Merged PR 13408: master

.openpublishing.redirection.json

@@ -13891,6 +13891,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/deployment/windows-autopilot/windows-10-autopilot.md",
+"redirect_url": "/windows/deployment/windows-autopilot/windows-autopilot",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/privacy/manage-windows-endpoints.md",
 "redirect_url": "/windows/privacy/manage-windows-1809-endpoints",
 "redirect_document_id": true

browsers/edge/docfx.json

@@ -9,7 +9,7 @@
       ],
     "resource": [
         {
-          "files": ["**/images/**", "**/*.json"],
+          "files": ["**/images/**"],
           "exclude": ["**/obj/**"]
         }
     ],

browsers/internet-explorer/docfx.json

@@ -9,7 +9,7 @@
       ],
     "resource": [
         {
-          "files": ["**/images/**", "**/*.json"],
+          "files": ["**/images/**"],
           "exclude": ["**/obj/**"]
         }
     ],

devices/hololens/hololens-updates.md

@@ -14,36 +14,30 @@ ms.date: 04/30/2018
 
 >**Looking for how to get the latest update? See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens).**
 
-Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. As with desktop devices, administrators can manage updates to the HoloLens operating system using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb).
-
 >[!NOTE]
 >HoloLens devices must be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md) to manage updates.
 
+For a complete list of Update policies, see [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business).
 
-Mobile device management (MDM) providers use the [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) to enable update management. 
-
-The Update policies supported for HoloLens are:
-
+To configure how and when updates are applied, use the following policies:
 -	[Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
-- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice)  
-- [Update/RequireDeferUpgrade](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requiredeferupgrade) 
-- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval)
-- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) 
+-	[Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
+-	[Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
 
+To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates:
+- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
 
+In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. (See [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure))
 
-Typically, devices access Windows Update directly for updates. You can use the following update policies to configure devices to get updates from Windows Server Update Service (WSUS) instead:
+For devices on Windows 10, version 1607 only: You can use the following update policies to configure devices to get updates from Windows Server Update Service (WSUS) instead of Windows Update:
 
 - [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) 
 - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) 
 - [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) 
 
-In Microsoft Intune, use [a custom profile](https://docs.microsoft.com/intune/custom-settings-windows-holographic) to configure devices to get updates from WSUS. 
-
-
-
 
 
 ## Related topics
 
+- [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business)
 - [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)

devices/surface-hub/create-a-device-account-using-office-365.md

@@ -75,10 +75,16 @@ From here on, you'll need to finish the account creation process using PowerShel
 
 In order to run cmdlets used by these PowerShell scripts, the following must be installed for the admin PowerShell console:
 
--   [Microsoft Online Services Sign-In Assistant for IT Professionals BETA](https://go.microsoft.com/fwlink/?LinkId=718149)
+-   [Microsoft Online Services Sign-In Assistant for IT Professionals RTW](https://www.microsoft.com/en-us/download/details.aspx?id=41950)
 -   [Windows Azure Active Directory Module for Windows PowerShell](https://www.microsoft.com/web/handlers/webpi.ashx/getinstaller/WindowsAzurePowershellGet.3f.3f.3fnew.appids)
 -   [Skype for Business Online, Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366)
 
+Install the following module in Powershell
+``` syntax
+    install-module AzureAD
+    Install-module MsOnline
+    ```
+
 ### Connecting to online services
 
 1.  Run Windows PowerShell as Administrator.
@@ -200,8 +206,7 @@ In order to enable Skype for Business, your environment will need to meet the fo
 2.  To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
 
     ```PowerShell
-    Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool
-    "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
+    Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
     ```
 
     If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
@@ -356,12 +361,7 @@ In order to enable Skype for Business, your environment will need to meet the fo
     Import-PSSession $cssess -AllowClobber
     ```
 
-2.  To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
-
-    ```PowerShell
-    Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool
-    "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
-    ```
+2. Retrieve your Surface Hub account Registrar Pool
 
 If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
 
@@ -369,6 +369,15 @@ In order to enable Skype for Business, your environment will need to meet the fo
     Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool*
     ```
     
+3.  To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
+
+    ```PowerShell
+    Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool
+    "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
+    ```
+
+    
+
 
 
 

devices/surface-hub/docfx.json

@@ -9,7 +9,7 @@
       ],
     "resource": [
         {
-          "files": ["**/images/**", "**/*.json"],
+          "files": ["**/images/**"],
           "exclude": ["**/obj/**"]
         }
     ],

devices/surface/docfx.json

@@ -9,7 +9,7 @@
       ],
     "resource": [
         {
-          "files": ["**/images/**", "**/*.json"],
+          "files": ["**/images/**"],
           "exclude": ["**/obj/**"]
         }
     ],

devices/surface/microsoft-surface-data-eraser.md

@@ -150,6 +150,22 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
 
 Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following:
 
+### Version 3.2.78.0
+*Release Date: 4 Dec 2018*
+
+This version of Surface Data Eraser:
+
+- Includes bug fixes
+
+
+### Version 3.2.75.0
+*Release Date: 12 November 2018*
+
+This version of Surface Data Eraser:
+
+- Adds support to Surface Studio 2
+- Fixes issues with SD card
+
 ### Version 3.2.69.0
 *Release Date: 12 October 2018*
 

devices/surface/surface-diagnostic-toolkit-business.md

@@ -28,7 +28,7 @@ Specifically, SDT for Business enables you to:
 To run SDT for Business, download the components listed in the following table.
 
 >[!NOTE]
->In contrast to the way you typically install MSI packages, the SDT distributable MSI package can only be created by running Windows Installer (MSI.exe) at a command prompt and setting the custom flag `ADMINMODE = 1`. For details, see [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md).  
+>In contrast to the way you typically install MSI packages, the SDT distributable MSI package can only be created by running Windows Installer (msiexec.exe) at a command prompt and setting the custom flag `ADMINMODE = 1`. For details, see [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md).  
 
 Mode |	Primary scenarios | Download | Learn more
 --- | --- | --- | ---

devices/surface/surface-enterprise-management-mode.md

@@ -191,8 +191,10 @@ For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must
 
 ## Version History
 
+### Version 2.26.136.0
+* Add support to Surface Studio 2
 
-### Version 2.21.136.9
+### Version 2.21.136.0
 * Add support to Surface Pro 6
 * Add support to Surface Laptop 2
 

education/docfx.json

@@ -9,7 +9,7 @@
       ],
     "resource": [
         {
-          "files": ["**/images/**", "**/*.json"],
+          "files": ["**/images/**"],
           "exclude": ["**/obj/**"]
         }
     ],

mdop/docfx.json

@@ -9,7 +9,7 @@
       ],
     "resource": [
         {
-          "files": ["**/images/**", "**/*.json"],
+          "files": ["**/images/**"],
           "exclude": ["**/obj/**"]
         }
     ],

mdop/mbam-v2/understanding-mbam-reports-mbam-2.md

@@ -159,7 +159,7 @@ Removable Data Volume encryption status will not be shown in the report.
 </tr>
 <tr class="even">
 <td align="left"><p>Policy-Fixed Data Drive</p></td>
-<td align="left"><p>Indicates if encryption is required for the dixed data drive.</p></td>
+<td align="left"><p>Indicates if encryption is required for the fixed data drive.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Policy Removable Data Drive</p></td>

windows/application-management/apps-in-windows-10.md

@@ -8,10 +8,12 @@ ms.pagetype: mobile
 ms.author: elizapo
 author: lizap
 ms.localizationpriority: medium
-ms.date: 08/23/2018
+ms.date: 12/12/2018
 ---
 # Understand the different apps included in Windows 10
 
+>Applies to: Windows 10
+
 The following types of apps run on Windows 10:
 - Windows apps - introduced in Windows 8, primarily installed from the Store app.
 - Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps.
@@ -38,6 +40,8 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
 > Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
 > ```
 
+<br>
+
 | Package name                           | App name                                                                                                           | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? |
 |----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
 | Microsoft.3DBuilder                    | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe)                                        | x    |      |      |      | Yes                   |
@@ -83,10 +87,9 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
 | Microsoft.ZuneMusic                    | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe)                                      | x    | x    | x    | x    | No                    |
 | Microsoft.ZuneVideo                    | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe)                                       | x    | x    | x    | x    | No                    |
 
----
+
 >[!NOTE]
 >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
----
 
 ## System apps
 
@@ -98,6 +101,8 @@ System apps are integral to the operating system. Here are the typical system ap
 > Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
 > ```
 
+<br>
+
 | Name                             | Package Name                                | 1703  | 1709 | 1803 | Uninstall through UI? |
 |----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------|
 | File Picker                      | 1527c705-839a-4832-9118-54d4Bd6a0c89        |       |      | x    | No                    |

windows/client-management/TOC.md

@@ -12,11 +12,19 @@
 ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
 ## [Windows libraries](windows-libraries.md)
 ## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md)
-### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
-### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
-### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
-### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
-### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
-### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md)
+### [Advanced troubleshooting for Windows networking issues](troubleshoot-networking.md)
+#### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
+#### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
+#### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
+### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
+#### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
+#### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
+#### [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
+#### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
+### [Advanced troubleshooting for Windows start-up issues](troubleshoot-windows-startup.md)
+#### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
+#### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
+#### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md)
+#### [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
 ## [Mobile device management for solution providers](mdm/index.md)
 ## [Change history for Client management](change-history-for-client-management.md)

windows/client-management/change-history-for-client-management.md

@@ -9,13 +9,23 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: jdeckerMS
 ms.author: jdecker
-ms.date: 11/30/2018
+ms.date: 12/06/2018
 ---
 
 # Change history for Client management
 
 This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
 
+## December 2018
+
+New or changed topic | Description
+--- | ---
+[Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) | New
+[Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) | New
+[Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) | New
+[Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) | New
+[Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) | New
+
 ## November 2018
 
 New or changed topic | Description

windows/client-management/mdm/bitlocker-csp.md

@@ -6,9 +6,8 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 08/31/2018
+ms.date: 12/06/2018
 ---
-
 # BitLocker CSP
 
 > [!WARNING]
@@ -795,13 +794,13 @@ The following diagram shows the BitLocker configuration service provider in tree
 
 <a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**  
 
-<p style="margin-left: 20px">Allows the Admin to disable the warning prompt for other disk encryption on the user machines.</p>
+<p style="margin-left: 20px">Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.</p>
 
 > [!Important]  
-> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices.  Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview) for value 0.
+> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview).
 
 > [!Warning]
-> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows.
+> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows.
 
 <table>
 <tr>
@@ -844,6 +843,16 @@ The following diagram shows the BitLocker configuration service provider in tree
 </Replace>
 ```
 
