Folder, Subfolders and Files |
+
+4. Click **OK** to close the dialog boxes.
+
+At a minimum, the network share must grant permissions for the Domain Computers group. In addition, grant access permissions for the network share folder to administrators who are to manage the stored templates.
+
+### Create custom settings location templates
+
+Use the UE-V template generator to create settings location templates for line-of-business applications or other custom applications. After you create the template for an application, deploy it to computers to synchronize settings for that application.
+
+**To create a UE-V settings location template with the UE-V template generator**
+
+1. Click **Start** > **All Programs** > **Microsoft User Experience Virtualization** > **Microsoft User Experience Virtualization template generator**.
+
+2. Click **Create a settings location template**.
+
+3. Specify the application. Browse to the file path of the application (.exe) or the application shortcut (.lnk) for which you want to create a settings location template. Specify the command-line arguments, if any, and working directory, if any.
+
+4. Click **Next** to continue.
+
+ >**Note** Before the application is started, the system displays a prompt for **User Account Control**. Permission is required to monitor the registry and file locations that the application uses to store settings.
+
+5. After the application starts, close the application. The UE-V template generator records the locations where the application stores its settings.
+
+6. After the process is completed, click **Next** to continue.
+
+7. Review and select the appropriate registry settings locations and settings file locations to synchronize for this application. The list includes the following two categories for settings locations:
+
+ - **Standard**: Application settings that are stored in the registry under the HKEY\_CURRENT\_USER keys or in the file folders under \\ **Users** \\ \[User name\] \\ **AppData** \\ **Roaming**. The UE-V template generator includes these settings by default.
+
+ - **Nonstandard**: Application settings that are stored outside the locations are specified in the best practices for settings data storage (optional). These include files and folders under **Users** \\ \[User name\] \\ **AppData** \\ **Local**. Review these locations to determine whether to include them in the settings location template. Select the locations check boxes to include them.
+
+8. Click **Next** to continue.
+
+9. Review and edit any **Properties**, **Registry** locations, and **Files** locations for the settings location template.
+
+ - Edit the following properties on the **Properties** tab:
+
+ - **Application Name**: The application name that is written in the description of the program files properties.
+
+ - **Program name**: The name of the program that is taken from the program file properties. This name usually has the .exe file name extension.
+
+ - **Product version**: The product version number of the .exe file of the application. This property, in conjunction with the **File version**, helps determine which applications are targeted by the settings location template. This property accepts a major version number. If this property is empty, the settings location template applies to all versions of the product.
+
+ - **File version**: The file version number of the .exe file of the application. This property, in conjunction with the **Product version**, helps determine which applications are targeted by the settings location template. This property accepts a major version number. If this property is empty, the settings location template applies to all versions of the program.
+
+ - **template author name** (optional): The name of the settings location template author.
+
+ - **template author email** (optional): The email address of the settings location template author.
+
+ - The **Registry** tab lists the **Key** and **Scope** of the registry locations that are included in the settings location template. Edit the registry locations by using the **Tasks** drop-down menu. Tasks enable you to add new keys, edit the name or scope of existing keys, delete keys, and browse the registry where the keys are located. Use the **All Settings** scope to include all the registry settings under the specified key. Use the **All Settings and Subkeys** to include all the registry settings under the specified key, subkeys, and subkey settings.
+
+ - The **Files** tab lists the file path and file mask of the file locations that are included in the settings location template. Edit the file locations by use of the **Tasks** drop-down menu. Tasks for file locations enable you to add new files or folder locations, edit the scope of existing files or folders, delete files or folders, and open the selected location in Windows Explorer. Leave the file mask empty to include all files in the specified folder.
+
+10. Click **Create**, and then click **Save** to save the settings location template on the computer.
+
+11. Click **Close** to close the settings template wizard. Exit the UE-V template generator application.
+
+12. After you have created the settings location template for an application, test the template. Deploy the template in a lab environment before you put it into production in the enterprise.
+
+See [Application template schema reference for UE-V](uev-application-template-schema-reference.md) for details about the XML structure of the UE-V settings location template and for guidance about editing these files.
+
+### Deploy the Custom Settings Location templates
+
+After you create a settings location template with the UE-V template generator, you should test it to ensure that the application settings are synchronized correctly. You can then safely deploy the settings location template to user devices in the enterprise.
+
+You can deploy settings location templates using of these methods:
+
+- An electronic software distribution (ESD) system such as System Center Configuration Manager
+
+- Group Policy preferences
+
+- A UE-V settings template catalog
+
+Templates that are deployed by using an ESD system or Group Policy objects must be registered using UE-V Windows Management Instrumentation (WMI) or Windows PowerShell. Templates that are stored in the settings template catalog location are automatically registered by the UE-V service.
+
+**To deploy UE-V settings location templates with a settings template catalog path**
+
+1. Browse to the network share folder that you defined as the settings template catalog.
+
+2. Add, remove, or update settings location templates in the settings template catalog to reflect the UE-V service template configuration that you want for UE-V computers.
+
+ >**Note**
+ Templates on computers are updated daily. The update is based on changes to the settings template catalog.
+
+3. To manually update templates on a computer that runs the UE-V service, open an elevated command prompt, and browse to **Program Files\\Microsoft User Experience Virtualization \\ Agent \\ <x86 or x64 >**, and then run **ApplySettingstemplateCatalog.exe**.
+
+ >**Note**
+ This program runs automatically during computer startup and daily at 3:30 A. M. to gather any new templates that were recently added to the catalog.
+
+## Have a suggestion for UE-V?
+
+Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
+
+## Related topics
+
+- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md)
+
+- [Deploy Required UE-V Features](uev-deploy-required-features.md)
+
diff --git a/windows/manage/uev-for-windows.md b/windows/manage/uev-for-windows.md
new file mode 100644
index 0000000000..96293f71db
--- /dev/null
+++ b/windows/manage/uev-for-windows.md
@@ -0,0 +1,95 @@ +--- +title: User Experience Virtualization for Windows 10, version 1607 +description: Overview of User Experience Virtualization for Windows 10, version 1607 +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# User Experience Virtualization (UE-V) for Windows 10 overview + +Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Windows Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. + +With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. + +**With UE-V you can…** + +- Specify which application and Windows settings synchronize across user devices + +- Deliver the settings anytime and anywhere users work throughout the enterprise + +- Create custom templates for your third-party or line-of-business applications + +- Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state + +With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. + +## Components of UE-V + +The diagram below illustrates how UE-V components work together to synchronize user settings. 
+ +UE-V architecture, with server share, desktop, and UE-V service + + + +| **Component** | **Function** | +|--------------------------|------------------| +| **UE-V service** | Enabled on every device that needs to synchronize settings, the **UE-V service** monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. | +| **Settings packages** | Application settings and Windows settings are stored in **settings packages** created by the UE-V service. Settings packages are built, locally stored, and copied to the settings storage location.
    The setting values for **desktop applications** are stored when the user closes the application.
    Values for **Windows settings** are stored when the user logs off, when the computer is locked, or when the user disconnects remotely from a computer.
    The sync provider determines when the application or operating system settings are read from the **Settings Packages** and synchronized. | +| **Settings storage location** | This is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. | +| **Settings location templates** | UE-V uses XML files as settings location templates to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by [managing settings synchronization for custom applications](#manage-settings-synchronization-for-custom-applications).
    **Note**  Settings location templates are not required for Windows applications. | +| **Universal Windows applications list** | Settings for Windows applications are captured and applied dynamically. The app developer specifies the settings that are synchronized for each app. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications.
    You can add or remove applications in the Windows app list by following the procedures in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). | + +## Manage settings synchronization for custom applications + +Use these UE-V components to create and manage custom templates for your third-party or line-of-business applications. + +| Component | Description | +|-------------------------------|---------------| +| **UE-V template generator** | Use the **UE-V template generator** to create custom settings location templates that you can then distribute to user computers. The UE-V template generator also lets you edit an existing template or validate a template that was created with a different XML editor.
    With the Windows 10, version 1607 release, the UE-V template generator is installed with the [Windows Assessment and Deployment kit for Windows 10, version 1607](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK).
    If you are upgrading from an existing UE-V installation, you’ll need to use the new generator to create new settings location templates. Application templates created with previous versions of the UE-V template generator are still supported, however. | +| **Settings template catalog** | The **settings template catalog** is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores the custom settings location templates. The UE-V service checks this location once a day, retrieves new or updated templates, and updates its synchronization behavior.
    If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see [Deploy a UE-V settings template catalog](uev-deploy-uev-for-custom-applications.md#deploycatalogue). | + + + +![UE-V template generator process](images/uev-generator-process.png) + +## Settings synchronized by default + +UE-V synchronizes settings for these applications by default. For a complete list and more detailed information, see [Settings that are automatically synchronized in a UE-V deployment](uev-prepare-for-deployment.md#autosyncsettings). + +- Microsoft Office 2016, 2013, and 2010 + +- Internet Explorer 11 and 10 + +- Many Windows applications, such as Xbox + +- Many Windows desktop applications, such as Notepad + +- Many Windows settings, such as desktop background or wallpaper + +>**Note** +You can also [customize UE-V to synchronize settings](uev-deploy-uev-for-custom-applications.md) for applications other than those synchronized by default. + +## Other resources for this feature + +- [Get Started with UE-V for Windows 10](uev-getting-started.md) + +- [UE-V for Windows 10 Release Notes](uev-release-notes-1607.md) + +- [Prepare to deploy UE-V for Windows 10](uev-prepare-for-deployment.md) + +- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) + +- [Administer UE-V for Windows 10](uev-administering-uev.md) + +- [Technical Reference for UE-V for Windows 10](uev-technical-reference.md) + +## Have a suggestion for UE-V? + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). diff --git a/windows/manage/uev-getting-started.md b/windows/manage/uev-getting-started.md new file mode 100644 index 0000000000..42fdafe047 --- /dev/null 
+++ b/windows/manage/uev-getting-started.md 
@@ -0,0 +1,139 @@ +--- +title: Get Started with UE-V +description: Get Started with UE-V +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Get Started with UE-V + +Applies to: Windows 10, version 1607 + +Follow the steps in this topic to deploy User Experience Virtualization (UE-V) for the first time in a test environment. Evaluate UE-V to determine whether it’s the right solution to manage user settings across multiple devices within your enterprise. + +>**Note** +The information in this section is explained in greater detail throughout the rest of the documentation. If you’ve already determined that UE-V is the right solution and you don’t need to further evaluate it, see [Prepare a UE-V deployment](uev-prepare-for-deployment.md). + +The standard installation of UE-V synchronizes the default Microsoft Windows and Office settings and many Windows applications settings. For best results, ensure that your test environment includes two or more user computers that share network access. + +- [Step 1: Confirm prerequisites](#step-1-confirm-prerequisites). Review the supported configurations in this section to verify that your environment is able to run UE-V. + +- [Step 2: Deploy the settings storage location](#step-2-deploy-the-settings-storage-location). Explains how to deploy a settings storage location. All UE-V deployments require a location to store settings packages that contain the synchronized setting values. + +- [Step 3: Enable the UE-V service](#step-3-enable-the-ue-v-service-on-user-devices). Explains how to enable to UE-V service on user devices. To synchronize settings using UE-V, devices must have the UE-V service enabled and running. + +- [Step 4: Test Your UE-V evaluation deployment](#step-4-test-your-ue-v-evaluation-deployment). Run a few tests on two computers with the UE-V service enabled to see how UE-V works and if it meets your organization’s needs. 
+ +- Step 5: Deploy UE-V for custom applications (optional). If you want to evaluate how your third-party and line-of-business applications work with UE-V, follow the steps in [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). Following this link takes you to another topic. Use your browser’s **Back** button to return to this topic. + +## Step 1: Confirm prerequisites + +Before you proceed, ensure that your environment meets the following requirements for running UE-V. + +| **Operating system** | **Edition** | **Service pack** | **System architecture** | **Windows PowerShell** | **Microsoft .NET Framework** | +|-------------------------|-------------|------------------|-------------------------|----------------------------------|------------------------------| +| Windows 10, version 1607 | Windows 10 Enterprise | NA | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4 or higher | +| Windows 8 and Windows 8.1 | Enterprise or Pro | None | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 | +| Windows Server 2012 or Windows Server 2012 R2 | Standard or Datacenter | None | 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 | + +## Step 2: Deploy the settings storage location + +You’ll need to deploy a settings storage location, a standard network share where user settings are stored in a settings package file. When you create the settings storage share, you should limit access to users that require it. [Deploy a settings storage location](https://technet.microsoft.com/library/dn458891.aspx#ssl) provides more detailed information. + +**Create a network share** + +1. Create a new security group and add UE-V users to it. + +2. Create a new folder on the centrally located computer that stores the UE-V settings packages, and then grant the UE-V users access with group permissions to the folder. The administrator who supports UE-V must have permissions to this shared folder. + +3. 
Assign UE-V users permission to create a directory when they connect. Grant full permission to all subdirectories of that directory, but block access to anything above. + +4. Set the following share-level Server Message Block (SMB) permissions for the settings storage location folder. + + | **User account** | **Recommended permissions** | + |------------------------------|-----------------------------| + | Everyone | No permissions | + | Security group of UE-V users | Full control | + +5. Set the following NTFS file system permissions for the settings storage location folder. + + | **User account** | **Recommended permissions** | **Folder** | + |------------------------------|---------------------------------------------------|---------------------------| + | Creator/owner | Full control | Subfolders and files only | + | Security group of UE-V users | List folder/read data, create folders/append data | This folder only | + +**Security Note**  If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this additional security, specify this setting in the Windows Server Registry Editor: + +1. Add a **REG\_DWORD** registry key named **"RepositoryOwnerCheckEnabled"** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\UEV\\Agent\\Configuration**. + +2. Set the registry key value to *1*. + +## Step 3: Enable the UE-V service on user devices + +For evaluation purposes, enable the service on at least two devices that belong to the same user in your test environment. + +The UE-V service is the client-side component that captures user-personalized application and Windows settings and saves them in settings packages. Settings packages are built, locally stored, and copied to the settings storage location. 
+ +Before enabling the UE-V service, you'll need to register the UE-V templates for first use. In a PowerShell window, type `register-TemplateName` where **TemplateName** is the name of the UE-V template you want to register, and press ENTER. + +With Windows 10, version 1607 and later, the UE-V service is installed on user devices when the operating system is installed. Enable the service to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell. + +**To enable the UE-V service with Group Policy** + +1. Open the device’s **Group Policy Editor**. + +2. Navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft** **User Experience Virtualization**. + +3. Run **Enable UEV**. + +4. Restart the device. + +**To enable the UE-V service with Windows PowerShell** + +1. In a PowerShell window, type **Enable-UEV** and press ENTER. + +2. Restart the device. + +3. In a PowerShell window, type **Get-UEVStatus** and press ENTER to verify that the UE-V service was successfully enabled. + +## Step 4: Test your UE-V evaluation deployment + +You’re ready to run a few tests on your UE-V evaluation deployment to see how UE-V works. + +1. On the first device (Computer A), make one or more of these changes: + + - Open Windows Desktop and move the taskbar to a different location in the window. + + - Change the default fonts. + + - Open Notepad and set format -> word wrap **on**. + + - Change the behavior of any Windows application, as detailed in [Managing UE-V settings location templates using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). + + - Disable Microsoft Account settings synchronization and roaming profiles. + +2. Log off Computer A. Settings are saved in a UE-V settings package when users lock, logoff, exit an application, or when the sync provider runs (every 30 minutes by default). + +3. 
Log in to the second device (Computer B) as the same user as Computer A. + +4. Open Windows Desktop and verify that the taskbar location matches that of Computer A. Verify that the default fonts match and that NotePad is set to **word wrap on**. Also verify the change you made to any Windows applications. + +5. You can change the settings in Computer B back to the original Computer A settings. Then log off Computer B and log in to Computer A to verify the changes. + +Other resources for this feature +-------------------------------- + +- [User Experience Virtualization overview](uev-for-windows.md) + +- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) + +- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) + +- [Administering UE-V ](uev-administering-uev.md) + +- [Troubleshooting UE-V ](uev-troubleshooting.md) + +- [Technical Reference for UE-V](uev-technical-reference.md) diff --git a/windows/manage/uev-manage-administrative-backup-and-restore.md b/windows/manage/uev-manage-administrative-backup-and-restore.md new file mode 100644 index 0000000000..61f024d919 --- /dev/null +++ b/windows/manage/uev-manage-administrative-backup-and-restore.md 
@@ -0,0 +1,168 @@ +--- +title: Manage Administrative Backup and Restore in UE-V +description: Manage Administrative Backup and Restore in UE-V +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Manage Administrative Backup and Restore in UE-V + +As an administrator of User Experience Virtualization (UE-V), you can restore application and Windows settings to their original state. You can also restore additional settings when a user adopts a new device. + +## Restore Settings in UE-V when a User Adopts a New Device + + +To restore settings when a user adopts a new device, you can put a settings location template in **backup** or **roam (default)** profile using the Set-UevTemplateProfile PowerShell cmdlet. This lets computer settings sync to the new computer, in addition to user settings. Templates assigned to the backup profile are backed up for that device and configured on a per-device basis. To backup settings for a template, use the following cmdlet in Windows PowerShell: + +``` syntax +Set-UevTemplateProfile -ID -Profile +``` + +- <TemplateID> is the UE-V Template ID + +- <backup> can either be Backup or Roaming + +When replacing a user’s device, UE-V automatically restores settings if the user’s domain, username, and device name all match. All synchronized and any backup data is restored on the device automatically. + +You can also use the Windows PowerShell cmdlet, Restore-UevBackup, to restore settings from a different device. To clone the settings packages for the new device, use the following cmdlet in Windows PowerShell: + +``` syntax +Restore-UevBackup –Machine +``` + +where <MachineName> is the computer name of the device. + +Templates such as the Office 2013 template that include many applications can either all be included in the roamed (default) or backed up profile. Individual apps in a template suite follow the group. 
Office 2013 in-box templates include both roaming and backup-only settings. Backup-only settings cannot be included in a roaming profile. + +As part of the Backup/Restore feature, UE-V added **last known good (LKG)** to the options for rolling back to settings. In this release, you can roll back to either the original settings or LKG settings. The LKG settings let users roll back to an intermediate and stable point ahead of the pre-UE-V state of the settings. + +### How to Backup/Restore Templates with UE-V + +These are the key backup and restore components of UE-V: + +- Template profiles + +- Settings packages location within the Settings Storage Location template + +- Backup trigger + +- How settings are restored + +**Template Profiles** + +A UE-V template profile is defined when the template is registered on the device or post registration through the PowerShell/WMI configuration utility. The profile types include: + +- Roaming (default) + +- Backup + +- BackupOnly + +All templates are included in the roaming profile when registered unless otherwise specified. These templates synchronize settings to all UE-V enabled devices with the corresponding template enabled. + +Templates can be added to the Backup Profile with PowerShell or WMI using the Set-UevTemplateProfile cmdlet. Templates in the Backup Profile back up these settings to the Settings Storage Location in a special Device name directory. Specified settings are backed up to this location. + +Templates designated BackupOnly include settings specific to that device that should not be synchronized unless explicitly restored. These settings are stored in the same device-specific settings package location on the settings storage location as the Backedup Settings. These templates have a special identifier embedded in the template that specifies they should be part of this profile. 
+ +**Settings packages location within the Settings Storage Location template** + +Roaming Profile settings are stored on the settings storage location. Templates assigned to the Backup or the BackupOnly profile store their settings to the Settings Storage Location in a special Device name directory. Each device with templates in these profiles has its own device name. UE-V does not clean up these directories. + +**Backup trigger** + +Backup is triggered by the same events that trigger a UE-V synchronization. + +**How settings are restored** + +Restoring a user’s device restores the currently registered Template’s settings from another device’s backup folder and all synchronized settings to the current machine. Settings are restored in these two ways: + +- **Automatic restore** + + If the user’s UE-V settings storage path, domain, and Computer name match the current user then all of the settings for that user are synchronized, with only the latest settings applied. If a user logs on to a new device for the first time and these criteria are met, the settings data is applied to that device. + + **Note**   + Accessibility and Windows Desktop settings require the user to re-logon to Windows to be applied. + +   + +- **Manual Restore** + + If you want to assist users by restoring a device during a refresh, you can choose to use the Restore-UevBackup cmdlet. This command ensures that the user’s current settings become the current state on the Settings Storage Location. + +## Restore Application and Windows Settings to Original State + + +WMI and Windows PowerShell commands let you restore application and Windows settings to the settings values that were on the computer the first time that the application started after the UE-V service was enabled. This restoring action is performed on a per-application or Windows settings basis. The settings are restored the next time that the application runs, or the settings are restored when the user logs on to the operating system. 
+ +**To restore application settings and Windows settings with Windows PowerShell for UE-V** + +1. Open the Windows PowerShell window. + +2. Enter the following Windows PowerShell cmdlet to restore the application settings and Windows settings. + + + + + + + + + + + + + + + + + + +
    Windows PowerShell cmdletDescription

    Restore-UevUserSetting -<TemplateID>

    Restores the user settings for an application or restores a group of Windows settings.

    + +   + +**To restore application settings and Windows settings with WMI** + +1. Open a Windows PowerShell window. + +2. Enter the following WMI command to restore application settings and Windows settings. + + + + + + + + + + + + + + + + + + +
    WMI commandDescription

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class UserSettings -Name RestoreByTemplateId -ArgumentList <template_ID>

    Restores the user settings for an application or restores a group of Windows settings.

    + +   + + **Note**   + UE-V does not provide a settings rollback for Windows apps. + +   + +## Have a suggestion for UE-V? + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). + +## Related topics + +[Administering UE-V with Windows PowerShell and WMI](uev-administering-uev-with-windows-powershell-and-wmi.md) + +[Administering UE-V](uev-administering-uev.md) diff --git a/windows/manage/uev-manage-configurations.md b/windows/manage/uev-manage-configurations.md new file mode 100644 index 0000000000..bfcb65c039 --- /dev/null +++ b/windows/manage/uev-manage-configurations.md 
@@ -0,0 +1,67 @@ +--- +title: Manage Configurations for UE-V +description: Manage Configurations for UE-V +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Manage Configurations for UE-V + + +In the course of the User Experience Virtualization (UE-V) lifecycle, you have to manage the configuration of the UE-V service and also manage storage locations for resources such as settings package files. The following topics provide guidance for managing these UE-V resources. + +## Configuring UE-V by using Group Policy Objects + +You can use Group Policy Objects to modify the settings that define how UE-V synchronizes settings on computers. + +[Configuring UE-V with Group Policy Objects](uev-configuring-uev-with-group-policy-objects.md) + +## Configuring UE-V with System Center Configuration Manager + +You can use System Center Configuration Manager to manage the UE-V service by using the UE-V Configuration Pack. + +[Configuring UE-V with System Center Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md) + +## Administering UE-V with PowerShell and WMI + +UE-V provides Windows PowerShell cmdlets, which can help administrators perform various UE-V tasks. + +[Administering UE-V with Windows PowerShell and WMI](uev-administering-uev-with-windows-powershell-and-wmi.md) + +## Examples of configuration settings for UE-V + +Here are some examples of UE-V configuration settings: + +- **Settings Storage Path:** Specifies the location of the file share that stores the UE-V settings. + +- **Settings Template Catalog Path:** Specifies the Universal Naming Convention (UNC) path that defines the location that was checked for new settings location templates. + +- **Register Microsoft Templates:** Specifies whether the default Microsoft templates should be registered during installation. 
+ +- **Synchronization Method:** Specifies whether UE-V uses the sync provider or "none". The "SyncProvider" supports computers that are disconnected from the network. "None" applies when the computer is always connected to the network. For more information about the Sync Method, see [Sync Methods for UE-V](uev-sync-methods.md). + +- **Synchronization Timeout:** Specifies the number of milliseconds that the computer waits before time-out when it retrieves the user settings from the settings storage location. + +- **Synchronization Enable:** Specifies whether the UE-V settings synchronization is enabled or disabled. + +- **Maximum Package Size:** Specifies a settings package file threshold size in bytes at which the UE-V service reports a warning. + +- **Don’t Sync Windows App Settings:** Specifies that UE-V should not synchronize Windows apps. + +- **Enable/Disable First Use Notification:** Specifies whether UE-V displays a dialog box the first time that the UE-V service runs on a user’s computer. + +## Have a suggestion for UE-V? + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). + +## Related topics + +[Administering UE-V](uev-administering-uev.md) + +[Deploy Required UE-V Features](uev-deploy-required-features.md) + +[Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md) diff --git a/windows/manage/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/manage/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md new file mode 100644 index 0000000000..e28ebdbf9e --- /dev/null +++ b/windows/manage/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md 
@@ -0,0 +1,337 @@ +--- +title: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI +description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Managing UE-V Settings Location Templates Using Windows PowerShell and WMI + + +User Experience Virtualization (UE-V) uses XML settings location templates to define the settings that User Experience Virtualization captures and applies. UE-V includes a set of standard settings location templates. It also includes the UE-V template generator tool that enables you to create custom settings location templates. After you create and deploy settings location templates, you can manage those templates by using Windows PowerShell and the Windows Management Instrumentation (WMI). For a complete list of UE-V PowerShell cmdlets, see [UE-V 2 Cmdlet Reference](https://technet.microsoft.com/library/dn520275.aspx). + +## Manage UE-V settings location templates by using Windows PowerShell + + +The WMI and Windows PowerShell features of UE-V include the ability to enable, disable, register, update, and unregister settings location templates. By using these features, you can automate the process of registering, updating, or unregistering templates with the UE-V service. You can also manually register templates by using WMI and Windows PowerShell commands. By using these features in conjunction with an electronic software distribution solution, Group Policy, or another automated deployment method such as a script, you can further automate that process. + +You must have administrator permissions to update, register, or unregister a settings location template. Administrator permissions are not required to enable, disable, or list templates. + +****To manage settings location templates by using Windows PowerShell**** + +1. 
Use an account with administrator rights to open a Windows PowerShell command prompt. + +2. Use the following Windows PowerShell cmdlets to register and manage the UE-V settings location templates. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows PowerShell commandDescription

    Get-UevTemplate

    Lists all the settings location templates that are registered on the computer.

    Get-UevTemplate –Application <string>

    Lists all the settings location templates that are registered on the computer where the application name or template name contains <string>.

    Get-UevTemplate –TemplateID <string>

    Lists all the settings location templates that are registered on the computer where the template ID contains <string>.

    Get-UevTemplate [-ApplicationOrTemplateID] <string>

    Lists all the settings location templates that are registered on the computer where the application or template name, or template ID contains <string>.

    Get-UevTemplateProgram [-ID] <template ID>

    Gets the name of the program and version information, which depend on the template ID.

    Get-UevAppXPackage

    Gets the effective list of Windows apps.

    Get-UevAppXPackage -Computer

    Gets the list of Windows apps that are configured for the computer.

    Get-UevAppXPackage -CurrentComputerUser

    Gets the list of Windows apps that are configured for the current user.

    Register-UevTemplate [-Path] <template file path>[,<template file path>]

    Registers one or more settings location template with UE-V by using relative paths and/or wildcard characters in file paths. After a template is registered, UE-V synchronizes the settings that are defined in the template between computers that have the template registered.

    Register-UevTemplate –LiteralPath <template file path>[,<template file path>]

    Registers one or more settings location template with UE-V by using literal paths, where no characters can be interpreted as wildcard characters. After a template is registered, UE-V synchronizes the settings that are defined in the template between computers that have the template registered.

    Unregister-UevTemplate [-ID] <template ID>

    Unregisters a settings location template with UE-V. When a template is unregistered, UE-V no longer synchronizes the settings that are defined in the template between computers.

    Unregister-UevTemplate -All

    Unregisters all settings location templates with UE-V. When a template is unregistered, UE-V no longer synchronizes the settings that are defined in the template between computers.

    Update-UevTemplate [-Path] <template file path>[,<template file path>]

    Updates one or more settings location templates with a more recent version of the template. Use relative paths and/or wildcard characters in the file paths. The new template should be a newer version than the existing template.

    Update-UevTemplate –LiteralPath <template file path>[,<template file path>]

    Updates one or more settings location templates with a more recent version of the template. Use full paths to template files, where no characters can be interpreted as wildcard characters. The new template should be a newer version than the existing template.

    Clear-UevAppXPackage –Computer [-PackageFamilyName] <package family name>[,<package family name>]

    Removes one or more Windows apps from the computer Windows app list.

    Clear-UevAppXPackage -CurrentComputerUser

    Removes Windows app from the current user Windows app list.

    Clear-UevAppXPackage –Computer -All

    Removes all Windows apps from the computer Windows app list.

    Clear-UevAppXPackage [–CurrentComputerUser] [-PackageFamilyName] <package family name>[,<package family name>]

    Removes one or more Windows apps from the current user Windows app list.

    Clear-UevAppXPackage [–CurrentComputerUser] -All

    Removes all Windows apps from the current user Windows app list.

    Disable-UevTemplate [-ID] <template ID>

    Disables a settings location template for the current user of the computer.

    Disable-UevAppXPackage –Computer [-PackageFamilyName] <package family name>[,<package family name>]

    Disables one or more Windows apps in the computer Windows app list.

    Disable-UevAppXPackage [–CurrentComputerUser] [-PackageFamilyName] <package family name>[,<package family name>]

    Disables one or more Windows apps in the current user Windows app list.

    Enable-UevTemplate [-ID] <template ID>

    Enables a settings location template for the current user of the computer.

    Enable-UevAppXPackage –Computer [-PackageFamilyName] <package family name>[,<package family name>]

    Enables one or more Windows apps in the computer Windows app list.

    Enable-UevAppXPackage [–CurrentComputerUser] [-PackageFamilyName] <package family name>[,<package family name>]

    Enables one or more Windows apps in the current user Windows app list.

    Test-UevTemplate [-Path] <template file path>[,<template file path>]

    Determines whether one or more settings location templates comply with its XML schema. Can use relative paths and wildcard characters.

    Test-UevTemplate –LiteralPath <template file path>[,<template file path>]

    Determines whether one or more settings location templates comply with its XML schema. The path must be a full path to the template file, but does not include wildcard characters.

    + +   + +The UE-V Windows PowerShell features enable you to manage a group of settings templates that are deployed in your enterprise. Use the following procedure to manage a group of templates by using Windows PowerShell. + +**To manage a group of settings location templates by using Windows PowerShell** + +1. Modify or update the desired settings location templates. + +2. If you want to modify or update the settings location templates, deploy those settings location templates to a folder that is accessible to the local computer. + +3. On the local computer, open a Windows PowerShell window with administrator rights. + +4. Unregister all the previously registered versions of the templates by typing the following command. + + ``` syntax + Unregister-UevTemplate -All + ``` + + This command unregisters all active templates on the computer. + +5. Register the updated templates by typing the following command. + + ``` syntax + Register-UevTemplate \*.xml + ``` + + This command registers all of the settings location templates that are located in the specified template folder. + +### Windows app list + +By listing a Windows app in the Windows app list, you specify whether that app is enabled or disabled for settings synchronization. Apps are identified in the list by their Package Family name and whether settings synchronization should be enabled or disabled for that app. When you use these settings along with the Unlisted Default Sync Behavior setting, you can control whether Windows apps are synchronized. 
+ +To display the Package Family Name of installed Windows apps, at a Windows PowerShell command prompt, enter: + +``` syntax +Get-AppxPackage | Sort-Object PackageFamilyName | Format-Table PackageFamilyName +``` + +To display a list of Windows apps that can synchronize settings on a computer with their package family name, enabled status, and enabled source, at a Windows PowerShell command prompt, enter: `Get-UevAppxPackage` + +**Definitions of Get-UevAppxPackage properties** + +**PackageFamilyName** +The name of the package that is installed for the current user. + +**Enabled** +Defines whether the settings for the app are configured to synchronize. + +**EnabledSource** +The location where the configuration that enables or disables the app is set. Possible values are: *NotSet*, *LocalMachine*, *LocalUser*, *PolicyMachine*, and *PolicyUser*. + +**NotSet** +The policy is not configured to synchronize this app. + +**LocalMachine** +The enabled state is set in the local computer section of the registry. + +**LocalUser** +The enabled state is set in the current user section of the registry. + +**PolicyMachine** +The enabled state is set in the policy section of the local computer section of the registry. + +To get the user-configured list of Windows apps, at the Windows PowerShell command prompt, enter: `Get-UevAppxPackage –CurrentComputerUser` + +To get the computer-configured list of Windows apps, at the Windows PowerShell command prompt, enter: `Get-UevAppxPackage –Computer` + +For either parameter, CurrentComputerUser or Computer, the cmdlet returns a list of the Windows apps that are configured at the user or at the computer level. + +**Definitions of properties** + +**PackageFamilyName** +The name of the package that is installed for the current user. + +**Enabled** +Defines whether the settings for the app are configured to synchronize for the specified switch, that is, **user** or **computer**. 
+ +**Installed** +True if the app, that is, the PackageFamilyName is installed for the current user. + +### Manage UE-V settings location templates by using WMI + +User Experience Virtualization provides the following set of WMI commands. Administrators can use these interfaces to manage settings location templates from Windows PowerShell and automate template administrative tasks. + +**To manage settings location templates by using WMI** + +1. Use an account with administrator rights to open a Windows PowerShell window. + +2. Use the following WMI commands to register and manage the UE-V settings location templates. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows PowerShell commandDescription

    Get-WmiObject -Namespace root\Microsoft\UEV SettingsLocationTemplate | Select-Object TemplateId,TemplateName, TemplateVersion,Enabled | Format-Table -Autosize

    Lists all the settings location templates that are registered for the computer.

    Invoke-WmiMethod –Namespace root\Microsoft\UEV –Class SettingsLocationTemplate –Name GetProcessInfoByTemplateId <template Id>

    Gets the name of the program and version information, which depends on the template name.

    Get-WmiObject -Namespace root\Microsoft\UEV EffectiveWindows8App

    Gets the effective list of Windows apps.

    Get-WmiObject -Namespace root\Microsoft\UEV MachineConfiguredWindows8App

    Gets the list of Windows apps that are configured for the computer.

    Get-WmiObject -Namespace root\Microsoft\UEV UserConfiguredWindows8App

    Gets the list of Windows apps that are configured for the current user.

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class SettingsLocationTemplate -Name Register -ArgumentList <template path >

    Registers a settings location template with UE-V.

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class SettingsLocationTemplate -Name UnregisterByTemplateId -ArgumentList <template ID>

    Unregisters a settings location template with UE-V. As soon as a template is unregistered, UE-V no longer synchronizes the settings that are defined in the template between computers.

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class SettingsLocationTemplate -Name Update -ArgumentList <template path>

    Updates a settings location template with UE-V. The new template should be a newer version than the existing one.

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class MachineConfiguredWindows8App -Name RemoveApp -ArgumentList <package family name | package family name>

    Removes one or more Windows apps from the computer Windows app list.

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class UserConfiguredWindows8App -Name RemoveApp -ArgumentList <package family name | package family name>

    Removes one or more Windows apps from the current user Windows app list.

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class SettingsLocationTemplate -Name DisableByTemplateId -ArgumentList <template ID>

    Disables one or more settings location templates with UE-V.

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class MachineConfiguredWindows8App -Name DisableApp -ArgumentList <package family name | package family name>

    Disables one or more Windows apps in the computer Windows app list.

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class UserConfiguredWindows8App -Name DisableApp -ArgumentList <package family name | package family name>

    Disables one or more Windows apps in the current user Windows app list.

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class SettingsLocationTemplate -Name EnableByTemplateId -ArgumentList <template ID>

    Enables a settings location template with UE-V.

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class MachineConfiguredWindows8App -Name EnableApp -ArgumentList <package family name | package family name>

    Enables Windows apps in the computer Windows app list.

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class UserConfiguredWindows8App -Name EnableApp -ArgumentList <package family name | package family name>

    Enables Windows apps in the current user Windows app list.

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class SettingsLocationTemplate -Name Validate -ArgumentList <template path>

    Determines whether a given settings location template complies with its XML schema.

    + +**Note**   +Where a list of Package Family Names is called by the WMI command, the list must be in quotes and separated by a pipe symbol, for example, `""`. + +## Have a suggestion for UE-V? + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). + +## Related topics + +[Administering UE-V with Windows PowerShell and WMI](uev-administering-uev-with-windows-powershell-and-wmi.md) + +[Administering UE-V](uev-administering-uev.md) diff --git a/windows/manage/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/manage/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md new file mode 100644 index 0000000000..fc1134e656 --- /dev/null +++ b/windows/manage/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md 
@@ -0,0 +1,348 @@ +--- +title: Managing the UE-V Service and Packages with Windows PowerShell and WMI +description: Managing the UE-V service and packages with Windows PowerShell and WMI +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Managing the UE-V service and packages with Windows PowerShell and WMI + +You can use Windows Management Instrumentation (WMI) and Windows PowerShell to manage User Experience Virtualization (UE-V) service configuration and synchronization behavior. For a complete list of UE-V PowerShell cmdlets, see [UE-V Cmdlet Reference](https://technet.microsoft.com/library/dn520275.aspx). + + +## To configure the UE-V service with Windows PowerShell + +1. Open a Windows PowerShell window. To manage computer settings that affect all users of the computer by using the *Computer* parameter, open the window with an account that has administrator rights. + +2. Use the following Windows PowerShell commands to configure the service. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows PowerShell commandDescription

    Enable-UEV

    +

    Turns on the UE-V service. Requires reboot.

    Disable-UEV

    Turns off the UE-V service. Requires reboot.

    Get-UevStatus

    Displays whether UE-V service is enabled or disabled, using a Boolean value.

    Get-UevConfiguration

    +

    Gets the effective UE-V service settings. User-specific settings have precedence over the computer settings.

    Get-UevConfiguration -CurrentComputerUser

    +

    Gets the UE-V service settings values for the current user only.

    Get-UevConfiguration -Computer

    Gets the UE-V service configuration settings values for all users on the computer.

    Get-UevConfiguration -Details

    Gets the details for each configuration setting. Displays where the setting is configured or if it uses the default value. Is displayed if the current setting is valid.

    Set-UevConfiguration -Computer –EnableDontSyncWindows8AppSettings

    Configures the UE-V service to not synchronize any Windows apps for all users on the computer.

    Set-UevConfiguration -CurrentComputerUser – EnableDontSyncWindows8AppSettings

    Configures the UE-V service to not synchronize any Windows apps for the current computer user.

    Set-UevConfiguration -Computer –EnableFirstUseNotification

    Configures the UE-V service to display notification the first time the service runs for all users on the computer.

    Set-UevConfiguration -Computer –DisableFirstUseNotification

    Configures the UE-V service to not display notification the first time that the service runs for all users on the computer.

    Set-UevConfiguration -Computer –EnableSettingsImportNotify

    Configures the UE-V service to notify all users on the computer when settings synchronization is delayed.

    +

    Use the DisableSettingsImportNotify parameter to disable notification.

    Set-UevConfiguration -CurrentComputerUser -EnableSettingsImportNotify

    Configures the UE-V service to notify the current user when settings synchronization is delayed.

    +

    Use the DisableSettingsImportNotify parameter to disable notification.

    Set-UevConfiguration -Computer –EnableSyncUnlistedWindows8Apps

    Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V 2.x Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).

    +

    Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.

    Set-UevConfiguration -CurrentComputerUser - EnableSyncUnlistedWindows8Apps

    Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V 2.x Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).

    +

    Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.

    Set-UevConfiguration –Computer –DisableSync

    Disables UE-V for all the users on the computer.

    +

    Use the EnableSync parameter to enable or re-enable.

    Set-UevConfiguration –CurrentComputerUser -DisableSync

    Disables UE-V for the current user on the computer.

    +

    Use the EnableSync parameter to enable or re-enable.

    Set-UevConfiguration -Computer –EnableTrayIcon

    Enables the UE-V icon in the notification area for all users of the computer.

    +

    Use the DisableTrayIcon parameter to disable the icon.

    Set-UevConfiguration -Computer -MaxPackageSizeInBytes <size in bytes>

    Configures the UE-V service to report when a settings package file size reaches the defined threshold for all users on the computer. Sets the threshold package size in bytes.

    Set-UevConfiguration -CurrentComputerUser -MaxPackageSizeInBytes <size in bytes>

    Configures the UE-V service to report when a settings package file size reaches the defined threshold. Sets the package size warning threshold for the current user.

    Set-UevConfiguration -Computer -SettingsImportNotifyDelayInSeconds

    Specifies the time in seconds before the user is notified for all users of the computer

    Set-UevConfiguration -CurrentComputerUser -SettingsImportNotifyDelayInSeconds

    Specifies the time in seconds before notification for the current user is sent.

    Set-UevConfiguration -Computer -SettingsStoragePath <path to _settings_storage_location>

    Defines a per-computer settings storage location for all users of the computer.

    Set-UevConfiguration -CurrentComputerUser -SettingsStoragePath <path to _settings_storage_location>

    Defines a per-user settings storage location.

    Set-UevConfiguration –Computer –SettingsTemplateCatalogPath <path to catalog>

    Sets the settings template catalog path for all users of the computer.

    Set-UevConfiguration -Computer -SyncMethod <sync method>

    Sets the synchronization method for all users of the computer: SyncProvider or None.

    Set-UevConfiguration -CurrentComputerUser -SyncMethod <sync method>

    Sets the synchronization method for the current user: SyncProvider or None.

    Set-UevConfiguration -Computer -SyncTimeoutInMilliseconds <timeout in milliseconds>

    Sets the synchronization time-out in milliseconds for all users of the computer

    Set-UevConfiguration -CurrentComputerUser -SyncTimeoutInMilliseconds <timeout in milliseconds>

    Set the synchronization time-out for the current user.

    Clear-UevConfiguration –Computer -<setting name>

    Clears the specified setting for all users on the computer.

    Clear-UevConfiguration –CurrentComputerUser -<setting name>

    Clears the specified setting for the current user only.

    Export-UevConfiguration <settings migration file>

    Exports the UE-V computer configuration to a settings migration file. The file name extension must be .uev.

    +

    The Export cmdlet exports all UE-V service settings that are configurable with the Computer parameter.

    Import-UevConfiguration <settings migration file>

    Imports the UE-V computer configuration from a settings migration file. The file name extension must be .uev.

    + +   + +## To export UE-V package settings and repair UE-V templates with Windows PowerShell + +1. Open a Windows PowerShell window as an administrator. + +2. Use the following Windows PowerShell commands to configure the service. + + + + + + + + + + + + + + + + + + + + +

    Windows PowerShell command

    Description

    Export-UevPackage MicrosoftNotepad.pkgx

    Extracts the settings from a Microsoft Notepad package file and converts them into a human-readable format in XML.

    Repair-UevTemplateIndex

    Repairs the index of the UE-V settings location templates.

    + +## To configure the UE-V service with WMI + +1. User Experience Virtualization provides the following set of WMI commands. Administrators can use this interface to configure the UE-V service at the command line and automate typical configuration tasks. + + Use an account with administrator rights to open a Windows PowerShell window. + +2. Use the following WMI commands to configure the service. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows PowerShell commandDescription

    Get-WmiObject -Namespace root\Microsoft\UEV Configuration

    +

    Displays the active UE-V service settings. User-specific settings have precedence over the computer settings.

    Get-WmiObject -Namespace root\Microsoft\UEV UserConfiguration

    Displays the UE-V service configuration that is defined for a user.

    Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration

    Displays the UE-V service configuration that is defined for a computer.

    Get-WmiObject –Namespace root\Microsoft\Uev ConfigurationItem

    Displays the details for each configuration item.

    $config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration

    +

    $config.SettingsStoragePath = <path_to_settings_storage_location>

    +

    $config.Put()

    Defines a per-computer settings storage location.

    $config = Get-WmiObject -Namespace root\Microsoft\UEV UserConfiguration

    +

    $config.SettingsStoragePath = <path_to_settings_storage_location>

    +

    $config.Put()

    Defines a per-user settings storage location.

    $config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration

    +

    $config.SyncTimeoutInMilliseconds = <timeout_in_milliseconds>

    +

    $config.Put()

    Sets the synchronization time-out in milliseconds for all users of the computer.