+>[!NOTE]
+>When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
+>
+>The endpoint for a fixed data drive's backup is chosen in the following order:
+  >1. The user's Windows Server Active Directory Domain Services account.
+  >2. The user's Azure Active Directory account.
+  >3. The user's personal OneDrive (MDM/MAM only).
+>
+>Encryption will wait until one of these three locations backs up successfully.
+
 <a href="" id="allowstandarduserencryption"></a>**AllowStandardUserEncryption**  
 Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
 

windows/client-management/mdm/enterprisemodernappmanagement-csp.md

@@ -80,10 +80,10 @@ Query parameters:
     -   Bundle - returns installed bundle packages.
     -   Framework - returns installed framework packages.
     -   Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle.
-    -   XAP - returns XAP package types.
+    -   XAP - returns XAP package types. This filter is not supported on devices other than Windows Mobile. 
     -   All - returns all package types.
 
-    If no value is specified, the combination of Main, Bundle, Framework, and XAP are returned.
+    If no value is specified, the combination of Main, Bundle, and Framework are returned.
 
 -   PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value.
 

windows/client-management/mdm/index.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: jdeckerms
-ms.date: 09/12/2018
+ms.date: 10/09/2018
 ---
 
 # Mobile device management
@@ -23,12 +23,15 @@ There are two parts to the Windows 10 management component:
 -   The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
 -   The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
 
-Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
+Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
 
 ## MDM security baseline
 
 With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices.
 
+>[!NOTE]
+>Intune support for the MDM security baseline is coming soon.
+
 The MDM security baseline includes policies that cover the following areas:
 
 - Microsoft inbox security technology (not deprecated) such as Bitlocker, Smartscreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall
@@ -38,7 +41,7 @@ The MDM security baseline includes policies that cover the following areas:
 - Legacy technology policies that offer alternative solutions with modern technology
 - And much more
 
-For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019](https://blogs.technet.microsoft.com/secguide/2018/10/01/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019/).
+For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [MDM Security baseline (Preview) for Windows 10, version 1809](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip).
 
 
 

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 09/20/2018
+ms.date: 12/06/2018
 ---
 
 # What's new in MDM enrollment and management
@@ -1760,6 +1760,12 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 
 ## Change history in MDM documentation
 
+### December 2018
+
+|New or updated topic | Description|
+|--- | ---|
+|[BitLocker CSP](bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.|
+
 ### September 2018
 
 |New or updated topic | Description|

windows/client-management/mdm/policy-csp-bluetooth.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 08/30/2018
+ms.date: 11/15/2018
 ---
 
 # Policy CSP - Bluetooth
@@ -352,15 +352,21 @@ Footnote:
 
 ## ServicesAllowedList usage guide
 
-When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly define Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG).
+When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG).
 
-To define which profiles and services are allowed, enter the profile or service Universally Unique Identifiers (UUID) using semicolon delimiter. To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. 
+- Disabling a service shall block incoming and outgoing connections for such services
+- Disabling a service shall not publish an SDP record containing the service being blocked
+- Disabling a service shall not allow SDP to expose a record for a blocked service
+- Disabling a service shall log when a service is blocked for auditing purposes
+- Disabling a service shall take effect upon reload of the stack or system reboot
+
+To define which profiles and services are allowed, enter the semicolon delimited profile or service Universally Unique Identifiers (UUID). To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. 
 
 These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID.
 
 Here are some examples:
 
-**Bluetooth Headsets for Voice (HFP)**
+**Example of how to enable Hands Free Profile (HFP)**
 
 BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB
 
@@ -370,8 +376,22 @@ BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB
 
 Footnote: * Used as both Service Class Identifier and Profile Identifier.
 
-Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000111E-0000-1000-8000-00805F9B34FB
+Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000**111E**-0000-1000-8000-00805F9B34FB
 
+**Allow Audio Headsets (Voice)**
+
+|Profile|Reasoning|UUID|
+|-|-|-|
+|HFP (Hands Free Profile)|For voice-enabled headsets|0x111E|
+|Generic Audio Service|Generic audio service|0x1203|
+|Headset Service Class|For older voice-enabled headsets|0x1108|
+|PnP Information|Used to identify devices occasionally|0x1200|
+
+This means that if you only want Bluetooth headsets, the UUIDs to include are:
+
+{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}
+
+<!--
 **Allow Audio Headsets only (Voice)**
 
 |Profile  |Reasoning  |UUID  |
@@ -386,38 +406,38 @@ Footnote: * *GAP, DID, and Scan Parameter are required, as these are underlying
 This means that if you only want Bluetooth headsets, the UUIDs are:
 
 {0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+-->
 
 **Allow Audio Headsets and Speakers (Voice & Music)**
 
 |Profile  |Reasoning  |UUID  |
 |---------|---------|---------|
 |HFP (Hands Free Profile)     |For voice enabled headsets         |0x111E         |
-|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers         |0x110A         |
-|GAP (Generic Access Profile)     |Generic service used by Bluetooth         |0x1800         |
-|Device ID (DID)     |Generic service used by Bluetooth         |0x180A         |
-|Scan Parameters     |Generic service used by Bluetooth         |0x1813         |
+|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers         |0x110B|         
+|Generic Audio Service|Generic service used by Bluetooth|0x1203|
+|Headset Service Class|For older voice-enabled headsets|0x1108|
+|AV Remote Control Target Service|For controlling audio remotely|0x110C|
+|AV Remote Control Service|For controlling audio remotely|0x110E|
+|AV Remote Control Controller Service|For controlling audio remotely|0x110F|
+|PnP Information|Used to identify devices occasionally|0x1200|
 
-{0000111E-0000-1000-8000-00805F9B34FB};{0000110A-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+{0000111E-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; 
 
 **Classic Keyboards and Mice**
 
 |Profile  |Reasoning  |UUID  |
 |---------|---------|---------|
 |HID (Human Interface Device)     |For classic BR/EDR keyboards and mice         |0x1124         |
-|GAP (Generic Access Profile)     |Generic service used by Bluetooth         |0x1800         |
-|DID (Device ID)     |Generic service used by Bluetooth         |0x180A         |
-|Scan Parameters     |Generic service used by Bluetooth         |0x1813         |
+|PnP Information|Used to identify devices occasionally|0x1200|
 
-{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+{00001124-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB};
 
-> [!Note]  
-> For both Classic and LE use a super set of the two formula’s UUIDs
 
 **LE Keyboards and Mice**  
 
 |Profile  |Reasoning  |UUID  |
 |---------|---------|---------|
-|Generic Access Atribute     |For the LE Protocol         |0x1801         |
+|Generic Access Attribute     |For the LE Protocol         |0x1801         |
 |HID Over GATT *     |For LE keyboards and mice         |0x1812         |
 |GAP (Generic Access Profile)     |Generic service used by Bluetooth         |0x1800         |
 |DID (Device ID)     |Generic service used by Bluetooth         |0x180A         |
@@ -433,10 +453,12 @@ Footnote: * The Surface pen uses the HID over GATT profile
 |---------|---------|---------|
 |OBEX Object Push (OPP)     |For file transfer         |0x1105         |
 |Object Exchange (OBEX)     |Protocol for file transfer         |0x0008         |
-|Generic Access Profile (GAP)     |Generic service used by Bluetooth         |0x1800         |
-|Device ID (DID)     |Generic service used by Bluetooth         |0x180A         |
-|Scan Parameters     |Generic service used by Bluetooth         |0x1813         |
-
-{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+|PnP Information|Used to identify devices occasionally|0x1200|
 
+{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}
 
+Disabling file transfer shall have the following effects
+- Fsquirt shall not allow sending of files
+- Fsquirt shall not allow receiving of files
+- Fsquirt shall display error message informing user of policy preventing file transfer
+- 3rd-party apps shall not be permitted to send or receive files using MSFT Bluetooth API

windows/client-management/mdm/policy-csp-deviceinstallation.md

@@ -463,10 +463,13 @@ If you disable or do not configure this policy setting, devices can be installed
 
 For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings).
 
-To get the hardware ID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Hardware Ids** from the **Property** menu:
+You can get the hardware ID in Device Manager. For example, USB drives are listed under Disk drives:
 
-![Hardware IDs](images/hardware-ids.png)
+![Disk drives](images/device-manager-disk-drives.png)
 
+Right-click the name of the device, click **Properties** > **Details** and select **Hardware Ids** as the **Property**: 
+
+![Hardware IDs](images/disk-drive-hardware-id.png)
 
 <!--/Description-->
 > [!TIP]

windows/client-management/troubleshoot-inaccessible-boot-device.md

@@ -0,0 +1,280 @@
+---
+title: Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device
+description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 12/11/2018
+---
+
+# Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device
+
+This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error may occur after some changes are made to the computer, or immediately after you deploy Windows on the computer.
+
+##  Causes of the  Inaccessible_Boot_Device  Stop error
+
+Any one of the following factors may cause the stop error:
+
+*	Missing, corrupted, or misbehaving filter drivers that are related to the storage stack
+
+*	File system corruption
+
+*	Changes to the storage controller mode or settings in the BIOS 
+
+*	Using a different storage controller than the one that was used when Windows was installed
+
+*	Moving the hard disk to a different computer that has a different controller
+
+*	A faulty motherboard or storage controller, or faulty hardware 
+
+*	In unusual cases: the failure of the TrustedInstaller service to commit newly installed updates because of Component Based Store corruptions
+
+*	Corrupted files in the **Boot**  partition (for example, corruption in the volume that is labeled **SYSTEM**  when you run the `diskpart`  > `list vol`  command)
+
+##  Troubleshoot this error
+
+Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps.
+
+1. Start the system by using [the installation media for the installed version of Windows](https://support.microsoft.com/help/15088).
+
+2. On the **Install Windows**  screen, select **Next**  > **Repair your computer** .
+
+3. On the **System Recovery Options**  screen, select **Next**  > **Command Prompt** .
+
+###  Verify that the boot disk is connected and accessible
+
+####  Step 1
+
+ At the WinRE Command prompt, run `diskpart`, and then run `list disk`.
+
+A list of the physical disks that are attached to the computer should be displayed and resemble the following display:
+
+```
+  Disk ###  Status         Size     Free     Dyn  Gpt
+
+  --------  -------------  -------  -------  ---  ---
+
+  Disk 0    Online         **size*  GB      0 B        *
+``` 
+
+If the computer uses a Unified Extensible Firmware Interface (UEFI) startup interface, there will be an asterisk (*) in the **GPT**  column.
+
+If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn**  column.
+
+####  Step 2
+
+If the `list disk` command lists the OS disks correctly, run the `list vol` command in `diskpart`.
+
+`list vol` generates an output that resembles the following display:
+
+```
+  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
+
+  ----------  ---  -----------  -----  ----------  -------  ---------  --------
+
+  Volume 0         Windows RE   NTFS   Partition    499 MB  Healthy
+
+  Volume 1     C   OSDisk       NTFS   Partition    222 GB  Healthy    Boot
+
+  Volume 2         SYSTEM       FAT32  Partition    499 MB  Healthy    System
+```
+
+>[!NOTE]
+>If the disk that contains the OS is not listed in the output, you will have to engage the OEM or virtualization manufacturer.
+
+###  Verify the integrity of Boot Configuration Database
+
+Check whether the Boot Configuration Database (BCD) has all the correct entries. To do this, run `bcdedit` at the WinRE command prompt.
+
+To verify the BCD entries:
+
+1.	Examine the **Windows Boot Manager**  section that has the **{bootmgr}** identifier. Make sure that the **device**  and **path**  entries point to the correct device and boot loader file.
+ 
+    An example output if the computer is UEFI-based:
+    
+    ```
+    device                  partition=\Device\HarddiskVolume2
+    path                    \EFI\Microsoft\Boot\bootmgfw.efi
+    ```
+
+    An example output if the machine is BIOS based:
+    ```
+    Device                partition=C:
+    ```
+    >[!NOTE]
+    >This output may not contain a path.
+
+2.	In the **Windows Boot Loader**  that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,**  and **systemroot**  point to the correct device or partition, winload file, OS partition or device, and OS folder.
+ 
+    >[!NOTE]
+    >If the computer is UEFI-based, the **bootmgr**  and **winload**  entires under **{default}**  will contain an **.efi**  extension.
+
+ ![bcdedit](images/screenshot1.png)
+
+If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that is named **bcdbackup** . To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup** .
+
+After the backup is completed, run the following command to make the changes:
+
+<pre>bcdedit /set *{identifier}* option value</pre>
+
+For example, if the device under {default} is wrong or missing, run the following command to set it: `bcdedit /set {default} device partition=C:`
+
+ If you want to re-create the BCD completely, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`.
+
+If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location per the path that is specified in the **bcdedit**  command. By default, **bootmgr**  in the BIOS partition will be in the root of the **SYSTEM**  partition. To see the file, run `Attrib -s -h -r`.
+
+If the files are missing, and you want to rebuild the boot files, follow these steps:
+
+1.	Copy all the contents under the **SYSTEM**  partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM**  volume, as follows:
+
+```
+D:\> Mkdir  BootBackup
+R:\> Copy *.* D:\BootBackup 
+```
+
+2.	If you are using Windows 10, or if you are troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot**  command to re-create the boot files, as follows:
+
+    ```cmd
+    Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL
+    ```
+
+    For example: if we assign the ,System Drive> (WinRE drive) the letter R and the <OSdrive> is the letter D, this command would be the following:
+
+    ```cmd
+    Bcdboot D:\windows /s R: /f ALL
+    ```
+
+    >[!NOTE]
+    >The **ALL** part of the **bcdboot** command writes all the boot files (both UEFI and BIOS) to their respective locations.
+
+If you do not have a Windows 10 ISO, you must format the partition and copy **bootmgr**  from another working computer that has a similar Windows build. To do this, follow these steps:
+
+1.	Start **Notepad** .
+
+2.	Press Ctrl+O.
+
+3.	Navigate to the system partition (in this example, it is R).
+
+4.	Right-click the partition, and then format it.
+
+###  Troubleshooting if this issue occurs after a Windows Update installation
+
+Run the following command to verify the Windows update installation and dates:
+
+```cmd
+Dism /Image:<Specify the OS drive>: /Get-packages
+```
+
+After you run this command, you will see the **Install pending** and **Uninstall Pending ** packages:
+
+![Dism output](images/pendingupdate.png)
+
+1.	Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer.
+
+    ![Dism output](images/revertpending.png)
+
+2.	Navigate to ***OSdriveLetter* :\Windows\WinSxS** , and then check whether the **pending.xml**  file exists. If it does, rename it to **pending.xml.old**.
+
+3.	To revert the registry changes, type **regedit**  at the command prompt to open **Registry Editor**.
+
+4.	Select **HKEY_LOCAL_MACHINE**, and then go to **File**  > **Load Hive**.
+
+5.	Navigate to **OSdriveLetter:\Windows\System32\config**, select the file that is named **COMPONENT** (with no extension), and then select **Open**. When you are prompted, enter the name **OfflineComponentHive** for the new hive
+    
+    ![Load Hive](images/loadhive.png)
+
+6.	Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key.
+
+7.	Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File**  > **Unload hive**.
+
+    ![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png)
+
+8.	Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter* :\Windows\System32\config**, select the file that is named **SYSTEM** (with no extension), and then select **Open** . When you are prompted, enter the name **OfflineSystemHive** for the new hive.
+
+9.	Expand **HKEY_LOCAL_MACHINE\OfflineSystemHive**, and then select the **Select** key. Check the data for the **Default** value.
+
+10.	If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default**  is **1** , expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it is **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on.
+
+11.	 Expand **Control\Session Manager**. Check whether the **PendingFileRenameOperations** key exists. If it does, back up the **SessionManager** key, and then delete the **PendingFileRenameOperations** key.
+
+###  Verifying boot critical drivers and services
+
+####  Check services	
+
+1.	 Follow steps 1-10 in the "Troubleshooting if this issue occurs after an Windows Update installation" section. (Step 11 does not apply to this procedure.)
+
+2.	Expand **Services**.
+
+3.	Make sure that the following registry keys exist under **Services**: 
+
+    * ACPI
+
+    * DISK
+    
+    *	VOLMGR
+    
+    *	PARTMGR
+    
+    *	VOLSNAP
+    
+    *	VOLUME
+
+If these keys exist, check each one to make sure that it has a value that is named **Start** and that it is set to **0**. If not, set the value to **0**.
+
+If any of these keys do not exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this, run the following commands:
+
+```cmd
+cd OSdrive:\Windows\System32\config
+ren SYSTEM SYSTEM.old
+copy OSdrive:\Windows\System32\config\RegBack\SYSTEM OSdrive:\Windows\System32\config\
+```
+
+####  Check upper and lower filter drivers
+
+Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they do not exist on another, similar working computer. if they do exist, remove the upper and lower filter drivers:
+
+1.  Expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001\Control**.
+
+2.	Look for any **UpperFilters** or **LowerFilters**  entries.
+
+    >[!NOTE]
+    >These filters are mainly related to storage. After you expand the **Control** key in the registry, you can search for **UpperFilters** and **LowerFilters**.
+
+ The following are some of the different registry entries in which you may find these filter drivers. These entries are located under **ControlSet**  and are designated as **Default** :
+
+\Control\Class\\{4D36E96A-E325-11CE-BFC1-08002BE10318} 
+
+\Control\Class\\{4D36E967-E325-11CE-BFC1-08002BE10318} 
+
+\Control\Class\\{4D36E97B-E325-11CE-BFC1-08002BE10318} 
+
+\Control\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
+
+![Registry](images/controlset.png) 
+
+If an **UpperFilters**  or **LowerFilters**  entry is non-standard (for example, it is not a Windows default filter driver, such as PartMgr), remove the entry by double-clicking it in the right pane, and then deleting only that value.
+
+>[!NOTE]
+>There could be multiple entries.
+
+The reason that these entries may affect us is because there may be an entry in the **Services** branch that has a START type set to 0 or 1 (indicating that it is loaded at the Boot or Automatic part of the boot process). Also, either the file that is referred to is missing or corrupted, or it may be named differently than what is listed in the entry. 
+
+>[!NOTE]
+>If there actually is a service that is set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error.
+
+###  Running SFC and Chkdsk
+
+ If the computer still does not start, you can try to run a **chkdisk**  process on the system drive, and also run System File Checker. To do this, run the following commands at a WinRE command prompt:
+
+*	`chkdsk /f /r OsDrive:`
+
+    ![Check disk](images/check-disk.png)
+
+*	`sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows`
+
+    ![SFC scannow](images/sfc-scannow.png)
+