    $config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration

    +

    $config.MaxPackageSizeInBytes = <size_in_bytes>

    +

    $config.Put()

    Configures the UE-V service to report when a settings package file size reaches a defined threshold. Set the threshold package file size in bytes for all users of the computer.

    $config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration

    +

    $config.SyncMethod = <sync_method>

    +

    $config.Put()

    Sets the synchronization method for all users of the computer: SyncProvider or None.

    $config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration

    +

    $config.<setting name> = $true

    +

    $config.Put()

    To enable a specific per-computer setting, clear the setting, and use $null as the setting value. Use UserConfiguration for per-user settings.

    $config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration

    +

    $config.<setting name> = $false

    +

    $config.Put()

    To disable a specific per-computer setting, clear the setting, and use $null as the setting value. Use User Configuration for per-user settings.

    $config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration

    +

    $config.<setting name> = <setting value>

    +

    $config.Put()

    Updates a specific per-computer setting. To clear the setting, use $null as the setting value.

    $config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration

    +

    $config.<setting name> = <setting value>

    +

    $config.Put()

    Updates a specific per-user setting for all users of the computer. To clear the setting, use $null as the setting value.

    + +When you are finished configuring the UE-V service with WMI and Windows PowerShell, the defined configuration is stored in the registry in the following locations. + +`\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UEV\Agent\Configuration` + +`\HKEY_CURRENT_USER\SOFTWARE\Microsoft\UEV\Agent\Configuration` + +## To export UE-V package settings and repair UE-V templates by using WMI + +1. UE-V provides the following set of WMI commands. Administrators can use this interface to export a package or repair UE-V templates. + +2. Use the following WMI commands. + + + + + + + + + + + + + + + + + + + + + + +
    WMI commandDescription

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class UserSettings -Name ExportPackage -ArgumentList <package name>

    Extracts the settings from a package file and converts them into a human-readable format in XML.

    Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class SettingsLocationTemplate -Name RebuildIndex

    Repairs the index of the UE-V settings location templates. Must be run as administrator.

    + +   +## Have a suggestion for UE-V? + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). + +## Related topics + +[Administering UE-V with Windows PowerShell and WMI](uev-administering-uev-with-windows-powershell-and-wmi.md) + +[Administering UE-V](uev-administering-uev.md) diff --git a/windows/manage/uev-migrating-settings-packages.md b/windows/manage/uev-migrating-settings-packages.md new file mode 100644 index 0000000000..0bf674caeb --- /dev/null +++ b/windows/manage/uev-migrating-settings-packages.md 
@@ -0,0 +1,51 @@ +--- +title: Migrating UE-V settings packages +description: Migrating UE-V settings packages +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Migrating UE-V settings packages + + +In the lifecycle of a User Experience Virtualization (UE-V) deployment, you might have to relocate the user settings packages either when you migrate to a new server or when you perform backups. Settings packages might have to be migrated in the following scenarios: + +- Upgrade of existing server hardware to a more modern server + +- Migration of a settings storage location share from a test server to a production server + +Simply copying the files and folders does not preserve the security settings and permissions. The following steps describe how to correctly copy the settings package along with their NTFS file system permissions to a new share. + +**To preserve UE-V settings packages when you migrate to a new server** + +1. In a new location on a different server, create a new folder, for example, MySettings. + +2. Disable sharing for the old folder share on the old server. + +3. To copy the existing settings packages to the new server with Robocopy + + ``` syntax + C:\start robocopy "\\servername\E$\MySettings" "\\servername\E$\MySettings" /b /sec /secfix /e /LOG:D:\Robocopylogs\MySettings.txt + ``` + + **Note**   + To monitor the copy progress, open MySettings.txt with a log viewer such as Trace32. + +   + +4. Grant share-level permissions to the new share. Leave the NTFS file system permissions as they were set by Robocopy. + + On computers on which the UE-V service is enabled, update the **SettingsStoragePath** configuration setting to the Universal Naming Convention (UNC) path of the new share. + +## Have a suggestion for UE-V? + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). 
For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). + +## Related topics + +[Administering UE-V](uev-administering-uev.md) + diff --git a/windows/manage/uev-prepare-for-deployment.md b/windows/manage/uev-prepare-for-deployment.md new file mode 100644 index 0000000000..a7735d20e4 --- /dev/null +++ b/windows/manage/uev-prepare-for-deployment.md 
@@ -0,0 +1,398 @@ +--- +title: Prepare a UE-V Deployment +description: Prepare a UE-V Deployment +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Prepare a UE-V Deployment + +Applies to: Windows 10, version 1607 + +Before you deploy User Experience Virtualization (UE-V), review this topic for important information about the type of deployment you’re planning and for preparations you can make beforehand so that your deployment is successful. If you leave this page, be sure to come back and read through the planning information in this topic. + +## Plan your UE-V deployment + +With UE-V, you can synchronize user-defined application and operating system settings across all the devices that a user works from. Use UE-V to synchronize settings for Windows applications and custom applications, such as third-party and line of business applications. + +Whether you want to synchronize settings for only default Windows applications or for both Windows and custom applications, you’ll need to first deploy the features required to use UE-V. 
+ +[Deploy required UE-V features](uev-deploy-required-features.md) + +- [Define a settings storage location](uev-deploy-required-features.md#ssl) + +- [Decide how to manage UE-V configurations](#config) + +- [Enable the UE-V service](uev-deploy-required-features.md#enable-the-ue-v-service) on user computers + +If you want to use UE-V to synchronize user-defined settings for custom applications (third-party or line-of-business), you’ll need to install and configure these optional additional UE-V features: + +[Deploy UE-V for custom applications](uev-deploy-uev-for-custom-applications.md) + +- [Install the UE-V template generator](uev-deploy-uev-for-custom-applications.md#install-the-uev-template-generator) so you can create, edit, and validate the custom settings location templates required to synchronize custom application settings + +- [Create custom settings location templates](uev-deploy-uev-for-custom-applications.md#createcustomtemplates) with the UE-V template generator + +- [Deploy a UE-V settings template catalog](uev-deploy-uev-for-custom-applications.md#deploycatalogue) to store your custom settings location templates + +The workflow diagram below illustrates a typical UE-V deployment and the decisions you need to be prepared to make. + +![UE-V deployment preparation](images/uev-deployment-preparation.png) + + + +### Planning a UE-V deployment + +Review the following topics to determine which UE-V components you’ll be deploying. + +- [Decide whether to synchronize settings for custom applications](#decide-whether-to-synchronize-settings-for-custom-applications) + + If you want to synchronize settings for custom applications, you’ll need to install the UE-V template generator. Use the generator to create custom settings location templates, which involves the following tasks: + + - Review the [settings that are synchronized automatically in a UE-V deployment](#settings-automatically-synchronized-in-a-ue-v-deployment). 
+ + - [Determine whether you need settings synchronized for other applications](#determine-whether-you-need-settings-synchronized-for-other-applications). + +- Review [other considerations for deploying UE-V](#other-considerations-when-preparing-a-ue-v-deployment), including high availability and capacity planning. + +- [Confirm prerequisites and supported configurations for UE-V](#confirm-prerequisites-and-supported-configurations-for-ue-v) + +## Decide whether to synchronize settings for custom applications + +In a UE-V deployment, many settings are automatically synchronized. You can also customize UE-V to synchronize settings for other applications, such as line-of-business and third-party apps. + +Deciding if you want UE-V to synchronize settings for custom applications is an essential part of planning your UE-V deployment. The topics in this section will help you make that decision. + +### Settings automatically synchronized in a UE-V deployment + +This section explains which settings are synchronized by default in UE-V, including: + +- Desktop applications that are synchronized by default + +- Windows desktop settings that are synchronized by default + +- A statement of support for Windows applications setting synchronization + +See [Microsoft Authored Office 2016 UE-V Templates](https://www.microsoft.com/download/details.aspx?id=46367) to download a list of the specific Office 2016 settings that are synchronized by UE-V. + +To download a list of the Microsoft Office 2013 and 2010 settings that are synchronized by UE-V, see [User Experience Virtualization (UE-V) settings templates for Microsoft Office](https://www.microsoft.com/download/details.aspx?id=46367). + + +### Desktop applications synchronized by default in UE-V + +When you enable the UE-V service on user devices, it registers a default group of settings location templates that capture settings values for these common Microsoft applications. 
+ +| **Application category** | **Description** | +|-----------------------------|-------------------| +| Microsoft Office 2016 applications
    [Download a list of all settings synced](https://gallery.technet.microsoft.com/Authored-Office-2016-32-0dc05cd8) | Microsoft Access 2016
    Microsoft Lync 2016
    Microsoft Excel 2016
    Microsoft OneNote 2016
    Microsoft Outlook 2016
    Microsoft PowerPoint 2016
    Microsoft Project 2016
    Microsoft Publisher 2016
    Microsoft SharePoint Designer 2013 (not updated for 2016)
    Microsoft Visio 2016
    Microsoft Word 2016
    Microsoft Office Upload Manager
    Microsoft Infopath has been removed (deprecated) from the Office 2016 suite | +| Microsoft Office 2013 applications
    [Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2013
    Microsoft Excel 2013
    Microsoft Outlook 2013
    Microsoft Access 2013
    Microsoft Project 2013
    Microsoft PowerPoint 2013
    Microsoft Publisher 2013
    Microsoft Visio 2013
    Microsoft InfoPath 2013
    Microsoft Lync 2013
    Microsoft OneNote 2013
    Microsoft SharePoint Designer 2013
    Microsoft Office 2013 Upload Center
    Microsoft OneDrive for Business 2013 +| Microsoft Office 2010 applications
    [Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2010
    Microsoft Excel 2010
    Microsoft Outlook 2010
    Microsoft Access 2010
    Microsoft Project 2010
    Microsoft PowerPoint 2010
    Microsoft Publisher 2010
    Microsoft Visio 2010
    Microsoft SharePoint Workspace 2010
    Microsoft InfoPath 2010
    Microsoft Lync 2010
    Microsoft OneNote 2010
    Microsoft SharePoint Designer 2010 | +| Browser options: Internet Explorer 11 and 10 | Synchronize favorites, home page, tabs, and toolbars.
    **Note**
    UE-V does not roam settings for Internet Explorer cookies. | +| Windows accessories | Microsoft NotePad, WordPad | + +**Notes** +An Outlook profile must be created for any device on which a user wants to sync their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization. + +UE-V does not synchronize settings between the Microsoft Calculator in Windows 10 and the Microsoft Calculator in previous operating systems. + +### Windows settings synchronized by default + +UE-V includes settings location templates that capture settings values for these Windows settings. + +| **Windows settings** | **Description** | **Apply on** | **Export on** | **Default state** | +|----------------------|-----------------|--------------|---------------|-------------------| +| Desktop background | Currently active desktop background or wallpaper | Log on, unlock, remote connect, Scheduled Task events | Log off, lock, remote disconnect, or scheduled task interval | Enabled | +| Ease of Access | Accessibility and input settings, Microsoft Magnifier, Narrator, and on-Screen Keyboard | Log on only | Log off or scheduled task interval | Enabled | +| Desktop settings | Start menu and Taskbar settings, folder options, default desktop icons, additional clocks, and region and language settings | Log on only | Log off or scheduled task | Enabled | + +>**Important** +UE-V roams taskbar settings between Windows 10 devices. However, UE-V does not synchronize taskbar settings between Windows 10 devices and devices running previous operating systems versions. + +| **Settings group** | **Category** | **Capture** | **Apply** | +|--------------------------|----------------|----------------|--------------| +| **Application Settings** | Windows applications | Close appllication
    Windows application settings change event | Start the UE-V App Monitor at startup
    Open app
    Windows application settings change event
    Arrival of a settings package | +| | Desktop applications | Application closes | Application opens and closes | +| **Desktop settings** | Desktop background | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs | +| | Ease of Access (Common – Accessibility, Narrator, Magnifier, On-Screen-Keyboard) | Lock or Log off | Log on | +| | Ease of Access (Shell - Audio, Accessibility, Keyboard, Mouse) | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs | +| | Desktop settings | Lock or log off | Log on | + +### UE-V-support for Windows applications + +For Windows applications, the application developer specifies which user settings are synchronized. You can specify which Windows apps are enabled for settings synchronization. + +To display a list of Windows applications that can synchronize settings with their package family name, enabled status, and enabled source, open a Windows PowerShell window, type Get-UevAppxPackage, and press ENTER. + +>**Note** +Starting in Windows 10, version 1607, you can configure UE-V to not synchronize Windows applications settings if the device is configured to use Enterprise State Roaming. + +### UE-V-support for roaming printers + +Users can print to their saved network printers, including their default network printer, from any network device. + +Printer roaming in UE-V requires one of these scenarios: + +- The print server can download the required driver when it roams to a new device. + +- The driver for the roaming network printer is pre-installed on any device that needs to access that network printer. + +- The printer driver can be imported from Windows Update. + +>**Note** +The UE-V printer roaming feature does not roam printer settings or preferences, such as printing double-sided. 
+ +### Determine whether you need settings synchronized for other applications + +After you have reviewed the settings that are synchronized automatically in a UE-V deployment, you’ll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise. + +As an administrator, when you consider which desktop applications to include in your UE-V solution, consider which settings can be customized by users, and how and where the application stores its settings. Not all desktop applications have settings that can be customized or that are routinely customized by users. In addition, not all desktop applications settings can be synchronized safely across multiple devices or environments. + +In general, you can synchronize settings that meet the following criteria: + +- Settings that are stored in user-accessible locations. For example, do not synchronize settings that are stored in System32 or outside the HKEY\_CURRENT\_USER (HKCU) section of the registry. + +- Settings that are not specific to the particular device. For example, exclude network shortcuts or hardware configurations. + +- Settings that can be synchronized between computers without risk of corrupted data. For example, do not use settings that are stored in a database file. + +### Checklist for evaluating custom applications + +If you’ve decided that you need to synchronize settings for custom applications, use this checklist to determine which applications you’ll include. + +| | **Description** | +|-------|--------------------------| +| ![Checklist box](images/uev-checklist-box.gif) | Does this application contain settings that the user can customize? | +| ![Checklist box](images/uev-checklist-box.gif) | Is it important for the user that these settings are synchronized? | +| ![Checklist box](images/uev-checklist-box.gif) | Are these user settings already managed by an application management or settings policy solution? 
UE-V applies application settings at application startup and Windows settings at logon, unlock, or remote connect events. If you use UE-V with other settings sharing solutions, users might experience inconsistency across synchronized settings. | +| ![Checklist box](images/uev-checklist-box.gif) | Are the application settings specific to the computer? Application preferences and customizations that are associated with hardware or specific computer configurations do not consistently synchronize across sessions and can cause a poor application experience. | +| ![Checklist box](images/uev-checklist-box.gif) | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\\ \[User name\] \\**AppData**\\**LocalLow** directory? Application data that is stored in either of these locations usually should not synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. | +| ![Checklist box](images/uev-checklist-box.gif) | Does the application store any settings in a file that contains other application data that should not synchronize? UE-V synchronizes files as a single unit. If settings are stored in files that include application data other than settings, then synchronizing this additional data can cause a poor application experience. | +| ![Checklist box](images/uev-checklist-box.gif) | How large are the files that contain the settings? The performance of the settings synchronization can be affected by large files. Including large files can affect the performance of settings synchronization. 
| + +## Other considerations when preparing a UE-V deployment + +You should also consider these things when you are preparing to deploy UE-V: + +- [Managing credentials synchronization](#managing-credentials-synchronization-in-ue-v) + +- [Windows applications settings synchronization](#windows-applications-settings-synchronization) + +- [Custom UE-V settings location templates](#custom-ue-v-settings-location-templates) + +- [Unintentional user settings configurations](#prevent-unintentional-user-settings-configuration) + +- [Performance and capacity](#performance-and-capacity-planning) + +- [High availability](#high-availability-for-ue-v) + +- [Computer clock synchronization](#synchronize-computer-clocks-for-ue-v-settings-synchronization) + +### Managing credentials synchronization in UE-V + +Many enterprise applications, including Microsoft Outlook, Lync, and Skype for Business prompt users for their domain credentials when they log in. Users have the option of saving their credentials to disk to prevent having to enter them every time they open these applications. Enabling roaming credentials synchronization lets users save their credentials on one computer and avoid re-entering them on every computer they use in their environment. Users can synchronize some domain credentials with UE-V. + +**Important** +Credentials synchronization is disabled by default. You must explicitly enable credentials synchronization after you enable the UE-V service to implement this feature. + +UE-V can synchronize enterprise credentials, but does not roam credentials intended only for use on the local device. + +Credentials are synchronous settings, meaning that they are applied to users' profiles the first time they log on to their devices after UE-V synchronizes. + +Credentials synchronization is managed by its own settings location template, which is disabled by default. You can enable or disable this template through the same methods used for other templates. 
The template identifier for this feature is RoamingCredentialSettings. + +>**Important** +If you are using Active Directory Credential Roaming in your environment, we recommend that you do not enable the UE-V credential roaming template. Instead, use PowerShell or Group Policy to enable credentials synchronization. Note that credentials are encrypted during synchronization. + +[PowerShell](uev-administering-uev-with-windows-powershell-and-wmi.md)**:** Enter this PowerShell cmdlet to enable credential synchronization: + +`Enable-UevTemplate RoamingCredentialSettings` + +`Copy` + +Use this PowerShell cmdlet to disable credential synchronization: + +`Disable-UevTemplate RoamingCredentialSettings` + +`Copy` + + + +[Group Policy](uev-configuring-uev-with-group-policy-objects.md)**:** You must edit the Group Policy administrative template for UE-V, which is included in Windows 10, version 1607, to enable credential synchronization through group policy. Credentials synchronization is managed in Windows settings. To manage this feature with Group Policy, enable the **Synchronize Windows** settings policy. + +1. Open Group Policy Editor and navigate to **User Configuration > Administrative Templates > Windows Components > Microsoft User Experience Virtualization**. + +2. Double-click **Synchronize Windows settings**. + +3. If this policy is enabled, you can enable credentials synchronization by checking the **Roaming Credentials** check box, or disable credentials synchronization by unchecking it. + +4. Click **OK**. + +### Credential locations synchronized by UE-V + +Credential files saved by applications into the following locations are synchronized: + +- %UserProfile%\\AppData\\Roaming\\Microsoft\\Credentials\\ + +- %UserProfile%\\AppData\\Roaming\\Microsoft\\Crypto\\ + +- %UserProfile%\\AppData\\Roaming\\Microsoft\\Protect\\ + +- %UserProfile%\\AppData\\Roaming\\Microsoft\\SystemCertificates\\ + +Credentials saved to other locations are not synchronized by UE-V. 
+ +### Windows applications settings synchronization + +UE-V manages Windows application settings synchronization in three ways: + +- **Sync Windows applications:** Allow or deny any Windows application synchronization + +- **Windows applications list:** Synchronize a list of Windows applications + +- **Unlisted default sync behavior:** Determine the synchronization behavior of Windows applications that are not in the Windows applications list. + +For more information, see the [Windows Application List](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md#win8applist). + +### Custom UE-V settings location templates + +If you are deploying UE-V to synchronize settings for custom applications, you’ll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices. + +Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including System Center Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell. + +For more information about custom settings location templates, see [Deploy UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). For more information about using UE-V with Configuration Manager, see [Configuring UE-V with System Center Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md). 
+ +### Prevent unintentional user settings configuration + +UE-V downloads new user settings information from a settings storage location and applies the settings to the local device in these instances: + +- Each time an application is started that has a registered UE-V template + +- When a user logs on to a device + +- When a user unlocks a device + +- When a connection is made to a remote desktop device running UE-V + +- When the Sync Controller Application scheduled task is run + +If UE-V is installed on computer A and computer B, and the settings that you want for the application are on computer A, then computer A should open and close the application first. If the application is opened and closed on computer B first, then the application settings on computer A are configured to the application settings on computer B. Settings are synchronized between computers on per-application basis. Over time, settings become consistent between computers as they are opened and closed with preferred settings. + +This scenario also applies to Windows settings. If the Windows settings on computer B should be the same as the Windows settings on computer A, then the user should log on and log off computer A first. + +If the user settings that the user wants are applied in the wrong order, they can be recovered by performing a restore operation for the specific application or Windows configuration on the computer on which the settings were overwritten. For more information, see [Manage Administrative Backup and Restore in UE-V](uev-manage-administrative-backup-and-restore.md). + +### Performance and capacity planning + +Specify your requirements for UE-V with standard disk capacity and network health monitoring. + +UE-V uses a Server Message Block (SMB) share for the storage of settings packages. The size of settings packages varies depending on the settings information for each application. 
While most settings packages are small, the synchronization of potentially large files, such as desktop images, can result in poor performance, particularly on slower networks. + +To reduce problems with network latency, create settings storage locations on the same local networks where the users’ computers reside. We recommend 20 MB of disk space per user for the settings storage location. + +By default, UE-V synchronization times out after 2 seconds to prevent excessive lag due to a large settings package. You can configure the SyncMethod=SyncProvider setting by using [Group Policy objects](uev-configuring-uev-with-group-policy-objects.md). + +### High availability for UE-V + +The UE-V settings storage location and settings template catalog support storing user data on any writable share. To ensure high availability, follow these criteria: + +- Format the storage volume with an NTFS file system. + + + +- The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) is specifically not supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see [Microsoft’s Support Statement Around Replicated User Profile Data](http://go.microsoft.com/fwlink/p/?LinkId=313991). + + In addition, because SYSVOL uses DFSR for replication, SYSVOL cannot be used for UE-V data file replication. + +- Configure the share permissions and NTFS access control lists (ACLs) as specified in [Deploying the settings storage location for UE-V](uev-deploy-required-features.md#ssl). + +- Use file server clustering along with the UE-V service to provide access to copies of user state data in the event of communications failures. + +- You can store the settings storage path data (user data) and settings template catalog templates on clustered shares, on DFSN shares, or on both. 
+ +### Synchronize computer clocks for UE-V settings synchronization + +Computers that run the UE-V service must use a time server to maintain a consistent settings experience. UE-V uses time stamps to determine if settings must be synchronized from the settings storage location. If the computer clock is inaccurate, older settings can overwrite newer settings, or the new settings might not be saved to the settings storage location. + +## Confirm prerequisites and supported configurations for UE-V + +Before you proceed, ensure that your environment meets these requirements for using UE-V. + +| **Operating system** | **Edition** | **Service pack** | **System architecture** | **Windows PowerShell** | **Microsoft .NET Framework** | +|--------------------------|---------------|------------------|-------------------------|--------------------------|--------------------------------| +| Windows 10, version 1607 | Windows 10 for Enterprise | NA | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 or higher | +| Windows 8 and Windows 8.1 | Enterprise or Pro | None | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 or higher | +| Windows Server 2012 and Windows Server 2012 R2 | Standard or Datacenter | None | 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 or higher | + +**Note** +- Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed. + +- The “Delete Roaming Cache” policy for mandatory profiles is not supported with UE-V and should not be used. + +There are no special random access memory (RAM) requirements specific to UE-V. 
+ +### Synchronization of settings through the Sync Provider + +Sync Provider is the default setting for users and synchronizes a local cache with the settings storage location in these instances: + +- Log on/log off + +- Lock/unlock + +- Remote desktop connect/disconnect + +- Application open/close + +A scheduled task manages this synchronization of settings every 30 minutes or through trigger events for certain applications. For more information, see [Changing the frequency of UE-V scheduled tasks](uev-changing-the-frequency-of-scheduled-tasks.md). + +The UE-V service synchronizes user settings for devices that are not always connected to the enterprise network (remote devices and laptops) and devices that are always connected to the network (devices that run Windows Server and host virtual desktop interface (VDI) sessions). + +**Synchronization for computers with always-available connections** When you use UE-V on devices that are always connected to the network, you must configure the UE-V service to synchronize settings by using the *SyncMethod=None* parameter, which treats the settings storage server as a standard network share. In this configuration, the UE-V service can be configured to notify if the import of the application settings is delayed. + +Enable this configuration using one of these methods: + +- After you enable the UE-V service, use the Settings Management feature in System Center Configuration Manager or the UE-V ADMX templates (installed with Windows 10, version 1607) to push the SyncMethod = None configuration. + +- Use Windows PowerShell or Windows Management Instrumentation (WMI) to set the SyncMethod = None configuration. + +Restart the device to allow the settings to synchronize. + +- >**Note** +These methods do not work for pooled virtual desktop infrastructure (VDI) environments. + + +>**Note** +If you set *SyncMethod = None*, any settings changes are saved directly to the server. 
If the network connection to the settings storage path is not found, then the settings changes are cached on the device and are synchronized the next time that the sync provider runs. If the settings storage path is not found and the user profile is removed from a pooled VDI environment on log off, settings changes are lost and the user must reapply the change when the computer is reconnected to the settings storage path. + +**Synchronization for external sync engines** The *SyncMethod=External* parameter specifies that if UE-V settings are written to a local folder on the user device, then any external sync engine (such as OneDrive for Business, Work Folders, Sharepoint, or Dropbox) can be used to apply these settings to the different devices that users access. + +**Support for shared VDI sessions** UE-V supports VDI sessions that are shared among end users. You can register and configure a special VDI template, which ensures that UE-V keeps all of its functionality intact for non-persistent VDI sessions. + +>**Note** +If you do not enable VDI mode for non-persistent VDI sessions, certain features do not work, such as [back-up/restore and last known good (LKG)](uev-manage-administrative-backup-and-restore.md). + +The VDI template is provided with UE-V and is typically available here after installation: C:\ProgramData\Microsoft\UEV\InboxTemplates + +### Prerequisites for UE-V template generator support + +Install the UE-V template generator on the device that is used to create custom settings location templates. This device should be able to run the applications that you want to synchronize settings for. You must be a member of the Administrators group on the device that runs the UE-V template generator software. + +The UE-V template generator must be installed on a device that uses an NTFS file system. The UE-V template generator software requires .NET Framework 4. 
For more information, see [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). + +## Other resources for this feature + +- [User Experience Virtualization overview](uev-for-windows.md) + +- [Get started with UE-V](uev-getting-started.md) + +- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) + +- [Administering UE-V ](uev-administering-uev.md) + +- [Troubleshooting UE-V ](uev-troubleshooting.md) + +- [Technical Reference for UE-V](uev-technical-reference.md) diff --git a/windows/manage/uev-privacy-statement.md b/windows/manage/uev-privacy-statement.md new file mode 100644 index 0000000000..30e1e65622 --- /dev/null +++ b/windows/manage/uev-privacy-statement.md 
@@ -0,0 +1,156 @@
+---
+title: User Experience Virtualization Privacy Statement
+description: User Experience Virtualization Privacy Statement
+author: jamiejdt
+ms.assetid: c2919034-f2cf-48d6-b18e-4dd318252426
+ms.pagetype: mdop, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w8
+---
+
+
+# User Experience Virtualization Privacy Statement
+
+
+Microsoft is committed to protecting your privacy, while delivering software that brings you the performance, power, and convenience you desire in your personal computing. This privacy statement explains many of the data collection and use practices of Microsoft User Experience Virtualization (“UE-V”). This is a preliminary disclosure that focuses on features that communicate with the Internet and is not intended to be an exhaustive list.
+
+Microsoft User Experience Virtualization allows the separation of settings from an application or operating system. Those settings can then be transferred to a remote storage location, eliminating the constraints of local storage and giving users the ability to have their settings follow them to other computers.
+
+## Collection and Use of Your Information
+
+
+The information we collect from you will be used by Microsoft and its controlled subsidiaries and affiliates to enable the features you are using and provide the service(s) or carry out the transaction(s) you have requested or authorized. It may also be used to analyze and improve Microsoft products and services.
+
+We may send certain mandatory service communications such as welcome letters, billing reminders, information on technical service issues, and security announcements. Some Microsoft services may send periodic member letters that are considered part of the service. We may occasionally request your feedback, invite you to participate in surveys, or send you promotional mailings to inform you of other products or services available from Microsoft and its affiliates.
+
+In order to offer you a more consistent and personalized experience in your interactions with Microsoft, information collected through one Microsoft service may be combined with information obtained through other Microsoft services. We may also supplement the information we collect with information obtained from other companies. For example, we may use services from other companies that enable us to derive a general geographic area based on your IP address in order to customize certain services to your geographic area.
+
+Except as described in this statement, personal information you provide will not be transferred to third parties without your consent. We occasionally hire other companies to provide limited services on our behalf, such as packaging, sending and delivering purchases and other mailings, answering customer questions about products or services, processing event registration, or performing statistical analysis of our services. We will only provide those companies the personal information they need to deliver the service, and they are prohibited from using that information for any other purpose.
+
+Microsoft may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public. We may also disclose personal information as part of a corporate transaction such as a merger or sale of assets.
+
+Information that is collected by or sent to Microsoft by UE-V may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or service providers maintain facilities. Microsoft abides by the safe harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Union, the European Economic Area, and Switzerland.
+
+## Collection and Use of Information about Your Computer
+
+
+When you use software with Internet-enabled features, information about your computer ("standard computer information") is sent to the Web sites you visit and online services you use. Microsoft uses standard computer information to provide you Internet-enabled services, to help improve our products and services, and for statistical analysis. Standard computer information typically includes information such as your IP address, operating system version, browser version, and regional and language settings. In some cases, standard computer information may also include hardware ID, which indicates the device manufacturer, device name, and version. If a particular feature or service sends information to Microsoft, standard computer information will be sent as well.
+
+The privacy details for each UE-V feature, software or service listed in this privacy statement describe what additional information is collected and how it is used.
+
+## Security of Your Information
+
+
+Microsoft is committed to helping protect the security of your information. We use a variety of security technologies and procedures to help protect your information from unauthorized access, use, or disclosure. For example, we store the information you provide on computer systems with limited access, which are located in controlled facilities.
+
+## Changes to This Privacy Statement
+
+
+We will occasionally update this privacy statement to reflect changes in our products, services, and customer feedback. When we post changes, we will revise the "last updated" date at the top of this statement. If there are material changes to this statement or in how Microsoft will use your personal information, we will notify you either by posting a notice of such changes prior to implementing the change or by directly sending you a notification. We encourage you to periodically review this statement to be informed of how Microsoft is protecting your information.
+
+## For More Information
+
+
+Microsoft welcomes your comments regarding this privacy statement. If you have questions about this statement or believe that we have not adhered to it, please contact us [MSUEVPrivacy@microsoft.com](mailto:%20MSUEVPrivacy@microsoft.com).
+
+## Specific features
+
+
+The remainder of this document will address the following specific features:
+
+### UE-V Generator
+
+**What This Feature Does**:
+
+The UE-V generator is used to create settings location templates. These templates allow users to roam the settings for their applications.
+
+**Information Collected, Processed, or Transmitted**:
+
+When creating a settings location template the UE-V generator uses a Lightweight Directory Access Protocol (LDAP) query to get username and email address of the current logged in user. This information is stored in the template as the template author name and template author email. None of this information is sent to Microsoft.
+
+If you plan to share settings location templates with anyone outside your organization you should review all the settings locations and ensure the settings location template do not contain any personal or company information. You can view the contents by opening the settings location template files using any XML viewer. The following are ways you can view and remove any personal or company information from the settings location template files before sharing with anyone outside your company:
+
+- **Template Author Name** – Specify a general, non-identifying name for the template author name or exclude this data from the template.
+
+- **Template Author Email** – Specify a general, non-identifying template author email or exclude this data from the template.
+
+**Use of Information**:
+
+The template author name and template author email can be used to identify the author of settings location template. If you share the template, the author name and email is viewable to all who use the template. No information is sent to Microsoft.
+
+**Choice/Control**:
+
+To remove the template author name or template author email, start the UE-V generator application. Select **Edit a Settings Location Template**. Select the settings location template to edit from the recently used templates or Browse to the settings template file. Select **Next** to continue. On the Properties page, remove the data from the Template author name or Template author email text fields. Save the settings location template.
+
+## Customer Experience Improvement Program
+
+
+**What This Feature Does:**
+
+The Customer Experience Improvement Program (“CEIP”) collects basic information about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services. We will not collect your name, address, or other contact information.
+
+**Information Collected, Processed, or Transmitted:**
+
+For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at .
+
+**Use of Information:**
+
+We use this information to improve the quality, reliability, and performance of Microsoft software and services.
+
+**Choice/Control:**
+
+You are offered the opportunity to participate in CEIP during setup of the UE-V Agent. If you choose to participate and later change your mind, you can turn off CEIP at any time by:Re-running the UE-V agent setup and opting out of CEIP or by setting the following registry key either manually or via Group Policy:
+
+``` syntax
+Key = HKEY_LOCAL_MACHINE\Software\Microsoft\UEV\Agent
+RegEntry name = CustomerExperienceImprovementProgram
+Entry type REG_DWORD (Hexadecimal):
+0 is off
+1 is on
+```
+
+## Microsoft Error Reporting
+
+
+**What This Feature Does:**
+
+Microsoft Error Reporting provides a service that allows you to report problems you may be having with UE-V or other enabled applications to Microsoft and to receive information that may help you avoid or solve such problems.
+
+**Information Collected, Processed, or Transmitted:**
+
+For information about the information collected, processed, or transmitted by Microsoft Error Reporting, see the Microsoft Error Reporting privacy statement at .
+
+**Use of Information:**
+
+We use the error reporting data to solve customer problems and improve our software and services.
+
+**Choice/Control:**
+
+If you choose the recommended settings during Windows setup, you turn on automatic checking for solutions, which will send basic error reports and look for solutions to the problems reported. If you use automatic checking, you are not typically prompted to send basic information about errors to Microsoft. If a more detailed error report is required, you will be prompted to review it. You can change this setting at any time by going to Action Center in Control Panel.
+
+**Important Information:**
+
+Enterprise customers can use Group Policy to configure how Microsoft Error Reporting behaves on their computers. Configuration options include the ability to turn off Microsoft Error Reporting. If you are an administrator and wish to configure Group Policy for Microsoft Error Reporting, technical details are available at .
+
+UE-V will not modify the Microsoft Error Reporting preference and will honor the system setting in the Control Panel and/or the setting enforced via Group Policy.
+
+## Microsoft Update
+
+
+**What This Feature Does:**
+
+Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software.
+
+**Information Collected, Processed, or Transmitted:**
+
+For details about what information is collected and how it is used, see the Update Services Privacy Statement at
+
+**Use of Information:**
+
+- For details about what information is collected and how it is used, see the Update Services Privacy Statement at .
+
+- Choice/Control:
+
+ For details about controlling this feature, see the Update Services Privacy Statement at .
+
diff --git a/windows/manage/uev-release-notes-1607.md b/windows/manage/uev-release-notes-1607.md
new file mode 100644
index 0000000000..d28d61f312
--- /dev/null
+++ b/windows/manage/uev-release-notes-1607.md
@@ -0,0 +1,117 @@
+---
+title: User Experience Virtualization (UE-V) Release Notes
+description: User Experience Virtualization (UE-V) Release Notes
+author: MaggiePucciEvans
+ms.pagetype: mdop, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# User Experience Virtualization (UE-V) Release Notes
+
+Applies to: Windows 10, version 1607
+
+This topic includes information required to successfully install and use UE-V that is not included in the User Experience Virtualization (UE-V) documentation. If there are differences between the information in this topic and other UE-V topics, the latest change should be considered authoritative.
+
+### Upgrading from UE-V 1.0 to the in-box version of UE-V is blocked
+
+Version 1.0 of UE-V used Offline Files (Client Side Caching) for settings synchronization and pinned the UE-V sync folder to be available when the network was offline, however, this technology was removed in UE-V 2.x. As a result, UE-V 1.0 users are blocked from upgrading to UE-V for Windows 10, version 1607.
+
+WORKAROUND: Remove the UE-V 1.0 sync folder from the Offline Files configuration and then upgrade to the in-box version of UE-V for Windows, version 1607 release.
+
+### UE-V settings location templates for Skype cause Skype to crash
+
+When a user generates a valid settings location template for the Skype desktop application, registers it, and then launches the Skype desktop application, Skype crashes. An ACCESS\_VIOLATION is recorded in the Application Event Log.
+
+WORKAROUND: Remove or unregister the Skype template to allow Skype to work again.
+
+### Registry settings do not synchronize between App-V and native applications on the same device
+
+When a device has an application that is installed through both Application Virtualization (App-V) and locally with a Windows Installer (.msi) file, the registry-based settings do not synchronize between the technologies.
+
+WORKAROUND: To resolve this problem, run the application by selecting one of the two technologies, but not both.
+
+### Unpredictable results when both Office 2010 and Office 2013 are installed on the same device
+
+When a user has both Office 2010 and Office 2013 installed, any common settings between the two versions of Office are roamed by UE-V. This could cause the Office 2010 package size to be quite large or result in unpredictable conflicts with 2013, particularly if Office 365 is used.
+
+WORKAROUND: Install only one version of Office or limit which settings are synchronized by UE-V.
+
+### Uninstall and re-install of Windows 8 applications reverts settings to initial state
+
+While using UE-V settings synchronization for a Windows 8 application, if the user uninstalls the application and then reinstalls the application, the application’s settings revert to their default values. This happens because the uninstall removes the local (cached) copy of the application’s settings but does not remove the local UE-V settings package. When the application is reinstalled and launched, UE-V gather the application settings that were reset to the application defaults and then uploads the default settings to the central storage location. Other computers running the application then download the default settings. This behavior is identical to the behavior of desktop applications.
+
+WORKAROUND: None.
+
+### UE-V does not support roaming settings between 32-bit and 64-bit versions of Microsoft Office
+
+We recommend that you install the 32-bit version of Microsoft Office for both 32-bit and 64-bit operating systems. To choose the Microsoft Office version that you need, click [here](). UE-V supports roaming settings between identical architecture versions of Office. For example, 32-bit Office settings will roam between all 32-bit Office instances. UE-V does not support roaming settings between 32-bit and 64-bit versions of Office.
+
+WORKAROUND: None
+
+### Favicons that are associated with Internet Explorer 9 favorites do not roam
+
+The favicons that are associated with Internet Explorer 9 favorites are not roamed by User Experience Virtualization and do not appear when the favorites first appear on a new computer.
+
+WORKAROUND: Favicons will appear with their associated favorites once the bookmark is used and cached in the Internet Explorer 9 browser.
+
+### File settings paths are stored in registry
+
+Some application settings store the paths of their configuration and settings files as values in the registry. The files that are referenced as paths in the registry must be synchronized when settings are roamed between computers.
+
+WORKAROUND: Use folder redirection or some other technology to ensure that any files that are referenced as file settings paths are present and placed in the same location on all computers where settings roam.
+
+### Long Settings Storage Paths could cause an error
+
+Keep settings storage paths as short as possible. Long paths could prevent resolution or synchronization. UE-V uses the Settings storage path as part of the calculated path to store settings. That path is calculated in the following way: settings storage path + “settingspackages” + package dir (template ID) + package name (template ID) + .pkgx. If that calculated path exceeds 260 characters, package storage will fail and generate the following error message in the UE-V operational event log:
+
+\[boost::filesystem::copy\_file: The system cannot find the path specified\]
+
+To check the operational log events, open the Event Viewer and navigate to Applications and Services Logs / Microsoft / User Experience Virtualization / Logging / Operational.
+
+WORKAROUND: None.
+
+### Some operating system settings only roam between like operating system versions
+
+Operating system settings for Narrator and currency characters specific to the locale (i.e. language and regional settings) will only roam across like operating system versions of Windows. For example, currency characters will not roam between Windows 7 and Windows 8.
+
+WORKAROUND: None
+
+## Hotfixes and Knowledge Base articles for UE-V
+
+This section contains hotfixes and KB articles for UE-V.
+
+| KB Article | Title | Link |
+|------------|---------|--------|
+| 3018608 | UE-V - TemplateConsole.exe crashes when UE-V WMI classes are missing | [support.microsoft.com/kb/3018608/EN-US](http://support.microsoft.com/kb/3018608/EN-US) |
+| 2903501 | UE-V: User Experience Virtualization (UE-V) compatibility with user profiles | [support.microsoft.com/kb/2903501/EN-US](http://support.microsoft.com/kb/2903501/EN-US) |
+| 2770042 | UE-V Registry Settings | [support.microsoft.com/kb/2770042/EN-US](http://support.microsoft.com/kb/2770042/EN-US) |
+| 2847017 | UE-V settings replicated by Internet Explorer | [support.microsoft.com/kb/2847017/EN-US](http://support.microsoft.com/kb/2847017/EN-US) |
+| 2769631 | How to repair a corrupted UE-V install | [support.microsoft.com/kb/2769631/EN-US](http://support.microsoft.com/kb/2769631/EN-US) |
+| 2850989 | Migrating MAPI profiles with Microsoft UE-V is not supported | [support.microsoft.com/kb/2850989/EN-US](http://support.microsoft.com/kb/2850989/EN-US) |
+| 2769586 | UE-V roams empty folders and registry keys | [support.microsoft.com/kb/2769586/EN-US](http://support.microsoft.com/kb/2769586/EN-US) |
+| 2782997 | How To Enable Debug Logging in Microsoft User Experience Virtualization (UE-V) | [support.microsoft.com/kb/2782997/EN-US](http://support.microsoft.com/kb/2782997/EN-US) |
+| 2769570 | UE-V does not update the theme on RDS or VDI sessions | [support.microsoft.com/kb/2769570/EN-US](http://support.microsoft.com/kb/2769570/EN-US) |
+| 2850582 | How To Use Microsoft User Experience Virtualization With App-V Applications | [support.microsoft.com/kb/2850582/EN-US](http://support.microsoft.com/kb/2850582/EN-US) |
+| 3041879 | Current file versions for Microsoft User Experience Virtualization | [support.microsoft.com/kb/3041879/EN-US](http://support.microsoft.com/kb/3041879/EN-US) |
+| 2843592 | Information on User Experience Virtualization and High Availability | [support.microsoft.com/kb/2843592/EN-US](http://support.microsoft.com/kb/2843592/EN-US) |
+
+## Have a suggestion for UE-V?
+
+Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
+
+**Additional resources for this feature**
+
+
+- [User Experience Virtualization](uev-for-windows.md)
+
+- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md)
+
+- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md)
+
+- [Administering UE-V ](uev-administering-uev.md)
+
+- [Troubleshooting UE-V ](uev-troubleshooting.md)
+
+- [Technical Reference for UE-V](uev-technical-reference.md)
diff --git a/windows/manage/uev-security-considerations.md b/windows/manage/uev-security-considerations.md
new file mode 100644
index 0000000000..2cfc34087e
--- /dev/null
+++ b/windows/manage/uev-security-considerations.md
@@ -0,0 +1,225 @@ +--- +title: Security Considerations for UE-V +description: Security Considerations for UE-V +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Security Considerations for UE-V + + +This topic contains a brief overview of accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V). For more information, follow the links that are provided here. + +## Security considerations for UE-V configuration + + +**Important** +When you create the settings storage share, limit the share access to users who require access. + +Because settings packages might contain personal information, you should take care to protect them as well as possible. In general, do the following: + +- Restrict the share to only those users who require access. Create a security group for users who have redirected folders on a particular share and limit access to only those users. + +- When you create the share, hide the share by putting a $ after the share name. This addition hides the share from casual browsers, and the share is not visible in My Network Places. + +- Only give users the minimum amount of permissions that they must have. The following tables show the required permissions. + +1. Set the following share-level SMB permissions for the setting storage location folder. + + + + + + + + + + + + + + + + + + + + + + +
    User accountRecommended permissions

    Everyone

    No permissions

    Security group of UE-V

    Full control

    + + +2. Set the following NTFS file system permissions for the settings storage location folder. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    User accountRecommended permissionsFolder

    Creator/Owner

    No permissions

    No permissions

    Domain Admins

    Full control

    This folder, subfolders, and files

    Security group of UE-V users

    List folder/read data, create folders/append data

    This folder only

    Everyone

    Remove all permissions

    No permissions

    + +3. Set the following share-level SMB permissions for the settings template catalog folder. + + + + + + + + + + + + + + + + + + + + + + + + + + +
    User accountRecommend permissions

    Everyone

    No permissions

    Domain computers

    Read permission Levels

    Administrators

    Read/write permission levels

    + + +4. Set the following NTFS permissions for the settings template catalog folder. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    User accountRecommended permissionsApply to

    Creator/Owner

    Full control

    This folder, subfolders, and files

    Domain Computers

    List folder contents and Read permissions

    This folder, subfolders, and files

    Everyone

    No permissions

    No permissions

    Administrators

    Full Control

    This folder, subfolders, and files

    +
+### Use Windows Server as of Windows Server 2003 to host redirected file shares
+
+User settings package files contain personal information that is transferred between the client computer and the server that stores the settings packages. Because of this process, you should ensure that the data is protected while it travels over the network.
+
+User settings data is vulnerable to these potential threats: interception of the data as it passes over the network, tampering with the data as it passes over the network, and spoofing of the server that hosts the data.
+
+As of Windows Server 2003, several features of the Windows Server operating system can help secure user data:
+
+- **Kerberos** - Kerberos is standard on all versions of Microsoft Windows 2000 Server and Windows Server beginning with Windows Server 2003. Kerberos ensures the highest level of security to network resources. NTLM authenticates the client only; Kerberos authenticates the server and the client. When NTLM is used, the client does not know whether the server is valid. This difference is particularly important if the client exchanges personal files with the server, as is the case with Roaming User Profiles. Kerberos provides better security than NTLM. Kerberos is not available on the Microsoft Windows NT Server 4.0 or earlier operating systems.
+
+- **IPsec** - The IP Security Protocol (IPsec) provides network-level authentication, data integrity, and encryption. IPsec ensures the following:
+
+ - Roamed data is safe from data modification while data is en route.
+
+ - Roamed data is safe from interception, viewing, or copying.
+
+ - Roamed data is safe from access by unauthenticated parties.
+
+- **SMB Signing** - The Server Message Block (SMB) authentication protocol supports message authentication, which prevents active message and "man-in-the-middle" attacks. SMB signing provides this authentication by placing a digital signature into each SMB. The digital signature is then verified by both the client and the server. In order to use SMB signing, you must first either enable it, or you must require it on both the SMB client and the SMB server. Note that the SMB signing imposes a performance penalty. It does not consume any more network bandwidth, but it uses more CPU cycles on the client and server side.
+
+### Always use the NTFS file system for volumes that hold user data
+
+For the most secure configuration, configure servers that host the UE-V settings files to use the NTFS file system. Unlike the FAT file system, NTFS supports Discretionary access control lists (DACLs) and system access control lists (SACLs). DACLs and SACLs control who can perform operations on a file and what events trigger the logging of actions that is performed on a file.
+
+### Do not rely on EFS to encrypt user files when they are transmitted over the network
+
+When you use the Encrypting File System (EFS) to encrypt files on a remote server, the encrypted data is not encrypted during transit over the network; it only becomes encrypted when it is stored on disk.
+
+This encryption process does not apply when your system includes Internet Protocol security (IPsec) or Web Distributed Authoring and Versioning (WebDAV). IPsec encrypts data while it is transported over a TCP/IP network. If the file is encrypted before it is copied or moved to a WebDAV folder on a server, it remains encrypted during the transmission and while it is stored on the server.
+
+### Let the UE-V service create folders for each user
+
+To ensure that UE-V works optimally, create only the root share on the server, and let the UE-V service create the folders for each user. UE-V creates these user folders with the appropriate security.
+
+This permission configuration enables users to create folders for settings storage. The UE-V service creates and secures a settings package folder while it runs in the context of the user. Users receive full control to their settings package folder. Other users do not inherit access to this folder. You do not have to create and secure individual user directories. The UE-V service that runs in the context of the user does it automatically.
+
+> **Note**  Additional security can be configured when a Windows Server is used for the settings storage share. UE-V can be configured to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable additional security, use the following command:
+
+1. Add the REG\_DWORD registry key RepositoryOwnerCheckEnabled to `HKEY_LOCAL_MACHINE\Software\Microsoft\UEV\Agent\Configuration`.
+
+2. Set the registry key value to *1*.
+
+When this configuration setting is in place, the UE-V service verifies that the local Administrators group or current user is the owner of the settings package folder. If not, then the UE-V service does not grant access to the folder.
+
+
+If you must create folders for the users, ensure that you have the correct permissions set.
+
+We strongly recommend that you do not pre-create folders. Instead, let the UE-V service create the folder for the user.
+
+### Ensure correct permissions to store UE-V 2 settings in a home directory or custom directory
+
+If you redirect UE-V settings to a user’s home directory or a custom Active Directory (AD) directory, ensure that the permissions on the directory are set appropriately for your organization.
+
+## Have a suggestion for UE-V?
+
+
+Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
+
+## Related topics
+
+[Technical Reference for UE-V](uev-technical-reference.md)
diff --git a/windows/manage/uev-sync-methods.md b/windows/manage/uev-sync-methods.md
new file mode 100644
index 0000000000..7b78c035f0
--- /dev/null
+++ b/windows/manage/uev-sync-methods.md
@@ -0,0 +1,42 @@
+---
+title: Sync Methods for UE-V
+description: Sync Methods for UE-V
+author: MaggiePucciEvans
+ms.pagetype: mdop, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# Sync Methods for UE-V
+
+
+The User Experience Virtualization (UE-V) service lets you synchronize users’ application and Windows settings with the settings storage location. The *Sync Method* configuration defines how the UE-V service uploads and downloads those settings to the settings storage location. UE-V includes a SyncMethod called the *SyncProvider*. For more information about trigger events that start the synchronization of application and Windows settings, see [Sync Trigger Events for UE-V](uev-sync-trigger-events.md).
+
+## SyncMethod Configuration
+
+This table provides a description of each SyncMethod configuration:
+
+| **SyncMethod Configuration** | **Description** |
+|------------------------------|---------------------|
+| SyncProvider (Default) | Settings changes for a specific application or for global Windows desktop settings are saved locally to a cache folder. These changes are then synchronized with the settings storage location when a synchronization trigger event takes place. Pushing out changes will save the local changes to the settings storage path.
    This default setting is the gold standard for computers. This option attempts to synchronize the setting and times out after a short delay to ensure that the application or operating system startup isn’t delayed for a long period of time.
    This functionality is also tied to the Scheduled task – Sync Controller Application. The administrator controls the frequency of the Scheduled task. By default, computers synchronize their settings every 30 min after logging on. |
+| External | This configuration method specifies that if UE-V settings are written to a local folder on the user computer, then any external sync engine (such as OneDrive for Business, Work Folders, Sharepoint, or Dropbox) can be used to apply these settings to the different computers that users access. |
+| None | This configuration setting is designed for the Virtual Desktop Infrastructure (VDI) and Streamed Application experience primarily. This setting should be used on computers running the Windows Server operating system in a datacenter, where the connection will always be available.
    Any settings changes are saved directly to the server. If the network connection to the settings storage path is not available, then the settings changes are cached on the device and are synchronized the next time that the Sync Provider runs. If the settings storage path is not found and the user profile is removed from a pooled VDI environment on logoff, then these settings changes are lost, and the user must reapply the change when the computer can again reach the settings storage path.
    Apps and OS will wait indefinitely for the location to be present. This could cause App load or OS logon time to dramatically increase if the location is not found. |
+
+You can configure the sync method in these ways:
+
+- Through [Group Policy](uev-configuring-uev-with-group-policy-objects.md) settings
+
+- With the [System Center Configuration Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V
+
+- With [Windows PowerShell or Windows Management Instrumentation (WMI)](uev-administering-uev-with-windows-powershell-and-wmi.md)
+
+## Have a suggestion for UE-V?
+
+Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
+
+## Related topics
+
+[Deploy Required UE-V Features](uev-deploy-required-features.md)
+
+[Technical Reference for UE-V](uev-technical-reference.md)
diff --git a/windows/manage/uev-sync-trigger-events.md b/windows/manage/uev-sync-trigger-events.md
new file mode 100644
index 0000000000..811a463e97
--- /dev/null
+++ b/windows/manage/uev-sync-trigger-events.md
@@ -0,0 +1,126 @@ +--- +title: Sync Trigger Events for UE-V +description: Sync Trigger Events for UE-V +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Sync Trigger Events for UE-V + + +User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices. *Sync trigger events* define when the UE-V service synchronizes those settings with the settings storage location. For more information about Sync Method configuration, see [Sync Methods for UE-V](uev-sync-methods.md). + +## UE-V Sync Trigger Events + + +The following table explains the trigger events for classic applications and Windows settings. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    UE-V Trigger Event

    SyncMethod=SyncProvider

    SyncMethod=None

    Windows Logon

      +
    • Application and Windows settings are imported to the local cache from the settings storage location.

    • +
    • [Asynchronous Windows settings](http://technet.microsoft.com/library/dn458932.aspx#autosyncsettings2) are applied.

    • +
    • Synchronous Windows settings will be applied during the next Windows logon.

    • +
    • Application settings will be applied when the application starts.

    • +
      +
    • Application and Windows settings are read directly from the settings storage location.

    • +
    • Asynchronous and synchronous Windows settings are applied.

    • +
    • Application settings will be applied when the application starts.

    • +

    Windows Logoff

    Store changes locally and cache and copy asynchronous and synchronous Windows settings to the settings storage location server, if available

    Store changes to asynchronous and synchronous Windows settings storage location

    Windows Connect (RDP) / Unlock

    Synchronize any asynchronous Windows settings from settings storage location to local cache, if available.

    +

    Apply cached Windows settings

    Download and apply asynchronous windows settings from settings storage location

    Windows Disconnect (RDP) / Lock

    Store asynchronous Windows settings changes to the local cache.

    +

    Synchronize any asynchronous Windows settings from the local cache to settings storage location, if available

    Store asynchronous Windows settings changes to the settings storage location

    Application start

    Apply application settings from local cache as the application starts

    Apply application settings from settings storage location as the application starts

    Application closes

    Store any application settings changes to the local cache and copy settings to settings storage location, if available

    Store any application settings changes to settings storage location

    Sync Controller Scheduled Task

    +

    Application and Windows settings are synchronized between the settings storage location and the local cache.

    +
    +Note   +

    Settings changes are not cached locally until an application closes. This trigger will not export changes made to a currently running application.

    +

    For Windows settings, this means that any changes will not be cached locally and exported until the next Lock (Asynchronous) or Logoff (Asynchronous and Synchronous).

    +
    +
    +  +
    +

    Settings are applied in these cases:

    +
      +
    • Asynchronous Windows settings are applied directly.

    • +
    • Application settings are applied when the application starts.

    • +
    • Both asynchronous and synchronous Windows settings are applied during the next Windows logon.

    • +
    • Windows app (AppX) settings are applied during the next refresh. See [Monitor Application Settings](http://technet.microsoft.com/library/dn458944.aspx) for more information.

    • +

    NA

    Asynchronous Settings updated on remote store*

    Load and apply new asynchronous settings from the cache.

    Load and apply settings from central server

    + +  + +## Have a suggestion for UE-V? + + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). + +## Related topics + + +[Technical Reference for UE-V](uev-technical-reference.md) + +[Changing the Frequency of UE-V Scheduled Tasks](uev-changing-the-frequency-of-scheduled-tasks.md) + +[Choose the Configuration Method for UE-V](uev-deploy-required-features.md) + +  + +  + + + + + diff --git a/windows/manage/uev-synchronizing-microsoft-office-with-uev.md b/windows/manage/uev-synchronizing-microsoft-office-with-uev.md new file mode 100644 index 0000000000..47aaa206af --- /dev/null +++ b/windows/manage/uev-synchronizing-microsoft-office-with-uev.md 
@@ -0,0 +1,139 @@ +--- +title: Synchronizing Microsoft Office with UE-V +description: Synchronizing Office with UE-V +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Synchronizing Office with UE-V + +Microsoft User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings. The combination of UE-V and App-V support for Office enables the same experience on virtualized instances of Office from any UE-V-enabled device or virtualized desktop. + +To synchronize Office applications settings, you can download Office templates from the [Microsoft User Experience Virtualization (UE-V) Template Gallery](http://go.microsoft.com/fwlink/p/?LinkId=246589). This resource provides Microsoft-authored UE-V settings location templates as well as community-developed settings location templates. + + +## Microsoft Office support in UE-V + +UE-V includes settings location templates for Microsoft Office 2016, 2013, and 2010. In previous versions of UE-V, settings location templates for Office 2013 and Office 2010 were distributed and registered when you installed the UE-V agent. Now that UE-V is a feature in Windows 10, version 1607, settings location templates are installed when you install or upgrade to the new operating system. + +These templates help synchronize users’ Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience are not included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](http://go.microsoft.com/fwlink/p/?LinkId=391220). + +## Synchronized Office Settings + + +Review the following tables for details about Office support in UE-V: + +### Supported UE-V templates for Microsoft Office + + +++++ + + + + + + + + + + + + + + +
    Office 2016 templates (UE-V for Windows 10 and Windows 10, version 1607, available in UE-V gallery)Office 2013 templates (UE-V for Windows 10 and UE-V 2.x, available on UE-V gallery)Office 2010 templates (UE-V 1.0 and 1.0 SP1)

    MicrosoftOffice2016Win32.xml

    +

    MicrosoftOffice2016Win64.xml

    +

    MicrosoftSkypeForBusiness2016Win32.xml

    +

    MicrosoftSkypeForBusiness2016Win64.xml

    MicrosoftOffice2013Win32.xml

    +

    MicrosoftOffice2013Win64.xml

    +

    MicrosoftLync2013Win32.xml

    +

    MicrosoftLync2013Win64.xml

    MicrosoftOffice2010Win32.xml

    +

    MicrosoftOffice2010Win64.xml

    +

    MicrosoftLync2010.xml

    +

    + +  + +### Microsoft Office Applications supported by the UE-V templates + + +++++ + + + + + + + +

    Microsoft Access 2016

    +

    Microsoft Lync 2016

    +

    Microsoft Excel 2016

    +

    Microsoft OneNote 2016

    +

    Microsoft Outlook 2016

    +

    Microsoft PowerPoint 2016

    +

    Microsoft Project 2016

    +

    Microsoft Publisher 2016

    +

    Microsoft SharePoint Designer 2013 (not udpated for 2016)

    +

    Microsoft Visio 2016

    +

    Microsoft Word 2016

    +

    Microsoft Office Upload Manager

    Microsoft Access 2013

    +

    Microsoft Lync 2013

    +

    Microsoft Excel 2013

    +

    Microsoft InfoPath 2013

    +

    Microsoft OneNote 2013

    +

    Microsoft Outlook 2013

    +

    Microsoft PowerPoint 2013

    +

    Microsoft Project 2013

    +

    Microsoft Publisher 2013

    +

    Microsoft SharePoint Designer 2013

    +

    Microsoft Visio 2013

    +

    Microsoft Word 2013

    +

    Microsoft Office Upload Manager

    Microsoft Access 2010

    +

    Microsoft Lync 2010

    +

    Microsoft Excel 2010

    +

    Microsoft InfoPath 2010

    +

    Microsoft OneNote 2010

    +

    Microsoft Outlook 2010

    +

    Microsoft PowerPoint 2010

    +

    Microsoft Project 2010

    +

    Microsoft Publisher 2010

    +

    Microsoft SharePoint Designer 2010

    +

    Microsoft Visio 2010

    +

    Microsoft Word 2010

    +

    + +  + +## Deploying Office templates + + +You can deploy UE-V settings location template with the following methods: + +- **Registering template with PowerShell**. If you use Windows PowerShell to manage computers, run the following Windows PowerShell command as Administrator to register this settings location template: + + ``` syntax + Register-UevTemplate -Path + ``` + + For more information about using UE-V and Windows PowerShell, see [Managing UE-V settings location templates using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). + +- **Registering template with Template Catalog Path**. If you use the Settings Template Catalog Path to manage templates on users’ computers, copy the Office template into the folder defined in the UE-V service. The next time the Template Auto Update (ApplySettingsCatalog.exe) scheduled task runs, the settings location template will be registered on the device. For more information, see [Deploy a settings template catalog](uev-deploy-uev-for-custom-applications.md#deployasettingstemplatecatalog). + +- **Registering template with Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to user devices. For more information, see the guidance provided in the documentation for the [System Center Configuration Pack for User Experience Virtualization](http://go.microsoft.com/fwlink/?LinkId=317263). + +## Have a suggestion for UE-V? + + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). 
diff --git a/windows/manage/uev-technical-reference.md b/windows/manage/uev-technical-reference.md new file mode 100644 index 0000000000..d8eec5847d --- /dev/null +++ b/windows/manage/uev-technical-reference.md 
@@ -0,0 +1,69 @@
+---
+title: Technical Reference for UE-V
+description: Technical Reference for UE-V
+author: MaggiePucciEvans
+ms.pagetype: mdop, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Technical Reference for UE-V
+
+
+This technical reference section includes additional technical documentation about the various features of User Experience Virtualization (UE-V). This information is provided to help the administrator better understand UE-V.
+
+## Technical reference topics for UE-V
+
+
+- [Sync Methods for UE-V](uev-sync-methods.md)
+
+ Defines how UE-V synchronizes settings between computers and the settings storage location. Sync Provider is the default sync method for UE-V. This topic includes technical reference information for sync methods, including the Sync Provider.
+
+- [Sync Trigger Events for UE-V](uev-sync-trigger-events.md)
+
+ Defines when the UE-V service synchronizes those settings with the settings storage location. This topic provides technical reference information about when synchronization takes place based upon the sync method deployed.
+
+- [Synchronizing Microsoft Office with UE-V](uev-synchronizing-microsoft-office-with-uev.md)
+
+ Provides guidance for downloading and enabling the Microsoft-authored UE-V settings location templates that support Microsoft Office settings synchronization.
+
+- [Application Template Schema Reference for UE-V](uev-application-template-schema-reference.md)
+
+ Details the XML structure of UE-V settings location templates and provides guidance for editing these files.
+
+- [Accessibility for UE-V](uev-accessibility.md)
+
+ Describes features and services that make UE-V more accessible for people with disabilities.
+
+- [Security Considerations for UE-V](uev-security-considerations.md)
+
+ Provides a brief overview of accounts, groups, and other security-related considerations for UE-V.
+
+## Other resources for this feature
+
+
+- [User Experience Virtualization overview](uev-for-windows.md)
+
+- [Get Started with UE-V](uev-getting-started.md)
+
+- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md)
+
+- [Administering UE-V](uev-administering-uev.md)
+
+- [Troubleshooting UE-V](uev-troubleshooting.md)
+
+## Have a suggestion for UE-V?
+
+
+Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/manage/uev-troubleshooting.md b/windows/manage/uev-troubleshooting.md
new file mode 100644
index 0000000000..bc48051f72
--- /dev/null
+++ b/windows/manage/uev-troubleshooting.md
@@ -0,0 +1,79 @@
+---
+title: Troubleshooting UE-V
+description: Troubleshooting UE-V
+author: MaggiePucciEvans
+ms.pagetype: mdop, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Troubleshooting UE-V
+
+
+Troubleshooting content is not included in the Administrator's Guide for this product. Instead, you can find troubleshooting information for this product on the [TechNet Wiki](http://go.microsoft.com/fwlink/p/?LinkId=224905).
+
+## Find troubleshooting information
+
+
+You can use the following information to find troubleshooting content or additional technical content for this product.
+
+
+**To search the TechNet Wiki**
+
+1. Open a web browser and browse to the [TechNet Wiki](http://go.microsoft.com/fwlink/p/?LinkId=224905) home page.
+
+2. Locate the **Search TechNet Wiki** search box and enter your search term.
+
+3. Review the search results for assistance.
+
+## Create a troubleshooting article
+
+
+If you have a troubleshooting tip or a best practice to share that is not already included in TechNet Wiki, you can create your own TechNet Wiki article.
+
+**To create a TechNet Wiki troubleshooting or best practices article**
+
+1. Open a web browser and browse to the [TechNet Wiki](http://go.microsoft.com/fwlink/p/?LinkId=224905) home page.
+
+2. Sign in with your Microsoft account.
+
+3. Review the **Getting Started** section to learn the basics of the TechNet Wiki and its articles.
+
+4. Select **Post an article** in the **Getting Started** section.
+
+5. On the Wiki article **Add Page** page, select **Insert Template** from the toolbar, select the troubleshooting article template, which is named **Troubleshooting.html**, and then click **Insert**.
+
+6. Give the article a descriptive title, and then overwrite the template information as needed to create your article.
+
+7. After you review your article, add a tag that is named **Troubleshooting** and another tag for the product name.
To add tags help other users find your content.
+
+8. Click **Save** to publish the article to the TechNet Wiki.
+
+## Other resources for this feature
+
+
+- [User Experience Virtualization overview](uev-for-windows.md)
+
+- [Get Started with UE-V](uev-getting-started.md)
+
+- [Prepare a UE-V deployment](uev-prepare-for-deployment.md)
+
+- [Administering UE-V](uev-administering-uev.md)
+
+- [Technical reference for UE-V](uev-technical-reference.md)
+
+## Have a suggestion for UE-V?
+
+
+Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/manage/uev-upgrade-uev-from-previous-releases.md b/windows/manage/uev-upgrade-uev-from-previous-releases.md
new file mode 100644
index 0000000000..acfd9ce64a
--- /dev/null
+++ b/windows/manage/uev-upgrade-uev-from-previous-releases.md
@@ -0,0 +1,104 @@
+---
+title: Upgrade to UE-V for Windows 10
+description: Explains how to upgrade to the latest version of UE-V.
+author: MaggiePucciEvans
+ms.pagetype: mdop, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# Upgrade to UE-V for Windows 10
+
+Applies to: Windows 10, version 1607
+
+If you’re already using UE-V 2.x and you’re planning to upgrade user devices to Windows 10, version 1607 or later releases, you need to make only a few adjustments to your existing environment. These steps are explained in more detail below.
+
+1. Upgrade user devices to Windows 10, version 1607 or later release.
+
+2. Verify that UE-V settings were migrated correctly.
+
+3. Enable the UE-V service on user devices.
+
+4. Install the UE-V template generator if you want to synchronize application settings for custom applications.
+
+> **Important**  You can upgrade your existing UE-V installation to Windows 10, version 1607 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you’ll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10, version 1607..
+
+## Upgrade user devices to Windows 10, version 1607
+
+Performing an in-place upgrade on user devices automatically installs the UE-V service, updates the settings location path, and migrates users' UE-V settings. See the [Windows 10 for IT Pros documentation](https://technet.microsoft.com/itpro/windows/index) for information about upgrading user devices to Windows 10.
+
+## Verify that UE-V settings were migrated correctly
+
+After upgrading a user device to Windows 10, version 1607, it’s important to verify that UE-V settings and template registrations were migrated correctly during the upgrade. You can verify UE-V settings using Windows Powershell or the device’s registry.
+
+**To verify UE-V settings using Windows PowerShell**
+
+1. 
Run PowerShell as Administrator, type **Get-UEVConfiguration**, and press ENTER to view current configurations.
+
+2. Check that the settings were successfully updated.
+
+3. Type **Get-UEVTemplate** and press ENTER to check that your templates are still registered.
+
+   > **Note** You’ll need to register the NotePad template again after you upgrade the device to Windows 10.
+
+**To verify UE-V settings using the device’s registry**
+
+1. In a command prompt, run **Regedit** as Administrator.
+
+2. Navigate to **HKEY_LOCAL_MACHINE\Software\Microsoft\UEV\Agent\Configuration.**
+
+3. Verify that the settings storage path and the settings template catalog path are pointing to the same locations as before you upgraded the device to Windows 10.
+
+## Enable the UE-V service on user devices
+
+The UE-V service is the client-side component that captures user-personalized application and Windows settings and saves them in settings packages. Settings packages are built, locally stored, and copied to the settings storage location.
+
+With Windows 10, version 1607 and later, the UE-V service replaces the UE-V Agent and no longer requires a separate download and installation. Enable the service on user devices to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell.
+
+> **Important**  The UE-V Agent used in prior releases of UE-V is replaced with the UE service. The UE-V service included with Windows 10, version 1607 and later releases, does not include the agent user interface and is configurable through cmdlets or registry settings only.
+
+**To enable the UE-V service with Group Policy**
+
+1. Open the device’s **Group Policy Editor**.
+
+2. Navigate to **Computer Configuration > Administrative Templates > Windows Components > Microsoft User Experience Virtualization**.
+
+3. Run **Enable UEV**
+
+4. Restart the device.
+
+**To enable the UE-V service with Windows PowerShell**
+
+1. 
Run PowerShell as Administrator, type **Enable-UEV**, and press ENTER.
+
+2. Restart the device.
+
+3. Type **Get-UEVStatus** and press ENTER to verify that the service was successfully enabled.
+
+## Install the UE-V template generator
+
+The UE-V template generator is included in the Windows Assessment and Deployment Kit (ADK) for Windows 10.
+
+**To install the UE-V template generator**
+
+1. Go to [Download the Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) to access the ADK.
+
+2. Select the **Get Windows ADK for Windows 10** button on this page to start the ADK installer. On the screen pictured below, select **Microsoft User Experience Virtualization (UE-V) Template Generator** and then select **Install**.
+
+   ![Selecting UE-V features in ADK](images/uev-adk-select-uev-feature.png)
+
+3. To open the generator, open the **Start** menu and navigate to **Windows Kits** > **Microsoft User Experience Virtualization (UE-V) Template Generator**.
+
+
+## Other resources for this feature
+
+- [UE-V Release Notes](uev-release-notes-1607.md)
+
+- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md)
+
+- [Administer UE-V](uev-administering-uev.md)
+
+- [Migrating settings packages](uev-migrating-settings-packages.md)
+
+- [Technical Reference for UE-V](uev-technical-reference.md)
diff --git a/windows/manage/uev-using-uev-with-application-virtualization-applications.md b/windows/manage/uev-using-uev-with-application-virtualization-applications.md
new file mode 100644
index 0000000000..1f495c9b74
--- /dev/null
+++ b/windows/manage/uev-using-uev-with-application-virtualization-applications.md
@@ -0,0 +1,54 @@
+---
+title: Using UE-V with Application Virtualization applications
+description: Using UE-V with Application Virtualization applications
+author: MaggiePucciEvans
+ms.pagetype: mdop, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Using UE-V with Application Virtualization applications
+
+
+User Experience Virtualization (UE-V) supports Microsoft Application Virtualization (App-V) applications without any required modifications to either the App-V package or the UE-V template. However, an additional step is required because you cannot run the UE-V template generator directly on a virtualized App-V application. Instead, you must install the application locally, generate the template, and then apply the template to the virtualized application. UE-V supports App-V for Windows 10 packages and App-V 5.0 packages.
+
+## UE-V settings synchronization for App-V applications
+
+
+UE-V monitors when an application opens by the program name and, optionally, by file version numbers and product version numbers, whether the application is installed locally or virtually by using App-V. When the application starts, UE-V monitors the App-V process, applies any settings that are stored in the user's settings storage path, and then enables the application to start normally. UE-V monitors App-V applications and automatically translates the relevant file and registry paths to the virtualized location as opposed to the physical location outside the App-V computing environment.
+
+ **To implement settings synchronization for a virtualized application**
+
+1. Run the UE-V template generator to collect the settings of the locally installed application whose settings you want to synchronize between computers. This process creates a settings location template. If you use a built-in template such as a Microsoft Office template, skip this step. 
For more information about using the UE-V template generator, see [Deploy UE-V for custom applications](uev-deploy-uev-for-custom-applications.md#createcustomtemplates).
+
+2. Install the App-V application package if you have not already done so.
+
+3. Publish the template to the location of your settings template catalog or manually install the template by using the `Register-UEVTemplate` Windows PowerShell cmdlet.
+
+   **Note**  
+ If you publish the newly created template to the settings template catalog, the client does not receive the template until the sync provider updates the settings. To manually start this process, open **Task Scheduler**, expand **Task Scheduler Library**, expand **Microsoft**, and expand **UE-V**. In the results pane, right-click **Template Auto Update**, and then click **Run**.
+
+ 
+
+4. Start the App-V package.
+
+## Have a suggestion for UE-V?
+
+
+Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
+
+## Related topics
+
+
+[Administering UE-V](uev-administering-uev.md)
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/manage/uev-whats-new-in-uev-for-windows.md b/windows/manage/uev-whats-new-in-uev-for-windows.md
new file mode 100644
index 0000000000..f4192c7109
--- /dev/null
+++ b/windows/manage/uev-whats-new-in-uev-for-windows.md
@@ -0,0 +1,105 @@
+---
+title: What's New in UE-V for Windows 10, version 1607
+description: What's New in UE-V for Windows 10, version 1607
+author: MaggiePucciEvans
+ms.pagetype: mdop, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# What's New in UE-V
+
+Applies to: Windows 10, version 1607
+
+User Experience Virtualization (UE-V) for Windows 10, version 1607, includes these new features and capabilities compared to UE-V 2.1. See [UE-V Release notes](uev-release-notes-1607.md) for more information about the UE-V for Windows 10, version 1607 release.
+
+## UE-V is now a feature in Windows 10
+
+With Windows 10, version 1607 and later releases, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack.
+
+The changes in UE-V for Windows 10, version 1607 impact already existing implementations of UE-V in the following ways:
+
+- The UE-V Agent is replaced by the UE-V service. The UE-V service is installed with Windows 10, version 1607 and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the UE-V service, migrates users’ UE-V configurations, and updates the settings storage path.
+
+- The UE-V template generator is available from the Windows 10 ADK. In previous releases of UE-V, the template generator was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new template generator to create new settings location templates, existing settings location templates will continue to work.
+
+For more information about how to configure an existing UE-V installation after upgrading user devices to Windows 10, see [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md).
+
+> **Important**  You can upgrade your existing UE-V installation to Windows 10 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you’ll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10.
+
+## New UE-V template generator is available from the Windows 10 ADK
+
+UE-V for Windows 10 includes a new template generator, available from a new location. If you are upgrading from an existing UE-V installation, you’ll need to use the new generator to create settings location templates. The UE-V for Windows 10 template generator is now available in the [Windows 10 Assessment and Deployment Kit](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK).
+
+## Compatibility with Microsoft Enterprise State Roaming
+
+With Windows 10, version 1607, users can synchronize Windows application settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V on on-premises domain-joined devices only.
+
+In hybrid cloud environments, UE-V can roam win32 applications on-premise while [Enterprise State Roaming](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) (ESR) can roam the rest, e.g., Windows and desktop settings, themes, colors, etc., to an Azure cloud installation.
+
+To configure UE-V to roam Windows desktop and application data only, change the following group policies:
+
+- Disable “Roam Windows settings” group policy
+
+- Enable “Do not synchronize Windows Apps” group policy
+
+For more information about using UE-V with Enterprise State Roaming, see [Settings and data roaming FAQ](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-faqs/#what-are-the-options-for-roaming-settings-for-existing-windows-desktop-applications).
+
+Additionally, to enable Windows 10 and UE-V to work together, configure these policy settings in the Microsoft User Experience Virtualization node:
+
+- Enable “Do Not Synchronize Windows Apps”
+
+- Disable “Sync Windows Settings”
+
+## Settings Synchronization Behavior Changed in UE-V for Windows 10
+
+While earlier versions of UE-V roamed taskbar settings between Windows 10 devices, UE-V for Windows 10, version 1607 does not synchronize taskbar settings between devices running Windows 10 and devices running previous versions of Windows.
+
+In addition, UE-for Windows does not synchronize settings between the Microsoft Calculator in Windows 10 and the Microsoft Calculator in previous versions of Windows.
+
+## Support Added for Roaming Network Printers
+
+Users can now print to their saved network printers from any network device, including their default network printer.
+
+Printer roaming in UE-V requires one of these scenarios:
+
+- The print server can download the required driver when it roams to a new device.
+
+- The driver for the roaming network printer is pre-installed on any device that needs to access that network printer.
+
+- The printer driver can be imported from Windows Update.
+
+> **Note**  The UE-V printer roaming feature does not roam printer settings or preferences, such as printing double-sided.
+
+## Office 2016 Settings Location Template
+
+UE-V for Windows 10, version 1607 includes the Microsoft Office 2016 settings location template with improved Outlook signature support. We’ve added synchronization of default signature settings for new, reply, and forwarded emails. Users no longer have to choose the default signature settings.
+
+> **Note**  An Outlook profile must be created on any device on which a user wants to synchronize their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization.
+
+UE-V works with Office 365 to determine whether Office 2016 settings are roamed by Office 365. If settings are roamed by Office 365, they are not roamed by UE-V. See [Overview of user and roaming settings for Microsoft Office](https://technet.microsoft.com/library/jj733593.aspx) for more information.
+
+To enable settings synchronization using UE-V, do one of the following:
+
+- Use Group Policy to disable Office 365 synchronization
+
+- Do not enable the Office 365 synchronization experience during Office 2013 installation
+
+UE-V includes Office 2016, Office 2013, and Office 2010 templates. Office 2007 templates are no longer supported. Users can still use Office 2007 templates from UE-V 2.0 or earlier and can still get the templates from the UE-V template gallery located [here](http://go.microsoft.com/fwlink/p/?LinkID=246589).
+
+## Have a suggestion for UE-V?
+
+Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
+
+## Related topics
+
+- [Microsoft User Experience Virtualization](uev-for-windows.md)
+
+- [Get Started with UE-V](uev-getting-started.md)
+
+- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md)
+
+- [User Experience Virtualization (UE-V) Release Notes](uev-release-notes-1607.md) for Windows 10, version 1607
+
+- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md)
diff --git a/windows/manage/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/manage/uev-working-with-custom-templates-and-the-uev-generator.md
new file mode 100644
index 0000000000..d708176c7f
--- /dev/null
+++ b/windows/manage/uev-working-with-custom-templates-and-the-uev-generator.md
@@ -0,0 +1,162 @@ +--- +title: Working with Custom UE-V Templates and the UE-V Template Generator +description: Working with Custom UE-V Templates and the UE-V Template Generator +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Working with custom UE-V templates and the UE-V template generator + +Applies to: Windows 10, version 1607 + +User Experience Virtualization (UE-V) uses XML files called ***settings location templates*** to monitor and synchronize application settings and Windows settings between user devices. By default, some settings location templates are included in UE-V. However, if you want to synchronize settings for desktop applications other than those included in the default templates, you can create your own custom settings location templates with the UE-V template generator. You can also edit or validate custom settings location templates with the UE-V template generator. + +Use the UE-V template generator to monitor, discover, and capture the locations where Win32 applications store settings. The template generator does not create settings location templates for the following types of applications: + +- Virtualized applications +- Applications that are offered through Terminal Services +- Java applications +- Windows applications + +## Standard and non-standard settings locations + +The UE-V template generator helps you identify where applications search for settings files and registry settings that applications use to store settings information. The generator discovers settings only in locations that are accessible to a standard user. Settings that are stored in other locations are excluded. + +Discovered settings are grouped into two categories: **Standard** and **Non-standard**. Standard settings are recommended for synchronization, and UE-V can readily capture and apply them. 
Non-standard settings can potentially synchronize settings but, because of the rules that UE-V uses, these settings might not consistently or dependably synchronize settings. These settings might depend on temporary files, result in unreliable synchronization, or might not be useful. These settings locations are presented in the UE-V template generator. You can choose to include or exclude them on a case-by-case basis. + +The UE-V template generator opens the application as part of the discovery process. The generator can capture settings in the following locations: + +- **Registry Settings** – Registry locations under **HKEY\_CURRENT\_USER** + +- **Application Settings Files** – Files that are stored under \\ **Users** \\ \[User name\] \\ **AppData** \\ **Roaming** + +The UE-V template generator excludes locations, which commonly store application software files, but do not synchronize well between user computers or environments. The UE-V template generator excludes these locations. Excluded locations are as follows: + +- HKEY\_CURRENT\_USER registry keys and files to which the logged-on user cannot write values + +- HKEY\_CURRENT\_USER registry keys and files that are associated with the core functionality of the Windows operating system + +- All registry keys that are located in the HKEY\_LOCAL\_MACHINE hive, which requires administrator rights and might require to set a User Account Control (UAC) agreement + +- Files that are located in Program Files directories, which requires administrator rights and might require to set a UAC agreement + +- Files that are located under Users \\ \[User name\] \\ AppData \\ LocalLow + +- Windows operating system files that are located in %Systemroot%, which requires administrator rights and might require to set a UAC agreement + +If registry keys and files that are stored in these locations are required to synchronize application settings, you can manually add the excluded locations to the settings location template during the 
template creation process. + +## Edit settings location templates with the UE-V template generator + +Use the UE-V template generator to edit settings location templates. When the revised settings are added to the templates with the UE-V template generator, the version information within the template is automatically updated to ensure that any existing templates that are deployed in the enterprise are updated correctly. + +**To edit a UE-V settings location template with the UE-V template generator** + +1. Open the **Start** menu and navigate to **Windows Kits** > **Microsoft User Experience Virtualization (UE-V) Template Generator** to open the template generator. + +2. Click **Edit a settings location template**. + +3. In the list of recently used templates, select the template to be edited. Alternatively, click **Browse** to search for the settings template file. Click **Next** to continue. + +4. Review the **Properties**, **Registry** locations, and **Files** locations for the settings template. Edit as required. + + - On the **Properties** tab, you can view and edit the following properties: + + - **Application name** The application name that is written in the description of the program file properties. + + - **Program name** The name of the program that is taken from the program file properties. This name usually has the .exe file name extension. + + - **Product version** The product version number of the .exe file of the application. This property, together with the **File version**, helps determine which applications are targeted by the settings location template. This property accepts a major version number. If this property is empty, then the settings location template applies to all versions of the product. + + - **File version** The file version number of the .exe file of the application. This property, along with the **Product version**, helps determine which applications are targeted by the settings location template. 
This property accepts a major version number. If this property is empty, the settings location template applies to all versions of the program. + + - **Template author name** (optional) The name of the settings template author. + + - **Template author email** (optional) The email address of the settings location template author. + + - The **Registry** tab lists the **Key** and **Scope** of the registry locations that are included in the settings location template. You can edit the registry locations by using the **Tasks** drop-down menu. In the Tasks menu, you can add new keys, edit the name or scope of existing keys, delete keys, and browse the registry in which the keys are located. When you define the scope for the registry, you can use the **All Settings** scope to include all the registry settings under the specified key. Use **All Settings** and **Subkeys** to include all the registry settings under the specified key, subkeys, and subkey settings. + + - The **Files** tab lists the file path and file mask of the file locations that are included in the settings location template. You can edit the file locations by using the **Tasks** drop-down menu. In the **Tasks** menu for file locations, you can add new files or folder locations, edit the scope of existing files or folders, delete files or folders, and open the selected location in Windows Explorer. To include all files in the specified folder, leave the file mask empty. + +5. Click **Save** to save the changes to the settings location template. + +6. Click **Close** to close the Settings Template Wizard. Exit the UE-V template generator application. + + After you edit the settings location template for an application, you should test the template. Deploy the revised settings location template in a lab environment before you put it into production in the enterprise. + +**How to manually edit a settings location template** + +1. Create a local copy of the settings location template .xml file. 
UE-V settings location templates are .xml files that identify the locations where application store settings values. + + >**Note**   + A settings location template is unique because of the template **ID**. If you copy the template and rename the .xml file, template registration fails because UE-V reads the template **ID** tag in the .xml file to determine the name, not the file name of the .xml file. UE-V also reads the **Version** number to know if anything has changed. If the version number is higher, UE-V updates the template. + +   +2. Open the settings location template file with an XML editor. + +3. Edit the settings location template file. All changes must conform to the UE-V schema file that is defined in [SettingsLocationTempate.xsd](uev-application-template-schema-reference.md). By default, a copy of the .xsd file is located in \\ProgramData\\Microsoft\\UEV\\Templates. + +4. Increment the **Version** number for the settings location template. + +5. Save the settings location template file, and then close the XML editor. + +6. Validate the modified settings location template file by using the UE-V template generator. + +7. You must register the edited UE-V settings location template before it can synchronize settings between client computers. To register a template, open Windows PowerShell, and then run the following cmdlet: `update-uevtemplate [templatefilename]`. You can then copy the file to the settings storage catalog. The UE-V Agent on users’ computers should then update as scheduled in the scheduled task. + +## Validate settings location templates with the UE-V template generator + + +It is possible to create or edit settings location templates in an XML editor without using the UE-V template generator. If you do, you can use the UE-V template generator to validate that the new or revised XML matches the schema that has been defined for the template. + +**To validate a UE-V settings location template with the UE-V template generator** + +1. 
Open the **Start** menu and navigate to **Windows Kits** > **Microsoft User Experience Virtualization (UE-V) Template Generator** to open the template generator. + +2. Click **Validate a settings location template**. + +3. In the list of recently used templates, select the template to be edited. Alternatively, you can **Browse** to the settings template file. Click **Next** to continue. + +4. Click **Validate** to continue. + +5. Click **Close** to close the Settings Template Wizard. Exit the UE-V template generator application. + + After you validate the settings location template for an application, you should test the template. Deploy the template in a lab environment before you put it into a production environment in enterprise. + +## Share settings location templates with the Template Gallery + + +The UE-V template gallery enables administrators to share their UE-V settings location templates. Upload your settings location templates to the gallery for other users to use, and download templates that other users have created. The UE-V template gallery is located on Microsoft TechNet [here](http://go.microsoft.com/fwlink/p/?LinkId=246589). + +Before you share a settings location template on the UE-V template gallery, ensure it does not contain any personal or company information. You can use any XML viewer to open and view the contents of a settings location template file. The following template values should be reviewed before you share a template with anyone outside your company. + +- Template Author Name – Specify a general, non-identifying name for the template author name or exclude this data from the template. + +- Template Author Email – Specify a general, non-identifying template author email or exclude this data from the template. 
+ +Before you deploy any settings location template that you have downloaded from the UE-V gallery, you should first test the template to ensure that the application settings synchronize settings correctly in a test environment. + +## Have a suggestion for UE-V? + + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). + +## Related topics + + +[Administering UE-V](uev-administering-uev.md) + +[Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md) + +  + +  + + + + + diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md index 2870bbda8a..90469e91a6 100644 --- a/windows/manage/update-windows-store-for-business-account-settings.md +++ b/windows/manage/update-windows-store-for-business-account-settings.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +localizationpriority: high --- # Update Windows Store for Business account settings @@ -109,7 +110,7 @@ Not all cards available in all countries. When you add a payment option, Store f **To add a new payment option** 1. Sign in to [Store for Business](http://businessstore.microsoft.com). -2. Click **Settings**, and then click **Account information**. +2. Click **Manage**, and then click **Account information**. 3. Under **My payment options**, tap or click **Show my payment options**, and then select the type of credit card that you want to add. 4. Add information to any required fields, and then click **Next**. @@ -117,13 +118,13 @@ Once you click Next, the information you provided will be validated with a tes **Note**: 
    When adding credit or debit cards, you may be prompted to enter a CVV . The CVV is only used for verification purposes and is not stored in our systems after validation. -**To update a payment option**: +**To update a payment option** 1. Sign in to [Store for Business](http://businessstore.microsoft.com). -2. Click **Settings**, and then click **Account information**. -3. Under My payment options > Credit Cards, select the payment option that you want to update, and then click Update. -4. Enter any updated information in the appropriate fields, and then click Next. -Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. +2. Click **Manage**, and then click **Account information**. +3. Under **My payment options** > **Credit Cards**, select the payment option that you want to update, and then click **Update**. +4. Enter any updated information in the appropriate fields, and then click **Next**. +Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. **Note**:
     Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time or have a low balance. @@ -131,6 +132,14 @@ Once you click Next, the information you provided will be validated with a tes Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. +Admins can decide whether or not offline licenses are shown for apps in Windows Store for Business. + +**To set offline license visibility** + +1. Sign in to [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then click **Account information**. +3. Under **Offline licensing**, click **Show offline licensed apps to people shopping in the store** to show availability for both online and offline licenses. + You have the following distribution options for offline-licensed apps: - Include the app in a provisioning package, and then use it as part of imaging a device. - Distribute the app through a management tool. diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md index 3053aedc09..a7d4e10a34 100644 --- a/windows/manage/windows-10-mobile-and-mdm.md +++ b/windows/manage/windows-10-mobile-and-mdm.md 
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile, devices, security author: AMeeus +localizationpriority: high --- # Windows 10 Mobile and mobile device management
diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md
index 34e40d5095..c41206fb4c 100644
--- a/windows/manage/windows-10-start-layout-options-and-policies.md
+++ b/windows/manage/windows-10-start-layout-options-and-policies.md 
@@ -1,26 +1,29 @@ --- -title: Manage Windows 10 Start layout options (Windows 10) -description: Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. +title: Manage Windows 10 Start and taskbar layout (Windows 10) +description: Organizations might want to deploy a customized Start and taskbar layout to devices running Windows 10 Enterprise or Windows 10 Education. ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A keywords: ["start screen", "start menu"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS +localizationpriority: medium --- -# Manage Windows 10 Start layout options +# Manage Windows 10 Start and taskbar layout **Applies to** - Windows 10 -**Looking for consumer information?** +> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu) -- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630) +Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. -Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. +> **Note:** Taskbar configuration is available starting in Windows 10, version 1607. + +## Start options ![start layout sections](images/startannotated.png) 
@@ -29,11 +32,6 @@ Some areas of Start can be managed using Group Policy. The layout of Start tiles The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table. -----
@@ -93,8 +91,8 @@ The following table lists the different parts of Start and any applicable policy

    Group Policy: Start layout

    Group Policy: Prevent users from customizing their Start Screen

    -Warning   -

    Start layout can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which Start layout was created. When a Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the All Apps view, but they cannot pin any apps to the Start screen.