windows/client-management/troubleshoot-networking.md

@@ -0,0 +1,20 @@
+---
+title: Advanced troubleshooting for Windows networking issues
+description: Learn how to troubleshoot networking issues.
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 
+---
+
+# Advanced troubleshooting for Windows networking issues
+
+In these topics, you will learn how to troubleshoot common problems related to Windows networking.
+
+- [Advanced troubleshooting Wireless Network](advanced-troubleshooting-wireless-network-connectivity.md)
+- [Data collection for troubleshooting 802.1x authentication](data-collection-for-802-authentication.md)
+- [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
+- [Advanced troubleshooting for TCP/IP issues](troubleshoot-tcpip.md)

windows/client-management/troubleshoot-stop-errors.md

@@ -101,7 +101,7 @@ The memory dump file is saved at the following locations.
 
 You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. For more information, see the following video: 
 
->[!video https://www.youtube.com/embed?v=xN7tOfgNKag]
+>[!video https://www.youtube.com/watch?v=xN7tOfgNKag&feature=youtu.be]
 
 
 More information on how to use Dumpchk.exe to check your dump files:

windows/client-management/troubleshoot-tcpip-connectivity.md

@@ -0,0 +1,109 @@
+---
+title: Troubleshoot TCP/IP connectivity
+description: Learn how to troubleshoot TCP/IP connectivity.
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 12/06/2018
+---
+
+# Troubleshoot TCP/IP connectivity
+
+You might come across connectivity errors on the application end or timeout errors. Most common scenarios would include application connectivity to a database server, SQL timeout errors, BizTalk application timeout errors, Remote Desktop Protocol (RDP) failures, file share access failures, or general connectivity.  
+ 
+When you suspect that the issue is on the network, you collect a network trace. The network trace would then be filtered. During troubleshooting connectivity errors, you might come across TCP reset in a network capture which could indicate a network issue.  
+ 
+* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures this is through the handshake process. Establishing a TCP session would begin with a 3-way handshake, followed by data transfer, and then a 4-way closure. The 4-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the 4-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this is the TIME_WAIT state. Once the TIME_WAIT state is done, all the resources allocated for this connection are released.  
+ 
+* TCP reset is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased.  
+ 
+* TCP reset is identified by the RESET flag in the TCP header set to `1`.  
+ 
+A network trace on the source and the destination which will help you determine the flow of the traffic and see at what point the failure is observed.  
+ 
+The following sections describe some of the scenarios when you will see a RESET. 
+ 
+## Packet drops
+ 
+When one TCP peer is sending out TCP packets for which there is no response received from the other end, the TCP peer would end up re-transmitting the data and when there is no response received, it would end the session by sending an ACK RESET( meaning, application acknowledges whatever data exchanged so far, but due to packet drop closing the connection).  
+ 
+The simultaneous network traces on source and destination will help you verify this behavior where on the source side you would see the packets being retransmitted and on the destination none of these packets are seen. This would mean, the network device between the source and destination is dropping the packets. 
+ 
+If the initial TCP handshake is failing because of packet drops then you would see that the TCP SYN packet is retransmitted only 3 times. 
+    
+Source side connecting on port 445:
+
+![Screenshot of frame summary in Network Monitor](images/tcp-ts-6.png)
+
+Destination side: applying the same filter, you do not see any packets.
+
+![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png)
+
+For the rest of the data, TCP will retransmit the packets 5 times.
+
+**Source 192.168.1.62 side trace:**
+
+![Screenshot showing packet side trace](images/tcp-ts-8.png)
+
+**Destination 192.168.1.2 side trace:**
+     
+You would not see any of the above packets. Engage your network team to investigate with the different hops and see if any of them are potentially causing drops in the network.
+    
+If you are seeing that the SYN packets are reaching the destination, but the destination is still not responding, then verify if the port that you are trying to connect to is in the listening state. (Netstat output will help). If the port is listening and still there is no response, then there could be a wfp drop.  
+ 
+## Incorrect parameter in the TCP header
+ 
+You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being re-played by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you will be able to notice if there is a change in the packets itself or if any new packets are reaching the destination on behalf of the source.  
+ 
+In this case, you will again need help from the network team to identify any such device which is modifying packets or re-playing packets to the destination. The most common ones are RiverBed devices or WAN accelerators. 
+ 
+     
+## Application side reset
+ 
+When you have identified that the resets are not due to retransmits or incorrect parameter or packets being modified with the help of network trace, then you have narrowed it down to application level reset.
+    
+The application resets are the ones where you see the Acknowledgement flag set to `1` along with the reset flag. This would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This is when the application that received the packet did not like something it received.  
+ 
+In the below screenshots, you see that the packets seen on the source and the destination are the same without any modification or any drops, but you see an explicit reset sent by the destination to the source.
+    
+**Source Side**
+
+![Screenshot of packets on source side in Network Monitor](images/tcp-ts-9.png)
+
+**On the destination-side trace** 
+
+![Screenshot of packets on destination side in Network Monitor](images/tcp-ts-10.png)
+
+You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet.  
+
+![Screenshot of packet flag](images/tcp-ts-11.png)
+
+The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. 
+ 
+>[!Note]
+>The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You would not see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you have the UDP packet sent out on a port and the destination does not have port listed, you will see the destination sending out  **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet
+ 
+ 
+```typescript
+10.10.10.1  10.10.10.2  UDP UDP:SrcPort=49875,DstPort=3343
+ 
+10.10.10.2  10.10.10.1  ICMP    ICMP:Destination Unreachable Message, Port Unreachable,10.10.10.2:3343
+```
+ 
+ 
+During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. You should enable firewall auditing on the machine to understand if the local firewall is dropping the packet.
+ 
+```typescript
+auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
+```
+ 
+You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it.
+
+![Screenshot of Event Properties](images/tcp-ts-12.png)
+
+Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection.
+
+![Screenshot of wfpstate.xml file](images/tcp-ts-13.png)

windows/client-management/troubleshoot-tcpip-netmon.md

@@ -0,0 +1,60 @@
+---
+title: Collect data using Network Monitor
+description: Learn how to run Network Monitor to collect data for troubleshooting TCP/IP connectivity.
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 12/06/2018
+---
+
+# Collect data using Network Monitor
+
+In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic.
+
+To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image.
+
+![A view of the properties for the adapter](images/tcp-ts-1.png)
+
+When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch.
+
+**To capture traffic**
+
+1. Click **Start** and enter **Netmon**.
+
+2. For **netmon run command**,select **Run as administrator**.
+
+    ![Image of Start search results for Netmon](images/tcp-ts-3.png)
+
+3. Network Monitor opens with all network adapters displayed. Select **New Capture**, and then select **Start**.
+
+    ![Image of the New Capture option on menu](images/tcp-ts-4.png)
+
+4. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire.
+
+    ![Frame summary of network packets](images/tcp-ts-5.png)
+
+5. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file.
+
+The saved file has captured all the traffic that is flowing to and from the network adapters of this machine. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you are facing. So you will need to filter the network capture to see only the related traffic. 
+ 
+**Commonly used filters**
+ 
+- Ipv4.address=="client ip" and ipv4.address=="server ip"
+- Tcp.port==
+- Udp.port==
+- Icmp 
+- Arp 
+- Property.tcpretranmits
+- Property.tcprequestfastretransmits
+- Tcp.flags.syn==1
+ 
+>[!TIP]
+>If you want to filter the capture for a specific field and do not know the syntax for that filter, just right-click that field and select **Add *the selected value* to Display Filter**. 
+ 
+Network traces which are collected using the **netsh** commands built in to Windows are of the extension "ETL". However, these ETL files can be opened using Network Monitor for further analysis. 
+
+
+