    +Note   +

    When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the All Apps view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

    Start layout policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar.

      @@ -120,18 +118,57 @@ The following table lists the different parts of Start and any applicable policy
    Start
    -  + ## Taskbar options + +Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region. + +There are three categories of apps that might be pinned to a taskbar: +* Apps pinned by the user +* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store) +* Apps pinned by the enterprise, such as in an unattended Windows setup + + **Note**   + The earlier method of using [TaskbarLinks](http://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. + +The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). + +> **Note**  In operating systems configured to use a right-to-left language, the taskbar order will be reversed. + +![Windows left, user center, enterprise to the right](images/taskbar-generic.png) + +Whether you apply the taskbar configuration to a clean install or an update, users will still be able to: +* Pin additional apps +* Change the order of pinned apps +* Unpin any app + +### Taskbar configuration applied to clean install of Windows 10 + +In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied. + +### Taskbar configuration applied to Windows 10 upgrades + +When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup. 
+ +The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior: +* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right. +* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned. +* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right. +* New apps specified in updated layout file are pinned to right of user's pinned apps. + + ## Related topics [Customize and export Start layout](customize-and-export-start-layout.md) -[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) + +[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) -[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) diff --git a/windows/manage/windows-spotlight.md b/windows/manage/windows-spotlight.md new file mode 100644 index 0000000000..2af7597418 --- /dev/null +++ b/windows/manage/windows-spotlight.md 
@@ -0,0 +1,78 @@ +--- +title: Windows Spotlight on the lock screen (Windows 10) +description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. +ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A +keywords: ["lockscreen"] +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +--- + +# Windows Spotlight on the lock screen + + +**Applies to** + +- Windows 10 + +Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. + +For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. + +## What does Windows Spotlight include? + + +- **Background image** + + The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis. + + ![lock screen image](images/lockscreen.png) + +- **Feature suggestions, fun facts, tips** + + The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. + +## How do you turn off Windows spotlight locally? + + +To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background + +![personalization background](images/spotlight.png) + +## How do you disable Windows Spotlight for managed devices? 
+ + +Windows 10, version 1607, provides three new Group Policy settings to help you manage Spotlight on employees' computers. + +**Windows 10 Pro, Enterprise, and Education** + +- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services. + +**Windows 10 Enterprise and Education** + +* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Spotlight features in a single setting. +* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.) + +Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + +![lockscreen policy details](images/lockscreenpolicy.png) + +Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image. + +![fun facts](images/funfacts.png) + +## Related topics + + +[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md) + +  + +  + + + + + 
diff --git a/windows/manage/windows-store-for-business-overview.md b/windows/manage/windows-store-for-business-overview.md
new file mode 100644
index 0000000000..c6213c2a9e
--- /dev/null
+++ b/windows/manage/windows-store-for-business-overview.md 
@@ -0,0 +1,278 @@ +--- +title: Windows Store for Business overview (Windows 10) +description: With the new Windows Store for Business, organizations can make volume purchases of Windows apps. +ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C +ms.prod: w10 +ms.pagetype: store, mobile +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +localizationpriority: high +--- + +# Windows Store for Business overview + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. + +## Features + + +Organizations of any size can benefit from using the Store for Business provides: + +- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Businessare available to you, or you can integrate the Store for Businesswith management tools, for greater control over access to apps and app updates. You can use existing work or school accounts. + +- **Bulk app acquisition** - Acquire apps in volume from the Store for Business. + +- **Private store** - Curate a private store for your business that’s easily available from any Windows 10 device. + +- **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices: + + - Distribute through Store for Business services. You can assign apps to individual employees, or make apps available to all employees in your private store. 
+ + - Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images. + + - Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images. + +- **Line-of-business apps** - Privately add and distribute your internal line-of-business apps using any of the distribution options. + +- **App license management**: Admins can reclaim and reuse app licenses. Online and offline licenses allow you to customize how you decide to deploy apps. + +- **Up-to-date apps** - The Store for Business manages the update process for apps with online licenses. Apps are automatically updated so you are always current with the most recent software updates and product features. Store for Business apps also uninstall cleanly, without leaving behind extra files, for times when you need to switch apps for specific employees. + +## Prerequisites + + +You'll need this software to work with the Store for Business. + +### Required + +- IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox. + +- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device. + +Microsoft Azure Active Directory (AD) accounts for your employees: + +- Admins need Azure AD accounts to sign up for the Store for Business, and then to sign in, get apps, distribute apps, and manage app licenses. + +- Employees need Azure AD account when they access Store for Business content from Windows devices. + +- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account + +- For offline-licensed apps, Azure AD accounts are not required for employees. 
+ +For more information on Azure AD, see [About Office 365 and Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](http://go.microsoft.com/fwlink/p/?LinkId=708611). + +### Optional + +While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools: + +- Need to integrate with Windows 10 management framework and Azure AD. + +- Need to sync with the Store for Business inventory to distribute apps. + +## How does the Store for Business work? + + +### Sign up! + +The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization. + +For more information, see [Sign up for the Store for Business](../manage/sign-up-windows-store-for-business.md). + +### Set up + +After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    PermissionAccount settingsAcquire appsDistribute appsDevice Guard signing

    Admin

    X

    X

    X

    Purchaser

    X

    X

    Device Guard signer

    X

    + + + +In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md). + +Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business. + +### Get apps and content + +Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. + +**App types** -- These app types are supported in the Store for Business: + +- Universal Windows Platform apps + +- Universal Windows apps, by device: Phone, Surface Hub, IOT devices , HoloLens + +Apps purchased from the Store for Business only work on Windows 10 devices. + +Line-of-business (LOB) apps are also supported via the Business store. You can invite IT developers or ISVs to be LOB publishers for your organization. This allows them to submit apps via the developer center that are only available to your organization. These apps can be distributed using the distribution methods discussed in this topic. For more information, see Working with Line-of-Business apps. + +**App licensing model** + +The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. 
ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. + +For more information, see [Apps in the Store for Business](../manage/apps-in-windows-store-for-business.md#licensing-model). + +### Distribute apps and content + +App distribution is handled through two channels, either through the Store for Business, or using a management tool. You can use either or both distribution methods in your organization. + +**Using the Store for Business** – Distribution options for the Store for Business: + +- Email link – After purchasing an app, admins can send employees a link in an email message. Employees can click the link to install the app. + +- Curate private store for all employees – A private store can include content you’ve purchased from the Store, and your line-of-business apps that you’ve submitted to the Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed. + +- To use the options above users must be signed in with an Azure AD account on a Windows 10 device. + +**Using a management tool** – For larger organizations that might want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options: + +- Scoped content distribution – Ability to scope content distribution to specific groups of employees. + +- Install apps for employees – Employees are not responsible for installing apps. Management tool installs apps for employees. + +Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata, management tools can enable portals or apps as a destination for employees to acquire apps. 
+ +For more information, see [Distribute apps to your employees from the Store for Business](../manage/distribute-apps-to-your-employees-windows-store-for-business.md). + +### Manage Store for Business settings and content + +Once you are signed up with the Business store and have purchased apps, Admins can manage Store for Business settings and inventory. + +**Manage Store for Business settings** + +- Assign and change roles for employees or groups + +- Device Guard signing + +- Register a management server to deploy and install content + +- Manage relationships with LOB publishers + +- Manage offline licenses + +- Update the name of your private store + +**Manage inventory** + +- Assign app licenses to employees + +- Reclaim and reassign app licenses + +- Manage app updates for all apps, or customize updates for each app. Online apps will automatically update from the Store. Offline apps can be updated using a management server. + +- Download apps for offline installs + +For more information, see [Manage settings in the Store for Business](../manage/manage-settings-windows-store-for-business.md) and [Manage apps](../manage/manage-apps-windows-store-for-business-overview.md). + +## Supported markets + + +Store for Business is currently available in these markets. 
+ +|Country or locale|Paid apps|Free apps| +|-----------------|---------|---------| +|Argentina|X|X| +|Australia|X|X| +|Austria|X|X| +|Belgium (Dutch, French)|X|X| +|Brazil| |X| +|Canada (English, French)|X|X| +|Chile|X|X| +|Columbia|X|X| +|Croatia|X|X| +|Czech Republic|X|X| +|Denmark|X|X| +|Finland|X|X| +|France|X|X| +|Germany|X|X| +|Greece|X|X| +|Hong Kong SAR|X|X| +|Hungary|X|X| +|India| |X| +|Indonesia|X|X| +|Ireland|X|X| +|Italy|X|X| +|Japan|X|X| +|Malaysia|X|X| +|Mexico|X|X| +|Netherlands|X|X| +|New Zealand|X|X| +|Norway|X|X| +|Philippines|X|X| +|Poland|X|X| +|Portugal|X|X| +|Romania|X|X| +|Russia| |X| +|Singapore|X|X| +|Slovakia|X|X| +|South Africa|X|X| +|Spain|X|X| +|Sweden|X|X| +|Switzerland (French, German)|X|X| +|Taiwan| |X| +|Thailand|X|X| +|Turkey|X|X| +|Ukraine| |X| +|United Kingdom|X|X| +|United States|X|X| +|Vietnam|X|X| + +## ISVs and the Store for Business + + +Developers in your organization, or ISVs can create content specific to your organization. In the Store for Business, we call these app line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this: + +- Admin invites devs to be LOB publishers for your organization. These devs can be internal devs, or external ISVs. + +- LOB publishers accept the invitation, develop apps, and submits the app to the Windows Dev Center. LOB publishers use Enterprise associations when submitting the app to make the app exclusive to your organization. + +- Admin adds the app to Store for Business inventory. + +Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in the Store for Business. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in the Store for Business will work only on Windows 10. + +For more information on line-of-business apps, see [Working with Line-of-Business apps](../manage/working-with-line-of-business-apps.md). 
diff --git a/windows/manage/windows-store-for-business.md b/windows/manage/windows-store-for-business.md
index d3a4044273..67a6d43bab 100644
--- a/windows/manage/windows-store-for-business.md
+++ b/windows/manage/windows-store-for-business.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
+localizationpriority: high
 ---
 
 # Windows Store for Business
diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md
index f780a06748..e0d0c284fe 100644
--- a/windows/manage/working-with-line-of-business-apps.md
+++ b/windows/manage/working-with-line-of-business-apps.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
+localizationpriority: high
 ---
 
 # Working with line-of-business apps
@@ -80,7 +81,7 @@ After an app is published and available in the Store, ISVs publish an updated ve
 5. Click **Save** to save your changes and start the app submission process.
 
 For more information, see [Organizational licensing options]( http://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](http://go.microsoft.com/fwlink/p/?LinkId=627543).
-**Note** In order to get the LOB app, the organization must be located in a [supported market](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-store-for-business-overview#supported-markets), and you must not have excluded that market when submitting your app.
+**Note** In order to get the LOB app, the organization must be located in a [supported market](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview#supported-markets), and you must not have excluded that market when submitting your app.
 
 ### Add app to inventory (admin)
diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md
index fc128ba315..7118e1238c 100644
--- a/windows/plan/TOC.md
+++ b/windows/plan/TOC.md
@@ -1,5 +1,4 @@
 # [Plan for Windows 10 deployment](index.md)
-## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md)
 ## [Windows 10 servicing overview](windows-10-servicing-options.md)
 ## [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
 ## [Windows 10 compatibility](windows-10-compatibility.md)
@@ -109,4 +108,4 @@
 ### [ACT Product and Documentation Resources](act-product-and-documentation-resources.md)
 ### [ACT Glossary](act-glossary.md)
 ### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
-
+## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md)
\ No newline at end of file
diff --git a/windows/plan/act-community-ratings-and-process.md b/windows/plan/act-community-ratings-and-process.md
index 6d28ac6493..e9c34a2026 100644
--- a/windows/plan/act-community-ratings-and-process.md
+++ b/windows/plan/act-community-ratings-and-process.md
@@ -1,48 +1,5 @@ --- title: ACT Community Ratings and Process (Windows 10) description: The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members. -ms.assetid: be6c8c71-785b-4adf-a375-64ca7d24e26c -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: appcompat -author: TrudyHa ---- - -# ACT Community Ratings and Process - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members. - -When you access the Microsoft Compatibility Exchange as a registered ACT Community member, you can upload your compatibility data to the community and download issues from other ACT Community members. For information about how compatibility ratings are entered, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). - -ACT takes your information and combines it with all of the information provided by the other ACT Community users and shows the average rating as a color gradient from one to five bars. - -![act community](images/dep-win8-e-act-communityexample.gif) - -## Process for Synchronizing Compatibility Ratings - - -The following diagram shows the process for synchronizing compatibility ratings with the ACT Community. - -You have the option to exclude applications from being shared with the Microsoft Compatibility Exchange. However, you will not get compatibility ratings from the ACT Community for any application that you exclude. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). 
- -![act community workflow](images/dep-win8-l-act-communityworkflowdiagram.jpg) - -  - -  - - - - -
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-database-configuration.md b/windows/plan/act-database-configuration.md
index dc8103e03e..7c07865d8a 100644
--- a/windows/plan/act-database-configuration.md
+++ b/windows/plan/act-database-configuration.md
@@ -1,85 +1,5 @@ --- title: ACT Database Configuration (Windows 10) description: The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data. -ms.assetid: 032bbfe0-86fa-48ff-b638-b9d6a908c45e -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# ACT Database Configuration - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data. If you do not use Microsoft SQL Server, you can download and install Microsoft SQL Server Express. For information about creating Microsoft SQL Server databases, see [Administering the Database Engine](http://go.microsoft.com/fwlink/p/?LinkId=64169). - -## ACT Database Creation - - -You can create the ACT database by using one of the following methods: - -- Run Application Compatibility Manager (ACM), and then use the ACT Configuration Wizard to create a new database. - - -or- - -- Run the CreateDB.sql file, located at %SYSTEMDRIVE%\\ProgramData\\Microsoft\\Application Compatibility Toolkit\\CreateDB.sql. - -### ACT Database Permissions - -You must assign the following database roles to the following accounts. - -- To the user and local service accounts that will run the ACT Log Processing Service (LPS), assign the db\_datareader, db\_datawriter, and db\_owner database roles. - -- To the user account that will run Application Compatibility Manager (ACM), assign the db\_datareader and db\_datawriter database roles. - -Alternatively, grant the following explicit permissions to each user that will run the ACT LPS or ACM. 
- -- SELECT - -- INSERT - -- UPDATE - -- DELETE - -- EXECUTE - -### ACT Database Recommendations - -We also recommend that you make the following changes to the database as part of your deployment planning: - -- **Create a larger database, including a larger log file–size setting, and then set the growth increments appropriately**. If you create a database with the default setting for data storage, the data portion of the database will have an initial size of 1 megabyte (MB), and a growth increment of 1 MB. If you create a database with the default setting for log file storage, the log file portion of the database will have an initial size of 1 MB and a growth increment of 10 percent. We recommend that you maintain a data-to-log file ratio of 5:1 or 4:1. For example, if your data portion is 5 gigabytes (GB), your log file portion should be 1 GB. - -- **Change the recovery model of your database**. The default recovery model is **Full**, but we recommend that you change the recovery model to **Simple** to improve performance and reduce disk space requirements. - -- **Store the data portion and log file portion of your ACT database on separate hard drives**. Unless otherwise specified by your SQL Administrator, the default is for the data and log files to be stored on the same hard drive. We recommend separating the data from the log files to reduce disk I/O contention. - -## Related topics - - -[ACT Tools, Packages, and Services](act-tools-packages-and-services.md) - -[ACT Deployment Options](act-deployment-options.md) - -[ACT Database Migration](act-database-migration.md) - -[ACT LPS Share Permissions](act-lps-share-permissions.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/act-database-migration.md b/windows/plan/act-database-migration.md index 4b4009c05e..e8b5e9b74f 100644 --- a/windows/plan/act-database-migration.md 
+++ b/windows/plan/act-database-migration.md 
@@ -1,68 +1,5 @@ --- title: ACT Database Migration (Windows 10) description: The schema for an ACT database can change when ACT is updated or when a new version of ACT is released. -ms.assetid: b13369b4-1fb7-4889-b0b8-6d0ab61aac3d -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# ACT Database Migration - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The schema for an ACT database can change when ACT is updated or when a new version of ACT is released. If the schema for an ACT database does not match the current schema, you can migrate the compatibility data to a new database. You can then use the current version of ACT to open the new database. - -To create the new database, you must have database-creation permissions on the instance of SQL Server. - -## Migrating Compatibility Data from an ACT Database - - -You can migrate compatibility data from an ACT database to a new database by using one of the following methods: - -- Run Application Compatibility Manager (ACM), and then use the ACT Configuration Wizard to open the database. The wizard guides you through migrating the compatibility data to a new database. - -- Run the MigrateDB.sql file, located at %SYSTEMDRIVE%\\ProgramData\\Microsoft\\Application Compatibility Toolkit\\MigrateDB.sql.. The following table shows the location of the MigrateDB.sql file. - -## Database Migration from ACT 5.6 - - -When you migrate compatibility data from an ACT 5.6 database to a new database, the following information is excluded from the migration: - -- Issues that were reported by ACT 5.6 data-collection packages (DCPs). - -- Solutions that correspond to issues reported by ACT 5.6 DCPs. - -- Lists of file names that ACT 5.6 associated with each application. - -You cannot migrate any compatibility data from ACT databases that were created on a version of ACT before ACT 5.6. 
- -## Related topics - - -[ACT Tools, Packages, and Services](act-tools-packages-and-services.md) - -[ACT Deployment Options](act-deployment-options.md) - -[ACT Database Configuration](act-database-configuration.md) - -[ACT LPS Share Permissions](act-lps-share-permissions.md) - -  - -  - - - - -
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-deployment-options.md b/windows/plan/act-deployment-options.md
index 32bb1e10f0..a550b72152 100644
--- a/windows/plan/act-deployment-options.md
+++ b/windows/plan/act-deployment-options.md
@@ -1,61 +1,5 @@ --- title: ACT Deployment Options (Windows 10) description: While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT. -ms.assetid: 90d56dd8-8d57-44e8-bf7a-29aabede45ba -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# ACT Deployment Options - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT. - -The following diagram shows supported deployment options for an ACT installation. The options listed first are the most highly recommended. - -![act supported topologies](images/dep-win8-l-act-supportedtopologies.jpg) - -## Collecting Data Across Domains - - -If you plan to deploy inventory-collector packages to computers running Windows XP, where some of the computers are on a different domain than the ACT LPS share, do one of the following: - -- Set up a separate ACT LPS share on each domain and configure the inventory-collector package to upload log files to the ACT LPS share on the same domain. - -- Set up a single ACT LPS share on one computer. On the computer that hosts the share, use Group Policy to allow connections from anonymous users. - -These steps are not necessary if the computers where you deploy inventory-collector packages are running Windows Vista, Windows 7, Windows 8, Windows 8.1, or Windows 10. - -If you choose to have distributed logging with a subsequent step of moving log files to your central share, move the files to the central share before processing the files. You can move the files manually or use a technology like Distributed File-System Replication (DFSR). 
- -## Related topics - - -[ACT Tools, Packages, and Services](act-tools-packages-and-services.md) - -[ACT Database Configuration](act-database-configuration.md) - -[ACT Database Migration](act-database-migration.md) - -[ACT LPS Share Permissions](act-lps-share-permissions.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/act-glossary.md b/windows/plan/act-glossary.md index 87b42aab6e..17f66a70be 100644 --- a/windows/plan/act-glossary.md +++ b/windows/plan/act-glossary.md @@ -1,118 +1,5 @@ --- title: ACT Glossary (Windows 10) description: The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT). -ms.assetid: 984d1cce-c1ac-4aa8-839a-a23e15da6f32 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# ACT Glossary - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT). - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TermDefinition

    ACT Community

    An online environment that enables ACT users to share issues and solution data with other registered ACT users.

    ACT Log Processing Service (LPS)

    The service that processes the log files uploaded from your client computers, adding the information to your ACT database.

    AppHelp message

    A type of compatibility fix. An AppHelp message is designed to appear when a user starts an application that has compatibility issues. The message can prevent the application from starting, or simply provide information about compatibility issues in the application.

    Application Compatibility Manager (ACM)

    The user interface that enables you to view reports generated from the ACT database. This is also where you create data-collection packages.

    Compatibility Administrator

    A tool that enables you to create and deploy compatibility fixes, compatibility modes, and AppHelp messages, to resolve your compatibility issues.

    compatibility fix

    A small piece of code that intercepts API calls from applications, transforming them so that Windows will provide the same product support for the application as previous versions of the operating system. Previously known as a "shim".

    compatibility mode

    Group of compatibility fixes found to resolve many common application compatibility issues.

    compatibility solution

    The solution to a known compatibility issue, as entered by the user, Microsoft, or a vendor.

    data-collection package

    A Windows installer (.msi) file created by Application Compatibility Manager (ACM) for deploying to each of your client computers. Data-collection packages include inventory collection packages and runtime analysis packages.

    deployment

    The process of distributing and installing a software program throughout an entire organization. A deployment is not the same as a pilot, which is where you provide the software application to a smaller group of users to identify and evaluate problems that might occur during the actual deployment.

    independent software vendor (ISV)

    An individual or an organization that independently creates computer software.

    inventory-collector package

    A package that examines each of your organization's computers to identify the installed applications and system information. You can view the results on the Analyze screen in ACM.

    Microsoft Compatibility Exchange

    A web service that transfers compatibility information between Microsoft and the ACT database.

    runtime-analysis package

    A data-collection package that you deploy to computers in a test environment for compatibility testing. The runtime-analysis package includes tools for monitoring applications for compatibility issues and submitting compatibility feedback.

    session 0

    The session that is used for all of the system services. Previously, users could run in Session 0 without issues; however, this was changed in Windows Vista so that all users are now required to run in Session 1 or later.

    shim

    See Other Term: compatibility fix

    User Account Control (UAC)

    A security feature that helps prevent unauthorized changes to a computer, by asking the user for permission or administrator credentials before performing actions that could potentially affect the computer's operation or that change settings that affect multiple users.

- -  - -  - -  - - - - -
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-lps-share-permissions.md b/windows/plan/act-lps-share-permissions.md
index f2496dc915..37a6534881 100644
--- a/windows/plan/act-lps-share-permissions.md
+++ b/windows/plan/act-lps-share-permissions.md
@@ -1,76 +1,5 @@ --- title: ACT LPS Share Permissions (Windows 10) description: To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level. -ms.assetid: 51f6ddf7-f424-4abe-a0e0-71fe616f9e84 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# ACT LPS Share Permissions - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level. - -## Share-Level Permissions - - -The **Everyone** group must have **Change** and **Read** permissions to the ACT LPS share. - -**To set the share-level permissions** - -1. Browse to the ACT LPS share, right-click the folder, and select **Properties**. - -2. Click the **Sharing** tab, share the folder, and then click **Permissions**. - -3. Add the **Everyone** group if it is not already listed, and then select the **Change** and **Read** check boxes in the **Allow** column. - -## Folder-Level Permissions (NTFS Only) - - -The **Everyone** group must have **Write** access to the ACT LPS share. - -The ACT Log Processing Service account must have **List Folder Contents**, **Read**, and **Write** permissions. - -- If the ACT Log Processing Service account is **Local System Account**, apply the permissions to the *<domain>*\\*<computer>*$ account. - -- If the ACT Log Processing Service is a user account, apply the permissions to the specific user. - -**To set the folder-level permissions** - -1. In Windows Explorer, right-click the folder for the ACT LPS share, and then click **Properties**. - -2. Click the **Security** tab, add the account that runs the ACT Log Processing Service, and then select the **List Folder Contents**, **Read**, and **Write** check boxes in the **Allow** column. - -3. 
Add the **Everyone** group if it is not already listed, and then select the **Write** check box in the **Allow** column. - -## Related topics - - -[ACT Tools, Packages, and Services](act-tools-packages-and-services.md) - -[ACT Deployment Options](act-deployment-options.md) - -[ACT Database Configuration](act-database-configuration.md) - -[ACT Database Migration](act-database-migration.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/act-operatingsystem-application-report.md b/windows/plan/act-operatingsystem-application-report.md index 3c0f49d348..62da93a40d 100644 --- a/windows/plan/act-operatingsystem-application-report.md +++ b/windows/plan/act-operatingsystem-application-report.md 
@@ -1,80 +1,5 @@ --- title: OperatingSystem - Application Report (Windows 10) description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. -ms.assetid: 9721485b-6092-4974-8cfe-c84472237a57 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# <OperatingSystem> - Application Report - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. - -The **<OperatingSystem> - Application Report** screen shows the following information for the applications from which you have collected data: - -- The application name, application vendor, and application version. - -- Your organization’s compatibility rating for the application. - -- Compatibility ratings from users in your organization who are using a runtime analysis package to test the application. - -- Whether the information for the application is included in the synchronization process with the Microsoft Compatibility Exchange. - -- Compatibility information for the application from the application vendor. - -- Compatibility ratings from the ACT Community, if you are a member of the ACT Community. To join the ACT Community, see [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md). - -- The count of active issues for the application. - -- The count of computers in your organization on which the application is installed. - -**To open the <OperatingSystem> - Application Report screen** - -1. In ACM, on the **Quick Reports** pane, click **Analyze**. - -2. In the **Quick Reports** pane, under an operating system heading, click **Applications**. 
- -## Using the <OperatingSystem> - Application Report Screen - - -On the **<OperatingSystem> - Application Report** screen, you can perform the following actions: - -- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md). - -- Choose whether to synchronize data for each application with the Microsoft Compatibility Exchange. For more information, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md). - -- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). - -- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md). - -- Select your compatibility rating for an application. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). - -- Select your deployment status for an application. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md). - -- Assign categories and subcategories to an application. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). - -- Specify the importance of an application to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). - -- Double-click an application name to view the associated dialog box. For more information, see [<Application> Dialog Box](application-dialog-box.md). - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file 
diff --git a/windows/plan/act-operatingsystem-computer-report.md b/windows/plan/act-operatingsystem-computer-report.md
index 3547b28c17..bf508ee97a 100644
--- a/windows/plan/act-operatingsystem-computer-report.md
+++ b/windows/plan/act-operatingsystem-computer-report.md
@@ -1,62 +1,5 @@ --- title: OperatingSystem - Computer Report (Windows 10) -ms.assetid: ed0a56fc-9f2a-4df0-8cef-3a09d6616de8 -description: -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# <OperatingSystem> - Computer Report - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The **<OperatingSystem> - Computer Report** screen shows the following information for each computer in your organization: - -- The computer name, domain, and operating system. - -- The count of applications and devices installed on the computer. - -- The count of installed applications and devices that have issues. - -**To open the <OperatingSystem> - Computer Report screen** - -1. In Application Compatibility Manager (ACM), on the **Quick Reports** pane, click **Analyze**. - -2. In the **Quick Reports** pane, under an operating system heading, click **Computers**. - -## Using the <OperatingSystem> - Computer Report Screen - - -On the **<OperatingSystem> - Computer Report** screen, you can perform the following actions: - -- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md). - -- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). - -- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md). - -- Assign categories and subcategories to a computer. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). - -- Specify the importance of a computer to your organization. 
For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). - -- Double-click a computer name to view its associated dialog box. For more information, see [<Computer> Dialog Box](computer-dialog-box.md). - -  - -  - - - - - +description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/act-operatingsystem-device-report.md b/windows/plan/act-operatingsystem-device-report.md index 67e74536c6..6668aa3041 100644 --- a/windows/plan/act-operatingsystem-device-report.md +++ b/windows/plan/act-operatingsystem-device-report.md 
@@ -1,64 +1,5 @@ --- title: OperatingSystem - Device Report (Windows 10) -ms.assetid: 8b5a936f-a92e-46a7-ac44-6edace262355 -description: -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# <OperatingSystem> - Device Report - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The **<OperatingSystem> - Device Report** screen shows the following information for each device installed in your organization: - -- The model and manufacturer of the device. - -- The class of device, as reported by the device. - -- An evaluation from the device manufacturer of whether the device works on a 32-bit operating system or a 64-bit operating system. - -- The count of computers on which the device is installed. - -**To open the <OperatingSystem> - Device Report screen** - -1. In Application Compatibility Manager (ACM), on the **Quick Reports** pane, click **Analyze**. - -2. In the **Quick Reports** pane, under an operating system heading, click **Devices**. - -## Using the <OperatingSystem> - Device Report Screen - - -On the **<OperatingSystem> - Device Report** screen, you can: - -- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md). - -- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). - -- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md). - -- Assign categories and subcategories to a device. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). - -- Specify the importance of a device to your organization. 
For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). - -- Double-click a device name to view its associated dialog box. For more information, see [<Device> Dialog Box](device-dialog-box.md). - -  - -  - - - - - +description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/act-product-and-documentation-resources.md b/windows/plan/act-product-and-documentation-resources.md index 02677af71d..2c3290db5b 100644 --- a/windows/plan/act-product-and-documentation-resources.md +++ b/windows/plan/act-product-and-documentation-resources.md 
@@ -1,62 +1,8 @@ --- title: ACT Product and Documentation Resources (Windows 10) description: The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT). -ms.assetid: c7954b5a-164d-4548-af58-cd3a1de5cc43 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics --- - -# ACT Product and Documentation Resources - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT). - -## Information Related to the Application Compatibility Toolkit - - -- [Microsoft SQL Server](http://go.microsoft.com/fwlink/p/?LinkId=184584). Use Microsoft SQL Server to take full advantage of ACT features. Visit the SQL Server home page for product information, technical resources, and support. - -- [Microsoft SQL Server Express Edition](http://go.microsoft.com/fwlink/p/?LinkId=690325). If you are not already running SQL Server, download a free version of SQL Server Express and its management tools. - -- [Microsoft System Center Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=690326). Visit the System Center Configuration Manager home page for product information, technical resources, and support. - -- [Microsoft Application Verifier](http://go.microsoft.com/fwlink/p/?LinkId=52529). Application Verifier is required by the Standard User Analyzer tool. - -## Information About Application Compatibility - - -- [Application Compatibility home page](http://go.microsoft.com/fwlink/p/?LinkId=184586). Go here for general application compatibility information, including videos, key resources, advice, and technical guidance. 
- -- [Windows Developer Center home page](http://go.microsoft.com/fwlink/p/?LinkId=184587). Find information about the Windows SDK, including how to develop your application, how to get help with compatibility issues, and other development-related content. - -## Information About Windows Deployment - - -- [Microsoft Deployment Toolkit](http://go.microsoft.com/fwlink/p/?LinkId=618117). Download the latest version of the Microsoft Deployment Toolkit (MDT) to assist with image creation and automated installation, reduce deployment time, standardize desktop and server images, limit service disruptions, reduce post-deployment help desk costs, and improve security and ongoing configuration management. - -- [Windows website](http://go.microsoft.com/fwlink/p/?LinkId=731). Visit the Windows home page for product information, technical resources, and support. - -## Related topics - - -[Troubleshooting ACT](troubleshooting-act.md) - -[Using ACT](using-act.md) - -[Software Requirements for ACT](software-requirements-for-act.md) -     diff --git a/windows/plan/act-settings-dialog-box-preferences-tab.md b/windows/plan/act-settings-dialog-box-preferences-tab.md index 6af88e476e..eaa5fec362 100644 --- a/windows/plan/act-settings-dialog-box-preferences-tab.md +++ b/windows/plan/act-settings-dialog-box-preferences-tab.md 
@@ -1,65 +1,5 @@ --- title: Settings Dialog Box - Preferences Tab (Windows 10) description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. -ms.assetid: deae2100-4110-4d72-b5ee-7c167f80bfa4 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Settings Dialog Box - Preferences Tab - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -To display the **Settings** dialog box, in Application Compatibility Manager (ACM), on the **Tools** menu, click **Settings**. - -In the **Settings** dialog box, on the **Preferences** tab, use the following controls to join or leave the ACT Community, send ACT usage data to Microsoft, or be notified when there are updates available for ACT. - -**Yes, I want to join the ACT Community** -If this check box is selected, you are a member of the ACT Community and can share application compatibility data with other ACT users. - -If this check box is cleared, you still receive compatibility data from the Microsoft compatibility database, but not from other ACT users. - -For more information about the ACT Community, see [ACT Community Ratings and Process](act-community-ratings-and-process.md). - -**Send ACT usage data to Microsoft** -If this check box is selected, the following ACT usage data is sent to Microsoft: - -- The version of SQL Server being used by the ACT database. - -- The count of 32-bit or 64-bit computers in your organization. - -- The count of computers running a Windows operating system. - -- The operating systems you intend to deploy into your organization. - -- The count of computers to which you deployed data-collection packages. - -If this check box is cleared, your ACT usage data is not sent to Microsoft. 
- -**Notify me when a newer version of ACT is available (recommended)** -If this check box is selected, ACM notifies you when an update is available for ACT. - -## Related topics - - -[Settings Dialog Box - Settings Tab](act-settings-dialog-box-settings-tab.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/act-settings-dialog-box-settings-tab.md b/windows/plan/act-settings-dialog-box-settings-tab.md index 0f1b179b3c..30e7000dd2 100644 --- a/windows/plan/act-settings-dialog-box-settings-tab.md +++ b/windows/plan/act-settings-dialog-box-settings-tab.md 
@@ -1,66 +1,5 @@ --- title: Settings Dialog Box - Settings Tab (Windows 10) description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. -ms.assetid: aeec1647-cf91-4f8b-9f6d-dbf4b898d901 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Settings Dialog Box - Settings Tab - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -To display the **Settings** dialog box, in Application Compatibility Manager (ACM), on the **Tools** menu, click **Settings**. - -In the **Settings** dialog box, on the **Settings** tab, use the following controls to modify the settings for your ACT database and ACT Log Processing Service. - -**SQL Server** -Lists the database server name for the SQL Server database server that contains your ACT database. - -Click **Browse** to search for available database servers. A **Select Server** dialog box appears from which you can select the database server that contains your ACT database. - -**Database** -Lists the database name of your ACT database. - -**Change** -Opens the user interface where you can create, open, or migrate an ACT database. - -**This computer is configured as a Log Processing Service** -If selected, indicates that this computer is used for the ACT Log Processing Service. Clear this check box to use a different computer to process the logs. - -If there is no designated ACT Log Processing Service, log processing defaults to the local computer. - -**Log Processing Service Account** -Specifies the account information, including the account type and account credentials, to be used to start the ACT Log Processing Service. - -The account must have read and write access to the ACT database. 
For information about setting up database permissions for the ACT Log Processing Service, see [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md). - -**Log Share** -Specifies the absolute path to the ACT Log Processing Service share where log files are processed. Click **Browse** to search for a location. The **Share as** box automatically updates to show the directory name. - -For information about ensuring that all computers can access the share, see [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md). - -## Related topics - - -[Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/act-technical-reference.md b/windows/plan/act-technical-reference.md index c05f03fc92..29e311a2f5 100644 --- a/windows/plan/act-technical-reference.md +++ b/windows/plan/act-technical-reference.md 
@@ -13,77 +13,37 @@ author: TrudyHa **Applies to** +- Windows 10, version 1607 + +We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with Upgrade Analytics, a solution in the Microsoft Operations Management Suite. Upgrade Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. + +Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. + +Use Upgrade Analytics to get: +- A visual workflow that guides you from pilot to production -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 +- Detailed computer and application inventory -The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. +- Powerful computer level search and drill-downs -By using ACT, you can obtain compatibility information from Microsoft and software vendors, identify compatibility issues within your own organization, and share compatibility ratings with other ACT users. 
The tools in ACT help you analyze and mitigate compatibility issues before you deploy a version of Windows to your organization. +- Guidance and insights into application and driver compatibility issues, with suggested fixes -ACT is available in the [Windows Assessment and Deployment Kit (ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740). +- Data driven application rationalization tools + +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions + +- Data export to commonly used software deployment tools, including System Center Configuration Manager + +The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. For more information about Upgrade Analytics, see [Manage Windows upgrades with Upgrade Analytics](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) + +At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatiblility Administrator, which helps you to resolve potential compatibility issues. ## In this section - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Welcome to ACT](welcome-to-act.md)

    The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. With ACT, you can obtain compatibility information from Microsoft and software vendors, identify compatibility issues within your own organization, and share compatibility ratings with other ACT users. The tools in ACT help you analyze and mitigate compatibility issues before deploying a version of Windows to your organization.

    [Configuring ACT](configuring-act.md)

    This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization.

    [Using ACT](using-act.md)

    This section describes how to use the Application Compatibility Toolkit (ACT) in your organization.

    [Troubleshooting ACT](troubleshooting-act.md)

    This section provides troubleshooting information for the Application Compatibility Toolkit (ACT).

    [ACT User Interface Reference](act-user-interface-reference.md)

    This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT).

    [ACT Product and Documentation Resources](act-product-and-documentation-resources.md)

    The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT).

    [ACT Glossary](act-glossary.md)

    The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT).

    [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)

    You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions.

    - -  - -  - -  - - - - - +|Topic |Description | +|------|------------| +|[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. | +|[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. | +|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. | \ No newline at end of file diff --git a/windows/plan/act-toolbar-icons-in-acm.md b/windows/plan/act-toolbar-icons-in-acm.md index 9a0d2b3e79..bd6b97dcde 100644 --- a/windows/plan/act-toolbar-icons-in-acm.md +++ b/windows/plan/act-toolbar-icons-in-acm.md 
@@ -1,233 +1,5 @@ --- title: Toolbar Icons in ACM (Windows 10) description: The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM). -ms.assetid: 44872da1-c7ad-41b9-8323-d3c3f49b2706 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Toolbar Icons in ACM - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM). - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    IconDescriptionLocation
    ACT home icon

    Opens the Application Compatibility Manager Overview screen.

      -
    • Collect toolbar

    • -
    • Analyze toolbar

    • -
    ACT Create new DCP

    Opens the New Data Collection Package dialog box.

    -

    For more information, see [Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md).

      -
    • Collect toolbar

    • -
    ACT export DCP

    Exports your data-collection package settings.

    -

    For more information, see [Exporting a Data-Collection Package](exporting-a-data-collection-package.md).

      -
    • Collect toolbar

    • -
    ACT delete icon

    Deletes a data-collection package that has not yet run on your client computers.

    -

    For more information, see [Deleting a Data-Collection Package](deleting-a-data-collection-package.md).

      -
    • Collect toolbar

    • -
    ACT open icon

    Imports an existing compatibility report.

    -

    For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).

      -
    • Analyze toolbar

    • -
    ACT save report

    Saves a compatibility report, including your preferences and settings.

    -

    For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).

      -
    • Analyze toolbar

    • -
    ACT export report data

    Exports your report data to a Microsoft® Excel® spreadsheet (.xls) file.

    -

    For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).

      -
    • Analyze toolbar

    • -
    ACT send and receive

    Synchronizes your compatibility data with the Microsoft Compatibility Exchange.

    -

    For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).

      -
    • Analyze toolbar

    • -
    ACT filter data

    Turns the query builder on or off.

    -

    For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md).

      -
    • Analyze toolbar

    • -
    ACT Risk Assessment

    Opens the Set Assessment dialog box.

    -

    For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md).

      -
    • Analyze toolbar

    • -
    • Report Details toolbar

    • -
    ACT deployment status

    Opens the Set Deployment Status dialog box.

    -

    For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md).

      -
    • Analyze toolbar

    • -
    • Report Details toolbar

    • -
    ACT categorize icon

    Opens the Assign Categories dialog box.

    -

    For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).

      -
    • Analyze toolbar

    • -
    • Report Details toolbar

    • -
    ACT prioritize icon

    Opens the Assign Priorities dialog box.

    -

    For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).

      -
    • Analyze toolbar

    • -
    • Report Details toolbar

    • -
    ACT send and receive icon

    Opens the Send and Receive Status dialog box.

    -

    For more information, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md).

      -
    • Analyze toolbar

    • -
    • Report Details toolbar

    • -
    ACT Add issue icon

    Opens the Add Issue dialog box.

    -

    For more information, see [Adding or Editing an Issue](adding-or-editing-an-issue.md).

      -
    • Report Details toolbar

    • -
    ACT add solution

    Opens the Add Solution dialog box.

    -

    For more information, see [Adding or Editing a Solution](adding-or-editing-a-solution.md).

      -
    • Report Details toolbar

    • -
    ACT Save icon

    Saves a compatibility issue.

      -
    • Add Issue dialog box

    • -
    ACT Reactivate resolved issue icon

    Reactivates a resolved compatibility issue.

    -

    For more information, see [Resolving an Issue](resolving-an-issue.md).

      -
    • Add Issue dialog box

    • -
    ACT refresh icon

    Refreshes the screen. If you are using the query builder, updates the screen with the query results.

      -
    • Collect toolbar

    • -
    • Analyze toolbar

    • -
    • Data Collection Package - Status toolbar

    • -
    • Report Details toolbar

    • -
    ACT move up and down icons

    Enables you to scroll up and down the screen or dialog box information, showing the related details.

    -

    This button may not be available for all issues or information.

      -
    • Report Details toolbar

    • -
    • Add Issue dialog box

    • -
    • New Data Collection Package dialog box

    • -
    • Data Collection Package - Status toolbar

    • -
    ACT help icon

    Opens the online Help system.

      -
    • All screens

    • -
    - -  -
-## Related topics
- -
-[Ratings Icons in ACM](ratings-icons-in-acm.md)
- -  - -  - - - - -
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-tools-packages-and-services.md b/windows/plan/act-tools-packages-and-services.md
index bf9c2bf728..7e20751a4a 100644
--- a/windows/plan/act-tools-packages-and-services.md
+++ b/windows/plan/act-tools-packages-and-services.md
@@ -1,60 +1,5 @@
 ---
 title: ACT Tools, Packages, and Services (Windows 10)
 description: The Application Compatibility Toolkit is included with the Windows ADK. Download the Windows ADK.
-ms.assetid: f5a16548-7d7b-4be9-835e-c06158dd0b89
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# ACT Tools, Packages, and Services
- -
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Application Compatibility Toolkit is included with the Windows ADK. [Download the Windows ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
-
-ACT includes the following:
-
-- **Application Compatibility Manager (ACM):** A tool that you can use to create your data-collection packages and analyze the collected inventory and compatibility data.
-
-- **Inventory-collector package:** A data-collection package that can be deployed to computers to gather inventory data that will be uploaded to the ACT database.
-
-- **Runtime-analysis package:** A data-collection package that can be deployed to computers in a test environment for compatibility testing on the new operating system.
-
-- **ACT Log Processing Service (LPS):** A service that is used to process the ACT log files uploaded from the computers where your data-collection packages have been installed. The service adds the information to your ACT database.
-
-- **ACT LPS share:** A file share that is accessed by the ACT LPS, to store the log files that will be processed and added to the ACT database.
-
-- **ACT database:** A Microsoft® SQL Server database that stores the collected inventory and compatibility data. You can use ACM to view the information stored in the ACT database.
-
-- **Microsoft Compatibility Exchange:** A web service that propagates application-compatibility issues.
- -## Related topics - - -[ACT Deployment Options](act-deployment-options.md) - -[ACT Database Configuration](act-database-configuration.md) - -[ACT Database Migration](act-database-migration.md) - -[ACT LPS Share Permissions](act-lps-share-permissions.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/act-user-interface-reference.md b/windows/plan/act-user-interface-reference.md index ff28470715..affbef996f 100644 --- a/windows/plan/act-user-interface-reference.md +++ b/windows/plan/act-user-interface-reference.md @@ -1,74 +1,5 @@ --- title: ACT User Interface Reference (Windows 10) description: This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT). -ms.assetid: 303d3dd7-2cc1-4f5f-b032-b7e288b04893 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# ACT User Interface Reference - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT). - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Toolbar Icons in ACM](act-toolbar-icons-in-acm.md)

    The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM).