windows/client-management/troubleshoot-tcpip-port-exhaust.md

@@ -0,0 +1,196 @@
+---
+title: Troubleshoot port exhaustion issues
+description: Learn how to troubleshoot port exhaustion issues.
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 12/06/2018
+---
+
+# Troubleshoot port exhaustion issues
+
+TCP and UDP protocols work based on port numbers used for establishing connection. Any application or a service that needs to establish a TCP/UDP connection will require a port on its side. 
+ 
+There are two types of ports:
+
+- *Ephemeral ports*, which are usually dynamic ports, are the set of ports that every machine by default will have them to make an outbound connection.
+- *Well-known ports* are the defined port for a particular application or service. For example, file server service is on port 445, HTTPS is 443, HTTP is 80, and RPC is 135. Custom application will also have their defined port numbers.
+ 
+Clients when connecting to an application or service will make use of an ephemeral port from its machine to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to https://www.microsoft.com on port 443.
+ 
+In a scenario where the same browser is creating a lot of connections to multiple website, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports are on a machine are used, we term it as *port exhaustion*. 
+ 
+## Default dynamic port range for TCP/IP
+ 
+To comply with [Internet Assigned Numbers Authority (IANA)](http://www.iana.org/assignments/port-numbers) recommendations, Microsoft has increased the dynamic client port range for outgoing connections. The new default start port is **49152**, and the new default end port is **65535**. This is a change from the configuration of earlier versions of Windows that used a default port range of **1025** through **5000**. 
+ 
+You can view the dynamic port range on a computer by using the following netsh commands: 
+
+- `netsh int ipv4 show dynamicport tcp` 
+- `netsh int ipv4 show dynamicport udp` 
+- `netsh int ipv6 show dynamicport tcp` 
+- `netsh int ipv6 show dynamicport udp` 
+ 
+
+The range is set separately for each transport (TCP or UDP). The port range is now a range that has a starting point and an ending point. Microsoft customers who deploy servers that are running Windows Server may have problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, we recommend that you reconfigure the firewalls to allow traffic between servers in the dynamic port range of **49152** through **65535**. This range is in addition to well-known ports that are used by services and applications. Or, the port range that is used by the servers can be modified on each server. You adjust this range by using the netsh command, as follows. The above command sets the dynamic port range for TCP. 
+ 
+```cmd
+netsh int <ipv4|ipv6> set dynamic <tcp|udp> start=number num=range
+```
+ 
+The start port is number, and the total number of ports is range. The following are sample commands:
+ 
+- `netsh int ipv4 set dynamicport tcp start=10000 num=1000`
+- `netsh int ipv4 set dynamicport udp start=10000 num=1000`
+- `netsh int ipv6 set dynamicport tcp start=10000 num=1000`
+- `netsh int ipv6 set dynamicport udp start=10000 num=1000`
+ 
+These sample commands set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. To duplicate the default behavior of Windows Server 2003, use 1025 as the start port, and then use 3976 as the range for both TCP and UDP. This results in a start port of 1025 and an end port of 5000.
+ 
+Specifically, about outbound connections as incoming connections will not require an Ephemeral port for accepting connections.
+ 
+Since outbound connections start to fail, you will see a lot of the below behaviors:
+ 
+- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work.
+
+    ![Screenshot of error for NETLOGON in Event Viewer](images/tcp-ts-14.png)
+
+- Group Policy update failures:
+
+    ![Screenshot of event properties for Group Policy failure](images/tcp-ts-15.png)
+
+- File shares are inaccessible:
+
+    ![Screenshot of error message "Windows cannot access"](images/tcp-ts-16.png)
+
+- RDP from the affected server fails:
+
+    ![Screenshot of error when Remote Desktop is unable to connect](images/tcp-ts-17.png)
+
+- Any other application running on the machine will start to give out errors
+
+Reboot of the server will resolve the issue temporarily, but you would see all the symptoms come back after a period of time.
+
+If you suspect that the machine is in a state of port exhaustion: 
+ 
+1.	Try making an outbound connection. From the server/machine, access a remote share or try an RDP to another server or telnet to a server on a port. If the outbound connection fails for all of these, go to the next step.
+
+2.	Open event viewer and under the system logs, look for the events which clearly indicate the current state: 
+
+    a.	**Event ID 4227**
+
+    ![Screenshot of event id 4227 in Event Viewer](images/tcp-ts-18.png)
+
+    b.	**Event ID 4231**
+
+    ![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png)
+
+3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
+
+    ![Screenshot of netstate command output](images/tcp-ts-20.png)
+
+After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
+ 
+You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion.
+ 
+>[!Note]
+>Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
+>
+>Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state.  An update for Windows 8.1 and Windows Server 2012R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
+ 
+4.	Open a command prompt in admin mode and run the below command
+
+    ```cmd
+    Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl
+    ```
+
+5.	Open the server.etl file with [Network Monitor](troubleshoot-tcpip-netmon.md) and in the filter section, apply the filter **Wscore_MicrosoftWindowsWinsockAFD.AFD_EVENT_BIND.Status.LENTStatus.Code == 0x209**. You should see entries which say **STATUS_TOO_MANY_ADDRESSES**. If you do not find any entries, then the server is still not out of ports. If you find them, then you can confirm that the server is under port exhaustion.
+ 
+## Troubleshoot Port exhaustion
+ 
+The key is to identify which process or application is using all the ports. Below are some of the tools that you can use to isolate to one single process
+ 
+### Method 1
+
+Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below Powershell command to identify the process:
+
+```Powershell
+Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending 
+```
+
+Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts which allows you to identify which process is consuming all of the ports.
+ 
+For Windows 7 and Windows Server 2008 R2, you can update your Powershell version to include the above cmdlet. 
+ 
+### Method 2
+
+If method 1 does not help you identify the process (prior to Windows 10 and Windows Server 2012 R2), then have a look at Task Manager: 
+
+1.	Add a column called “handles” under details/processes.
+2.	Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.
+
+    ![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png)
+
+3.	If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
+ 
+### Method 3
+
+If Task Manager did not help you identify the process, then use Process Explorer to investigate the issue.
+ 
+Steps to use Process explorer: 
+
+1.	[Download Process Explorer](https://docs.microsoft.com/sysinternals/downloads/process-explorer) and run it **Elevated**. 
+2.	Alt + click the column header, select **Choose Columns**, and on the **Process Performance** tab, add **Handle Count**.
+3.	Select **View \ Show Lower Pane**.
+4.	Select **View \ Lower Pane View \ Handles**.
+5.	Click the **Handles** column to sort by that value.
+6.	Examine the processes with higher handle counts than the rest (will likely be over 10,000 if you can't make outbound connections).
+7.	Click to highlight one of the processes with a high handle count.
+8.	In the lower pane, the handles listed as below are sockets. (Sockets are technically file handles).
+    
+    File   \Device\AFD
+
+    ![Screenshot of Process Explorer](images/tcp-ts-22.png)
+
+10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.
+ 
+Finally, if the above methods did not help you isolate the process, we suggest you collect a complete memory dump of the machine in the issue state. The dump will tell you which process has the maximum handles.
+ 
+As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands:
+
+```cmd
+netsh int ipv4 set dynamicport tcp start=10000 num=1000
+```
+
+This will set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535.
+ 
+>[!NOTE]
+>Note that increasing the dynamic port range is not a permanent solution but only temporary. You will need to track down which process/processors are consuming max number of ports and troubleshoot from that process standpoint as to why its consuming such high number of ports. 
+
+For Windows 7 and Windows Server 2008 R2, you can use the below script to collect the netstat output at defined frequency. From the outputs, you can see the port usage trend.
+
+```
+@ECHO ON
+set v=%1
+:loop
+set /a v+=1
+ECHO %date% %time% >> netstat.txt
+netstat -ano >> netstat.txt
+ 
+PING 1.1.1.1 -n 1 -w 60000 >NUL
+ 
+goto loop
+```
+
+
+
+ 
+## Useful links
+
+- [Port Exhaustion and You!](https://blogs.technet.microsoft.com/askds/2008/10/29/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend/) - this article gives a detail on netstat states and how you can use netstat output to determine the port status
+
+- [Detecting ephemeral port exhaustion](https://blogs.technet.microsoft.com/clinth/2013/08/09/detecting-ephemeral-port-exhaustion/): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10)
+

windows/client-management/troubleshoot-tcpip-rpc-errors.md

@@ -0,0 +1,187 @@
+---
+title: Troubleshoot Remote Procedure Call (RPC) errors
+description: Learn how to troubleshoot Remote Procedure Call (RPC) errors
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 12/06/2018
+---
+
+# Troubleshoot Remote Procedure Call (RPC) errors
+
+You might encounter an **RPC server unavailable** error when connecting to Windows Management Instrumentation (WMI), SQL Server, during a remote connection, or for some Microsoft Management Console (MMC) snap-ins. The following image is an example of an RPC error.
+
+![The following error has occurred: the RPC server is unavailable](images/rpc-error.png)
+
+This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’. 
+
+Before getting in to troubleshooting the **RPC server unavailable*- error, let’s first understand basics about the error. There are a few important terms to understand:
+
+- Endpoint mapper – a service listening on the server, which guides client apps to server apps by port and UUID.
+- Tower – describes the RPC protocol, to allow the client and server to negotiate a connection.
+- Floor – the contents of a tower with specific data like ports, IP addresses, and identifiers.
+- UUID – a well-known GUID that identifies the RPC application. The UUID is what you use to see a specific kind of RPC application conversation, as there are likely to be many.
+- Opnum – the identifier of a function that the client wants the server to execute. It’s just a hexadecimal number, but a good network analyzer will translate the function for you. If neither knows, your application vendor must tell you.
+- Port – the communication endpoints for the client and server applications.
+- Stub data – the information given to functions and data exchanged between the client and server. This is the payload, the important part.
+ 
+>[!Note]
+> A lot of the above information is used in troubleshooting, the most important is the Dynamic RPC port number you get while talking to EPM.
+ 
+## How the connection works
+
+Client A wants to execute some functions or wants to make use of a service running on the remote server, will first establish the connection with the Remote Server by doing a three-way handshake.  
+
+![Diagram illustrating connection to remote server](images/rpc-flow.png)
+
+RPC ports can be given from a specific range as well.
+### Configure RPC dynamic port allocation
+ 
+Remote Procedure Call (RPC) dynamic port allocation is used by server applications and remote administration applications such as Dynamic Host Configuration Protocol (DHCP) Manager, Windows Internet Name Service (WINS) Manager, and so on. RPC dynamic port allocation will instruct the RPC program to use a particular random port in the range configured for TCP and UDP, based on the implementation of the operating system used. 
+ 
+Customers using firewalls may want to control which ports RPC is using so that their firewall router can be configured to forward only these Transmission Control Protocol (UDP and TCP) ports. Many RPC servers in Windows let you specify the server port in custom configuration items such as registry entries. When you can specify a dedicated server port, you know what traffic flows between the hosts across the firewall, and you can define what traffic is allowed in a more directed manner.
+ 
+As a server port, please choose a port outside of the range you may want to specify below. You can find a comprehensive list of server ports that are used in Windows and major Microsoft products in the article [Service overview and network port requirements for Windows](https://support.microsoft.com/help/832017).
+The article also lists the RPC servers and which RPC servers can be configured to use custom server ports beyond the facilities the RPC runtime offers. 
+ 
+Some firewalls also allow for UUID filtering where it learns from a RPC Endpoint Mapper request for a RPC interface UUID. The response has the server port number, and a subsequent RPC Bind on this port is then allowed to pass.
+ 
+With Registry Editor, you can modify the following parameters for RPC. The RPC Port key values discussed below are all located in the following key in the registry:
+ 
+**HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\ Entry name Data Type**
+
+**Ports REG_MULTI_SZ**
+ 
+- Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by **5984**, and a set of ports may be represented by **5000-5100**. If any entries are outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC runtime treats the entire configuration as invalid.
+ 
+**PortsInternetAvailable REG_SZ Y or N (not case-sensitive)**
+ 
+- If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that are not Internet-available.
+ 
+**UseInternetPorts REG_SZ ) Y or N (not case-sensitive)**
+ 
+- Specifies the system default policy.
+- If Y, the processes using the default will be assigned ports from the set of Internet-available ports, as defined previously.
+- If N, the processes using the default will be assigned ports from the set of intranet-only ports.
+ 
+**Example:**
+
+In this example ports 5000 through 6000 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. This is not a recommendation of a minimum number of ports needed for any particular system.
+
+1.	Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
+
+2.	Under the Internet key, add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ).
+
+    For example, the new registry key appears as follows:
+    Ports: REG_MULTI_SZ: 5000-6000
+    PortsInternetAvailable: REG_SZ: Y
+    UseInternetPorts: REG_SZ: Y
+
+3.	Restart the server. All applications that use RPC dynamic port allocation use ports 5000 through 6000, inclusive. 
+
+You should open up a range of ports above port 5000. Port numbers below 5000 may already be in use by other applications and could cause conflicts with your DCOM application(s). Furthermore, previous experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.
+ 
+>[!Note]
+>The minimum number of ports required may differ from computer to computer. Computers with higher traffic may run into a port exhaustion situation if the RPC dynamic ports are restricted. Take this into consideration when restricting the port range.
+ 
+>[!WARNING]
+>If there is an error in the port configuration or there are insufficient ports in the pool, the Endpoint Mapper Service will not be able to register RPC servers with dynamic endpoints. When there is a configuration error, the error code will be 87 (0x57) ERROR_INVALID_PARAMETER. This can affect Windows RPC servers as well, such as Netlogon. It will log event 5820 in this case:
+> 
+>Log Name: System
+>Source: NETLOGON
+>Event ID: 5820
+>Level: Error
+>Keywords: Classic
+>Description:
+>The Netlogon service could not add the AuthZ RPC interface. The service was terminated. The following error occurred: 'The parameter is incorrect.'
+ 
+If you would like to do a deep dive as to how it works, see [RPC over IT/Pro](https://blogs.technet.microsoft.com/askds/2012/01/24/rpc-over-itpro/).
+ 
+ 
+## Troubleshooting RPC error
+ 
+### PortQuery
+
+The best thing to always troubleshoot RPC issues before even getting in to traces is by making use of tools like **PortQry**. You can quickly determine if you are able to make a connection by running the command:
+
+```cmd
+Portqry.exe -n <ServerIP> -e 135
+``` 
+ 
+This would give you a lot of output to look for, but you should be looking for **ip_tcp*- and the port number in the brackets, which tells whether you were successfully able to get a dynamic port from EPM and also make a connection to it. If the above fails, you can typically start collecting simultaneous network traces. Something like this from the output of “PortQry”:
+
+```cmd 
+Portqry.exe -n 169.254.0.2 -e 135
+```
+Partial output below:
+ 
+>Querying target system called:
+>169.254.0.2
+>Attempting to resolve IP address to a name...
+>IP address resolved to RPCServer.contoso.com
+>querying...
+>TCP port 135 (epmap service): LISTENING
+>Using ephemeral source port
+>Querying Endpoint Mapper Database...
+>Server's response:
+>UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
+>ncacn_ip_tcp:169.254.0.10**[49664]**
+
+ 
+The one in bold is the ephemeral port number that you made a connection to successfully. 
+ 
+### Netsh
+
+You can run the commands below to leverage Windows inbuilt netsh captures, to collect a simultaneous trace. Remember to execute the below on an “Admin CMD”, it requires elevation.
+ 
+- On the client
+```cmd
+Netsh trace start scenario=netconnection capture=yes tracefile=c:\client_nettrace.etl maxsize=512 overwrite=yes report=yes
+```
+ 
+- On the Server
+```cmd
+Netsh trace start scenario=netconnection capture=yes tracefile=c:\server_nettrace.etl maxsize=512 overwrite=yes report=yes
+```
+
+Now try to reproduce your issue from the client machine and as soon as you feel the issue has been reproduced, go ahead and stop the traces using the command
+```cmd
+Netsh trace stop
+```
+
+Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md) or Message Analyzer and filter the trace for
+
+- Ipv4.address==<client-ip> and ipv4.address==<server-ip> and tcp.port==135 or just tcp.port==135 should help.
+
+- Look for the “EPM” Protocol Under the “Protocol” column.
+
+- Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use.
+
+    ![Screenshot of Network Monitor with dynamic port highlighted](images/tcp-ts-23.png)
+
+- Check if we are connecting successfully to this Dynamic port successfully.
+
+- The filter should be something like this: tcp.port==<dynamic-port-allocated> and ipv4.address==<server-ip> 
+
+    ![Screenshot of Network Monitor with filter applied](images/tcp-ts-24.png)
+
+This should help you verify the connectivity and isolate if any network issues are seen.
+
+
+### Port not reachable
+
+The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port.
+ 
+![Screenshot of Network Monitor with TCP SYN retransmits](images/tcp-ts-25.png)
+ 
+The port cannot be reachable due to one of the following reasons:
+
+- The dynamic port range is blocked on the firewall in the environment. 
+- A middle device is dropping the packets. 
+- The destination server is dropping the packets (WFP drop / NIC drop/ Filter driver etc).
+
+
+

windows/client-management/troubleshoot-tcpip.md

@@ -0,0 +1,20 @@
+---
+title: Advanced troubleshooting for TCP/IP issues
+description: Learn how to troubleshoot TCP/IP issues.
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 12/06/2018
+---
+
+# Advanced troubleshooting for TCP/IP issues
+
+In these topics, you will learn how to troubleshoot common problems in a TCP/IP network environment.
+
+- [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
+- [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
+- [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
+- [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)

windows/client-management/troubleshoot-windows-startup.md

@@ -0,0 +1,19 @@
+---
+title: Advanced troubleshooting for Windows start-up issues
+description: Learn how to troubleshoot Windows start-up issues.
+ms.prod: w10
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 
+---
+
+# Advanced troubleshooting for Windows start-up issues
+
+In these topics, you will learn how to troubleshoot common problems related to Windows start-up.
+
+- [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
+- [Advanced troubleshooting for Stop error or blue screen error](troubleshoot-stop-errors.md)
+- [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)

windows/configuration/kiosk-methods.md

@@ -16,7 +16,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t
 
 |  |  |
 --- | ---
- | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.<br><br>When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.<br><br>A single-app kiosk is ideal for public use.<br><br>(Using [ShellLauncher WMI](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png)
+ | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.<br><br>When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.<br><br>A single-app kiosk is ideal for public use.<br><br>(Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png)
  |  **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.<br><br>A multi-app kiosk is appropriate for devices that are shared by multiple people.<br><br>When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. | ![Illustration of a kiosk Start screen](images/kiosk-desktop.png)
 
 Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. 
@@ -47,7 +47,7 @@ You can use this method | For this edition | For this kiosk account type
 You can use this method | For this edition | For this kiosk account type 
 --- | --- | ---
 [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD 
-[ShellLauncher WMI](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD
+[Shell Launcher](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD
 [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
 