    [Ratings Icons in ACM](ratings-icons-in-acm.md)

    Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community.

    [Activating and Closing Windows in ACM](activating-and-closing-windows-in-acm.md)

    The Windows dialog box shows the windows that are open in Application Compatibility Manager (ACM).

    [Settings for ACM](settings-for-acm.md)

    This section provides information about settings that you can configure in Application Compatibility Manager (ACM).

    - -  - -## Related topics - - -[Using ACT](using-act.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/activating-and-closing-windows-in-acm.md b/windows/plan/activating-and-closing-windows-in-acm.md index dfa085659e..4640049e22 100644 --- a/windows/plan/activating-and-closing-windows-in-acm.md +++ b/windows/plan/activating-and-closing-windows-in-acm.md @@ -1,47 +1,8 @@ --- title: Activating and Closing Windows in ACM (Windows 10) description: The Windows dialog box shows the windows that are open in Application Compatibility Manager (ACM). -ms.assetid: 747bf356-d861-4ce7-933e-fa4ecfac7be5 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics --- - -# Activating and Closing Windows in ACM - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The **Windows** dialog box shows the windows that are open in Application Compatibility Manager (ACM). - -**To view a list of the open windows in ACM** - -- On the **Window** menu, click **Windows**. - -**To show an open window in ACM** - -- In the **Windows** dialog box, click the window name from the list of open windows, and then click **Activate**. - - The selected window appears on top of any others on your screen. - -**To close one or more windows in ACM** - -- In the **Windows** dialog box, click one or more window names from the list of open windows, and then click **Close Window(s)**. - -## Related topics - - -[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md) -     diff --git a/windows/plan/adding-or-editing-a-solution.md b/windows/plan/adding-or-editing-a-solution.md index f16e5237b2..b5a52a45c2 100644 
--- a/windows/plan/adding-or-editing-a-solution.md +++ b/windows/plan/adding-or-editing-a-solution.md @@ -1,105 +1,5 @@ --- title: Adding or Editing a Solution (Windows 10) description: If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation. -ms.assetid: 86cb8804-d577-4af6-b96f-5e0409784a23 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Adding or Editing a Solution - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation. - -## Adding Solutions for Compatibility Issues with Your Applications and Websites - - -You can view or add solutions only for applications or websites. - -**Note**   -The following examples use the **<Application\_Name>** dialog box. The procedures for websites are similar. - -  - -**To add a solution** - -1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application to display the **<Application\_Name>** dialog box. - -2. Click the **Issues** tab. - -3. On the **Actions** menu, click **Add Solution**. - -4. Enter the information from the following table, and then click **Save**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldDescription

    Title

    Can be up to 100 characters in length.

    Solution Type

    You must select a value from the list.

    Solution Details

    Information about your solution, including the steps to reproduce your fix.

    Solution Details URL

    URL for a page that shows more information about the solution.

    - -   - -**To edit an existing solution** - -1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application to display the <Application\_Name> dialog box. - -2. Click the **Issues** tab. - -3. Double-click the issue that includes the solution that you want to modify. - -4. Click the **Solutions** tab. - -5. Double-click the solution to edit. - -6. Modify the information about the solution, and then click **Save**. - - **Note**   - You can only modify your own solutions. You cannot modify solutions entered by other users. - -   - -  - -  - - - - -
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/adding-or-editing-an-issue.md b/windows/plan/adding-or-editing-an-issue.md
index 75e4e67390..08d2098675 100644
--- a/windows/plan/adding-or-editing-an-issue.md
+++ b/windows/plan/adding-or-editing-an-issue.md
@@ -1,115 +1,5 @@ --- title: Adding or Editing an Issue (Windows 10) description: In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover. -ms.assetid: 8a9fff79-9f88-4ce2-a4e6-b9382f28143d -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Adding or Editing an Issue - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover. - -You can use the Microsoft Compatibility Exchange to share compatibility information with others. For information about the Microsoft Compatibility Exchange, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). - -## Adding Issues for Your Applications and Websites - - -You can view or add issues only for applications or websites. - -**Note**   -The following examples use the **<Application\_Name>** dialog box. The procedures are similar for websites. - -  - -**To add an issue** - -1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application to display the **<Application\_Name>** dialog box. - -2. On the **Actions** menu, click **Add Issue**. - -3. Enter the information from the following table, and then click **Save**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldDescription

    Title

    Can be up to 256 characters in length.

    Priority

    You must select a value from the list.

    Severity

    You must select a value from the list.

    Symptom

    You must select a value from the list.

    Cause

    You must select a value from the list.

    Affected Operating Systems

    Operating systems on which the issue occurs. You must select at least one operating system.

    Issue Description

    Description of the issue, including the steps to reproduce the problem.

    Link to More Information

    URL for a page that shows more information about the issue.

    - -   - -**To edit an existing issue** - -1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application that includes the issue you want to modify. - -2. In the **<Application\_Name>** dialog box, click the **Issues** tab, and then double-click the specific issue to be edited. - -3. Modify the issue information, and then click **Save**. - - **Note**   - You can modify your own issues. You cannot modify issues entered by another user. - -   - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/analyzing-your-compatibility-data.md b/windows/plan/analyzing-your-compatibility-data.md index 30f6a43c24..2d69b55931 100644 --- a/windows/plan/analyzing-your-compatibility-data.md +++ b/windows/plan/analyzing-your-compatibility-data.md @@ -1,80 +1,5 @@ --- title: Analyzing Your Compatibility Data (Windows 10) description: This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM). -ms.assetid: b98f3d74-fe22-41a2-afe8-2eb2799933a1 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Analyzing Your Compatibility Data - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM). - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Viewing Your Compatibility Reports](viewing-your-compatibility-reports.md)

    This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.

    [Organizing Your Compatibility Data](organizing-your-compatibility-data.md)

    This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM).

    [Filtering Your Compatibility Data](filtering-your-compatibility-data.md)

    You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria.

    [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md)

    The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community. This process involves checking for updated compatibility information from Microsoft over the Internet. You can send and receive data to keep Application Compatibility Manager (ACM) updated with the latest compatibility information.

    - -  - -## Related topics - - -[Taking Inventory of Your Organization](taking-inventory-of-your-organization.md) - -[Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md) - -[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md) - -[Fixing Compatibility Issues](fixing-compatibility-issues.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/application-dialog-box.md b/windows/plan/application-dialog-box.md index c8d9515fa6..7615d0949e 100644 --- a/windows/plan/application-dialog-box.md +++ b/windows/plan/application-dialog-box.md @@ -1,126 +1,5 @@ --- title: Application Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the Application dialog box shows information about the selected application. -ms.assetid: a43e85a6-3cd4-4235-bc4d-01e4d097db7e -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# <Application> Dialog Box - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -In Application Compatibility Manager (ACM), the *<Application>* dialog box shows information about the selected application. - -**To open the <Application> dialog box** - -1. In ACM, in the **Quick Reports** pane, click **Analyze**. - -2. Under an operating system heading, click **Applications**. - -3. Double-click the name of an application. - -## Tabs in the <Application> dialog box - - -The following table shows the information available in the *<Application>* dialog box. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TabInformation

    Assessment

    Shows the compatibility ratings for the application from the application vendor, your internal organization, and the ACT Community.

    -

    For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md).

    Issues

    For each issue associated with the selected application, shows:

    -
      -
    • The issue status, either active (a red X) or resolved (a green check mark).

    • -
    • The provider who created the record of the issue.

    • -
    • The severity of the issue as entered by the provider.

    • -
    • The symptom of the issue as entered by the provider.

    • -
    • The date on which the issue was added to the ACT database.

    • -
    -

    For more information, see [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md).

    Application Properties

    Shows the following properties for the selected application:

    -
      -
    • MSI. Shows the installer name, vendor, version, language, and so on.

    • -
    • Add/Remove Programs. Shows the application name that appears in Control Panel, vendor, registry path, and string for uninstalling.

    • -
    • Shell. Shows the shortcuts for the application and where the shortcuts appear on the Start menu.

    • -
    • Registry. Shows the registry name for the application, registry path, file name, and so on.

    • -
    • Service Control Manager. Shows the entries in the Services console that correspond to the application.

    • -

    Computers

    Shows the following information for each of the computers that have the specified application installed:

    -
      -
    • Computer name, domain, and operating system.

    • -
    • Media Access Control (MAC) address for the computer.

    • -
    • Manufacturer of the computer.

    • -

    Labels

    Shows the label for the selected application.

    -

    For information about labels, see [Labeling Data in ACM](labeling-data-in-acm.md).

    Feedback

    Shows feedback that your testers have submitted to the ACT database for the selected application.

    - -  - -## Using the <Application> Dialog Box - - -In the **<Application>** dialog box, you can perform the following actions: - -- Select your compatibility rating for the application. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). - -- Select your deployment status for the application. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md). - -- Assign categories and subcategories to the application. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). - -- Specify the importance of the application to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). - -- Choose whether to synchronize data for the application with the Microsoft Compatibility Exchange. For more information, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md). - -- Add, edit, or resolve an issue for the selected application, and add or edit solutions. For more information, see [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md). - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md b/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md index 8076d0787c..a83be4fbc1 100644 --- a/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md +++ b/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md 
@@ -222,8 +222,6 @@ The following table shows the operators that you can use for querying your custo   ## Related topics - - [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)  
diff --git a/windows/plan/best-practice-recommendations-for-windows-to-go.md b/windows/plan/best-practice-recommendations-for-windows-to-go.md
index c9cc2ac741..33789da365 100644
--- a/windows/plan/best-practice-recommendations-for-windows-to-go.md
+++ b/windows/plan/best-practice-recommendations-for-windows-to-go.md
@@ -5,7 +5,7 @@ ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86
 keywords: best practices, USB, device, boot
 ms.prod: w10
 ms.mktglfcycl: plan
-pagetype: mobility
+ms.pagetype: mobility
 ms.sitesec: library
 author: mtniehaus
 ---
diff --git a/windows/plan/categorizing-your-compatibility-data.md b/windows/plan/categorizing-your-compatibility-data.md
index f00d576eee..e77b9ca34e 100644
--- a/windows/plan/categorizing-your-compatibility-data.md
+++ b/windows/plan/categorizing-your-compatibility-data.md
@@ -1,90 +1,5 @@ --- title: Categorizing Your Compatibility Data (Windows 10) -ms.assetid: 6420f012-316f-4ef0-bfbb-14baaa664e6e -description: -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Categorizing Your Compatibility Data - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -To customize and filter your compatibility reports, you can create categories and subcategories to assign to your applications, computers, devices, and websites. By default, Microsoft provides the following categories: - -- **Software Vendor**. In this category, you can, for example, create a subcategory for each vendor. You can then use this category to generate reports by software vendor, which can be helpful when having discussions with a specific vendor or evaluating the vendor’s performance relative to your compatibility requirements. - -- **Test Complexity**. You can use this category to help with planning and assigning test resources. You can, for example, create subcategories like Critical and Nice-to-Have. - -Categories are extensible, multiple-selection string values, so you can use them for almost anything. For example, you can create a category for signoff from multiple owners so that software can be authorized only when all categories have been selected, indicating that each group has signed off. - -As another example, you can create a category for unit of deployment. You can use subcategories such as Division and Region. You can use this category to track the software needs of a specific deployment unit. This way, you can see when the software required by the unit has been tested, approved, and is ready for deployment to the unit. - -**Note**   -The following examples use the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. 
You can also complete these procedures in the reports for computers, devices, and websites. - -  - -## Creating, Renaming, or Deleting Categories and Subcategories - - -You can manage your categories and subcategories from both the report screen and report-details screen. - -**To create, rename, or delete a category or subcategory** - -1. On the **<Operating\_System> - Application Report** screen, click any application name. - -2. On the **Actions** menu, click **Assign Categories**. - -3. Click **Category List**. - -4. In the **Categories** or **Subcategories** area, do any or all of the following: - - - Add a category or subcategory, by clicking **Add**. Type the name of your new category or subcategory, and then click outside the active text area. - - You must create at least one subcategory before a category will appear in the **Assign Categories** dialog box. - - - Rename a category or subcategory, by selecting the item and then clicking **Rename**. Type the new name, and then click outside the active text area. - - - Delete a category or subcategory, by selecting the item and then clicking **Remove**. - -5. After you have finished adding, renaming, and deleting categories and subcategories, click **OK** to close the **Category List** dialog box. - -## Assigning Data to a Category and Subcategory - - -You can assign categories and subcategories from both the report screen and report-details screen. - -**To assign and unassign categories and subcategories** - -1. On the **<Operating\_System> - Application Report** screen, click the application name. - -2. On the **Actions** menu, click **Assign Categories**. - -3. To assign a category, select the check box next to the applicable category or subcategory. - - To unassign a category, clear the check box. - -4. Click **OK**. - - You can use the query builder to filter based on this information. 
- -  - -  - - - - - +description: Steps to customize and filter your compatibility reports through categories and subcategories. +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md index 51c36c6953..b584bf2f8d 100644 --- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md +++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md @@ -13,13 +13,21 @@ author: TrudyHa This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). + +## RELEASE: Windows 10, version 1607 + +The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). + + ## July 2016 | New or changed topic | Description | |--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| +|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) |Redirected deprecated content to the [Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md) content. Only Standard User Analyzer and Compatibility Administrator continue to be supported.| | [Windows 10 servicing overview](windows-10-servicing-options.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../manage/introduction-to-windows-10-servicing.md) page. | + ## May 2016 diff --git a/windows/plan/common-compatibility-issues.md b/windows/plan/common-compatibility-issues.md index 4e96594b85..0883298316 100644 --- a/windows/plan/common-compatibility-issues.md 
+++ b/windows/plan/common-compatibility-issues.md 
@@ -1,58 +1,6 @@
 ---
 title: Common Compatibility Issues (Windows 10)
 ms.assetid: f5ad621d-bda2-45b5-ae85-bc92970f602f
-description:
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Common Compatibility Issues
- -
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-Compatibility issues tend to occur with the following technologies:
-
-- **User Account Control (UAC)**: Adds security to Windows by limiting administrator-level access to the computer, restricting most users to running as Standard Users. UAC limits the context in which a process executes to minimize the ability of the user to inadvertently expose the computer to viruses or other malware. UAC affects any application installer or update that requires Administrator permissions to run, performs Administrator checks or actions, or attempts to write to a non-virtualized registry location.
-
-- **Windows Resource Protection (WRP)**: Enables applications to function properly even if an application attempts to write to protected system files or registry locations. WRP creates a temporary work area and redirects write actions for the application session. WRP affects any application installation that attempts to replace, modify, or delete protected operating system files or registry keys. Attempts typically fail and return an Access Denied error.
-
-- **Internet Explorer Protected Mode**: Helps to defend against elevation-of-privilege attacks by restricting the ability to write to any local-computer-zone resources other than temporary Internet files. This mode affects any website or web application that attempts to modify user files or registry keys or that attempts to open a new window in another domain.
- -- **Deprecation**: Any application that uses .dll files, executable (.exe) files, COM objects, registry keys, APIs, or other files that have been deprecated from previous versions of Windows may lose functionality or fail to start. - -- **Graphical Identification and Authentication (GINA) DLL**: Prior to the release of Windows Vista, independent software vendors (ISVs) were able to modify authentication by installing a GINA DLL. The GINA DLL performed the user identification and authentication. - - The current authentication model does not require the GINA DLL and ignores all previous GINA DLLs. This change affects any application or hardware component that attempts to log on by using customized logon applications, including biometric devices (fingerprint readers), customized user interfaces, and virtual private network (VPN) solutions for remote users with customized logon user interfaces. - -- **Session 0**: Prior to the release of Windows Vista, the first user who logged on to a computer ran in Session 0, which is the same session that is used for system services. The current model requires all users to run in Session 1 or later so that no user runs in the same session as the system services. Applications will fail to start if they depend on *interactive services*. An interactive service is any service that attempts to send a window message, attempts to locate a window or additional service, or attempts to run any user processes that open the same named object, unless it is a globally named object. - -- **Windows Filtering Platform (WFP)**: WFP is an API that enables developers to create code that interacts with the filtering that occurs at several layers in the networking stack and throughout the operating system. If you are using a previous version of the WFP API in your environment, you might experience failures when running network-scanning, antivirus, or firewall applications. 
-
-- **Operating System Version Changes**: The operating system version number changes with each operating system release. The **GetVersion** function returns the version number when queried by an application. This change affects any application or application installer that specifically checks for the operating system version and might prevent the installation from occurring or the application from running.
-
-- **Windows 64-bit**: 64-bit versions of Windows use the Windows on Windows 64 (WOW64) emulator. This emulator enables the 64-bit operating system to run 32-bit applications. The use of this emulator might cause an application or a component that uses 16-bit executables or installers, or 32-bit kernel drivers, to fail to start or to function incorrectly.
-
-## Related topics
- -
-[Using Compatibility Monitor to Send Feedback](using-compatibility-monitor-to-send-feedback.md)
- -  - -  - - - - -
+description: List of common compatibility issues, based on the type of technology.
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md b/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md
index f608310bd6..fe4aede4bb 100644
--- a/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md
+++ b/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md
@@ -161,15 +161,4 @@ End Function Most of your testing of application-compatibility issues will happen prior to the deployment of a new Windows operating system into your environment. As such, a common approach is to include the custom compatibility-fix database, which includes all of your known issues, in your corporate image. Then, as you update your compatibility-fix database, you can provide the updates by using one of the two mechanisms described in the "Deploying Your Custom Compatibility Fix Databases" section earlier in this topic. ## Related topics - - -[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) - -  - -  - - - - - +[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) \ No newline at end of file diff --git a/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md index 688cf0a0d5..9e9c9f6ada 100644 --- a/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md +++ b/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md @@ -1009,15 +1009,4 @@ The following table lists the known compatibility modes. - - -  - -  - -  - - - - - + \ No newline at end of file diff --git a/windows/plan/compatibility-monitor-users-guide.md b/windows/plan/compatibility-monitor-users-guide.md index 9a72ed30d3..a183923ba1 100644 --- a/windows/plan/compatibility-monitor-users-guide.md +++ b/windows/plan/compatibility-monitor-users-guide.md 
@@ -1,72 +1,5 @@ --- title: Compatibility Monitor User's Guide (Windows 10) description: Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback. -ms.assetid: 67d6eff0-1576-44bd-99b4-a3ffa5e205ac -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Compatibility Monitor User's Guide - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback. - -## In this section - - - ---- - - - - - - - - - - - - - - - - -
    TopicDescription

    [Using Compatibility Monitor to Send Feedback](using-compatibility-monitor-to-send-feedback.md)

    The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package. From the computers in your test environment, you can use Compatibility Monitor to submit compatibility information to the Application Compatibility Toolkit (ACT) database for your organization.

    [Common Compatibility Issues](common-compatibility-issues.md)

    Compatibility issues tend to occur with the following technologies:

    - -  - -## Related topics - - -[Deciding Which Applications to Test](deciding-which-applications-to-test.md) - -[Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md) - -[Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md) - -[Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/computer-dialog-box.md b/windows/plan/computer-dialog-box.md index b191d79a79..89054bac9a 100644 --- a/windows/plan/computer-dialog-box.md +++ b/windows/plan/computer-dialog-box.md @@ -1,109 +1,5 @@ --- title: Computer Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the Computer dialog box shows information about the selected computer. -ms.assetid: f89cbb28-adcd-41cd-9a54-402bc4aaffd9 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# <Computer> Dialog Box - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -In Application Compatibility Manager (ACM), the *<Computer>* dialog box shows information about the selected computer. - -**To open the <Computer> dialog box** - -1. In ACM, in the **Quick Reports** pane, click **Analyze**. - -2. Under an operating system heading, click **Computers**. - -3. Double-click the name of a computer. - -## Tabs in the <Computer> dialog box - - -The following table shows the information available in the *<Computer>* dialog box. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    TabInformation

    Details

    Shows the following information for the selected computer:

    -
      -
    • The computer name, operating system, architecture, and domain.

    • -
    • The IP address, Media Access Control (MAC) address, and hardware identifier.

    • -
    • The manufacturer, asset tag, and system number.

    • -
    • The hardware specifications.

    • -

    Applications

    Shows the following information for each of the applications installed on the selected computer:

    -
      -
    • The application name, version number, and application vendor.

    • -
    • The compatibility rating for the application as determined by your organization.

    • -
    • The compatibility information from the application vendor.

    • -
    • The compatibility information from the ACT Community, which you can view if you are a member of the ACT Community. For more information, see [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md).

    • -
    • The issues that have been opened for the application.

    • -
    • The count of computers in your organization on which the application is installed.

    • -

    Devices

    Shows the following information for each of the devices installed on the selected computer:

    -
      -
    • The model and manufacturer of the device.

    • -
    • An evaluation of whether the device works on a 32-bit operating system or a 64-bit operating system.

    • -
    • The class of device, as reported by the device.

    • -
    • The count of computers in your organization on which the device is installed.

    • -

    Labels

    Shows the label for the selected computer.

    -

    For information about labels, see [Labeling Data in ACM](labeling-data-in-acm.md).

    - -  - -## Using the <Computer> Dialog Box - - -In the *<Computer>* dialog box, you can perform the following actions: - -- Assign categories and subcategories to the computer. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). - -- Specify the importance of the computer to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/configuring-act.md b/windows/plan/configuring-act.md index f5803ddd81..372e1dcaf1 100644 --- a/windows/plan/configuring-act.md +++ b/windows/plan/configuring-act.md @@ -1,90 +1,5 @@ --- title: Configuring ACT (Windows 10) description: This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization. -ms.assetid: aacbe35e-ea40-47ac-bebf-ed2660c8fd86 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Configuring ACT - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [ACT Tools, Packages, and Services](act-tools-packages-and-services.md)

    The Application Compatibility Toolkit is included with the Windows ADK. [Download the Windows ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)

    [ACT Deployment Options](act-deployment-options.md)

    While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT.

    [ACT Database Configuration](act-database-configuration.md)

    The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data. If you do not use Microsoft SQL Server, you can download and install Microsoft SQL Server Express. For information about creating Microsoft SQL Server databases, see [Administering the Database Engine](http://go.microsoft.com/fwlink/p/?LinkId=64169).

    [ACT Database Migration](act-database-migration.md)

    The schema for an ACT database can change when ACT is updated or when a new version of ACT is released. If the schema for an ACT database does not match the current schema, you can migrate the compatibility data to a new database. You can then use the current version of ACT to open the new database.

    [ACT LPS Share Permissions](act-lps-share-permissions.md)

    To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level.

    - -  - -## Related topics - - -[Welcome to ACT](welcome-to-act.md) - -[Using ACT](using-act.md) - -[Troubleshooting ACT](troubleshooting-act.md) - -[ACT User Interface Reference](act-user-interface-reference.md) - -[ACT Product and Documentation Resources](act-product-and-documentation-resources.md) - -[ACT Glossary](act-glossary.md) - -[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md index a88189a7a2..90b404e888 100644 --- a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md +++ b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md @@ -69,8 +69,6 @@ If you are unable to find a preloaded compatibility fix for your application, yo By default, Compatibility Administrator selects the basic matching criteria for your application. As a best practice, use a limited set of matching information to represent your application, because it reduces the size of the database. However, make sure you have enough information to correctly identify your application. ## Related topics - - [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)   diff --git a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md index ac5091d0bb..789f3199ca 100644 --- a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md +++ b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md 
@@ -74,8 +74,6 @@ A compatibility mode includes a set of compatibility fixes and must be deployed The compatibility mode is added to your custom database. ## Related topics - - [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)   diff --git a/windows/plan/creating-a-runtime-analysis-package.md b/windows/plan/creating-a-runtime-analysis-package.md index 04411a5fa7..e6b56c752b 100644 --- a/windows/plan/creating-a-runtime-analysis-package.md +++ b/windows/plan/creating-a-runtime-analysis-package.md 
@@ -1,59 +1,8 @@ --- title: Creating a Runtime-Analysis Package (Windows 10) description: In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment. -ms.assetid: 3c703ebe-46b3-4dcd-b355-b28344bc159b -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics --- - -# Creating a Runtime-Analysis Package - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment. - -**To create a runtime-analysis package** - -1. In ACM, click **Collect** to open the Collect screen. - -2. On the **File** menu, click **New**. - -3. Click **Runtime application testing**. - -4. Provide the information that is requested for the package, and then click **Create**. - -5. Navigate to the location where you want to save the Windows installer (.msi) file for the package. - - This .msi file is the file that you can use to install the runtime-analysis package on each computer in your test environment. - -6. Type a file name for the .msi file, and then click **Save**. - -7. Click **Finish**. - -## Related topics - - -[Deciding Which Applications to Test](deciding-which-applications-to-test.md) - -[Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md) - -[Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md) - -[Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md) - -  -   
diff --git a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md index 5b48ebdbb8..f63dd95d8f 100644 --- a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md +++ b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md @@ -89,15 +89,4 @@ The following issues might occur with computers running Windows 2000: - Copying an AppHelp entry for a system database or a custom-compatibility fix from a system database might cause Compatibility Administrator to hide the descriptive text. ## Related topics - - -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - -  - -  - - - - - +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) \ No newline at end of file diff --git a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md index 840fa87695..2953ad9c9f 100644 --- a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md +++ b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md 
@@ -1,115 +1,5 @@ --- title: Creating an Enterprise Environment for Compatibility Testing (Windows 10) description: The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. -ms.assetid: cbf6d8b6-7ebc-4faa-bbbd-e02653ed4adb -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Creating an Enterprise Environment for Compatibility Testing - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. Your test environment is composed of computers on which the new operating system is installed. Your test environment can be a long-term investment. Consider retaining the test environment after deployment to assist in future deployment projects. - -## Modeling the Production Environment - - -We recommend the following practices for setting up your test environment: - -- Physically separate your test environment from your production environment. Physical separation helps ensure that activity in the test environment does not affect the production environment. - -- On the computers in your test environment, install the new operating system. - -- Perform all of your tests by using accounts that have similar permissions to the accounts in your production environment. This approach helps to ensure that you can determine potential security issues. - -## Configuring the Test Environment for Automated Testing - - -Typically, tests are run more than once, which requires being able to revert your test environment to a previous state. 
We recommend the following practices to ensure consistency in testing and consistency in restoring the state of your test environment: - -- Use disk-imaging software to create physical disk images. - -- Use software virtualization features to reverse changes to virtualized hard disks. - -## Determining When Virtualization Is Appropriate - - -The following table shows some of the advantages and disadvantages of virtualization. - - ---- - - - - - - - - - - - - -
    AdvantagesDisadvantages
      -
    • Supports a large number of servers in a limited amount of physical space. You can run as many virtual servers as the physical computer’s resources allow.

    • -
    • Easily shares your test environment between teams. For example, your test team can create a virtualized test environment and then provide a copy to your development team for use in its development processes.

    • -
    • Supports multiple users performing simultaneous testing, mimicking the ability for each user to have a dedicated test environment.

    • -
    • Easily restores your environment to a previous state. For example, you can revert to a previous state by using the Undo Disks option.

    • -
      -
    • May reduce performance. Virtualized servers may be slower than their physical counterparts. The performance of virtualized servers is reduced because physical resources such as disks are virtualized.

    • -
    • May not support all applications and device drivers. Some hardware-specific device drivers and applications are not supported in virtualized servers.

    • -
    - -  - -## Testing Methodology - - -When testing an application in a new operating system, we recommend the following methods: - -- Retain the default security-feature selections. - -- Use test automation tools to run your test cases in a consistent, reproducible way. - -- Use your application in the same way that you use it in your production environment. - -- Use the Compatibility Monitor tool in the runtime-analysis package to gather compatibility feedback. - -- Send and receive compatibility data to obtain data and solutions through the Microsoft Compatibility Exchange. - -- When testing a website or a web application, include both intranet and extranet sites, prioritizing the list based on how critical the site or the application is to your organization. - -## Related topics - - -[Deciding Which Applications to Test](deciding-which-applications-to-test.md) - -[Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md) - -[Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md) - -[Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/creating-an-inventory-collector-package.md b/windows/plan/creating-an-inventory-collector-package.md index c174e746e0..c52e8f3965 100644 --- a/windows/plan/creating-an-inventory-collector-package.md +++ b/windows/plan/creating-an-inventory-collector-package.md 
@@ -1,58 +1,5 @@ --- title: Creating an Inventory-Collector Package (Windows 10) description: You can use Application Compatibility Manager (ACM) to create an inventory-collector package. -ms.assetid: 61d041d6-e308-47b3-921b-709d72926d6d -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Creating an Inventory-Collector Package - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can use Application Compatibility Manager (ACM) to create an inventory-collector package. You can then deploy the inventory-collector package to other computers to gather inventory data. The package uploads inventory data to the Application Compatibility Toolkit (ACT) database. - -**To create an inventory-collector package** - -1. In ACM, click **Collect** to open the **Collect** screen. - -2. On the **File** menu, click **New**. - -3. Click **Application inventory**. - -4. Provide the information that is requested for the package, and then click **Create**. - -5. Browse to the location where you want to save the Windows® Installer (.msi) file for the package. - - You can use this .msi file to install the inventory-collector package on each computer for which you want to gather inventory data. - -6. Type a file name for the .msi file, and then click **Save**. - -7. Click **Finish**. - -## Related topics - - -[Identifying Computers for Inventory Collection](identifying-computers-for-inventory-collection.md) - -[Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/creating-and-editing-issues-and-solutions.md b/windows/plan/creating-and-editing-issues-and-solutions.md index 0ce76a3f2f..e1897a0122 100644 
--- a/windows/plan/creating-and-editing-issues-and-solutions.md +++ b/windows/plan/creating-and-editing-issues-and-solutions.md @@ -1,65 +1,5 @@ --- title: Creating and Editing Issues and Solutions (Windows 10) description: This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange. -ms.assetid: b64fe4e0-24bd-4bbd-9645-80ae5644e774 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Creating and Editing Issues and Solutions - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Adding or Editing an Issue](adding-or-editing-an-issue.md)

    In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover.

    [Adding or Editing a Solution](adding-or-editing-a-solution.md)

    If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation.

    [Resolving an Issue](resolving-an-issue.md)

    You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red x to a green check mark on your report and report detail screens.

    - -  - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/customizing-your-report-views.md b/windows/plan/customizing-your-report-views.md index a68961a2e6..1c69e77305 100644 --- a/windows/plan/customizing-your-report-views.md +++ b/windows/plan/customizing-your-report-views.md 
@@ -1,149 +1,5 @@ --- title: Customizing Your Report Views (Windows 10) description: You can customize how you view your report data in Application Compatibility Manager (ACM). -ms.assetid: ba8da888-6749-43b4-8efb-4f26c7954721 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Customizing Your Report Views - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can customize how you view your report data in Application Compatibility Manager (ACM). - -## Modifying the <Operating\_System> Reports View - - -You can choose which operating systems ACM shows in the compatibility reports. For operating systems that you exclude from the reports, the data continues to be collected but ACM does not display it. - -If you are using ACM on multiple computers that access the same ACT database, when you remove an operating system from your reports, all of the computers running ACM no longer show the operating system. - -**To add or remove an operating system from the Quick Reports pane** - -1. On the **Analyze** screen, at the bottom of the **Quick Reports** pane, click **Customize this view**. - -2. In the **Deployment Reports** area, select the check boxes for the operating systems you want to show in your reports, and then click **OK**. - -3. Select the architectures, **32-bit**, **64-bit**, or **Both**, for which you want to see compatibility ratings in the report screens. - -## Adding and Removing Columns from the Report Views - - -You can add and remove columns from most of the report screens. In the report dialog boxes, you cannot add or remove columns, but you can reorder the columns. - -**To add or remove a column** - -1. On the selected report screen, right-click the column headings, and then click **Column Options**. - -2. 
Select the check box next to any column that you want to add, and clear the check box next to any column that you want to remove. - -3. If you want, reorder the columns by using the **Move Up** and **Move Down** buttons. - -4. Click **OK**. - -### Columns by Screen - -The following table shows the columns that are available for each screen. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ScreenDefault columnsAdditional columns

    [<OperatingSystem> - Application Report](act-operatingsystem-application-report.md)

      -
    • Application Name

    • -
    • Version

    • -
    • Company

    • -
    • My Assessment

    • -
    • User Assessment

    • -
    • Send/Receive Status

    • -
    • Vendor Assessment

    • -
    • Community Assessment

    • -
    • Active Issues

    • -
    • Computers

    • -
      -
    • Resolved Issues

    • -
    • Language

    • -
    • Priority

    • -
    • Deployment Status

    • -
    • Issues with Solutions

    • -

    [<OperatingSystem> - Computer Report](act-operatingsystem-computer-report.md)

      -
    • Computer Name

    • -
    • Applications with Issues

    • -
    • Devices with Issues

    • -
    • Operating System

    • -
    • Domain

    • -
    • Applications

    • -
    • Devices

    • -
      -
    • Priority

    • -

    [<OperatingSystem> - Device Report](act-operatingsystem-device-report.md)

      -
    • Model

    • -
    • Manufacturer

    • -
    • Assessment

    • -
    • Device Class

    • -
    • Computers

    • -
      -
    • Assessment

    • -
    • Priority

    • -

    [Internet Explorer - Web Site Report](internet-explorer-web-site-report.md)

      -
    • Web Site

    • -
    • My Assessment

    • -
    • Active Issues

    • -
    • Resolved Issues

    • -
      -
    • None

    • -
    - -  - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md index 8bb30d37a8..97e2f14378 100644 --- a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md +++ b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md 
@@ -1,239 +1,5 @@ --- title: Data Sent Through the Microsoft Compatibility Exchange (Windows 10) description: The Microsoft Compatibility Exchange propagates data of various types between Microsoft Corporation, independent software vendors (ISVs) and the Application Compatibility Toolkit (ACT) Community. -ms.assetid: 3ec61e33-9db8-4367-99d5-e05c2f50e144 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Data Sent Through the Microsoft Compatibility Exchange - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Microsoft Compatibility Exchange propagates data of various types between Microsoft Corporation, independent software vendors (ISVs) and the Application Compatibility Toolkit (ACT) Community. - -## Data Sent to Microsoft - - -During synchronization, the Microsoft Compatibility Exchange sends the following information to Microsoft Corporation: - -- **Application information and properties**. This data includes the application name, the vendor, the version number, the language, and the deployment type. - -The data-synchronization process does not send your list of URLs visited as part of the information exchange. - -## Data Sent to the ACT Community - - -The Microsoft Compatibility Exchange sends the following information to the ACT Community for each application that you decide to share with the ACT Community: - -- **Application information and properties**. This data includes the application name, the vendor, the version number, the language, and the deployment type. - -- **Miscellaneous data**. This data includes: - - - The database GUID that identifies the organization that is the source of the data. - - - The issue data. - - - The issue ID. - - - The platform and destination operating system. - - - The severity. - - - The cause. - - - The symptom. - - - The solution data. - - - The solution type. 
- - - The issue and solution provider. - - - The issue and solution subprovider. - - - The issue and solution published date. - - - Your risk assessment. - -The data-synchronization process does not send your list of URLs visited as part of the information exchange. - -## Data Matching - - -After you send your data, the Microsoft Compatibility Exchange matches your application properties against the known issues listed in the Application Profile database. The Microsoft Compatibility Exchange downloads any issues and corresponding solutions that match your application set and then stores the information in your ACT database. - -## Data Sent From Microsoft and ISVs - - -For each application that matches an application in the Application Profile database, the Microsoft Compatibility Exchange returns the following information, provided by authoritative sources including Microsoft Corporation and independent software vendors (ISVs). - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    DataDescription

    Risk assessment

    The determination of whether the application has compatibility issues.

    Symptom

    Behavior exhibited by the application.

    Cause

    Reason for the failure.

    Provider and subprovider

    Source of the compatibility issue.

    Issue ID

    A unique ID number for the compatibility issue.

    Severity

    Impact this issue has on the application experience.

    Priority

    Degree of impact that this issue has on your organization.

    Published Date

    Date that the source entered the data into the database.

    Operating system name

    Friendly name of the installed operating system.

    Major version

    Major version number of the operating system.

    Minor version

    Minor version number of the operating system.

    Locale

    Language ID of the application to which the compatibility issue applies.

    Title

    Short title of the compatibility issue.

    Summary

    Description of the compatibility issue.

    Service pack major

    Major version number of the operating system service pack.

    Service pack minor

    Minor version number of the operating system service pack.

    URL HREF

    URL of any links provided for the compatibility issue.

    Provider and subprovider IDs

    IDs for the source of the compatibility issue's solution.

    Solution type

    Type of solution provided for the compatibility issue.

    Locale

    Language ID of the application to which the solution applies.

    Title

    Short title of the solution.

    Details

    Description of the solution.

    URL HREF

    URL of any links provided for the compatibility issue solution.

    - -  - -## Data Sent From the ACT Community - - -For each application that matches an application in the Application Profile database, the Microsoft Compatibility Exchange returns the following ACT Community information, which you receive only if you are a member of the ACT Community: - - ---- - - - - - - - - - - - - - - - - - - - - -
    DataDescription

    Works

    The count of Works ratings, for 32-bit and 64-bit operating systems.

    Works with Minor Issues or has Solutions

    The count of Works with Minor Issues or has Solutions ratings, for 32-bit and 64-bit operating systems.

    Does Not Work

    The count of Does Not Work ratings, for 32-bit and 64-bit operating systems.

    - -  - -## Related topics - - -[Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md) - -[Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md index 0bf24136b1..d4d3319cbc 100644 --- a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md +++ b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md 
@@ -1,54 +1,5 @@ --- title: Deciding Whether to Fix an Application or Deploy a Workaround (Windows 10) description: You can fix a compatibility issue by changing the code for the application or by deploying a workaround. -ms.assetid: e495d0c8-bfba-4537-bccd-64c4b52206f1 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Deciding Whether to Fix an Application or Deploy a Workaround - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can fix a compatibility issue by changing the code for the application or by deploying a workaround. - -## Fixing an Application - - -Fixing an application by changing the code is often the recommended way to address a compatibility issue. Although applying a fix to the code might involve higher initial costs or additional development time, it can limit long-term maintenance or operational costs. After you change the code, all users can use the application without encountering the issue. - -If you do not have access to the code, or if you do not have the time and resources to apply a fix, an alternative approach is to deploy a workaround. - -## Deploying a Workaround - - -A workaround involves applying alternative registry settings to address a compatibility issue. Deploying a workaround might be quicker and easier than changing the code, but you can incur long-term maintenance or operational costs. For example, you must make sure that new users have the correct set of features enabled or disabled on their computers. Using a workaround might also make your application or systems less secure. However, the overall security enhancement associated with deploying the newer version of Windows® may more than offset this reduction in security. - -Consider changing registry settings as a short-term solution while you develop the long-term solution of changing the code. 
- -## Related topics - - -[SUA User's Guide](sua-users-guide.md) - -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/deciding-which-applications-to-test.md b/windows/plan/deciding-which-applications-to-test.md index a0d4d06986..4b548c65f6 100644 --- a/windows/plan/deciding-which-applications-to-test.md +++ b/windows/plan/deciding-which-applications-to-test.md 
@@ -1,54 +1,5 @@ --- title: Deciding Which Applications to Test (Windows 10) description: Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing. -ms.assetid: d7c1c28f-b7b4-43ac-bf87-2910a2b603bf -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Deciding Which Applications to Test - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing. - -**To choose the applications to include in compatibility testing** - -1. Gather your application and device inventory. For more information, see [Taking Inventory of Your Organization](taking-inventory-of-your-organization.md). - -2. Use the Microsoft Compatibility Exchange to get the latest compatibility ratings. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). - -3. Organize and group your applications, and determine which applications need to be tested. For more information, see [Organizing Your Compatibility Data](organizing-your-compatibility-data.md). - - After completing these steps, you can then start creating and deploying your runtime-analysis packages to the test environment for your compatibility testing. 
- -## Related topics - - -[Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md) - -[Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md) - -[Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md) - -[Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/deleting-a-data-collection-package.md b/windows/plan/deleting-a-data-collection-package.md index 002a431377..c5401542c9 100644 --- a/windows/plan/deleting-a-data-collection-package.md +++ b/windows/plan/deleting-a-data-collection-package.md 
@@ -1,52 +1,5 @@ --- title: Deleting a Data-Collection Package (Windows 10) description: In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database. -ms.assetid: 1b397d7a-7216-4078-93d9-47c7becbf73e -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Deleting a Data-Collection Package - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database. - -You cannot undo the deletion of a data-collection package. If you mistakenly delete a data-collection package, you must create a new package to replace the deleted package. - -**To delete a data-collection package** - -1. In ACM, click **Collect** to open the Collect screen. - -2. Select the data-collection package that you want to delete, and then press the DELETE key. - -3. In the confirmation box, click **Yes**. - -## Related topics - - -[Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md) - -[Exporting a Data-Collection Package](exporting-a-data-collection-package.md) - -[Labeling Data in ACM](labeling-data-in-acm.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/deploy-windows-10-in-a-school.md b/windows/plan/deploy-windows-10-in-a-school.md index dd53f66282..590e3606e6 100644 --- a/windows/plan/deploy-windows-10-in-a-school.md +++ b/windows/plan/deploy-windows-10-in-a-school.md 
@@ -142,7 +142,7 @@ You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 6 >**Note:**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system. -For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/en-us/library/dn759415.aspx#InstallingaNewInstanceofMDT). +For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com//library/dn759415.aspx#InstallingaNewInstanceofMDT). Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices. @@ -336,7 +336,7 @@ Now that you have an Office 365 subscription, you need to determine how you will In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. ->**Note:**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396). +>**Note:**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com//library/dn510997.aspx?f=255&MSPPError=-2147217396). ![fig 4](images/deploy-win-10-school-figure4.png) 
@@ -385,7 +385,7 @@ You can deploy the Azure AD Connect tool by using one of the following methods: *Figure 7. Azure AD Connect in Azure* -This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/en-us/library/dn635310.aspx). +This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com//library/dn635310.aspx). ### Deploy Azure AD Connect on premises 
@@ -436,8 +436,8 @@ Several methods are available to bulk-import user accounts into AD DS domains. T |Method | Description and reason to select this method | |-------| ---------------------------------------------| -|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/en-us/scriptcenter/dd939958.aspx).| +|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. 
For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com//scriptcenter/dd939958.aspx).| |Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|

    ### Create a source file that contains the user and group accounts 
@@ -448,8 +448,8 @@ After you have selected your user and group account bulk import method, you’re | Method | Source file format | |--------| -------------------| -|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).| +|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. 
For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx).| | Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|

    ### Import the user accounts into AD DS @@ -460,8 +460,8 @@ With the bulk-import source file finished, you’re ready to import the user and For more information about how to import user accounts into AD DS by using: -- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). -- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx). +- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). +- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx). - Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). ### Summary 
@@ -702,14 +702,14 @@ The first step in preparation for Windows 10 deployment is to configure—that i 1. Import operating systems -Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench). +Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench). 2. Import device drives Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

    -Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). +Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). @@ -724,8 +724,8 @@ If you have Intune, you can deploy Windows Store apps after you deploy Windows 1 In addition, you must prepare your environment for sideloading (deploying) Windows Store apps. For more information about how to:

      -
    • Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/en-us/itpro/windows/deploy/sideload-apps-in-windows-10).
    • -
    • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
    • +
    • Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/itpro/windows/deploy/sideload-apps-in-windows-10).
    • +
    • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
    @@ -737,11 +737,11 @@ In addition, you must prepare your environment for sideloading (deploying) Windo You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

    -To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx?f=255&MSPPError=-2147217396).

    +To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com//library/jj219423.aspx?f=255&MSPPError=-2147217396).

    If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

    **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

    -For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). +For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). @@ -757,7 +757,7 @@ For more information about how to create an MDT application for Window desktop a
  • Upgrade existing devices to Windows 10 Education 32-bit.
  • -Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). +Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). @@ -767,7 +767,7 @@ Again, you will create the task sequences based on the operating systems that yo Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

    -For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench). +For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench). @@ -782,9 +782,9 @@ You can use Windows Deployment Services in conjunction with MDT to automatically - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx) - The Windows Deployment Services Help file, included in Windows Deployment Services - - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx) + - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com//library/jj648426.aspx) -2. Add LTI boot images (Windows PE images) to Windows Deployment Services.

    The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/en-us/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). +2. Add LTI boot images (Windows PE images) to Windows Deployment Services.

    The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com//library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). ### Summary @@ -897,7 +897,7 @@ Microsoft has several recommended settings for educational institutions. Table 1 Use of Microsoft accounts You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

    **Note:**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

    -**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

    +**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com//library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.
@@ -905,7 +905,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
 Restrict local administrator accounts on the devices Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

    -**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).

    +**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com//library/cc732525.aspx).

**Intune**. Not available.
@@ -913,7 +913,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
 Restrict the local administrator accounts on the devices Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

    -**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).

    +**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com//library/cc732525.aspx).

**Intune**. Not available.
@@ -921,7 +921,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
 Manage the built-in administrator account created during device deployment When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

    -**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/en-us/library/jj852165.aspx).

    +**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com//library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com//library/jj852165.aspx).

**Intune**. Not available.
@@ -929,7 +929,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
 Control Windows Store access You can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.

    -**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).

    +**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com//library/hh832040.aspx#BKMK_UseGP).

**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy.
@@ -953,7 +953,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
 Use of audio recording Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

    -**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com/en-us/library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/en-us/library/ee791899.aspx).

    +**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com//library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com//library/ee791899.aspx).

    **Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. 
@@ -989,13 +989,13 @@ Microsoft has several recommended settings for educational institutions. Table 1
 Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section.
-For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/en-us/library/cc754948.aspx).
+For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com//library/cc754948.aspx).
 #### To configure Group Policy settings
-1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/en-us/library/cc738830.aspx).
-2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/en-us/library/cc739902.aspx).
-3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/en-us/library/cc738954(v=ws.10).aspx).
+1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com//library/cc738830.aspx).
+2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com//library/cc739902.aspx).
+3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com//library/cc738954(v=ws.10).aspx).
 ### Configure settings by using Intune
@@ -1006,9 +1006,9 @@ For more information about Intune, see [Documentation for Microsoft Intune](http
 #### To configure Intune settings
 1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune).
-2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646962.aspx).
-3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com/en-us/library/dn646984.aspx).
-4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646959.aspx).
+2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com//library/dn646962.aspx).
+3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com//library/dn646984.aspx).
+4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com//library/dn646959.aspx).
 ### Deploy apps by using Intune
@@ -1041,14 +1041,14 @@ Prior to deployment of Windows 10, ensure that you complete the tasks listed in
 Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
->**Note:**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx).
+>**Note:**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com//library/dn781089.aspx).
 In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems.
 #### To deploy Windows 10
 1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide.
-2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Running%20the%20Deployment%20Wizard).
+2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com//library/dn759415.aspx#Running%20the%20Deployment%20Wizard).
 ### Set up printers
diff --git a/windows/plan/deploying-a-runtime-analysis-package.md b/windows/plan/deploying-a-runtime-analysis-package.md
index bf01c5258c..38f478a9b9 100644
--- a/windows/plan/deploying-a-runtime-analysis-package.md
+++ b/windows/plan/deploying-a-runtime-analysis-package.md
@@ -1,48 +1,5 @@
 ---
 title: Deploying a Runtime-Analysis Package (Windows 10)
 description: When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing.
-ms.assetid: 304bf0be-0e7c-4c5f-baac-bed7f8bef509
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Deploying a Runtime-Analysis Package
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing.
-
-For information about creating the test environment, see [Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md).
-
-To deploy a runtime-analysis package, you can use the same deployment methods that you might use to deploy an inventory-collector package. For information about deployment methods, see [Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md).
-
-## Related topics
-
-
-[Deciding Which Applications to Test](deciding-which-applications-to-test.md)
-
-[Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md)
-
-[Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md)
-
-[Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md)
-
- 
-
- 
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/deploying-an-inventory-collector-package.md b/windows/plan/deploying-an-inventory-collector-package.md
index 406a2823fd..784ecd61b4 100644
--- a/windows/plan/deploying-an-inventory-collector-package.md
+++ b/windows/plan/deploying-an-inventory-collector-package.md
@@ -1,142 +1,5 @@ --- title: Deploying an Inventory-Collector Package (Windows 10) -ms.assetid: 8726ff71-0d17-4449-bdb7-66957ae51c62 -description: -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -author: TrudyHa ---- - -# Deploying an Inventory-Collector Package - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can use the following methods to deploy an inventory-collector package to the destination computers: - -- **Group Policy Software Installation.** This is a feature of Active Directory Domain Services in Windows Server. All computers to which you deploy the package must be part of the Active Directory forest. - -- **Logon script.** You can use Windows Script Host to create a logon script. Installing by using a logon script requires administrator credentials on the local computer. - -- **Microsoft® System Center Configuration Manager.** For information about how to use System Center Configuration Manager, see the product documentation. - -- **Manual distribution.** You can use a file server on the network as a software distribution point, or you can distribute removable media. User installation of an inventory-collector package requires administrator credentials on the local computer. - -**To deploy an inventory-collector package by using Group Policy Software Installation** - -1. Ensure that the computers to which you want to deploy the inventory-collector package are members of the Active Directory forest. - -2. Create a Group Policy Object (GPO) for publishing the inventory-collector package. - -3. Assign the GPO to the organizational units (OUs) that contain the set of computers. - -4. Create and publish a new software installation package by using Group Policy Software Installation. - - For information about the Group Policy Software Installation process, see [Best practices for Group Policy Software Installation](http://go.microsoft.com/fwlink/p/?LinkId=87996). 
- -**To assign a logon script for installing an inventory-collector package to an organizational unit** - -1. Create the logon script. The following script is an example. - - ``` syntax - Set ws = WScript.CreateObject("WScript.Shell") - ws.Run("\\servername\collector\package_name.exe") - ``` - - To keep the installation from running repeatedly, your script must create a marker. - - For more information about logon scripts, see [Assign a Logon Script to a User in the Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=87997). - -2. Save your script in the SYSVOL\\Scripts folder. - -3. Open the Active Directory Users and Computers console by clicking **Start**, clicking **All Programs**, clicking **Administrative Tools**, and then clicking **Active Directory Users and Computers**. - -4. Right-click the OU to which you intend to assign the logon script, click **Properties**, and then click the **Group Policy** tab. - -5. Click **New** to add a new GPO, or select an existing GPO and then click **Edit**. - -6. In the left pane, expand the **User Configuration** object, expand the **Windows Setting** object, and then click **Scripts (Logon/Logoff)**. - -7. In the right pane, double-click the **Logon** script. - -8. Click **Add**. - -9. Click **Browse**, browse to the \\\\*<domain>*\\Sysvol\\Scripts folder, select your script, and then click **Open**. - -10. Click **OK** to close the **Logon Properties** dialog box. - -11. Close the Group Policy Management console and the Active Directory Users and Computers console. - -12. On a computer that is a member of the domain and a part of the OU, log on as an OU user. - -13. Open a **Command Prompt** window, and then type `GPUPDATE /force` to force the update of the Group Policy setting. - -14. At the command prompt, type `RSOP.msc` to verify your Group Policy assignment. - -15. In the left pane, expand the **Computer Configuration** object, expand the **Windows Setting** object, and then click **Security Settings**. 
- -16. Expand **Account Policies**, click **Password Policy**, and verify the assigned Group Policy setting. - -17. Close the Resultant Set of Policy console and the **Command Prompt** window. - -**To deploy an inventory-collector package by using System Center Configuration Manager** - -1. Verify that the computers to which you want to deploy the package are included in your Configuration Manager inventory. - -2. Create a Configuration Manager computer collection that includes the computers. - -3. Create a shared folder that contains the source image of the inventory-collector package. - -4. Create a Configuration Manager package that is based on the source image from the shared folder. - - For more information, see [How to Create a Package](http://go.microsoft.com/fwlink/p/?LinkId=131355). - -5. Specify the Configuration Manager software distribution points. - -6. Create a Configuration Manager program that includes the required commands and command-line options to deploy the inventory-collector package. - - For more information, see [How to Create a Program](http://go.microsoft.com/fwlink/p/?LinkId=131356). - -7. Create a Configuration Manager advertisement that instructs Configuration Manager clients to run the program that you specified in the previous step. - - For more information, see [How to Create an Advertisement](http://go.microsoft.com/fwlink/p/?LinkId=131357). - -**To deploy an inventory-collector package from a network share** - -1. Store your package (.msi) file in a shared folder on the network. - -2. Notify the users of the computers that require the inventory-collector package to run the .msi file. For example, you might send an email message that includes a hyperlink to the shared folder. - -**To deploy an inventory-collector package to offline computers** - -1. In your inventory-collector package, specify a local output path for the log file. - -2. Burn your.msi file to removable media. - -3. 
Send the removable media to users of the offline computers. - -4. Instruct the users to run the .msi file and then return the generated log file. For example, the users might send the log file in an email message or place the file on a network share. - -## Related topics - - -[Identifying Computers for Inventory Collection](identifying-computers-for-inventory-collection.md) - -[Creating an Inventory-Collector Package](creating-an-inventory-collector-package.md) - -  - -  - - - - - +description: How to deploy an inventory-collector package to your destination computers. +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/device-dialog-box.md b/windows/plan/device-dialog-box.md index 7cd1c0d3ec..5d32e55b8f 100644 --- a/windows/plan/device-dialog-box.md +++ b/windows/plan/device-dialog-box.md @@ -1,90 +1,5 @@ --- title: Device Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the Device dialog box shows information about the selected device. -ms.assetid: 5bd7cfda-31ea-4967-8b64-6c0425092f4e -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# <Device> Dialog Box - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -In Application Compatibility Manager (ACM), the *<Device>* dialog box shows information about the selected device. - -**To open the <Device> dialog box** - -1. In ACM, in the **Quick Reports** pane, click **Analyze**. - -2. Under an operating system heading, click **Devices**. - -3. Double-click the name of a device. - -## Tabs in the <Device> dialog box - - -The following table shows the information available in the *<Device>* dialog box. - - ---- - - - - - - - - - - - - - - - - -
    TabInformation

    Details

    Shows the following information for the selected device:

    -
      -
    • The model and manufacturer of the device.

    • -
    • The class of device, as reported by the device.

    • -
    • An evaluation of whether the device works on a 32-bit operating system or a 64-bit operating system.

    • -

    Computers

    Shows the following information for each of the computers on which the device is installed:

    -
      -
    • Computer name, domain, and operating system.

    • -
    • The count of installed applications and devices.

    • -
    • The count of installed applications and devices that have issues.

    • -
-
- 
-
-## Using the <Device> Dialog Box
-
-
-In the *<Device>* dialog box, you can perform the following actions:
-
-- Assign categories and subcategories to the device. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).
-
-- Specify the importance of the device to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).
-
- 
-
- 
-
-
-
-
-
+description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
+---
\ No newline at end of file
diff --git a/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
index 85c5e0ba27..7bcd802f03 100644
--- a/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
+++ b/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
@@ -60,15 +60,4 @@ You can enable your disabled compatibility fixes at any time.
 2. On the **Database** menu, click **Enable Entry**.
 ## Related topics
-
-
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-
- 
-
- 
-
-
-
-
-
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
\ No newline at end of file
diff --git a/windows/plan/example-filter-queries.md b/windows/plan/example-filter-queries.md
index 7b7732863d..8494d2a4b1 100644
--- a/windows/plan/example-filter-queries.md
+++ b/windows/plan/example-filter-queries.md
@@ -1,79 +1,5 @@
 ---
 title: Example Filter Queries (Windows 10)
 description: You can filter your compatibility-issue data or reports by selecting specific restriction criteria.
-ms.assetid: eae59380-56cc-4d57-bd2c-11a0e3c689c9
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Example Filter Queries
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can filter your compatibility-issue data or reports by selecting specific restriction criteria.
-
-## Example Queries
-
-
-The following sections show example queries created by using the Query Builder.
-
-### All Applications with Issues
-
-The following example query returns all applications that have one or more known issues.
-
-![act filter example all apps with issues](images/dep-win8-e-act-filterexampleallappswissues.gif)
-
-### All Applications with Solutions for Known Issues
-
-The following example query returns all applications that have solutions for their known issues.
-
-![act filter examples for issues with solutions](images/dep-win8-e-act-filterexampleforissueswsolutions.gif)
-
-### All Applications with Specific Solution Types
-
-The following example query returns all applications that have a solution type of Application Update or Application Configuration.
-
-![act filter example for specific solutions](images/dep-win8-e-act-filterexampleforspecificsolutions.gif)
-
-### All Applications with No Known Issues
-
-The following example query returns all applications that have no known issues.
-
-![act filter example all apps with no issues](images/dep-win8-e-act-filterexampleallapps0issues.gif)
-
-### All Applications with No Active Issues
-
-The following example query returns all applications that have no active issues.
-
-![act filter example all apps with no active issues](images/dep-win8-e-act-filterexampleallapps0activeissues.gif)
-
-### All Applications Appearing in a Specific Category and Subcategory
-
-The following example query returns all applications that have a category of Department and a subcategory of either Human Resources or Finance.
-
-![act filter example category](images/dep-win8-e-act-filterexamplecategory.gif)
-
-## Related topics
-
-
-[Filtering Your Compatibility Data](filtering-your-compatibility-data.md)
-
- 
-
- 
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/exporting-a-data-collection-package.md b/windows/plan/exporting-a-data-collection-package.md
index 5baee693f6..e3b5a9ce64 100644
--- a/windows/plan/exporting-a-data-collection-package.md
+++ b/windows/plan/exporting-a-data-collection-package.md
@@ -1,54 +1,5 @@
 ---
 title: Exporting a Data-Collection Package (Windows 10)
 description: In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data.
-ms.assetid: 98fe19e4-9533-4ffc-a275-8b3776ee93ed
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Exporting a Data-Collection Package
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data.
-
-You can export only one data-collection package at a time.
-
-**To export a data-collection package**
-
-1. In ACM, click **Collect** to open the Collect screen.
-
-2. Select the data-collection package that you want to export.
-
-3. On the **File** menu, click **Export**.
-
-4. Navigate to the folder where you want to store the Windows installer (.msi) file for the data-collection package, and then click **Save**.
-
-## Related topics
-
-
-[Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md)
-
-[Deleting a Data-Collection Package](deleting-a-data-collection-package.md)
-
-[Labeling Data in ACM](labeling-data-in-acm.md)
-
- 
-
- 
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/filtering-your-compatibility-data.md b/windows/plan/filtering-your-compatibility-data.md
index fcc724c2d5..83040f196c 100644
--- a/windows/plan/filtering-your-compatibility-data.md
+++ b/windows/plan/filtering-your-compatibility-data.md @@ -1,115 +1,5 @@ --- title: Filtering Your Compatibility Data (Windows 10) description: You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria. -ms.assetid: b64267b5-83c0-4b4d-a075-0975d3a359c8 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Filtering Your Compatibility Data - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria. - -The following table shows the columns in Query Builder. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    ColumnDescription

    And/Or

    If you select And, your data must match all query rows to appear as a returned result.

    -

    If you select Or, your data can match any query row to appear as a returned result.

    Field

    Select filter criteria.

    Operator

    Select an operator. The available operators depend on the field that you choose.

    Value

    Type or select a value.

-
- 
-
-## Creating Basic Queries
-
-
-You can insert as many query clauses as you want to create a customized view of your compatibility data.
-
-**Note**  
-The following examples use the **<Operating\_System> - Application Report** screen. The process is the same for other report types.
-
- 
-
-**To create a basic query**
-
-1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**.
-
-2. In the Query Builder, enter your filter criteria, pressing the Tab key to add clauses.
-
- To delete a clause, right-click the row, and then click **Delete Clause**.
-
-3. Click **Refresh**.
-
- Your filtered results appear. To close the Query Builder, click **Toggle Filter** again.
-
-## Querying on Objects
-
-
-You can query your compatibility data based on its relationship with other objects. For example, in the applications report, you can query for applications that have corresponding issues. Fields that have a (+) suffix in Query Builder are collections of objects.
-
-**To query for a collection of objects**
-
-1. In Query Builder, in the **Field** column, click any field that contains a plus sign (+) as suffix.
-
-2. In the **Operator** column, select **Exists**, **Not Exists**, or **All Have**.
-
- Query Builder creates a group clause, which is shown by a bracket that spans the rows that are included in the group.
-
-3. Move your cursor to the next row in the group clause, and then in the **Field** column, select a field.
-
-4. In the **Operator** column, select an operator.
-
-5. In the **Value** column, enter a value, and then click **Refresh**.
-
-## Related topics
-
-
-[Example Filter Queries](example-filter-queries.md)
-
- 
-
- 
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/fixing-compatibility-issues.md b/windows/plan/fixing-compatibility-issues.md
index b7f338d5ac..50f8032d64 100644
--- a/windows/plan/fixing-compatibility-issues.md +++ b/windows/plan/fixing-compatibility-issues.md @@ -1,78 +1,5 @@ --- title: Fixing Compatibility Issues (Windows 10) description: This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues. -ms.assetid: 30ba8d14-a41a-41b3-9019-e8658d6974de -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Fixing Compatibility Issues - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Deciding Whether to Fix an Application or Deploy a Workaround](deciding-whether-to-fix-an-application-or-deploy-a-workaround.md)

    You can fix a compatibility issue by changing the code for the application or by deploying a workaround.

    [SUA User's Guide](sua-users-guide.md)

    You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows.

    [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)

    The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides the following:

    - -  - -## Related topics - - -[Taking Inventory of Your Organization](taking-inventory-of-your-organization.md) - -[Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md) - -[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md) - -[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md) - -[Troubleshooting ACT](troubleshooting-act.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/identifying-computers-for-inventory-collection.md b/windows/plan/identifying-computers-for-inventory-collection.md index a7378b9820..524304a7cf 100644 --- a/windows/plan/identifying-computers-for-inventory-collection.md +++ b/windows/plan/identifying-computers-for-inventory-collection.md 
@@ -1,104 +1,5 @@ --- title: Identifying Computers for Inventory Collection (Windows 10) -ms.assetid: f5bf2d89-fff2-4960-a153-dc1146b442fb -description: -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -author: TrudyHa ---- - -# Identifying Computers for Inventory Collection - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -An inventory-collector package gathers inventory data from the computers on which it is installed. This data includes the following: - -- **System inventory.** Information about the client computer. This information includes the memory capacity, the processor speed, and the processor architecture. - -- **Device inventory.** Information about the devices that are installed on the client computer. This information includes the model, the manufacturer, and the device class. - -- **Software inventory.** An inventory of the applications that are installed on the computer. This information includes system technologies such as Windows® Installer. - -To generate a complete inventory and obtain a comprehensive view of your organization, inventory all computers. However, remember that deploying inventory-collector packages to all computers in your organization will require the additional work of analyzing and reducing a larger list of applications. If you do not have the resources to deploy to all computers or you cannot process a larger list of applications, consider deploying inventory-collector packages to representative subsets of computers instead. 
- -If you decide to deploy inventory-collector packages to representative subsets of computers in your organization, consider the following: - -- [Managed and Unmanaged Environments](#bmk-managedunmanaged) - -- [Role-Based Applications](#bmk-rolebasedapplications) - -- [Software Distribution](#bmk-softwaredistribution) - -- [Geographic Distribution](#bmk-geographicdistribution) - -- [Computer Types](#bmk-computertypes) - -## Managed and Unmanaged Environments - - -In your organization, you may have managed environments and unmanaged environments. - -In a managed environment, IT administrators strictly control and manage the installation and use of applications. In this environment, you can discover the full inventory by deploying inventory-collector packages to a limited subset of computers. - -In an unmanaged environment, users have administrator permissions and can install applications at their own discretion. To obtain the full inventory, you must deploy your inventory-collector packages to more computers. - -## Role-Based Applications - - -Your organization may use role-based applications that relate to job function. For example, accountants may use finance-related applications. Reviewing application use together with job function helps you better identify which subsets of computers need inventory-collector packages. - -## Software Distribution - - -You can distribute applications in various ways within an organization. For example, you can use Group Policy, Microsoft® IntelliMirror®, Microsoft System Center Configuration Manager, or a customized distribution method. Reviewing the policies for your software distribution system helps you better identify which subsets of computers need inventory-collector packages. - -## Geographic Distribution - - -While you plan for inventory collection, consider the geographic distribution of your organization, and consider application use within each region. 
Be sure to account for divisional applications, localized applications, and applications that are specific to the geographic location and export restrictions. Consult with technical and business leaders from each region to understand the differences and determine which subsets of computers need inventory-collector packages. - -## Computer Types - - -Computer types can be an important factor in the deployment of inventory-collector packages. The following sections describe common computer types. - -### Mobile Computers - -Mobile users are frequently offline, occasionally synchronizing with the corporate network through a LAN or VPN connection. The user must be online for the inventory-collector package to be downloaded and installed, and must be online again for the logged data to be uploaded. - -### Multiuser Computers - -Multiuser computers are typically in university computer labs, libraries, and organizations that enable job sharing. These computers include a core set of applications that are always available, in addition to many applications that can be installed and removed as necessary. Because these computers typically have a core set of applications, you can identify a narrow subset of computers to receive the inventory-collector package. - -### AppStations and TaskStations - -AppStations that run vertical applications are typically for marketing, claims and loan processing, and customer service. TaskStations are typically dedicated to running a single application in a location such as a manufacturing floor (as an entry terminal) or a call center. Because AppStations and TaskStations do not typically enable users to add or remove applications, you can identify a narrow subset of computers to receive the inventory-collector package. - -### Kiosks - -Kiosks are generally in public areas. These computers run unattended. They also generally run a single application by using a single-use account and automatic logon. 
Because these computers typically run a single application, you can identify a narrow subset of computers to receive the inventory-collector package. - -## Related topics - - -[Creating an Inventory-Collector Package](creating-an-inventory-collector-package.md) - -[Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md) - -  - -  - - - - - +description: To generate a complete inventory and obtain a comprehensive view of your organization, inventory all computers. However, remember that deploying inventory-collector packages to all computers in your organization will require the additional work of analyzing and reducing a larger list of applications. If you do not have the resources to deploy to all computers or you cannot process a larger list of applications, consider deploying inventory-collector packages to representative subsets of computers instead. +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/index.md b/windows/plan/index.md index e8c8cdb020..1a3583938b 100644 --- a/windows/plan/index.md +++ b/windows/plan/index.md 
@@ -15,14 +15,14 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
 ## In this section
 |Topic |Description |
 |------|------------|
-|[Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) |This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
-|[Windows 10 servicing overview](windows-10-servicing-options.md) |Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. |
+|[Windows 10 servicing options](windows-10-servicing-options.md) |Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. |
 |[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. |
 |[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. |
 |[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. |
 |[Windows Update for Business](windows-update-for-business.md) |Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems.
| |[Windows To Go: feature overview](windows-to-go-overview.md) |Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. | |[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. | +|[Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) |This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for [Windows 10 and Windows 10 Mobile](../index.md). | ## Related topics - [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md) diff --git a/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md index c55deebb84..bd057029b9 100644 --- a/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md +++ b/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md @@ -59,15 +59,4 @@ When a custom database is no longer necessary, either because the applications a 2. On the **File** menu, click **Uninstall**. ## Related topics - - -[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) - -  - -  - - - - - +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) \ No newline at end of file diff --git a/windows/plan/internet-explorer-web-site-report.md b/windows/plan/internet-explorer-web-site-report.md index da0098b6c3..f30fc92bd6 100644 
--- a/windows/plan/internet-explorer-web-site-report.md
+++ b/windows/plan/internet-explorer-web-site-report.md
@@ -1,68 +1,5 @@
 ---
 title: Internet Explorer - Web Site Report (Windows 10)
-ms.assetid: f072033d-9d42-47ed-8fb0-dbdc28442910
-description:
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Internet Explorer - Web Site Report
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The **Internet Explorer - Web Site Report** screen shows the following information for each of the websites visited in your organization:
-
-- The website URL.
-
-- Your organization's compatibility rating for the website.
-
-- The count of issues for the website.
-
-- The count of resolved issues for the website.
-
-**To open the Internet Explorer - Web Site Report screen**
-
-1. In Application Compatibility Manager (ACM), on the **Quick Reports** pane, click **Analyze**.
-
-2. In the **Quick Reports** pane, under the **Internet Explorer** heading, click **Web Sites**.
-
-## Using the Internet Explorer - Web Site Report Screen
-
-
-On the **Internet Explorer - Web Site Report** screen, you can:
-
-- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).
-
-- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).
-
-- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md).
-
-- Specify your compatibility rating for a website. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md).
-
-- Select your deployment status for a website. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md).
- -- Assign categories and subcategories to a website. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). - -- Specify the importance of a website to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). - -- Double-click a website name to view its associated dialog box. For more information, see [<WebsiteURL> Dialog Box](websiteurl-dialog-box.md). - -  - -  - - - - - +description: The Internet Explorer - Web Site Report screen shows the URL, your organization's compatibility rating, issue count, and resolved issue count, for each of the websites visited in your organization. +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/labeling-data-in-acm.md b/windows/plan/labeling-data-in-acm.md index 1e0ae71639..92f7448f84 100644 --- a/windows/plan/labeling-data-in-acm.md +++ b/windows/plan/labeling-data-in-acm.md 
@@ -1,54 +1,5 @@ --- title: Labeling Data in ACM (Windows 10) description: Application data and its associated compatibility issues can vary within an organization. -ms.assetid: d099c747-e68a-4cad-a639-9f33efab35b3 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Labeling Data in ACM - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -Application data and its associated compatibility issues can vary within an organization. For example, the applications used by a Human Resources (HR) department might differ from the applications used by a Sales department. Even for applications that are used across an organization, different compatibility issues might be found for each business group because of the unique application use by each business group. - -Your data-collection packages can add a *label* to your inventoried applications. To filter by business group when analyzing reports, you can create a different data-collection package for each business group and have each package assign a unique label. For example, you can create a data-collection package for your Sales department with a **Sales** label. During reports analysis, you can filter your results so that only the data with the **Sales** label is visible. - -You can specify a label when you create a data-collection package. You cannot change the label for an existing data-collection package. - -**To specify the label for a new data-collection package** - -1. In Application Compatibility Manager (ACM), on the **Go** menu, click **Collect**. - -2. On the **Collect** screen, click **File** from the toolbar, and then click **New** to start creating a new data-collection package. - -3. In the wizard, enter the label that you want to be applied by the data-collection package. 
- -## Related topics - - -[Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md) - -[Exporting a Data-Collection Package](exporting-a-data-collection-package.md) - -[Deleting a Data-Collection Package](deleting-a-data-collection-package.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/log-file-locations-for-data-collection-packages.md b/windows/plan/log-file-locations-for-data-collection-packages.md index 99ea5bc63f..5fa3b6c466 100644 --- a/windows/plan/log-file-locations-for-data-collection-packages.md +++ b/windows/plan/log-file-locations-for-data-collection-packages.md 
@@ -1,54 +1,5 @@ --- title: Log File Locations for Data-Collection Packages (Windows 10) -ms.assetid: dcc395e7-2d9c-4935-abab-33c5934ce24a -description: -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Log File Locations for Data-Collection Packages - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -When you create a data-collection package in Application Compatibility Manager (ACM), you can select an output location for your log files. You have the following options: - -- Specify an ACT Log Processing Service (LPS) share. The data-collection package automatically writes the log files to the specified ACT LPS share. - - If the ACT LPS share is unavailable when the upload time interval is reached, the data-collection package will make two more attempts. - - For inventory collector packages, after the third attempt, the inventory collector package no longer attempts to upload data. - - For runtime-analysis packages, if the problem persists, the runtime-analysis package will store the log file in %SYSTEMDRIVE%\\Users\\All Users\\Microsoft\\Application Compatibility Toolkit\\LogProcessor\\Failed. The runtime-analysis package will attempt to upload the files again at the next upload interval. - -- Select **Local (%ACTAppData%\\DataCollector\\Output)**. If you use this option, the data-collection package creates log files on the local system and the computer administrator must manually copy the files to the ACT LPS share location. Consider this option for mobile users who are not always connected to the network. The log files are located in %SYSTEMDRIVE%\\Users\\All Users\\Microsoft\\Application Compatibility Toolkit\\DataCollector\\Output. - -- Type an alternate network share location. If you use this option, verify that the data-collection package can write to the alternate location. 
You might consider this option if your organization is geographically diverse. For example, administrators can create data-collection packages and file shares individually for each geographic location. Administrators at a central location must then move the log files to a central location and map the files to the ACT LPS share for processing and entry into the ACT database. - -## Related topics - - -[Exporting a Data-Collection Package](exporting-a-data-collection-package.md) - -[Deleting a Data-Collection Package](deleting-a-data-collection-package.md) - -[Labeling Data in ACM](labeling-data-in-acm.md) - -  - -  - - - - - +description: Selecting the output for your data-collection package log files. +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md index 7c8a961d1d..a654054608 100644 --- a/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md +++ b/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md @@ -56,17 +56,6 @@ This section provides information about managing your application-compatibility   ## Related topics - - [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) -[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) - -  - -  - - - - - +[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) \ No newline at end of file diff --git a/windows/plan/managing-your-data-collection-packages.md b/windows/plan/managing-your-data-collection-packages.md index 46eaa26130..03cbe4849d 100644 --- a/windows/plan/managing-your-data-collection-packages.md +++ b/windows/plan/managing-your-data-collection-packages.md 
@@ -1,80 +1,5 @@ --- title: Managing Your Data-Collection Packages (Windows 10) description: This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages. -ms.assetid: 369ae82f-c8ca-42ec-85df-1b760a74e70a -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Managing Your Data-Collection Packages - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages. Data-collection packages include inventory-collector packages and runtime-analysis packages. The following procedures apply to both package types. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md)

    When you create a data-collection package in Application Compatibility Manager (ACM), you can select an output location for your log files. You have the following options:

    [Exporting a Data-Collection Package](exporting-a-data-collection-package.md)

    In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data.

    [Deleting a Data-Collection Package](deleting-a-data-collection-package.md)

    In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database.

    [Labeling Data in ACM](labeling-data-in-acm.md)

    Application data and its associated compatibility issues can vary within an organization. For example, the applications used by a Human Resources (HR) department might differ from the applications used by a Sales department. Even for applications that are used across an organization, different compatibility issues might be found for each business group because of the unique application use by each business group.

    - -  - -## Related topics - - -[Taking Inventory of Your Organization](taking-inventory-of-your-organization.md) - -[Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md) - -[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md) - -[Fixing Compatibility Issues](fixing-compatibility-issues.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/organizational-tasks-for-each-report-type.md b/windows/plan/organizational-tasks-for-each-report-type.md index e572f3b042..61498e165d 100644 --- a/windows/plan/organizational-tasks-for-each-report-type.md +++ b/windows/plan/organizational-tasks-for-each-report-type.md @@ -1,96 +1,5 @@ --- title: Organizational Tasks for Each Report Type (Windows 10) description: The following table shows which tasks can be performed for each report type. -ms.assetid: 7463fab1-ba6e-4a9a-9112-0b69a18fe353 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Organizational Tasks for Each Report Type - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The following table shows which tasks can be performed for each report type. - - --------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Report[Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md)[Selecting Your Deployment Status](selecting-your-deployment-status.md)[Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md)[Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md)[Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md)[Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md)

    [<OperatingSystem> - Application Report](act-operatingsystem-application-report.md)

    Yes

    Yes

    Yes

    Yes

    Yes

    Yes

    [<OperatingSystem> - Computer Report](act-operatingsystem-computer-report.md)

    No

    No

    Yes

    Yes

    No

    No

    [<OperatingSystem> - Device Report](act-operatingsystem-device-report.md)

    No

    No

    Yes

    Yes

    No

    No

    [<WebsiteURL> Dialog Box](websiteurl-dialog-box.md)

    Yes

    Yes

    Yes

    Yes

    Yes

    Yes

    - -  - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/organizing-your-compatibility-data.md b/windows/plan/organizing-your-compatibility-data.md index 54bc38d151..30d2918977 100644 --- a/windows/plan/organizing-your-compatibility-data.md +++ b/windows/plan/organizing-your-compatibility-data.md @@ -1,90 +1,5 @@ --- title: Organizing Your Compatibility Data (Windows 10) description: This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM). -ms.assetid: e91ae444-5d85-4b5f-b655-a765ecc78b1e -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Organizing Your Compatibility Data - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM). - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Organizational Tasks for Each Report Type](organizational-tasks-for-each-report-type.md)

    The following table shows which tasks can be performed for each report type.

    [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md)

    You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system. Your rating applies to your entire organization and is based on your own testing results and organizational requirements.

    [Selecting Your Deployment Status](selecting-your-deployment-status.md)

    In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites.

    [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md)

    To customize and filter your compatibility reports, you can create categories and subcategories to assign to your applications, computers, devices, and websites. By default, Microsoft provides the following categories:

    [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md)

    You can prioritize your applications, websites, computers, and devices to help customize and filter your compatibility reports. The priority levels are:

    [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md)

    For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange

    [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md)

    This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange.

    - -  - -## Related topics - - -[Viewing Your Compatibility Reports](viewing-your-compatibility-reports.md) - -[Filtering Your Compatibility Data](filtering-your-compatibility-data.md) - -[Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/prioritizing-your-compatibility-data.md b/windows/plan/prioritizing-your-compatibility-data.md index 3d55e9d1f3..7304d6dbb9 100644 --- a/windows/plan/prioritizing-your-compatibility-data.md +++ b/windows/plan/prioritizing-your-compatibility-data.md 
@@ -1,103 +1,5 @@ --- title: Prioritizing Your Compatibility Data (Windows 10) -ms.assetid: 103e125a-bd2b-4019-9d6a-2e1d50c380b1 -description: -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Prioritizing Your Compatibility Data - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can prioritize your applications, websites, computers, and devices to help customize and filter your compatibility reports. The priority levels are: - -- **Priority 1 - Business Critical**. The highest priority level, applied to an item that is so important to your organization that a compatibility issue with the item would keep you from deploying a new operating system. - -- **Priority 2 - Important**. Items that your organization regularly uses but can function without. - -- **Priority 3 - Nice to Have**. Lower-priority items that you want to show in your compatibility reports that do not belong in either of the previous two categories. - -- **Priority 4 - Unimportant**. Items that are irrelevant to the daily functions of your organization. - -- **Unspecified**. The default priority level, applied to items that have not yet been reviewed for deployment. - -## Prioritizing Your Applications, Computers, Devices, and Websites - - -The following example uses the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. The procedure is the same on the reports for computers, devices, and websites. - -**To change the priority** - -1. On the **<Operating\_System> - Application Report** screen, click the name of the application. - -2. On the **Actions** menu, click **Set Priority**. - -3. Click a priority, and then click **OK**. - -**To filter your data by priority** - -1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**. - -2. 
Enter your filter criteria, pressing the Tab key to add clauses. - - Consider the following example, which shows a query that filters for all applications that have a priority level of **Business Critical** or **Important**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    And/OrFieldOperatorValue

    And

    Priority

    Equals

    Priority 1 - Business Critical

    Or

    Priority

    Equals

    Priority 2 - Important

    - -   - - To delete a clause, right-click the row, and then click **Delete Clause**. - -3. Click **Refresh**. - - Your filtered results appear. - -  - -  - - - - - +description: Prioritizing your apps, websites, computers, and devices to help customize and filter your compatibilty reports. +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/ratings-icons-in-acm.md b/windows/plan/ratings-icons-in-acm.md index e8f095c0ac..c1f0184338 100644 --- a/windows/plan/ratings-icons-in-acm.md +++ b/windows/plan/ratings-icons-in-acm.md @@ -1,111 +1,5 @@ --- title: Ratings Icons in ACM (Windows 10) description: Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community. -ms.assetid: 0165499e-cb47-4d76-98a6-b871d23e4e83 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Ratings Icons in ACM - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community. - -For information about specifying your own ratings, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). For information about community ratings, see [ACT Community Ratings and Process](act-community-ratings-and-process.md). - -## Icons - - -The following table shows icons that appear on the report screens and dialog boxes for **Company Assessment** and **Vendor Assessment**. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    IconDescription
    ACT Green icon

    Application, device, or website functions as expected on a 32-bit operating system.

    ACT green 64-bit icon

    Application, device, or website functions as expected on a 64-bit operating system.

    ACT minor issue icon

    Application, device, or website with issues that are minor or have known solutions on a 32-bit operating system. Severity 3 issues are considered minor issues.

    ACT Minor issues 64-bit icon

    Application, device, or website with issues that are minor or have known solutions on a 64-bit operating system.

    ACT does not work icon

    Application, device, or website with major issues, such as data loss or severely impaired functionality, on 32-bit operating systems. Severity 1 and Severity 2 issues are considered major issues.

    ACT does not work 64-bit icon

    Application, device, or website with major issues, such as data loss or severely impaired functionality, on 64-bit operating systems.

    ACT Information icon

    Application, device, or website that does not have any application assessment data for 32-bit operating systems. The item does not match any information in the database, or no assessments have been submitted.

    ACT 64-bit info icon

    Application, device, or website that does not have any application assessment data for 64-bit operating systems.

    - -  - -## User Ratings and ACT Community Ratings - - -Ratings are displayed graphically in the **User Ratings** column and the **Community Assessment** column. The rating color and bar count depend on how the users or community rated the item. There are three possible ratings: - -- **Works**. Applications with this rating receive five green bars. - -- **Works with minor issues or has solutions**. Applications with this rating receive three light-green bars. - -- **Does not work**. Applications with this rating receive a single red bar. - -The color gradient from one to five bars shows the average rating. - -![act community](images/dep-win8-e-act-communityexample.gif) - -## Related topics - - -[Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md) - -[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/resolving-an-issue.md b/windows/plan/resolving-an-issue.md index 4d5557c944..e6a5b97651 100644 --- a/windows/plan/resolving-an-issue.md +++ b/windows/plan/resolving-an-issue.md 
@@ -1,62 +1,5 @@ --- title: Resolving an Issue (Windows 10) description: You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red x to a green check mark on your report and report detail screens. -ms.assetid: 96195122-185d-4f6a-8e84-79c3d069e933 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Resolving an Issue - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red **x** to a green check mark on your report and report detail screens. - -Resolving an issue is not required. However, if you do not resolve the issue, the issue remains active in your ACT database and provides inaccurate reports. - -## Resolving Issues for Your Applications and Websites - - -This procedure describes how to resolve an existing issue that is documented in ACM. For information about adding an issue, see [Adding or Editing an Issue](adding-or-editing-an-issue.md). - -**Note**   -The following example uses the **<Application\_Name>** dialog box. The procedure is similar for websites. - -  - -**To resolve issues** - -1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application to display the **<Application\_Name>** dialog box. - -2. Click the **Issues** tab. - -3. Double-click the specific issue to resolve. - -4. On the **Actions** menu, click **Resolve**, and then close the **<Application\_Name> - <Issue\_Title>** dialog box. - - The issue appears with a green check mark in the report details screen. 
- - **Note**   - If you have not entered a solution but have resolved the issue, Microsoft recommends that you enter a solution with **Other** solution type and add text that describes why you resolved the issue without a solution. For information about entering solutions, see [Adding or Editing a Solution](adding-or-editing-a-solution.md). - -   - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/saving-opening-and-exporting-reports.md b/windows/plan/saving-opening-and-exporting-reports.md index 67d940bd0d..65bfc93fba 100644 --- a/windows/plan/saving-opening-and-exporting-reports.md +++ b/windows/plan/saving-opening-and-exporting-reports.md 
@@ -1,78 +1,5 @@ --- title: Saving, Opening, and Exporting Reports (Windows 10) description: You can perform several common reporting tasks from the Analyze screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file. -ms.assetid: 8be72a6c-63ab-4451-ad79-815e2ac18aa2 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Saving, Opening, and Exporting Reports - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can perform several common reporting tasks from the **Analyze** screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file. - -## Saving Your Compatibility Report - - -You can save your compatibility report data, including any custom filters created by the query builder tool. You can import this report data back into Application Compatibility Manager (ACM) at a later time. - -**To save a report** - -1. In the **Quick Reports** pane, click **Analyze**. - -2. Expand the node for the target operating system for which you want to see compatibility reports, and then click a node for a report type. - -3. On the **File** menu, click **Save As**. - -4. Browse to the folder where you want to save your report, and then click **Save**. - -## Opening an Existing Compatibility Report - - -In ACM, you can open, or import, a compatibility report (.adq) file. - -**To open a report** - -1. In the **Quick Reports** pane, click **Analyze**. - -2. Expand the node for the target operating system for which you want to see compatibility reports, and then click a node for a report type. - -3. On the **File** menu, click **Open Report**. - -4. Browse to the folder where you saved your report, and then click **Open**. 
- -## Exporting Compatibility Report Data - - -You can export your compatibility report data to an Microsoft® Excel® spreadsheet (.xls) file. - -**To export report data** - -1. In the **Quick Reports** pane, click **Analyze**. - -2. Expand the node for the target operating system for which you want to see compatibility reports, and then click a node for a report type. - -3. On the **File** menu, click **Export Report**. - -4. Browse to the folder where you want to store the spreadsheet file, and then click **Save**. - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md index 99b2f4a61f..2488fe4e38 100644 --- a/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md +++ b/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md @@ -62,8 +62,6 @@ You can export your search results to a text (.txt) file for later review or arc 2. Browse to the location where you want to store your search result file, and then click **Save**. ## Related topics - - [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)   diff --git a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md index 25906a1746..34260942d9 100644 --- a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md +++ b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md 
@@ -166,8 +166,6 @@ You can export any of your search results into a tab-delimited text (.txt) file 2. Browse to the location where you intend to store the search results file, and then click **Save**. ## Related topics - - [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)   diff --git a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md index 782d3c1651..3674f73b68 100644 --- a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md +++ b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md 
@@ -1,98 +1,5 @@ --- title: Selecting the Send and Receive Status for an Application (Windows 10) description: For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange. -ms.assetid: ae139093-27cf-4ad8-882d-e0509e78d33a -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Selecting the Send and Receive Status for an Application - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange - -. For information about how to send and receive data, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). - -## Selecting the Send and Receive Status for an Application - - -**Note**   -The following example uses the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. - -  - -**To change the send and receive status for an application** - -1. On the **<Operating\_System> - Application Report** screen, click the application name for which you want to select the send and receive status. - -2. On the **Actions** menu, click **Set Send and Receive Status**. - -3. Select one of the following: - - - **Do not send to Microsoft** - - - **Send to Microsoft** (default) - -4. Click **OK**. - -**To filter based on send and receive status** - -1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**. - -2. In the **Query Builder**, enter your filter criteria, pressing the Tab key to add clauses. - - To delete a clause, right-click the row, and then click **Delete Clause**. 
- - The following example shows a query that filters for applications with a send and receive status of **Do not send to Microsoft**. - - - - - - - - - - - - - - - - - - - - - - - - -
    And/OrFieldOperatorValue

    And

    Send and Receive Status

    Equals

    Do not send to Microsoft

    - -   - -3. Click **Refresh**. - - Your filtered results appear. - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/selecting-your-compatibility-rating.md b/windows/plan/selecting-your-compatibility-rating.md index b7042d456d..e0b0defc6d 100644 --- a/windows/plan/selecting-your-compatibility-rating.md +++ b/windows/plan/selecting-your-compatibility-rating.md 
@@ -1,108 +1,5 @@ --- title: Selecting Your Compatibility Rating (Windows 10) description: You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system. -ms.assetid: 959da499-8fd6-4f32-8771-a0580dd8e0d3 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Selecting Your Compatibility Rating - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system. Your rating applies to your entire organization and is based on your own testing results and organizational requirements. - -Possible ratings include: - -- **Works**. During your organization's testing phase, there were no issues with the application, installation package, or website. - -- **Works with minor issues or has solutions**. During your organization's testing phase, there were no Severity 1 or Severity 2 issues with the application, installation package, or website. For information about severity levels, see [Adding or Editing an Issue](adding-or-editing-an-issue.md). - -- **Does not work**. During your organization's testing phase, the application, installation package, or website experienced a Severity 1 or Severity 2 issue. - -- **No data**. You have no compatibility data to provide. - -## Selecting a Compatibility Rating - - -You can select your compatibility rating from the report screen or from the associated dialog box that shows report details. As an example, the following procedures use the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. The procedure is the same on the report for websites. - -**To select your compatibility rating** - -1. 
On the **<Operating\_System> - Application Report** screen, click the application name. - -2. On the **Actions** menu, click **Set Assessment**. - -3. Choose your ratings. Select separate ratings for 32-bit operating systems and 64-bit operating systems, and then click **OK**. - - If your organization does not use a 32-bit operating system, or does not use a 64-bit operating system, you can hide the option in the **Customize Report Views** dialog box. If you hide the option, the associated column no longer appears in the **Set Assessment** dialog box. - -## Filtering By Your Compatibility Ratings - - -You can filter your applications, installation packages, or website data by your compatibility ratings. - -**To filter based on your compatibility ratings** - -1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**. - -2. In the **Query Builder**, enter your filter criteria, pressing the Tab key to add additional clauses. - - For example, the following query will show applications with a rating of **Works** or a rating of **Works with minor issues or has solutions**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    And/OrFieldOperatorValue

    And

    My Assessment

    Equals

    Works

    Or

    My Assessment

    Equals

    Works with minor issues or has solutions

    - -   - - To delete a clause, right-click the row, and then click **Delete Clause**. - -3. Click **Refresh**. - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/selecting-your-deployment-status.md b/windows/plan/selecting-your-deployment-status.md index 8cc4a070bc..61fdf90369 100644 --- a/windows/plan/selecting-your-deployment-status.md +++ b/windows/plan/selecting-your-deployment-status.md 
@@ -1,117 +1,5 @@ --- title: Selecting Your Deployment Status (Windows 10) description: In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites. -ms.assetid: 7735d256-77eb-4498-93aa-c838ee6e00fc -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Selecting Your Deployment Status - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites. - -## Selecting Your Deployment Status - - -You can change the deployment status from both the report screen and the associated report dialog box. - -**Note**   -The following examples use the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. The procedure is the same for setting deployment status on the report for websites. - -  - -**To change the deployment status of an application** - -1. On the **<Operating\_System> - Application Report** screen, click the application name. - -2. On the **Actions** menu, click **Set Deployment Status**. - -3. Select one of the following options: - - - **Not Reviewed** (default) - - - **Testing** - - - **Mitigating** - - - **Ready to Deploy** - - - **Will Not Deploy** - -4. Click **OK**. - -## Filtering By Deployment Status - - -You can filter your applications and websites by your deployment status. - -**To filter based on deployment status** - -1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**. - - The **Query Builder** appears with a blank row. - -2. In the **Query Builder**, enter your filter criteria, pressing the Tab key to add clauses. - - For example, the following query filters for applications with a deployment status of **Mitigating** or **Ready to Deploy**. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    And/OrFieldOperatorValue

    And

    Deployment Status

    Equals

    Mitigating

    Or

    Deployment Status

    Equals

    Ready to Deploy

    - -   - - To delete a clause, right-click the row, and then click **Delete Clause**. - -3. Click **Refresh**. - - Your filtered results appear. - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/sending-and-receiving-compatibility-data.md b/windows/plan/sending-and-receiving-compatibility-data.md index 5a694085b2..fe2e0356a0 100644 --- a/windows/plan/sending-and-receiving-compatibility-data.md +++ b/windows/plan/sending-and-receiving-compatibility-data.md 
@@ -1,69 +1,5 @@ --- title: Sending and Receiving Compatibility Data (Windows 10) description: The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community. -ms.assetid: b86d2431-1caa-4f95-baf9-52ff6af546cd -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Sending and Receiving Compatibility Data - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community. This process involves checking for updated compatibility information from Microsoft over the Internet. You can send and receive data to keep Application Compatibility Manager (ACM) updated with the latest compatibility information. - -The synchronization process includes only the changes made since the last synchronization. During the synchronization process, a dialog box displaying the synchronization status appears. You can continue to work during this process. If no new issues have occurred since your last synchronization, the Microsoft Compatibility Exchange uploads your issue information and notifies you that no updates exist. - -The synchronization process uses the Microsoft Compatibility Exchange to: - -- Download new information from Microsoft and ISVs, except for the applications for which you choose not to send application data to Microsoft. - -- Upload your compatibility issues to Microsoft. - -- Upload and download compatibility information from the ACT Community, if you are a member of the ACT Community and agree to share your data. 
For information about configuring your membership in the ACT Community, see [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md). - -For information about which data is sent and received through the Microsoft Compatibility exchange, see [Data Sent Through the Microsoft Compatibility Exchange](data-sent-through-the-microsoft-compatibility-exchange.md). - -## Reviewing and Synchronizing Your Data - - -Prior to sending your application data to Microsoft, you can review your application list and view the exact data being sent as a text (.txt) file. After you are done reviewing the information, you can synchronize your data with Microsoft. - -**To review and synchronize your data** - -1. On the **Analyze** screen, click **Send and Receive**. - -2. Click **Review the data before sending**. - - The **Send and Receive Data** dialog box shows all of the application data that is to be sent to Microsoft during the synchronization process. To avoid sending application data for specific applications, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md). - -3. Optionally, click **Review all data**, save the resulting .txt file locally, and then review the exact XML data that will be sent to Microsoft. - -4. After you finish reviewing the application list and XML data, click **Send**. - -## Related topics - - -[Data Sent Through the Microsoft Compatibility Exchange](data-sent-through-the-microsoft-compatibility-exchange.md) - -[ACT Community Ratings and Process](act-community-ratings-and-process.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/settings-for-acm.md b/windows/plan/settings-for-acm.md index 6abb406ec3..fe209d179d 100644 --- a/windows/plan/settings-for-acm.md +++ b/windows/plan/settings-for-acm.md 
@@ -1,70 +1,5 @@ --- title: Settings for ACM (Windows 10) description: This section provides information about settings that you can configure in Application Compatibility Manager (ACM). -ms.assetid: e0126284-4348-4708-8976-a1e404f35971 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Settings for ACM - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about settings that you can configure in Application Compatibility Manager (ACM). - -## In this section - - - ---- - - - - - - - - - - - - - - - - -
    TopicDescription

    [Settings Dialog Box - Settings Tab](act-settings-dialog-box-settings-tab.md)

    To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings.

    [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md)

    To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings.

    - -  - -## Related topics - - -[Configuring ACT](configuring-act.md) - -[ACT Database Configuration](act-database-configuration.md) - -[Troubleshooting ACT](troubleshooting-act.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/software-requirements-for-act.md b/windows/plan/software-requirements-for-act.md index 3564e2d753..d631eef7aa 100644 --- a/windows/plan/software-requirements-for-act.md +++ b/windows/plan/software-requirements-for-act.md 
@@ -1,86 +1,5 @@ --- title: Software Requirements for ACT (Windows 10) description: The Application Compatibility Toolkit (ACT) has the following software requirements. -ms.assetid: 9bbc21d4-f2ac-4a91-8add-017b1eacdeee -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Software Requirements for ACT - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Application Compatibility Toolkit (ACT) has the following software requirements. - -## Operating Systems - - -ACT can be installed on the following operating systems: - -- Windows 10 - -- Windows 8.1 - -- Windows 8 - -- Windows 7 - -- Windows Server 2012 - -- Windows Server 2008 R2 - -You can deploy inventory collector packages to all of the operating systems where you can install ACT. In addition, you can also deploy inventory collector packages to Windows Server 2008, Windows Vista, and Windows XP. - -**Note**   -As of Update 2, there is a known issue where the inventory collector package fails on Windows Vista. - -  - -## Database Components - - -ACT requires one of the following database components: - -- Microsoft® SQL Server® 2012 - -- Microsoft® SQL Server® 2008 R2 - -- SQL Server 2008 - -- SQL Server 2005 - -- SQL Server 2008 Express - -- SQL Server 2005 Express Edition - -## .NET Framework - - -ACT requires .NET Framework 4. - -## Related topics - - -[What's New in Act 6.1](whats-new-in-act-60.md) - -[Software Requirements for RAP](software-requirements-for-rap.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/software-requirements-for-rap.md b/windows/plan/software-requirements-for-rap.md index 07311438e4..b9914238fc 100644 --- a/windows/plan/software-requirements-for-rap.md +++ b/windows/plan/software-requirements-for-rap.md 
@@ -1,70 +1,5 @@ --- title: Software Requirements for RAP (Windows 10) description: The runtime-analysis package (RAP) has the following software requirements. -ms.assetid: 0163ce70-f5ba-400c-bdd5-a25511aac91f -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Software Requirements for RAP - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The runtime-analysis package (RAP) has the following software requirements. - -## Compatibility Monitor Supported Operating Systems - - -The Microsoft Compatibility Monitor tool is included in the runtime-analysis package. You can use the Compatibility Monitor on the following operating systems: - -- Windows 10 - -- Windows 8.1 - -- Windows 8 - -- Windows 7 - -## SUA Tool and Compatibility Administrator Supported Operating Systems - - -The Standard User Analyzer (SUA) tool and wizard and the Compatibility Administrator tool are included in the runtime-analysis package. You can use the tools on the following operating systems: - -- Windows 10 - -- Windows 8.1 - -- Windows 8 - -- Windows 7 - -- Windows Server 2012 - -- Windows Server 2008 R2 - -## Related topics - - -[What's New in Act 6.1](whats-new-in-act-60.md) - -[Software Requirements for ACT](software-requirements-for-act.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/sua-users-guide.md b/windows/plan/sua-users-guide.md index e0f2921b80..fff7a5757e 100644 --- a/windows/plan/sua-users-guide.md +++ b/windows/plan/sua-users-guide.md 
@@ -54,16 +54,6 @@ You can use SUA in either of the following ways: - -  - -## Related topics - - -[Deciding Whether to Fix an Application or Deploy a Workaround](deciding-whether-to-fix-an-application-or-deploy-a-workaround.md) - -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) -     diff --git a/windows/plan/taking-inventory-of-your-organization.md b/windows/plan/taking-inventory-of-your-organization.md index 07b40d240a..d199af1ab6 100644 --- a/windows/plan/taking-inventory-of-your-organization.md +++ b/windows/plan/taking-inventory-of-your-organization.md @@ -1,76 +1,5 @@ --- title: Taking Inventory of Your Organization (Windows 10) description: This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization. -ms.assetid: d52f138d-c6b2-4ab1-bb38-5b036311a51d -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Taking Inventory of Your Organization - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Identifying Computers for Inventory Collection](identifying-computers-for-inventory-collection.md)

    An inventory-collector package gathers inventory data from the computers on which it is installed. This data includes the following:

    [Creating an Inventory-Collector Package](creating-an-inventory-collector-package.md)

    You can use Application Compatibility Manager (ACM) to create an inventory-collector package. You can then deploy the inventory-collector package to other computers to gather inventory data. The package uploads inventory data to the Application Compatibility Toolkit (ACT) database.

    [Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md)

    You can use the following methods to deploy an inventory-collector package to the destination computers:

    - -  - -## Related topics - - -[Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md) - -[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md) - -[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md) - -[Fixing Compatibility Issues](fixing-compatibility-issues.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/testing-compatibility-on-the-target-platform.md b/windows/plan/testing-compatibility-on-the-target-platform.md index 621a8bfeb2..9ba06e8cb3 100644 --- a/windows/plan/testing-compatibility-on-the-target-platform.md +++ b/windows/plan/testing-compatibility-on-the-target-platform.md @@ -1,84 +1,5 @@ --- title: Testing Compatibility on the Target Platform (Windows 10) description: This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment. -ms.assetid: 8f3e9d58-37c2-41ea-a216-32712baf6cf4 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Testing Compatibility on the Target Platform - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Deciding Which Applications to Test](deciding-which-applications-to-test.md)

    Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing.

    [Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md)

    The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. Your test environment is composed of computers on which the new operating system is installed. Your test environment can be a long-term investment. Consider retaining the test environment after deployment to assist in future deployment projects.

    [Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md)

    In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment.

    [Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md)

    When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing.

    [Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md)

    Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback.

    - -  - -## Related topics - - -[Taking Inventory of Your Organization](taking-inventory-of-your-organization.md) - -[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md) - -[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md) - -[Fixing Compatibility Issues](fixing-compatibility-issues.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/testing-your-application-mitigation-packages.md b/windows/plan/testing-your-application-mitigation-packages.md index 669904c1e6..5fc970623c 100644 --- a/windows/plan/testing-your-application-mitigation-packages.md +++ b/windows/plan/testing-your-application-mitigation-packages.md @@ -84,15 +84,4 @@ At this point, you probably cannot resolve any unresolved application compatibil If your developers have insufficient resources to resolve the application compatibility issues, outsource the mitigation effort to another organization within your company. ## Related topics - - -[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) - -  - -  - - - - - +[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) \ No newline at end of file diff --git a/windows/plan/troubleshooting-act-database-issues.md b/windows/plan/troubleshooting-act-database-issues.md index ba1e7c4f7a..e0fb05fd2a 100644 --- a/windows/plan/troubleshooting-act-database-issues.md +++ b/windows/plan/troubleshooting-act-database-issues.md 
@@ -1,157 +1,5 @@ --- title: Troubleshooting ACT Database Issues (Windows 10) description: The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT). -ms.assetid: c36ab5d8-cc82-4681-808d-3d491551b75e -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Troubleshooting ACT Database Issues - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT). - -For information about how to set up the database, see [ACT Database Configuration](act-database-configuration.md). - -## Connecting to a SQL Server Database - - -When you attempt to connect to a SQL Server database, you may receive the following error message: - -The SQL Server you entered either does not exist or you do not have the required credentials for access. - -This error message indicates that the connection to the database is not valid. To investigate this error, do the following: - -1. Verify that the SQL Server database to which you are connecting is a valid database. - -2. Verify that you have read and write permissions to the database. If you do not have read and write permissions, contact your SQL Server administrator. For more information, see [Adding a Member to a SQL Server Database Role](http://go.microsoft.com/fwlink/p/?LinkId=64170). - -If you have read and write permissions to the database but cannot connect to it, you may be able to change the settings for your instance of SQL Server to resolve the issue. Namely, you can enable TCP/IP and firewall exceptions. - -**To enable TCP/IP and firewall exceptions for your instance of SQL Server** - -1. 
In a **Command Prompt** window, type the following command to stop your instance of SQL Server. - - ``` syntax - net stop - - ``` - - In the preceding command, *MSSQLSERVER* is the name of the instance of SQL Server. For SQL Server, the default name is MSSQLSERVER. For Microsoft SQL Server Express, the default name is MSSQL$SQLEXPRESS. - -2. Enable TCP/IP for your instance of SQL Server: - - 1. In the **Command Prompt** window, type `SQLServerManager.msc` - - 2. In SQL Server Configuration Manager, expand **SQL Server 2005 Network Configuration**, and then click **Protocols for MSSQLSERVER**. - - 3. Right-click **TCP/IP**, and then click **Enable**. - -3. Add firewall port exceptions for your instance of SQL Server: - - 1. In the **Command Prompt** window, type `firewall.cpl` - - 2. In the Windows® Firewall tool, click the **Exceptions** tab, and then click **Add Port**. - - 3. Add a firewall exception for TCP port 1433 (SQL Server) and for UDP port 1434 (SQL Server Browser), and then click **OK**. - - **Note**   - SQL Server Browser is the service that receives incoming SQL Server requests so that you can access the SQL Server Express database from a remote computer. By default, this service is disabled, which means that you can only access the database locally. If Application Compatibility Manager (ACM) or the ACT Log Processing Service is not installed on the same computer as the database, you must use the Services tool to manually start SQL Server Browser. - -   - -4. In the **Command Prompt** window, type `net start ` to start your instance of SQL Server, where *MSSQLSERVER* is the name of the instance. - -5. Type `sc config SQLBrowser start= auto` to change the configuration of SQL Server Browser. - -6. Type `net start SQLBrowser` to start SQL Server Browser. 
- -## Verifying SQL Server Version - - -If you attempt to connect to a SQL Server version that is not valid for ACT, you may receive the following error message: - -The SQL Server you are trying to connect to is not a supported version. Please check the Help documentation to find out about the supported versions of the SQL Server. - -To investigate this error, verify that ACT supports your version of SQL Server or SQL Server Express. For more information, see [Software Requirements for ACT](software-requirements-for-act.md). - -## Creating an ACT Database - - -You cannot create an ACT database by using ACM if you do not have database-creation permissions for the instance of SQL Server. To create the database, add the required permissions to the user account and then use ACM to create it. Alternatively, ask a SQL Server administrator to create the database. - -**To grant database-creation permissions to a user account** - -1. In SQL Server Management Studio, expand the **Security** folder, right-click **Logins**, and then click **New Logins**. - -2. On the **General** page, type the name of the user account that you will use to create the ACT database. - -3. Click **Server Roles**. - -4. Select the **sysadmin** or **dbcreator** check box, depending on your organization's policy. - -**To create an ACT database as a SQL Server administrator** - -1. Use SQL Server Management Studio to open and run the CreateDB.sql script against your instance of SQL Server. For information about the location of the CreateDB.sql file, see [ACT Database Configuration](act-database-configuration.md). - - - or - - - Use the OSQL tool, and run the command `osql -E -S -I CreateDB.sql` - -2. In ACM, in the **Settings** dialog box, update the **Database** box with the information for the newly created database. - - To use ACM with the ACT database, the user account must have read and write permissions to the database. 
- -## Granting ACT Database Permissions for the ACT Log Processing Service - - -The ACT Log Processing Service requires read and write access to the ACT database. - -**To grant permissions to the ACT database** - -1. In SQL Server Management Studio, expand the **Security** folder, right-click **Logins**, and then click **New Login**. - -2. Complete the following information on the **General** page: - - - **Login name**. Type the name of the account that requires permissions. If you are using the Local System account for the ACT Log Processing Service, provide access to the *<domain>*\\*<computer\_name>*$ account, where *<computer\_name>* is the name of the computer that is running the ACT Log Processing Service. - - - **Default database**. Select the ACT database to which your user account requires permissions. - -3. Click **User Mapping**. - -4. Select the check box next to your ACT database. - -5. Select the **db\_datareader** and **db\_datawriter** check boxes, and then click **OK**. - - **Important**   - If you continue to experience issues with the ACT Log Processing Service, even while you are using the Local System account, see [Troubleshooting Kerberos Delegation](http://go.microsoft.com/fwlink/p/?LinkId=65474). - -   - -## Related topics - - -[ACT Database Configuration](act-database-configuration.md) - -[Software Requirements for ACT](software-requirements-for-act.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/troubleshooting-act.md b/windows/plan/troubleshooting-act.md index 3de62348a2..1366988ae6 100644 --- a/windows/plan/troubleshooting-act.md +++ b/windows/plan/troubleshooting-act.md 
@@ -1,72 +1,5 @@ --- title: Troubleshooting ACT (Windows 10) description: This section provides troubleshooting information for the Application Compatibility Toolkit (ACT). -ms.assetid: 5696b0c0-5db5-4111-a1e1-825129e683d8 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Troubleshooting ACT - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides troubleshooting information for the Application Compatibility Toolkit (ACT). - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Troubleshooting the ACT Configuration Wizard](troubleshooting-the-act-configuration-wizard.md)

    When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears. The wizard helps you configure your ACT database, your shared folder for ACT log files, and your ACT Log Processing Service account.

    [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md)

    The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service.

    [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md)

    The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT).

    - -  - -## Related topics - - -[Using ACT](using-act.md) - -[ACT Product and Documentation Resources](act-product-and-documentation-resources.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/troubleshooting-the-act-configuration-wizard.md b/windows/plan/troubleshooting-the-act-configuration-wizard.md index 709b60fb6d..08200ff49f 100644 --- a/windows/plan/troubleshooting-the-act-configuration-wizard.md +++ b/windows/plan/troubleshooting-the-act-configuration-wizard.md 
@@ -1,76 +1,5 @@ --- title: Troubleshooting the ACT Configuration Wizard (Windows 10) description: When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears. -ms.assetid: f4f489c7-50b7-4b07-8b03-79777e1aaefd -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Troubleshooting the ACT Configuration Wizard - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears. The wizard helps you configure your ACT database, your shared folder for ACT log files, and your ACT Log Processing Service account. - -## Selecting a Configuration for ACM - - -The **Enterprise configuration** option enables all ACT functionality. You must be an administrator on the local computer to select this option. - -The **View and manage reports only** option enables you to use ACM to create data-collection packages and analyze your data. You cannot access the ACT Log Processing Service. This option assumes that another computer in your organization is processing the logs and loading the compatibility data into the ACT database. - -## Configuring ACT Database Settings - - -To configure ACT database settings in the ACT Configuration Wizard, you must have read and write permissions to the ACT database. For more information, see [ACT Database Configuration](act-database-configuration.md). If you do not have the appropriate permissions, contact your Microsoft® SQL Server® administrator. For more information, see [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md). 
- -## Configuring the ACT Log Processing Service - - -If you use the Local System account to run the ACT Log Processing Service, your user account must be an Administrator account. Your computer account *<domain>*\\*<computer>*$ must have read and write permissions to the ACT database. - -Your user account must also have **Log on as a service** permissions. For more information, see [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md). - -## Configuring the Share for the ACT Log Processing Service - - -For information about how to configure the share for the ACT Log Processing Service, see [ACT LPS Share Permissions](act-lps-share-permissions.md). - -## Changing Settings After You Finish the ACT Configuration Wizard - - -In the **Settings** dialog box in ACM, you can change some of the settings that you see in the ACT Configuration Wizard. You can also change other settings that are not available in the wizard. For more information, see [Settings for ACM](settings-for-acm.md). - -## Restarting the ACT Configuration Wizard - - -If you cancel the configuration process before you reach the final page of the ACT Configuration Wizard, your settings are deleted and the wizard restarts the next time that you start ACM. - -## Related topics - - -[Configuring ACT](configuring-act.md) - -[Using ACT](using-act.md) - -[Troubleshooting ACT](troubleshooting-act.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/troubleshooting-the-act-log-processing-service.md b/windows/plan/troubleshooting-the-act-log-processing-service.md index 0fff19e588..5f338b3141 100644 --- a/windows/plan/troubleshooting-the-act-log-processing-service.md +++ b/windows/plan/troubleshooting-the-act-log-processing-service.md 
@@ -1,103 +1,5 @@ --- title: Troubleshooting the ACT Log Processing Service (Windows 10) description: The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service. -ms.assetid: cb6f90c2-9f7d-4a34-a91e-8ed55b8c256d -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Troubleshooting the ACT Log Processing Service - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service. - -For information about how to set up permissions for the service, see [ACT LPS Share Permissions](act-lps-share-permissions.md). - -## Reviewing Files in ACT Log File Format - - -When you are reviewing log files for ACT, be aware that the log files are in Unicode format. - -## Uploading Files to the ACT Log Processing Service Share After Setting Permissions - - -If you cannot upload files to the ACT Log Processing Service share, you must first verify that the account permissions are set correctly for the share. For more information, see [ACT LPS Share Permissions](act-lps-share-permissions.md). - -If the computers from which you are collecting data and the ACT Log Processing Service share are on different domains, or if the computers are not domain members, you must take additional steps. For the **Anonymous** group, provide explicit write permissions to the ACT Log Processing Service share. Alternatively, you can provide similar permissions to the **Authenticated users** group if you do not want to enable anonymous access. For more information, see [Everyone Group Does Not Include Anonymous Security Identifier](http://go.microsoft.com/fwlink/p/?LinkId=79830). 
- -If you are collecting data from computers that are running Microsoft® Windows® 2000 and you are uploading your collected data to a different domain, you must also explicitly enable null session access for the ACT Log Processing Service share. - -## Working Around Windows Firewall on the Computer That Hosts the ACT Log Processing Service Share - - -If your organization has configured Windows Firewall on the computer that hosts your ACT Log Processing Service share, log files will not be copied to your share. To work around this issue, you can use one of the following methods: - -- Before you set up the ACT Log Processing Service share, turn off Windows Firewall on the computer that will host the share. - -- Continue to use Windows Firewall, but enable the **File Sharing** option. - -## Viewing and Assigning "Log on as a service" Permissions - - -Starting the ACT Log Processing Service requires either a Local System account or a user account. For a user account to start the ACT Log Processing Service and complete the ACT Configuration Wizard, the *<domain>*\\*<user>* account must have **Log on as a service** permissions. By default, these permissions are assigned to built-in computer accounts, such as the Local System account. - -**To add rights to a user account for logging on as a service** - -1. In Control Panel, double-click **Administrative Tools**, and then double-click **Local Security Policy**. - -2. Expand the **Local Policies** folder, and then click **User Rights Assignment**. - -3. Double-click the **Log on as a service** policy. - -4. Verify that your *<domain>*\\*<user>* account appears. If it does not appear, click **Add User or Group**. - -5. Add your user account information, click **OK**, and then click **OK** again. 
- -## Starting the ACT Log Processing Service - - -If the ACT Log Processing Service does not start and log files are not being processed, the reason may be one of the following: - -- **A conflict exists between ACT and the Microsoft® SQL Server® database.** If both ACT and the SQL Server database are on the same computer, the ACT Log Processing Service might have started before the SQL Server service. - -- **The ACT Log Processing Service does not have the correct permissions to the ACT database.** To investigate, see [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md). - -- **The account type is incorrect for the account that is running the ACT Log Processing Service.** The ACT Log Processing Service account must be an Administrator account. - -**To manually restart the ACT Log Processing Service** - -1. In Control Panel, double-click **Administrative Tools**, and then double-click **Services**. - -2. Right-click **ACT Log Processing Service**, and then click **Restart**. - -3. In the event log, verify that no issues occurred when the service restarted. - -## Related topics - - -[Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md) - -[Configuring ACT](configuring-act.md) - -[Software Requirements for ACT](software-requirements-for-act.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/understanding-and-using-compatibility-fixes.md b/windows/plan/understanding-and-using-compatibility-fixes.md index 6c73a5645b..6ab830868c 100644 --- a/windows/plan/understanding-and-using-compatibility-fixes.md +++ b/windows/plan/understanding-and-using-compatibility-fixes.md 
@@ -93,15 +93,4 @@ Compatibility fixes are shipped as part of the Windows operating system and are You can apply the compatibility fixes to any of your applications. However, Microsoft does not provide the tools to use the Compatibility Fix infrastructure to create your own custom fixes. ## Related topics - - -[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) - -  - -  - - - - - +[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) \ No newline at end of file diff --git a/windows/plan/using-act.md b/windows/plan/using-act.md index 3793af0dd1..3e3ffff7d2 100644 --- a/windows/plan/using-act.md +++ b/windows/plan/using-act.md @@ -1,90 +1,5 @@ --- title: Using ACT (Windows 10) description: This section describes how to use the Application Compatibility Toolkit (ACT) in your organization. -ms.assetid: e6a68f44-7503-450d-a000-a04fbb93a146 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Using ACT - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section describes how to use the Application Compatibility Toolkit (ACT) in your organization. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Taking Inventory of Your Organization](taking-inventory-of-your-organization.md)

    This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization.

    [Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md)

    This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment.

    [Managing Your Data-Collection Packages](managing-your-data-collection-packages.md)

    This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages. Data-collection packages include inventory-collector packages and runtime-analysis packages. The following procedures apply to both package types.

    [Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md)

    This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM).

    [Fixing Compatibility Issues](fixing-compatibility-issues.md)

    This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues.

    - -  - -## Related topics - - -[Welcome to ACT](welcome-to-act.md) - -[Configuring ACT](configuring-act.md) - -[Troubleshooting ACT](troubleshooting-act.md) - -[ACT User Interface Reference](act-user-interface-reference.md) - -[ACT Product and Documentation Resources](act-product-and-documentation-resources.md) - -[ACT Glossary](act-glossary.md) - -[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/using-compatibility-monitor-to-send-feedback.md b/windows/plan/using-compatibility-monitor-to-send-feedback.md index 9a86a64d25..c5e20c52ba 100644 --- a/windows/plan/using-compatibility-monitor-to-send-feedback.md +++ b/windows/plan/using-compatibility-monitor-to-send-feedback.md 
@@ -1,84 +1,5 @@ --- title: Using Compatibility Monitor to Send Feedback (Windows 10) description: The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package. -ms.assetid: dc59193e-7ff4-4950-8c20-e90c246e469d -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Using Compatibility Monitor to Send Feedback - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package. From the computers in your test environment, you can use Compatibility Monitor to submit compatibility information to the Application Compatibility Toolkit (ACT) database for your organization. - -**To automatically monitor applications on your computer for compatibility issues** - -1. Start the Compatibility Monitor tool. - -2. In Compatibility Monitor, click **Start Monitoring**. - -3. Leave Compatibility Monitor running, and use the applications that you want to test for compatibility issues. - - Compatibility information is automatically detected during monitoring, and is silently submitted to the ACT database at regular intervals. - -4. After you finish testing applications, click **Stop Monitoring** to stop the automatic monitoring and submission of compatibility information. - -**To submit your compatibility rating for an application** - -1. Start the Compatibility Monitor tool. - -2. In Compatibility Monitor, click **Give Compatibility Feedback**. - - You can enter and submit compatibility ratings whether monitoring is on or off. The process of submitting your compatibility feedback is entirely independent of the monitoring process. - -3. Find your application in the list, and then select your compatibility rating for the application. - - You can select ratings for one or more applications. - -4. 
Click **Submit** to submit your compatibility ratings to the ACT database. - - A copy of your ratings is kept on your computer so that you can review and modify the ratings later. - -**To submit a description of a compatibility issue for an application** - -1. Start the Compatibility Monitor tool. - -2. In Compatibility Monitor, click **Give Compatibility Feedback**. - -3. Find your application in the list, and then click the **Add Details** link. - -4. In the **Title** box, enter a title for the compatibility issue. The title is typically a phrase that briefly describes the issue. Check with others in your organization to verify your organization’s preferred style for issue titles. - -5. In the **Description** box, enter a description of the compatibility issue. - -6. Optionally, attach a screen shot or a step-by-step recording of the compatibility issue. - -7. Click **Submit** to submit your compatibility issue to the ACT database. - - After submitting your compatibility issue, you cannot edit it later. To submit further compatibility issues, you will need to submit a new issue. - -## Related topics - - -[Common Compatibility Issues](common-compatibility-issues.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/using-the-sdbinstexe-command-line-tool.md b/windows/plan/using-the-sdbinstexe-command-line-tool.md index fdd93bf2f3..301917b901 100644 --- a/windows/plan/using-the-sdbinstexe-command-line-tool.md +++ b/windows/plan/using-the-sdbinstexe-command-line-tool.md @@ -79,18 +79,5 @@ The following table describes the available command-line options. -  - ## Related topics - - -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - -  - -  - - - - - +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) \ No newline at end of file 
diff --git a/windows/plan/using-the-sua-tool.md b/windows/plan/using-the-sua-tool.md index c758d2f32d..df93b0550b 100644 --- a/windows/plan/using-the-sua-tool.md +++ b/windows/plan/using-the-sua-tool.md @@ -69,8 +69,6 @@ The following flowchart shows the process of using the SUA tool. The SUA tool generates a custom compatibility-fix database and automatically applies it to the local computer, so that you can test the fixes to see whether they worked. ## Related topics - - [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md) [Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md) diff --git a/windows/plan/using-the-sua-wizard.md b/windows/plan/using-the-sua-wizard.md index a8f3b3ce03..17703c2eb7 100644 --- a/windows/plan/using-the-sua-wizard.md +++ b/windows/plan/using-the-sua-wizard.md @@ -73,8 +73,6 @@ The following flowchart shows the process of using the SUA Wizard. If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer additional remedies. If the additional remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md). ## Related topics - - [SUA User's Guide](sua-users-guide.md)   diff --git a/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md b/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md index 8c89db2a64..34186e3746 100644 --- a/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md +++ b/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md 
@@ -40,8 +40,6 @@ Compatibility Administrator enables you to copy your compatibility fixes from on If you open the **Events** screen and then perform the copy operation, you can see a description of the action, along with the time stamp, which enables you to view your fix information without confusion. ## Related topics - - [Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md) [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/plan/viewing-your-compatibility-reports.md b/windows/plan/viewing-your-compatibility-reports.md index c0f5ffaae9..57ba7d07a9 100644 --- a/windows/plan/viewing-your-compatibility-reports.md +++ b/windows/plan/viewing-your-compatibility-reports.md @@ -1,86 +1,5 @@ --- title: Viewing Your Compatibility Reports (Windows 10) description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. -ms.assetid: a28bbfbe-5f05-4a1e-9397-0a3ceb585871 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Viewing Your Compatibility Reports - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [<OperatingSystem> - Application Report](act-operatingsystem-application-report.md)

    This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.

    [<OperatingSystem> - Computer Report](act-operatingsystem-computer-report.md)

    The <OperatingSystem> - Computer Report screen shows the following information for each computer in your organization:

    [<OperatingSystem> - Device Report](act-operatingsystem-device-report.md)

    The <OperatingSystem> - Device Report screen shows the following information for each device installed in your organization:

    [Internet Explorer - Web Site Report](internet-explorer-web-site-report.md)

    The Internet Explorer - Web Site Report screen shows the following information for each of the websites visited in your organization:

    [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md)

    You can perform several common reporting tasks from the Analyze screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file.

    [Customizing Your Report Views](customizing-your-report-views.md)

    You can customize how you view your report data in Application Compatibility Manager (ACM).

    - -  - -## Related topics - - -[Organizing Your Compatibility Data](organizing-your-compatibility-data.md) - -[Filtering Your Compatibility Data](filtering-your-compatibility-data.md) - -[Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/websiteurl-dialog-box.md b/windows/plan/websiteurl-dialog-box.md index f9f44433db..e07214a067 100644 --- a/windows/plan/websiteurl-dialog-box.md +++ b/windows/plan/websiteurl-dialog-box.md 
@@ -1,56 +1,5 @@ --- title: WebsiteURL Dialog Box (Windows 10) description: In Application Compatibility Manager (ACM), the websiteURL dialog box shows information about the selected website. -ms.assetid: 0dad26e1-4bba-4fef-b160-3fa1f4325da8 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# <WebsiteURL> Dialog Box - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -In Application Compatibility Manager (ACM), the *<websiteURL>* dialog box shows information about the selected website. - -**To open the <WebsiteURL> Dialog Box** - -1. In ACM, in the **Quick Reports** pane, click **Analyze**. - -2. Under the **Internet Explorer** heading, click **Web Sites**. - -3. Double-click the URL for a website. - -## Using the <WebsiteURL> Dialog Box - - -In the *<websiteURL>* dialog box, you can perform the following actions: - -- Select your compatibility rating for the website. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). - -- Select your deployment status for the website. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md). - -- Assign categories and subcategories to the website. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). - -- Specify the importance of the website to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). - -- Add or edit an issue for the selected website, and add or edit a solution. For more information, see [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md). - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file 
diff --git a/windows/plan/welcome-to-act.md b/windows/plan/welcome-to-act.md index c6755be21e..b4ef6d3088 100644 --- a/windows/plan/welcome-to-act.md +++ b/windows/plan/welcome-to-act.md @@ -1,82 +1,5 @@ --- title: Welcome to ACT (Windows 10) description: The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. -ms.assetid: 3963db88-83d2-4b9a-872e-31c275d1a321 -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# Welcome to ACT - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. With ACT, you can obtain compatibility information from Microsoft and software vendors, identify compatibility issues within your own organization, and share compatibility ratings with other ACT users. The tools in ACT help you analyze and mitigate compatibility issues before deploying a version of Windows to your organization. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [What's New in ACT 6.1](whats-new-in-act-60.md)

    Two major updates have been released since ACT 6.1. They are ACT 6.1 Update and ACT 6.1 Update 2. The following table lists changes made in the Application Compatibility Toolkit (ACT), which is included in the Windows Assessment and Deployment Kit (ADK) download.

    [Software Requirements for ACT](software-requirements-for-act.md)

    The Application Compatibility Toolkit (ACT) has the following software requirements.

    [Software Requirements for RAP](software-requirements-for-rap.md)

    The runtime-analysis package (RAP) has the following software requirements.

    - -  - -## Related topics - - -[Configuring ACT](configuring-act.md) - -[Using ACT](using-act.md) - -[Troubleshooting ACT](troubleshooting-act.md) - -[ACT User Interface Reference](act-user-interface-reference.md) - -[ACT Product and Documentation Resources](act-product-and-documentation-resources.md) - -[ACT Glossary](act-glossary.md) - -[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/whats-new-in-act-60.md b/windows/plan/whats-new-in-act-60.md index b516ef3eae..89d6afdf1c 100644 --- a/windows/plan/whats-new-in-act-60.md +++ b/windows/plan/whats-new-in-act-60.md @@ -1,84 +1,5 @@ --- title: What's New in ACT 6.1 (Windows 10) description: Two major updates have been released since ACT 6.1. -ms.assetid: f12e137d-0b55-4f7d-88e0-149302655d9b -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -author: TrudyHa ---- - -# What's New in ACT 6.1 - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -Two major updates have been released since ACT 6.1. They are ACT 6.1 Update and ACT 6.1 Update 2. The following table lists changes made in the Application Compatibility Toolkit (ACT), which is included in the Windows Assessment and Deployment Kit (ADK) download. - - ---- - - - - - - - - - - - - - - -
    VersionChanges
    ACT 6.1 Update
      -
    • Support for Windows 10, including viewing Windows 10 reports on Application Compatibility Manager.
    • -
    • Bug fixes: this version of ACT fixed an issue where Inventory-Collector package would fail when it tried to inventory the system.
    • -
    ACT 6.1 Update 2

    Bug fixes: this version of ACT addresses the following bugs:

    -
      -
    • Capability to create custom compatibility fixes for Windows versions other than the currently running version.

    • -
    • Fixed issue where Inventory-Collector Package crashes when running on some Windows 7 x86 systems.

    • -
    • Fixed issue where not specifying a tag for Inventory-Collector Package would cause an error in the log processing service. The result of this bug was that data collected by the Package would not be processed.

    • -
    • Fixed issue where Standard User Analyzer (SUA) returns an error when trying to apply mitigations to an app on Windows 7.

    • -
    • Fixed issue where ACT is unable to create custom compatibility fixes for 32-bit systems correctly.

    • -
    - -  - -**Note**   -The version numbers for ACT 6.1 Update and Update 2 are identical, so you will need to look at the product ID of ACT to tell them apart. To find the product ID, open ACT, go to **Help** > **About**, and compare the product ID to the following list. - -- **ACT 6.1 Update**: B264FCCB-3F1F-828F-CCF8-EDB93E860970 - -- **ACT 6.1 Update 2**: B2BC4686-29A9-9E9D-F2E4-7E20659EECE7 - -If you run into any of the bugs fixed in Update 2, you likely have ACT 6.1 Update or older. Please download the latest version in the Windows ADK. - -  - -## Related topics - - -[Software Requirements for ACT](software-requirements-for-act.md) - -[Software Requirements for RAP](software-requirements-for-rap.md) - -  - -  - - - - - +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics +--- \ No newline at end of file diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md index 6ac55f7ffc..00418ae8ae 100644 --- a/windows/plan/windows-10-servicing-options.md +++ b/windows/plan/windows-10-servicing-options.md @@ -1,5 +1,5 @@ --- -title: Windows 10 servicing options (Windows 10) +title: Windows 10 servicing overview (Windows 10) description: Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. ms.assetid: 6EF0792C-B587-497D-8489-4A7F5848D92A keywords: deploy, upgrade, update, servicing @@ -72,6 +72,7 @@ Windows 10 enables organizations to fulfill the desire to provide users with the ## Related topics +[Windows 10 release information](https://technet.microsoft.com/windows/release-info)
    [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
    [Windows 10 compatibility](windows-10-compatibility.md)
    [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
\ No newline at end of file
diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md
index c8901b35ec..c672a255a8 100644
--- a/windows/whats-new/TOC.md
+++ b/windows/whats-new/TOC.md
@@ -1,20 +1,5 @@
 # [What's new in Windows 10](index.md)
-## [Change history for What's new in Windows 10](change-history-for-what-s-new-in-windows-10.md)
-## [AppLocker](applocker.md)
-## [BitLocker](bitlocker.md)
-## [Browser: Microsoft Edge and Internet Explorer 11](edge-ie11-whats-new-overview.md)
-## [Credential Guard](credential-guard.md)
-## [Device Guard](device-guard-overview.md)
-## [Enterprise data protection (EDP)](edp-whats-new-overview.md)
-## [Enterprise management for Windows 10 devices](device-management.md)
-## [Lockdown features from Windows Embedded Industry 8.1](lockdown-features-windows-10.md)
-## [Microsoft Passport](microsoft-passport.md)
-## [Provisioning packages](new-provisioning-packages.md)
-## [Security](security.md)
-## [Security auditing](security-auditing.md)
-## [Trusted Platform Module](trusted-platform-module.md)
-## [User Account Control](user-account-control.md)
-## [Windows spotlight on the lock screen](windows-spotlight.md)
-## [Windows Store for Business overview](windows-store-for-business-overview.md)
-## [Windows Update for Business](windows-update-for-business.md)
+## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md)
+## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md)
+
diff --git a/windows/whats-new/applocker.md b/windows/whats-new/applocker.md
index 1c14abc6dc..3cfd7a6582 100644
--- a/windows/whats-new/applocker.md
+++ b/windows/whats-new/applocker.md
@@ -7,6 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 author: brianlic-msft
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview
 ---
 # What's new in AppLocker?
diff --git a/windows/whats-new/bitlocker.md b/windows/whats-new/bitlocker.md
index 4e9d0f7b61..6db25cd066 100644
--- a/windows/whats-new/bitlocker.md
+++ b/windows/whats-new/bitlocker.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security, mobile
 author: brianlic-msft
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview
 ---
 # What's new in BitLocker?
diff --git a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md
index 14362dd08c..750a878d7d 100644
--- a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md
+++ b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md
@@ -11,6 +11,7 @@ author: TrudyHa
 # Change history for What's new in Windows 10
 This topic lists new and updated topics in the [What's new in Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+
 ## April 2016
 |New or changed topic |Description |
diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md
index 48f7a4f853..3edfe53458 100644
--- a/windows/whats-new/credential-guard.md
+++ b/windows/whats-new/credential-guard.md
@@ -7,6 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 author: brianlic-msft
+redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511
 ---
 # What's new in Credential Guard?
diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md
index c96f390c98..4009a8845d 100644
--- a/windows/whats-new/device-guard-overview.md
+++ b/windows/whats-new/device-guard-overview.md
@@ -8,6 +8,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 author: brianlic-msft
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/whats-new-windows-10-version-1507-and-1511
 ---
 # Device Guard overview
@@ -18,94 +19,16 @@ author: brianlic-msft - Windows Server 2016 Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. + Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the Microsoft Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. + For details on how to implement Device Guard, see [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). + ## Why use Device Guard With thousands of new malicious files created every day, using traditional methods like signature-based detection to fight against malware provides an inadequate defense against new attacks. Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solutions, to a mode where the operating system trusts only apps authorized by your enterprise. Device Guard also helps protect against [zero day attacks](http://go.microsoft.com/fwlink/p/?linkid=534209) and works to combat the challenges of [polymorphic viruses](http://go.microsoft.com/fwlink/p/?LinkId=534210). 
-### Advantages to using Device Guard -You can take advantage of the benefits of Device Guard, based on what you turn on and use: -- Helps provide strong malware protection with enterprise manageability -- Helps provide the most advanced malware protection ever offered on the Windows platform -- Offers improved tamper resistance -## How Device Guard works -Device Guard restricts the Windows 10 Enterprise operating system to only running code that’s signed by trusted signers, as defined by your Code Integrity policy through specific hardware and security configurations, including: -- User Mode Code Integrity (UMCI) -- New kernel code integrity rules (including the new Windows Hardware Quality Labs (WHQL) signing constraints) -- Secure Boot with database (db/dbx) restrictions -- Virtualization-based security to help protect system memory and kernel mode apps and drivers from possible tampering. -- **Optional:** Trusted Platform Module (TPM) 1.2 or 2.0 -Device Guard works with your image-building process, so you can turn the virtualization-based security feature on for capable devices, configure your Code Integrity policy, and set any other operating system settings you require for Windows 10 Enterprise. After that, Device Guard works to help protect your devices: -1. Your device starts up using Universal Extensible Firmware Interface (UEFI) Secure Boot, so that boot kits can’t run and so that Windows 10 Enterprise starts before anything else. -2. After securely starting up the Windows boot components, Windows 10 Enterprise can start the Hyper-V virtualization-based security services, including Kernel Mode Code Integrity. These services help protect the system core (kernel), privileged drivers, and system defenses, like anti-malware solutions, by preventing malware from running early in the boot process, or in kernel after startup. -3. 
Device Guard uses UMCI to make sure that anything that runs in User mode, such as a service, a Universal Windows Platform (UWP) app, or a Classic Windows application is trusted, allowing only trusted binaries to run. -4. At the same time that Windows 10 Enterprise starts up, so too does the trusted platform module (TPM). TPM provides an isolated hardware component that helps protect sensitive information, such as user credentials and certificates. -## Required hardware and software -The following table shows the hardware and software you need to install and configure to implement Device Guard. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    RequirementDescription

    Windows 10 Enterprise

    The PC must be running Windows 10 Enterprise.

    UEFI firmware version 2.3.1 or higher and Secure Boot

    To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Windows Hardware Compatibility Program requirement.

    Virtualization extensions

    The following virtualization extensions are required to support virtualization-based security:

    -
      -
    • Intel VT-x or AMD-V
    • -
    • Second Level Address Translation
    • -

    Firmware lock

    The firmware setup should be locked to prevent other operating systems from starting and to prevent changes to the UEFI settings. You should also disable boot methods other than from the hard drive.

    x64 architecture

    The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.

    A VT-d or AMD-Vi IOMMU (Input/output memory management unit)

    In Windows 10, an IOMMU enhances system resiliency against memory attacks. ¹

    Secure firmware update process

    To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.

    Device Guard relies on the security of the underlying hardware and firmware. It is critical to keep the firmware updated with the latest security fixes.

    -  -## Before using Device Guard in your company -Before you can successfully use Device Guard, you must set up your environment and your policies. -### Signing your apps -Device Guard mode supports both UWP apps and Classic Windows applications. Trust between Device Guard and your apps happen when your apps are signed using a signature that you determine to be trustworthy. Not just any signature will work. -This signing can happen by: -- **Using the Windows Store publishing process.** All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own. -- **Using your own digital certificate or public key infrastructure (PKI).** ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers. -- **Using a non-Microsoft signing authority.** ISV's and enterprises can use a trusted non-Microsoft signing authority to sign all of their own Classic Windows applications. -- **Use the Device Guard signing portal**. Available in the Windows Store for Business, you can use a Microsoft web service to sign your Classic Windows applications. For more info, see [Device Guard signing](../manage/device-guard-signing-portal.md). -### Code Integrity policy -Before you can use the app protection included in Device Guard, you must create a Code Integrity policy using tools provided by Microsoft, but deployed using your current management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 Enterprise, along with restrictions on Windows 10 script hosts. This policy restricts what code can run on a device. -For the Device Guard feature, devices should only have Code Integrity pre-configured if the settings are provided by a customer for a customer-provided image. 
-**Note**  This XML document can be signed in Windows 10 Enterprise, helping to add additional protection against administrative users changing or removing this policy. -  -### Virtualization-based security using Windows 10 Enterprise Hypervisor -Windows 10 Enterprise Hypervisor introduces new capabilities around virtual trust levels, which helps Windows 10 Enterprise services to run in a protected environment, in isolation from the running operating system. Windows 10 Enterprise virtualization-based security helps protect kernel code integrity and helps to provide credential isolation for the local security authority (LSA). Letting the Kernel Code Integrity service run as a hypervisor-hosted service increases the level of protection around the root operating system, adding additional protections against any malware that compromises the kernel layer. -**Important**  Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers - legacy drivers can be updated - and have all virtualization capabilities turned on. This includes virtualization extensions and input/output memory management unit (IOMMU) support. -  -  -  +## Virtualization-based security using Windows 10 Enterprise Hypervisor + +Windows 10 Enterprise Hypervisor introduces new capabilities around virtual trust levels, which helps Windows 10 Enterprise services to run in a protected environment, in isolation from the running operating system. Windows 10 Enterprise virtualization-based security helps protect kernel code integrity and helps to provide credential isolation for the local security authority (LSA). Letting the Kernel Code Integrity service run as a hypervisor-hosted service increases the level of protection around the root operating system, adding additional protections against any malware that compromises the kernel layer. 
+
+>**Important**  Device Guard devices that run Kernel Code Integrity with virtualization-based security (VBS) must have compatible drivers (legacy drivers can be updated) and meet requirements for the hardware and firmware that support virtualization-based security. For more information, see [Hardware, firmware, and software requirements for Device Guard](../keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard)
diff --git a/windows/whats-new/device-management.md b/windows/whats-new/device-management.md
index 4ea023327b..79260f0f69 100644
--- a/windows/whats-new/device-management.md
+++ b/windows/whats-new/device-management.md
@@ -7,118 +7,11 @@ ms.pagetype: devices, mobile ms.mktglfcycl: explore ms.sitesec: library author: jdeckerMS +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-corporate-devices --- # Enterprise management for Windows 10 devices - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. - -## MDM support - - -MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Windows Store, VPN configuration, and more. To learn more about policies, see [Configuration service provider reference for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=533046). - -MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](http://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. - -Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. - -## Unenrollment - - -When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. - -When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. - -## Infrastructure - - -Enterprises have the following identity and management choices. 
- -| Area | Choices | -|---|---| -| Identity | Active Directory; Azure AD | -| Grouping | Domain join; Workgroup; Azure AD join | -| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | - -  - -**Note**   -With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](http://go.microsoft.com/fwlink/p/?LinkID=613512). - -  - -## Device lockdown - - -Do you need a computer that can only do one thing? For example: - -- A device in the lobby that customers can use to view your product catalog. - -- A portable device that drivers can use to check a route on a map. - -- A device that a temporary worker uses to enter data. - -You can configure a persistent locked down state to create a kiosk-type device. When the locked-down account is logged on, the device displays only the app that you select. - -You can also configure a lockdown state that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. - -Lockdown settings can also be configured for device look and feel, such as a theme or a custom layout on the Start screen. - -## Updates - - -With Windows 10, your enterprise will have more choice and flexibility in applying operating system updates. You can manage and control updates to devices running Windows 10 Pro and Windows 10 Enterprise using MDM policies. - -While Windows Update provides updates to unmanaged devices, most enterprises prefer to manage and control the flow of updates using their device management solution. You can choose to apply the latest updates as soon as they are available, or you can set a source and schedule for updates that works for your specific requirements. 
- -For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md). - -## Easier certificate management - - -For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Microsoft Passport in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. - -## Learn more - - -[Windows 10: Manageability Choices](http://go.microsoft.com/fwlink/p/?LinkId=533886) - -[Windows 10: Management](http://go.microsoft.com/fwlink/p/?LinkId=533887) - -[Windows 10 Technical Preview Fundamentals for IT Pros: Windows 10 Management and Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533888) - -[Reference for Mobile device management for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=533172) - -Active Directory blog posts on Azure AD and Windows 10: - -- [Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility!](http://go.microsoft.com/fwlink/p/?LinkId=619025) - -- [Azure AD Join on Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkID=616791) - -- [Azure AD on Windows 10 Personal Devices]( http://go.microsoft.com/fwlink/p/?LinkId=619028) - -- [Azure Active Directory and Windows 10: Bringing the cloud to enterprise desktops!](http://go.microsoft.com/fwlink/p/?LinkID=615765) - -## Related topics - - -[Manage corporate devices](../manage/manage-corporate-devices.md) - -[Microsoft Passport](microsoft-passport.md) - -[Enterprise Data Protection Overview](edp-whats-new-overview.md) - -  - -  - - - +This page has been redirected to **What's new in Windows 10, 
versions 1507 and 1511**.
diff --git a/windows/whats-new/edge-ie11-whats-new-overview.md b/windows/whats-new/edge-ie11-whats-new-overview.md
index 9370b6beb5..8c053fd990 100644
--- a/windows/whats-new/edge-ie11-whats-new-overview.md
+++ b/windows/whats-new/edge-ie11-whats-new-overview.md
@@ -1,56 +1,6 @@ --- title: Browser Microsoft Edge and Internet Explorer 11 (Windows 10) description: Resources to help you explore the Windows 10 browsing options for your enterprise. -ms.assetid: e986f903-69ad-4145-9d24-0c6d04b3e489 -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: mobile -author: eross-msft +redirect_url: https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11 --- -# Browser: Microsoft Edge and Internet Explorer 11 -**Microsoft Edge content applies to:** - -- Windows 10 -- Windows 10 Mobile - -**Internet Explorer 11 content applies to:** - -- Windows 10 - -## Enterprise guidance -Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956). - -We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. - -### Microsoft Edge -Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. - -- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages. -- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing. -- **Cortana.** Cortana is automatically enabled on Microsoft Edge. 
Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage. -- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. - -### IE11 -IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. - -- **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE. -- **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps. -- **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk. -- **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering. -- **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices. -- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control. 
- -## Related topics -- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx) -- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie) -- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index) -- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index) -- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index) -- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11) - - - - - diff --git a/windows/whats-new/edp-whats-new-overview.md b/windows/whats-new/edp-whats-new-overview.md index 4b157c50e8..a6816c161f 100644 --- a/windows/whats-new/edp-whats-new-overview.md +++ b/windows/whats-new/edp-whats-new-overview.md 
@@ -1,81 +1,5 @@ --- title: Enterprise data protection (EDP) overview (Windows 10) description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud. -ms.assetid: 428A3135-CB5E-478B-B1FF-B6EB76F0DF14 -keywords: EDP Overview, EDP -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: mobile, security -author: eross-msft ---- - -# Enterprise data protection (EDP) overview - -**Applies to:** -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. - -Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. - -## Benefits of EDP - -EDP provides: -- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps. - -- Additional data protection for existing line-of-business apps without a need to update the apps. 
- -- Ability to wipe corporate data from devices while leaving personal data alone. - -- Use of audit reports for tracking issues and remedial actions. - -- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager (version 1511 or later), or your current mobile device management (MDM) system) to configure, deploy, and manage EDP for your company. - -## Enterprise scenarios -EDP currently addresses these enterprise scenarios: -- You can encrypt enterprise data on employee-owned and corporate-owned devices. - -- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data. - -- You can select specific apps that can access enterprise data, called "allowed apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data. - -- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required. - -## Why use EDP? -EDP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). - -- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. EDP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. 
- -- **Manage your enterprise documents, apps, and encryption modes.** - - - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device. - - - **Using allowed apps.** Managed apps (apps that you've included on the allowed apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. - - - **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your EDP management-mode. - - You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in your protected apps list. - - - **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. 
Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. - - - **Data encryption at rest.** EDP helps protect enterprise data on local files and on removable media. - - Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document. - - - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. - - - **Helping prevent accidental data disclosure to removable media.** EDP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. - - - **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. 
After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. - -## Turn off EDP - -You can turn off all enterprise data protection and restrictions, reverting to where you were pre-EDP, with no data loss. However, turning off EDP isn't recommended. If you choose to turn it off, you can always turn it back on, but EDP won't retain your decryption and policies info. - -## Related topics -- [Protect your enterprise data using enterprise data protection (EDP)](../keep-secure/protect-enterprise-data-using-edp.md) -  \ No newline at end of file +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip +--- \ No newline at end of file diff --git a/windows/whats-new/images/ICD.png b/windows/whats-new/images/ICD.png new file mode 100644 index 0000000000..9cfcb845df Binary files /dev/null and b/windows/whats-new/images/ICD.png differ diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 91bd262819..a49967a2c0 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md 
@@ -2,119 +2,35 @@ title: What's new in Windows 10 (Windows 10) description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more. ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 -keywords: ["What's new in Windows 10", "Windows 10"] +keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"] ms.prod: w10 author: TrudyHa +localizationpriority: high --- # What's new in Windows 10 -Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more. These technical overviews are designed to help you understand key feature changes and benefits and answer common questions about Windows 10 technologies. +Windows 10 provides IT professionals with advanced protection against modern security threats and comprehensive management and control over devices and apps, as well as flexible deployment, update, and support options. Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. ## In this section +- [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) +- [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) + - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Change history for What's new in Windows 10](change-history-for-what-s-new-in-windows-10.md)

    This topic lists new and updated topics in the What's new in Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).

    [AppLocker](applocker.md)

    AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

    [BitLocker](bitlocker.md)

    BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

    [Browser: Microsoft Edge and Internet Explorer 11](edge-ie11-whats-new-overview.md)

    Resources to help you explore the Windows 10 browsing options for your enterprise.

    [Credential Guard](credential-guard.md)

    Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.

    [Device Guard](device-guard-overview.md)

    Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when.

    [Enterprise data protection (EDP)](edp-whats-new-overview.md)

    With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud.

    [Enterprise management for Windows 10 devices](device-management.md)

    Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.

    [Lockdown features from Windows Embedded Industry 8.1](lockdown-features-windows-10.md)

    Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.

    [Microsoft Passport](microsoft-passport.md)

    In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.

    [Provisioning packages](new-provisioning-packages.md)

    With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.

    [Security](security.md)

    There are several key client security improvements Microsoft has made in Windows 10. These improvements focus on three key areas — threat resistance, information protection, and identity protection and access control. In addition to an overview of the features themselves, this article discusses the hardware requirements for each new feature and offers configuration recommendations and links to more detailed resources.

    [Security auditing](security-auditing.md)

    Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment.

    [Trusted Platform Module](trusted-platform-module.md)

    This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10.

    [User Account Control](user-account-control.md)

    User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.

    [Windows spotlight on the lock screen](windows-spotlight.md)

    Windows spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows spotlight is now available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows spotlight background.

    [Windows Store for Business overview](windows-store-for-business-overview.md)

    With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.

    [Windows Update for Business](windows-update-for-business.md)

    Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.

      ## Learn more - -[Windows 10 content from Microsoft Ignite](http://go.microsoft.com/fwlink/p/?LinkId=613210) - -[Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkId=690485) - -## Related topics +- [Windows 10 roadmap](https://www.microsoft.com/en-us/WindowsForBusiness/windows-roadmap) +- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info) +- [Windows 10 update history](https://support.microsoft.com/en-us/help/12387/windows-10-update-history) +- [Windows 10 content from Microsoft Ignite](http://go.microsoft.com/fwlink/p/?LinkId=613210) +- [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkId=690485) -[Windows 10 and Windows 10 Mobile](../index.md)   diff --git a/windows/whats-new/lockdown-features-windows-10.md b/windows/whats-new/lockdown-features-windows-10.md index 7df7446f4e..67a759be13 100644 --- a/windows/whats-new/lockdown-features-windows-10.md +++ b/windows/whats-new/lockdown-features-windows-10.md @@ -8,108 +8,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerMS +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/lockdown-features-windows-10 --- # Lockdown features from Windows Embedded 8.1 Industry -**Applies to** -- Windows 10 -- Windows 10 Mobile - -Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Windows Embedded 8.1 Industry lockdown featureWindows 10 featureChanges

    [Hibernate Once/Resume Many (HORM)](http://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device

    N/A

    HORM is not supported in Windows 10. However, with enhancements to the Windows boot process and Unified Extensible Firmware Interface (UEFI) hardware, startup times can be dramatically reduced compared to previous versions.

    [Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media

    [Unified Writer Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607)

    The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated.

    [Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations

    [Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391)

    Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

    [Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

    [Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=618603)

    Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

    -

    Learn [how to use Shell Launcher to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.

    [Application Launcher]( http://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on

    [Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

    The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.

    [Dialog Filter](http://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run

    [AppLocker](../keep-secure/applocker-overview.md)

    Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.

    -
      -
    • Control over which processes are able to run will now be provided by AppLocker.

    • -
    • System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.

    • -

    [Toast Notification Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications

    Mobile device management (MDM) and Group Policy

    Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.

    -

    Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications

    -

    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a [custom OMA-URI setting](http://go.microsoft.com/fwlink/p/?LinkID=616317) for AboveLock/AllowActionCenterNotifications.

    [Embedded Lockdown Manager](http://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features

    [Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkID=525483)

    The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.

    [USB Filter](http://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system

    MDM and Group Policy

    The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.

    -

    Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

    -

    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only).

    [Assigned Access](http://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system

    [Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

    Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.

    -

    In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.

    -

    Learn [how to use Assigned Access to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app.

    [Gesture Filter](http://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen

    [Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

    The capabilities of Gesture Filter have been consolidated into Assigned Access for Windows 10. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. For Windows 10, Charms have been removed, and blocking the closing or switching of apps is part of Assigned Access.

    [Custom Logon]( http://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown

    [Embedded Logon](http://go.microsoft.com/fwlink/p/?LinkId=626760)

    No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

    [Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements

    [Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626873)

    No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

    -  -  -  +This topic has been redirected. \ No newline at end of file diff --git a/windows/whats-new/microsoft-passport.md b/windows/whats-new/microsoft-passport.md index 0165451cb8..e8b4935152 100644 --- a/windows/whats-new/microsoft-passport.md +++ b/windows/whats-new/microsoft-passport.md 
@@ -1,40 +1,16 @@ --- -title: Microsoft Passport overview (Windows 10) -description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication. +title: Windows Hello overview (Windows 10) +description: In Windows 10, Windows Hello replaces passwords with strong two-factor authentication. ms.assetid: 292F3BE9-3651-4B20-B83F-85560631EF5B -keywords: password, hello, fingerprint, iris, biometric +keywords: password, hello, fingerprint, iris, biometric, passport ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: mobile, security author: jdeckerMS +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport --- -# Microsoft Passport overview -**Applies to** -- Windows 10 -- Windows 10 Mobile +# Windows Hello overview -In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. - -Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports [Fast ID Online (FIDO)](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. -Microsoft Passport also enables Windows 10 Mobile devices to be used as a remote credential when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the user’s Windows 10 Mobile device. 
Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions - -## Benefits of Microsoft Passport - -- **User convenience**. The employee provides credentials (such as account and password, or other credentials), and is then guided to set up Microsoft Passport and Hello. From that point on, the employee can access enterprise resources by providing a gesture. -- **Security**. Microsoft Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Microsoft - -Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of Trusted Platform Modules (TPMs). -[Learn how to implement and manage Microsoft Passport in your organization.](../keep-secure/implement-microsoft-passport-in-your-organization.md) - -## Learn more - -[Why a PIN is better than a password](../keep-secure/why-a-pin-is-better-than-a-password.md) -[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](http://go.microsoft.com/fwlink/p/?LinkId=533890) -[Windows 10: The End Game for Passwords and Credential Theft?](http://go.microsoft.com/fwlink/p/?LinkId=533891) - -## Related topics -[Device management](device-management.md) -  -  +This topic has been redirected. \ No newline at end of file diff --git a/windows/whats-new/new-provisioning-packages.md b/windows/whats-new/new-provisioning-packages.md index 1cdff3fc09..18725fae2a 100644 --- a/windows/whats-new/new-provisioning-packages.md +++ b/windows/whats-new/new-provisioning-packages.md 
@@ -7,102 +7,10 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: mobile author: jdeckerMS +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/deploy/provisioning-packages --- # Provisioning packages -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. - -Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. - -## Benefits of provisioning packages - - -Provisioning packages let you: - -- Quickly configure a new device without going through the process of installing a new image. - -- Save time by configuring multiple devices using one provisioning package. - -- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. - -- Set up a device without the device having network connectivity. - -Provisioning packages can be: - -- Installed using removable media such as an SD card or USB flash drive. - -- Attached to an email. - -- Downloaded from a network share. - -## What you can configure - - -The following table provides some examples of what can be configured using provisioning packages. 
- -| Customization options | Examples | -|--------------------------|-----------------------------------------------------------------------------------------------| -| Applications | Windows apps, line-of-business applications | -| Bulk enrollment into MDM | Automatic enrollment into Microsoft Intune or a third-party MDM service | -| Certificates | Root certification authority (CA), client certificates | -| Connectivity profiles | Wi-Fi, proxy settings, Email | -| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | -| Data assets | Documents, music, videos, pictures | -| Start menu customization | Start menu layout, application pinning | -| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | - -  - -For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). - -## Creating a provisioning package - - -With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must install the Windows Assessment and Deployment Kit (ADK) for Windows 10[from the Windows Insider Program site](http://go.microsoft.com/fwlink/p/?linkid=533700). - -While running ADKsetup.exe, select the following features from the **Select the features you want to install** dialog box: - -- Deployment Tools - -- Windows Preinstallation Environment (Windows PE) - -- Windows Imaging and Configuration Designer (ICD) - -- Windows User State Migration Tool (USMT) - -Windows ICD depends on other tools in order to work correctly. If you only select Windows ICD in the installation wizard, the other tools listed above will also be selected for installation. - -Once you have installed Windows ICD, you can use it to create a provisioning package. 
For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651). - -## Applying a provisioning package to a device - - -Provisioning packages can be applied both during image deployment and during runtime. For information on how to apply a provisioning package to a Windows 10-based device, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651). - -## Learn more - - -[Windows 10: Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533708) - -## Related topics - - -[Update Windows 10 images with provisioning packages](../deploy/update-windows-10-images-with-provisioning-packages.md) - -[Configure devices without MDM](../manage/configure-devices-without-mdm.md) - -  - -  - - - - - +This topic has been redirected. \ No newline at end of file diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md index 13c6a7e5b8..8890adb735 100644 --- a/windows/whats-new/security-auditing.md +++ b/windows/whats-new/security-auditing.md @@ -7,6 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library author: brianlic-msft ms.pagetype: security, mobile +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/security-auditing-overview --- # What's new in security auditing? diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md index 18a325aa7f..e4a2614653 100644 --- a/windows/whats-new/trusted-platform-module.md +++ b/windows/whats-new/trusted-platform-module.md @@ -7,6 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security, mobile author: brianlic-msft +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/trusted-platform-module-overview --- # What's new in Trusted Platform Module? diff --git a/windows/whats-new/user-account-control.md b/windows/whats-new/user-account-control.md index fad8ee0ff5..3d41d3ca1d 100644 
--- a/windows/whats-new/user-account-control.md +++ b/windows/whats-new/user-account-control.md @@ -7,6 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: brianlic-msft +redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/user-account-control-overview --- # What's new in User Account Control? diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md new file mode 100644 index 0000000000..1e0c6c19dd --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md 
@@ -0,0 +1,356 @@ +--- +title: What's new in Windows 10, versions 1507 and 1511 (Windows 10) +description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile. +ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: TrudyHa +localizationpriority: high +--- + +# What's new in Windows 10, versions 1507 and 1511 + +Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511. + +> **Note:** For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). + +## Deployment + +### Provisioning devices using Windows Imaging and Configuration Designer (ICD) + +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. + +[Learn more about provisioning in Windows 10.](../deploy/provisioning-packages.md) + + +## Security + +### Applocker + +#### New Applocker features in Windows 10, version 1507 + +- A new parameter was added to the [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. 
+- A new [AppLocker](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. +- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). + +[Learn how to manage AppLocker within your organization](../keep-secure/applocker-overview.md). + +### Bitlocker + +#### New Bitlocker features in Windows 10, version 1511 + +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. + It provides the following benefits: + - The algorithm is FIPS-compliant. + - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. + >**Note:**  Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. + +#### New Bitlocker features in Windows 10, version 1507 + +- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](http://technet.microsoft.com/library/dn306081.aspx#bkmk-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. +- **DMA port protection**. 
You can use the [DataProtection/AllowDirectMemoryAccess](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. +- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the "Configure pre-boot recovery message and URL" section in [BitLocker Group Policy settings](../keep-secure/bitlocker-group-policy-settings.md). + +[Learn how to deploy and manage BitLocker within your organization](../keep-secure/bitlocker-overview.md). + +### Credential Guard + +#### New Credential Guard features in Windows 10, version 1511 + +- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations: + - Credentials that are saved by the Remote Desktop Protocol cannot be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials. + - Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials. + - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. +- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. 
However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy. +- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled. + +[Learn how to deploy and manage Credential Guard within your organization](../keep-secure/credential-guard.md). + +### Easier certificate management + + +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](~/keep-secure/installing-digital-certificates-on-windows-10-mobile.md) + +### Microsoft Passport + +In Windows 10, [Microsoft Passport](~/keep-secure/manage-identity-verification-using-microsoft-passport.md) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. + +Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. 
+ +### Security auditing + +#### New Security auditing features in Windows 10, version 1511 + +- The [WindowsSecurityAuditing](http://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](http://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. + +#### New features in Windows 10, version 1507 + +In Windows 10, security auditing has added some improvements: +- [New audit subcategories](#bkmk-auditsubcat) +- [More info added to existing audit events](#bkmk-moreinfo) + +##### New audit subcategories + +In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: +- [Audit Group Membership](../keep-secure/audit-group-membership.md) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. + When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. +- [Audit PNP Activity](../keep-secure/audit-pnp-activity.md) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. + Only Success audits are recorded for this category. 
If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. + A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. + +##### More info added to existing audit events + +With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: +- [Changed the kernel default audit policy](#bkmk-kdal) +- [Added a default process SACL to LSASS.exe](#bkmk-lsass) +- [Added new fields in the logon event](#bkmk-logon) +- [Added new fields in the process creation event](#bkmk-logon) +- [Added new Security Account Manager events](#bkmk-sam) +- [Added new BCD events](#bkmk-bcd) +- [Added new PNP events](#bkmk-pnp) + +##### Changed the kernel default audit policy + +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. + +##### Added a default process SACL to LSASS.exe + +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +This can help identify attacks that steal credentials from the memory of a process. + +##### New fields in the logon event + +The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: +1. 
**MachineLogon** String: yes or no + If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. +2. **ElevatedToken** String: yes or no + If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. +3. **TargetOutboundUserName** String + **TargetOutboundUserDomain** String + The username and domain of the identity that was created by the LogonUser method for outbound traffic. +4. **VirtualAccount** String: yes or no + If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. +5. **GroupMembership** String + A list of all of the groups in the user's token. +6. **RestrictedAdminMode** String: yes or no + If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. + For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). + +##### New fields in the process creation event + +The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: +1. **TargetUserSid** String + The SID of the target principal. +2. **TargetUserName** String + The account name of the target user. +3. **TargetDomainName** String + The domain of the target user.. +4. **TargetLogonId** String + The logon ID of the target user. +5. **ParentProcessName** String + The name of the creator process. +6. **ParentProcessId** String + A pointer to the actual parent process if it's different from the creator process. + +##### New Security Account Manager events + +In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. 
In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: +- SamrEnumerateGroupsInDomain +- SamrEnumerateUsersInDomain +- SamrEnumerateAliasesInDomain +- SamrGetAliasMembership +- SamrLookupNamesInDomain +- SamrLookupIdsInDomain +- SamrQueryInformationUser +- SamrQueryInformationGroup +- SamrQueryInformationUserAlias +- SamrGetMembersInGroup +- SamrGetMembersInAlias +- SamrGetUserDomainPasswordInformation + +##### New BCD events + +Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): +- DEP/NEX settings +- Test signing +- PCAT SB simulation +- Debug +- Boot debug +- Integrity Services +- Disable Winload debugging menu + +##### New PNP events + +Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. + +[Learn how to manage your security audit policies within your organization](../keep-secure/security-auditing-overview.md). + +### Trusted Platform Module + +#### New TPM features in Windows 10, version 1511 + +- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). + +#### New TPM features in Windows 10, version 1507 + +The following sections describe the new and changed functionality in the TPM for Windows 10: +- [Device health attestation](#bkmk-dha) +- [Microsoft Passport](microsoft-passport.md) support +- [Device Guard](device-guard-overview.md) support +- [Credential Guard](../keep-secure/credential-guard.md) support + +### Device health attestation + +Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. 
With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. +Some things that you can check on the device are: +- Is Data Execution Prevention supported and enabled? +- Is BitLocker Drive Encryption supported and enabled? +- Is SecureBoot supported and enabled? + +> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. + +[Learn how to deploy and manage TPM within your organization](../keep-secure/trusted-platform-module-overview.md). + +### User Account Control + +User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. + +You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. + +For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](../keep-secure/user-account-control-group-policy-and-registry-key-settings.md). + +In Windows 10, User Account Control has added some improvements. + +#### New User Account Control features in Windows 10, version 1507 + +- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](http://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. 
+ +[Learn how to manage User Account Control within your organization](../keep-secure/user-account-control-overview.md). + +### VPN profile options + +Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: +• Always-on auto connection behavior +• App=triggered VPN +• VPN traffic filters +• Lock down VPN +• Integration with Microsoft Passport for Work + +[Learn more about the VPN options in Windows 10.](../keep-secure/vpn-profile-options.md) + + +## Management + +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. + +### MDM support + + +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Windows Store, VPN configuration, and more. + +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](http://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. + +Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=533172) + +### Unenrollment + + +When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. + +When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. 
+ +### Infrastructure + + +Enterprises have the following identity and management choices. + +| Area | Choices | +|---|---| +| Identity | Active Directory; Azure AD | +| Grouping | Domain join; Workgroup; Azure AD join | +| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | + + > **Note**   +With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](http://go.microsoft.com/fwlink/p/?LinkID=613512). + +  +### Device lockdown + + +Do you need a computer that can only do one thing? For example: + +- A device in the lobby that customers can use to view your product catalog. + +- A portable device that drivers can use to check a route on a map. + +- A device that a temporary worker uses to enter data. + +You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/en-us/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. + +You can also [configure a lockdown state](https://technet.microsoft.com/en-us/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. + +Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/en-us/itpro/windows/manage/windows-10-start-layout-options-and-policies). + +### Customized Start layout + +A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. 
Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](../manage/customize-and-export-start-layout.md). + +Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](../manage/windows-spotlight.md). + +### Windows Store for Business +**New in Windows 10, version 1511** + +With the Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. + +For more information, see [Windows Store for Business overview](../manage/windows-store-for-business-overview.md). + + +## Updates + +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. + +By using [Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: + +- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). 
+ +- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. + +- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=699281). + +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](http://technet.microsoft.com/library/gg682129.aspx). + + +Learn more about [Windows Update for Business](../plan/windows-update-for-business.md). + +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md). + +## Microsoft Edge +Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. + +- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages. +- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing. +- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage. 
+- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. + +### Enterprise guidance +Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956). + +We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. + +[Learn more about using Microsoft Edge in the enterprise](https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11) + + +## Learn more + +- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info) + + +  + +  + + + + + diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md new file mode 100644 index 0000000000..5d509f5ee2 --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-1607.md 
@@ -0,0 +1,143 @@ +--- +title: What's new in Windows 10, version 1607 (Windows 10) +description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile. +ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 +keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: TrudyHa +localizationpriority: high +--- + +# What's new in Windows 10, version 1607 + +Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update). + +> **Note:** For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +  +## Deployment + +### Windows Imaging and Configuration Designer (ICD) + +In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in version 1607, you can install just the configuration designer component independent of the rest of the imaging components. 
[Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) + +Windows ICD now includes simplified workflows for creating provisioning packages: + +- [Simple provisioning to set up common settings for Active Directory-joined devices](~/deploy/provision-pcs-for-initial-deployment.md) +- [Advanced provisioning to deploy certificates and apps](~/deploy/provision-pcs-with-apps-and-certificates.md) +- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain) + +[Learn more about using provisioning packages in Windows 10.](../deploy/provisioning-packages.md) + +### Windows Upgrade Analytics + +Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. + +Use Upgrade Analytics to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. 
+ +[Learn more about planning and managing Windows upgrades with Windows Upgrade Analytics.](../deploy/manage-windows-upgrades-with-upgrade-analytics.md) + +## Security + +### Credential Guard and Device Guard + +Isolated User Mode is now included with Hyper-V so you don't have to install it separately. + +### Windows Hello for Business + +When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Additional changes for Windows Hello in Windows 10, version 1607: + +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. +- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. + + +[Learn more about Windows Hello for Business.](../keep-secure/manage-identity-verification-using-microsoft-passport.md) + +### VPN + +- The VPN client can integrate with the Conditional Access Framework, a cloud-pased policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. +- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](../keep-secure/protect-enterprise-data-using-edp.md), previously known as Enterprise Data Protection. +- New VPNv2 configuration service provider (CSP) adds configuration settings. 
For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) +- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. + + +### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. + +Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. + +- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) +- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) + +[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) + +### Windows Defender +Several new features and management options have been added to Windows Defender in Windows 10, version 1607. + +- [Windows Defender Offline in Windows 10](../keep-secure/windows-defender-offline.md) can be run directly from within Windows, without having to create bootable media. 
+- [Use PowerShell cmdlets for Windows Defender](../keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md) to configure options and run scans. +- [Enable the Block at First Sight feature in Windows 10](../keep-secure/windows-defender-block-at-first-sight.md) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Configure enhanced notifications for Windows Defender in Windows 10](../keep-secure/windows-defender-enhanced-notifications.md) to see more informaiton about threat detections and removal. +- [Run a Windows Defender scan from the command line](../keep-secure/run-cmd-scan-windows-defender-for-windows-10.md). +- [Detect and block Potentially Unwanted Applications with Windows Defender](../keep-secure/enable-pua-windows-defender-for-windows-10.md) during download and install times. + +### Windows Defender Advanced Threat Protection (ATP) +With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. + +[Learn more about Windows Defender Advanced Threat Protection (ATP)](../keep-secure/windows-defender-advanced-threat-protection.md). + +## Management + +### Use Remote Desktop Connection for PCs joined to Azure Active Directory + +From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](../manage/connect-to-remote-aadj-pc.md) + + +### Taskbar configuration + +Enterprise administrators can add and remove pinned apps from the taskbar. 
Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](../manage/windows-10-start-layout-options-and-policies.md) + +### Mobile device management and configuration service providers (CSPs) + +Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for Windows 10, version 1607, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). + +### Shared PC mode + +Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](../manage/set-up-shared-or-guest-pc.md) + +### Application Virtualization (App-V) for Windows 10 + +Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. + +With the release of Windows 10, version 1607, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. 
+ +[Learn how to deliver virtual applications with App-V.](../manage/appv-getting-started.md) + +### User Experience Virtualization (UE-V) for Windows 10 + +Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Windows Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. + +With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. + +With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and EU-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. + +[Learn how to synchronize user-customized settings with UE-V.](../manage/uev-for-windows.md) + +## Learn more + +- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info) diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md new file mode 100644 index 0000000000..c2f98f8924 --- /dev/null +++ b/windows/whats-new/windows-10-insider-preview.md 
@@ -0,0 +1,27 @@
+---
+title: Documentation for Windows 10 Insider Preview (Windows 10)
+description: Preliminary documentation for some Windows 10 features in Insider Preview.
+ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: TrudyHa
+---
+
+# Documentation for Windows 10 Insider Preview
+
+> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]
+
+This section contains preliminary documentation for some enterprise features in Windows 10 Insider Preview. Information in this section may change frequently.
+
+
+
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/whats-new/windows-spotlight.md b/windows/whats-new/windows-spotlight.md
index d4fb43b2ec..15caeeb2a9 100644
--- a/windows/whats-new/windows-spotlight.md
+++ b/windows/whats-new/windows-spotlight.md
@@ -1,64 +1,16 @@ --- -title: Windows spotlight on the lock screen (Windows 10) -description: Windows spotlight is an option for the lock screen background that displays different background images on the lock screen. +title: Windows Spotlight on the lock screen (Windows 10) +description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A keywords: ["lockscreen"] ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: jdeckerMS +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/windows-spotlight --- -# Windows spotlight on the lock screen - - -**Applies to** - -- Windows 10 - -Windows spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows spotlight is now available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows spotlight background. - -## What does Windows spotlight include? - - -- **Background image** - - The Windows spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis. - - ![lock screen image](images/lockscreen.png) - -- **Feature suggestions, fun facts, tips** - - The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. - -## How do you turn off Windows spotlight? 
- - -Go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background - -![personalization background](images/spotlight.png) - -## How do you disable Windows spotlight for managed devices? - - -Windows spotlight is enabled by default. Administrators can replace Windows spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. - -![lockscreen policy details](images/lockscreenpolicy.png) - -Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image. - -![fun facts](images/funfacts.png) - -## Related topics - - -[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md) - -  - -  - - - +# Windows Spotlight on the lock screen +This topic has been redirected. \ No newline at end of file diff --git a/windows/whats-new/windows-store-for-business-overview.md b/windows/whats-new/windows-store-for-business-overview.md index e1934201c2..abb7c7f8f3 100644 --- a/windows/whats-new/windows-store-for-business-overview.md +++ b/windows/whats-new/windows-store-for-business-overview.md 
@@ -6,281 +6,6 @@ ms.prod: w10 ms.pagetype: store, mobile ms.mktglfcycl: manage ms.sitesec: library +redirect_url: https://technet.microsoft.com/itpro/windows/manage/windows-store-for-business-overview author: TrudyHa --- - -# Windows Store for Business overview - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. - -## Features - - -Organizations of any size can benefit from using the Store for Business provides: - -- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Businessare available to you, or you can integrate the Store for Businesswith management tools, for greater control over access to apps and app updates. You can use existing work or school accounts. - -- **Bulk app acquisition** - Acquire apps in volume from the Store for Business. - -- **Private store** - Curate a private store for your business that’s easily available from any Windows 10 device. - -- **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices: - - - Distribute through Store for Business services. You can assign apps to individual employees, or make apps available to all employees in your private store. - - - Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images. 
- - - Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images. - -- **Line-of-business apps** - Privately add and distribute your internal line-of-business apps using any of the distribution options. - -- **App license management**: Admins can reclaim and reuse app licenses. Online and offline licenses allow you to customize how you decide to deploy apps. - -- **Up-to-date apps** - The Store for Business manages the update process for apps with online licenses. Apps are automatically updated so you are always current with the most recent software updates and product features. Store for Business apps also uninstall cleanly, without leaving behind extra files, for times when you need to switch apps for specific employees. - -## Prerequisites - - -You'll need this software to work with the Store for Business. - -### Required - -- IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox. - -- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device. - -Microsoft Azure Active Directory (AD) accounts for your employees: - -- Admins need Azure AD accounts to sign up for the Store for Business, and then to sign in, get apps, distribute apps, and manage app licenses. - -- Employees need Azure AD account when they access Store for Business content from Windows devices. - -- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account - -- For offline-licensed apps, Azure AD accounts are not required for employees. 
- -For more information on Azure AD, see [About Office 365 and Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](http://go.microsoft.com/fwlink/p/?LinkId=708611). - -### Optional - -While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools: - -- Need to integrate with Windows 10 management framework and Azure AD. - -- Need to sync with the Store for Business inventory to distribute apps. - -## How does the Store for Business work? - - -### Sign up! - -The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization. - -For more information, see [Sign up for the Store for Business](../manage/sign-up-windows-store-for-business.md). - -### Set up - -After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    PermissionAccount settingsAcquire appsDistribute appsDevice Guard signing

    Admin

    X

    X

    X

    Purchaser

    X

    X

    Device Guard signer

    X

    - -  - -In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md). - -Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business. - -### Get apps and content - -Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. - -**App types** -- These app types are supported in the Store for Business: - -- Universal Windows Platform apps - -- Universal Windows apps, by device: Phone, Surface Hub, IOT devices , HoloLens - -Apps purchased from the Store for Business only work on Windows 10 devices. - -Line-of-business (LOB) apps are also supported via the Business store. You can invite IT developers or ISVs to be LOB publishers for your organization. This allows them to submit apps via the developer center that are only available to your organization. These apps can be distributed using the distribution methods discussed in this topic. For more information, see Working with Line-of-Business apps. - -**App licensing model** - -The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. 
ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. - -For more information, see [Apps in the Store for Business](../manage/apps-in-windows-store-for-business.md#licensing-model). - -### Distribute apps and content - -App distribution is handled through two channels, either through the Store for Business, or using a management tool. You can use either or both distribution methods in your organization. - -**Using the Store for Business** – Distribution options for the Store for Business: - -- Email link – After purchasing an app, admins can send employees a link in an email message. Employees can click the link to install the app. - -- Curate private store for all employees – A private store can include content you’ve purchased from the Store, and your line-of-business apps that you’ve submitted to the Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed. - -- To use the options above users must be signed in with an Azure AD account on a Windows 10 device. - -**Using a management tool** – For larger organizations that might want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options: - -- Scoped content distribution – Ability to scope content distribution to specific groups of employees. - -- Install apps for employees – Employees are not responsible for installing apps. Management tool installs apps for employees. - -Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata, management tools can enable portals or apps as a destination for employees to acquire apps. 
- -For more information, see [Distribute apps to your employees from the Store for Business](../manage/distribute-apps-to-your-employees-windows-store-for-business.md). - -### Manage Store for Business settings and content - -Once you are signed up with the Business store and have purchased apps, Admins can manage Store for Business settings and inventory. - -**Manage Store for Business settings** - -- Assign and change roles for employees or groups - -- Device Guard signing - -- Register a management server to deploy and install content - -- Manage relationships with LOB publishers - -- Manage offline licenses - -- Update the name of your private store - -**Manage inventory** - -- Assign app licenses to employees - -- Reclaim and reassign app licenses - -- Manage app updates for all apps, or customize updates for each app. Online apps will automatically update from the Store. Offline apps can be updated using a management server. - -- Download apps for offline installs - -For more information, see [Manage settings in the Store for Business](../manage/manage-settings-windows-store-for-business.md) and [Manage apps](../manage/manage-apps-windows-store-for-business-overview.md). - -## Supported markets - - -Store for Business is currently available in these markets. 
- -|Country or locale|Paid apps|Free apps| -|-----------------|---------|---------| -|Argentina|X|X| -|Australia|X|X| -|Austria|X|X| -|Belgium (Dutch, French)|X|X| -|Brazil| |X| -|Canada (English, French)|X|X| -|Chile|X|X| -|Columbia|X|X| -|Croatia|X|X| -|Czech Republic|X|X| -|Denmark|X|X| -|Finland|X|X| -|France|X|X| -|Germany|X|X| -|Greece|X|X| -|Hong Kong SAR|X|X| -|Hungary|X|X| -|India| |X| -|Indonesia|X|X| -|Ireland|X|X| -|Italy|X|X| -|Japan|X|X| -|Malaysia|X|X| -|Mexico|X|X| -|Netherlands|X|X| -|New Zealand|X|X| -|Norway|X|X| -|Philippines|X|X| -|Poland|X|X| -|Portugal|X|X| -|Romania|X|X| -|Russia| |X| -|Singapore|X|X| -|Slovakia|X|X| -|South Africa|X|X| -|Spain|X|X| -|Sweden|X|X| -|Switzerland (French, German)|X|X| -|Taiwan| |X| -|Thailand|X|X| -|Turkey|X|X| -|Ukraine| |X| -|United Kingdom|X|X| -|United States|X|X| -|Vietnam|X|X| - -## ISVs and the Store for Business - - -Developers in your organization, or ISVs can create content specific to your organization. In the Store for Business, we call these app line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this: - -- Admin invites devs to be LOB publishers for your organization. These devs can be internal devs, or external ISVs. - -- LOB publishers accept the invitation, develop apps, and submits the app to the Windows Dev Center. LOB publishers use Enterprise associations when submitting the app to make the app exclusive to your organization. - -- Admin adds the app to Store for Business inventory. - -Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in the Store for Business. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in the Store for Business will work only on Windows 10. - -For more information on line-of-business apps, see [Working with Line-of-Business apps](../manage/working-with-line-of-business-apps.md). 
- -  - -  - - - - -
diff --git a/windows/whats-new/windows-update-for-business.md b/windows/whats-new/windows-update-for-business.md
index 24ae371549..524ca03a0a 100644
--- a/windows/whats-new/windows-update-for-business.md
+++ b/windows/whats-new/windows-update-for-business.md
@@ -6,6 +6,7 @@
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 author: TrudyHa
+redirect_url: /whats-new/whats-new-windows-10-version-1507-and-1511
 ---
 # What's new in Windows Update for Business?