 <span id="desktop" />
@@ -68,7 +68,7 @@ Method | App type | Account type | Single-app kiosk | Multi-app kiosk
 [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X  |
 [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md)  | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X  | X
 Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X
-[ShellLauncher WMI](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | 
+[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | 
 [MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD |  | X
 
 

windows/configuration/kiosk-prepare.md

@@ -28,7 +28,7 @@ For a more secure kiosk experience, we recommend that you make the following con
 
 Recommendation | How to
 --- | ---
-Hide update notifications<br>(New in Windows 10, version 1809)   | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**<br>-or-<br>Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)<br>-or-<br>Add the following registry keys as DWORD (32-bit) type:</br>`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
+Hide update notifications<br>(New in Windows 10, version 1809)   | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**<br>-or-<br>Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)<br>-or-<br>Add the following registry keys as DWORD (32-bit) type:</br>`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
 Replace "blue screen" with blank screen for OS errors   | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`
 Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
 Hide **Ease of access** feature on the sign-in screen. |     See [how to disable the Ease of Access button in the registry.](https://docs.microsoft.com/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen)

windows/configuration/lockdown-features-windows-10.md

@@ -38,7 +38,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be
 <tbody>
 <tr class="odd">
 <td align="left"><p>[Hibernate Once/Resume Many (HORM)](https://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device</p></td>
-<td align="left">N/A</td>
+<td align="left">[HORM](https://docs.microsoft.com/windows-hardware/customize/enterprise/hibernate-once-resume-many-horm-)</td>
 <td align="left"><p>HORM is supported in Windows 10, version 1607 and later. </p></td>
 </tr>
 <tr class="even">

windows/configuration/set-up-shared-or-guest-pc.md

@@ -89,7 +89,7 @@ You can configure Windows to be in shared PC mode in a couple different ways:
 
 ![Shared PC settings in ICD](images/icd-adv-shared-pc.png)
 
-- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For example, open PowerShell as an administrator and enter the following:
+- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
 
 ```
 $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"

windows/deployment/deploy-whats-new.md

@@ -7,7 +7,7 @@ ms.localizationpriority: medium
 ms.prod: w10
 ms.sitesec: library
 ms.pagetype: deploy
-ms.date: 11/06/2018
+ms.date: 12/07/2018
 author: greg-lindsay
 ---
 
@@ -16,7 +16,6 @@ author: greg-lindsay
 **Applies to**
 -   Windows 10
 
-
 ## In this topic
 
 This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization.
@@ -34,6 +33,12 @@ Microsoft is [extending support](https://www.microsoft.com/microsoft-365/blog/20
 
 ![Support lifecycle](images/support-cycle.png)
 
+## Windows 10 servicing and support
+
+Microsoft is [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions).  These support policies are summarized in the table below.
+
+![Support lifecycle](images/support-cycle.png)
+
 ## Windows 10 Enterprise upgrade
 
 Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md).

windows/deployment/index.yml

@@ -60,7 +60,7 @@ sections:
       Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment.
       <br>&nbsp;<br>
       <table border='0'><tr><td>Topic</td><td>Description</td></tr>
-      <tr><td>[Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) </td><td>Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices. </td>
+      <tr><td>[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) </td><td>Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices. </td>
       <tr><td>[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) </td><td>This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. </td>
       <tr><td>[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) </td><td>This topic provides information about support for upgrading from one edition of Windows 10 to another. </td>
       <tr><td>[Windows 10 volume license media](windows-10-media.md) </td><td>This topic provides information about media available in the Microsoft Volume Licensing Service Center. </td>

windows/deployment/s-mode.md

@@ -42,7 +42,7 @@ Worried about your line of business apps not working in S mode? [Desktop Bridge]
 
 ## Repackage Win32 apps into the MSIX format
 
-The [MSIX Packaging Tool](https:/docs.microsoft.com/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. This is another way to get your apps ready to run on Windows 10 in S mode.
+The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. This is another way to get your apps ready to run on Windows 10 in S mode.
 
 
 ## Related links

windows/deployment/update/waas-delivery-optimization-reference.txt

@@ -1,23 +0,0 @@
----
-title: Delivery Optimization reference
-description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
-keywords: oms, operations management suite, wdav, updates, downloads, log analytics
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: JaimeO
-ms.localizationpriority: medium
-ms.author: jaimeo
-ms.date: 10/23/2018
----
-
-# Delivery Optimization reference
-
-**Applies to**
-
-- Windows 10
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference.
-

windows/deployment/update/waas-delivery-optimization-setup.md

@@ -1,42 +0,0 @@
----
-title: Set up Delivery Optimization
-description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
-keywords: oms, operations management suite, wdav, updates, downloads, log analytics
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: JaimeO
-ms.localizationpriority: medium
-ms.author: jaimeo
-ms.date: 10/23/2018
----
-
-# Set up Delivery Optimization for Windows 10 updates
-
-**Applies to**
-
-- Windows 10
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-## Plan to use Delivery Optimization
-
-general guidelines + “recommended policies” chart
-
-
-## Implement Delivery Optimization
-[procedural-type material; go here, click this]
-
-### Peer[?] topology (steps for setting up Group download mode)
-
-
-### Hub and spoke topology (steps for setting up peer selection)
-
-
-## Monitor Delivery Optimization
-how to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how?
-
-### Monitor w/ PS
-
-### Monitor w/ Update Compliance
-

windows/deployment/update/waas-delivery-optimization.md

@@ -1,5 +1,5 @@
 ---
-title: Delivery Optimization for Windows 10 updates (Windows 10)
+title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
 description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
 keywords: oms, operations management suite, wdav, updates, downloads, log analytics
 ms.prod: w10
@@ -8,10 +8,10 @@ ms.sitesec: library
 author: JaimeO
 ms.localizationpriority: medium
 ms.author: jaimeo
-ms.date: 10/23/2018
+ms.date: 04/30/2018
 ---
 
-# Delivery Optimization for Windows 10 updates
+# Configure Delivery Optimization for Windows 10 updates
 
 
 **Applies to**
@@ -20,14 +20,15 @@ ms.date: 10/23/2018
 
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
-Delivery Optimization reduces the bandwidth needed to download Windows updates and applications by sharing the work of downloading these packages among multiple devices in your deployment. It does this by using a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers.
+Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager when installation of Express Updates is enabled.  
 
-You can use Delivery Optimization in conjunction with standalone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager (when installation of Express Updates is enabled).  
+Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet.
 
-To take advantage of Delivery Optimization, you'll need the following:
 
-- The devices being updated must have access to the internet.
-- The devices must be running at least these minimum versions:
+>[!NOTE]
+>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. 
+
+The following table lists the minimum Windows 10 version that supports Delivery Optimization:
 
 | Device type | Minimum Windows version |
 |------------------|---------------|
@@ -36,11 +37,10 @@ To take advantage of Delivery Optimization, you'll need the following:
 | IoT devices | 1803 |
 | HoloLens devices | 1803 |
 
- In Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. These options are detailed in [Download mode](#download-mode).
 
->[!NOTE]
->WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. 
+By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
 
+For more details, see [Download mode](#download-mode).
 
 ## Delivery Optimization options
 

windows/deployment/update/windows-analytics-privacy.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: jaimeo
 ms.author: jaimeo
-ms.date: 07/02/2018
+ms.date: 12/11/2018
 ms.localizationpriority: high
 ---
 
@@ -17,7 +17,7 @@ ms.localizationpriority: high
 Windows Analytics is fully committed to privacy, centering on these tenets:
 
 - **Transparency:** We fully document the Windows Analytics diagnostic events (see the links for additional information) so you can review them with your company’s security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details).
-- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics
+- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics
 - **Security:** Your data is protected with strong security and encryption
 - **Trust:** Windows Analytics supports the Microsoft Online Service Terms
 
@@ -39,8 +39,11 @@ See these topics for additional background information about related privacy iss
 
 - [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance)
 - [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
-- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) (link downloads a PDF file)
-- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
+- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965)
+- [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809)
+- [Windows 10, version 1803 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803)
+- [Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709)
+- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703)
 - [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields)
 - [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview)
 - [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)

windows/deployment/update/windows-as-a-service.md

@@ -0,0 +1,137 @@
+---
+title: Windows as a service  
+ms.prod: windows-10
+layout: LandingPage  
+ms.topic: landing-page
+ms.manager: elizapo
+author: lizap
+ms.author: elizapo  
+ms.date: 12/12/2018
+ms.localizationpriority: high
+---
+# Windows as a service
+
+Find the tools and resources you need to help deploy and support Windows as a service in your organization.
+
+## Latest news, videos, & podcasts
+
+Find the latest and greatest news on Windows 10 deployment and servicing.
+
+**Windows 10 monthly updates**
+> [!VIDEO https://www.youtube-nocookie.com/embed/BwB10v55WSk]      
+
+Windows 10 is the most secure version of Windows yet. Learn what updates we release and when we release them, so you understand the efforts we take to keep your digital life safe and secure.
+
+The latest news:
+<ul compact style="list-style: none"> 
+
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Measuring-Delivery-Optimization-and-its-impact-to-your-network/ba-p/301809#M409">Measuring Delivery Optimization and its impact to your network</a> - December 13, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181">LTSC: What is it, and when should it be used?</a> - November 29, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Local-Experience-Packs-What-are-they-and-when-should-you-use/ba-p/286841">Local Experience Packs: What are they and when should you use them?</a> - November 14, 2018</li>
+<li><a href="https://blogs.windows.com/windowsexperience/2018/11/13/resuming-the-rollout-of-the-windows-10-october-2018-update/#amAFU5YS1igMQRoB.97">Resuming the Rollout of the Windows 10 October 2018 Update</a> - November 13, 2018</li>
+<li><a href="https://blogs.windows.com/windowsexperience/2018/11/13/windows-10-quality-approach-for-a-complex-ecosystem/#9VlPpT2qGIlPAg5a.97">Windows 10 Quality Approach for a Complex Ecosystem</a> - November 13, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Delivery-Optimization-Scenarios-and-configuration-options/ba-p/280195">Delivery Optimization: Scenarios and Configuration Options</a> - October 30, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Language-pack-acquisition-and-retention-for-enterprise-devices/ba-p/275404">Language Pack Acquisition and Retention for Enterprise Devices</a> - October 18, 2018</li>
+<li><a href="https://blogs.windows.com/windowsexperience/2018/10/09/updated-version-of-windows-10-october-2018-update-released-to-windows-insiders/#MDZYGkj6ZehHyF1g.97">Updated Version of Windows 10 October 2018 Update Released to Windows Insiders</a> - October 9, 2018</li>
+<li><a href="https://blogs.windows.com/windowsexperience/2018/10/02/how-to-get-the-windows-10-october-2018-update/#T4LJQ3OzDkCR72em.97">How to get the Windows 10 October 2018 Update</a> - October 2, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Reduced-Windows-10-package-size-downloads-for-x64-systems/ba-p/262386">Reducing Windows 10 Package Size Downloads for x64 Systems</a> - September 26, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434">Windows 7 Servicing Stack Updates: Managing Change and Appreciating Cumulative Updates</a> - September 21, 2018</li>
+<li><a href="https://www.microsoft.com/en-us/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/">Helping customers shift to a modern desktop</a> - September 6, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-amp-Windows-Analytics-a-real-world/ba-p/242417#M228">Windows Update for Business & Windows Analytics: a real-world experience</a> - September 5, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-next-for-Windows-10-and-Windows-Server-quality-updates/ba-p/229461">What's next for Windows 10 and Windows Server quality updates</a> - August 16, 2018
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376">Windows 10 update servicing cadence</a> - August 1, 2018
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-quality-updates-explained-amp-the-end-of-delta/ba-p/214426">Windows 10 quality updates explained and the end of delta updates</a> - July 11, 2018
+<li><a href="https://blogs.windows.com/windowsexperience/2018/06/14/ai-powers-windows-10-april-2018-update-rollout/#67LrSyWdwgTyciSG.97">AI Powers Windows 10 April 2018 Update Rollout</a> - June 14, 2018
+<li><a href="https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/">Windows Server 2008 SP2 Servicing Changes</a> - June 12, 2018
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-Enhancements-diagnostics/ba-p/201978">Windows Update for Business - Enhancements, diagnostics, configuration</a> - June 7, 2018
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747">Windows 10 and the disappearing SAC-T</a> - May 31, 2018
+<li><a href="https://www.youtube.com/watch?v=EVzFIg_MhaE&t=5s">Manage update download size using Windows as a service</a> - March 30, 2018</li></ul>
+
+[See more news](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog)
+
+## IT pro champs corner
+Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing.
+
+<img src="images/champs-2.png" alt="" width="640" height="320">
+
+
+<a href="waas-servicing-differences.md">**NEW** Understanding the differences between servicing Windows 10-era and legacy Windows operating systems</a>
+
+<a href="https://docs.microsoft.com/windows-server/get-started/express-updates"><b>NEW</b> Express updates for Windows Server 2016 re-enabled for November 2018 update
+</a>
+
+<a href="https://support.microsoft.com/help/4472027/">2019 SHA-2 Code Signing Support requirement for Windows and WSUS</a>
+
+<a href="https://go.microsoft.com/fwlink/?linkid=2005509">Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices</a>
+
+## Discover
+
+Learn more about Windows as a service and its value to your organization.
+
+<img src="images/discover-land.png">
+
+<a href="waas-overview.md">Overview of Windows as a service</a>
+
+<a href="waas-quick-start.md">Quick guide to Windows as a service</a>
+
+<a href="windows-analytics-overview.md">Windows Analytics overview</a>
+
+<a href="../deploy-whats-new.md">What's new in Windows 10 deployment</a>
+
+<a href="https://channel9.msdn.com/events/Ignite/2015/BRK3303">How Microsoft IT deploys Windows 10</a></font>
+
+## Plan
+
+Prepare to implement Windows as a service effectively using the right tools, products, and strategies.
+
+<img src="images/plan-land.png" alt="" />
+
+<a href="https://www.microsoft.com/en-us/windowsforbusiness/simplified-updates">Simplified updates</a>
+
+<a href="https://www.microsoft.com/itpro/windows-10/end-user-readiness">Windows 10 end user readiness</a>
+
+<a href="https://developer.microsoft.com/windows/ready-for-windows#/">Ready for Windows</a>
+
+<a href="../upgrade/manage-windows-upgrades-with-upgrade-readiness.md">Manage Windows upgrades with Upgrade Readiness</a>
+
+<a href="https://www.microsoft.com/itshowcase/windows10deployment">Preparing your organization for a seamless Windows 10 deployment</a>
+
+## Deploy
+
+Secure your organization's deployment investment.
+
+<img src="images/deploy-land.png" alt="" />
+
+<a href="index.md">Update Windows 10 in the enterprise</a>
+
+<a href="https://www.microsoft.com/itshowcase/Article/Content/668/Deploying-Windows-10-at-Microsoft-as-an-inplace-upgrade">Deploying as an in-place upgrade</a>
+
+<a href="waas-configure-wufb.md">Configure Windows Update for Business</a>
+
+<a href="waas-optimize-windows-10-updates.md#express-update-delivery">Express update delivery</a>
+
+<a href="../planning/windows-10-deployment-considerations.md">Windows 10 deployment considerations</a>
+
+
+## Microsoft Ignite 2018
+<img src="images/ignite-land.jpg" alt="" width="640" height="320"/>
+
+Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service.
+
+[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor)
+
+[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor)
+
+[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor)
+
+[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor)
+
+[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor)
+
+[BRK3039: Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor)
+
+[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor)
+
+[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor)
+
+[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor)

windows/deployment/update/windows-update-troubleshooting.md

@@ -164,12 +164,12 @@ Users may see that Windows 10 is consuming all the bandwidth in the different of
 
 The following group policies can help mitigate this: 
  
-[Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) 
-[Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) 
-[Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) 
+- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled)
+- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update")
+- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled)
  
 Other components that reach out to the internet:
 
-- Windows Spotlight. [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) 
-- [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) 
-- Modern App- Windows Update installation fails. [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) 
+- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) 
+- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) 
+- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) 

windows/deployment/upgrade/upgrade-readiness-deployment-script.md

@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: jaimeo
-ms.date: 10/29/2018
+ms.date: 12/12/2018
 ---
 
 # Upgrade Readiness deployment script
@@ -83,232 +83,69 @@ To run the Upgrade Readiness deployment script:
 
 The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
 
-<div font-size='5pt;'>
-<table border='1' cellspacing='0' cellpadding='0' width="100%">
-    <tr>
-        <td BGCOLOR="#a0e4fa">Exit code and meaning</td>
-        <td BGCOLOR="#a0e4fa">Suggested fix</td>
-    </tr>
-    <tr><td>0 - Success</td>
-        <td>N/A</td>
-    </tr>
-    <tr>
-        <td>1 - Unexpected error occurred while executing the script.</td>
-        <td> The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again.</td>
-    </tr>
-    <tr>
-        <td>2 - Error when logging to console. $logMode = 0.<BR>(console only)</td>
-        <td>Try changing the $logMode value to **1** and try again.<BR>$logMode value 1 logs to both console and file.</td>
-    </tr>
-    <tr>
-        <td>3 - Error when logging to console and file. $logMode = 1.</td>
-        <td>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.</td>
-    </tr>
-    <tr>
-        <td>4 - Error when logging to file. $logMode = 2.</td>
-        <td>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.</td>
-    </tr>
-    <tr>
-        <td>5 - Error when logging to console and file. $logMode = unknown.</td>
-        <td>Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.</td>
-    </tr>
-    <tr>
-        <td>6 - The commercialID parameter is set to unknown. <BR>Modify the runConfig.bat file to set the CommercialID value.</td>
-        <td>The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. 
-        <BR>See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace.</td>
-    </tr>
-    <tr>
-        <td>8 - Failure to create registry key path: <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
-\CurrentVersion\Policies\DataCollection**</font></td>
-        <td>The Commercial Id property is set at the following registry key path: <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
-\CurrentVersion\Policies\DataCollection**</font>
-        <BR>Verify that the context under which the script in running has access to the registry key.</td>
-    </tr>
-    <tr>
-        <td>9 - The script failed to write Commercial Id to registry.
-        <BR>Error creating or updating registry key: **CommercialId** at <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
-\CurrentVersion\Policies\DataCollection**</font>
-        </td> 
-        <td>Verify that the context under which the script in running has access to the registry key.</td>
-    </tr>
-    <tr>
-        <td>10 - Error when writing **CommercialDataOptIn** to the registry at <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
-\CurrentVersion\Policies\DataCollection**</font></td>
-        <td>Verify that the deployment script is running in a context that has access to the registry key.</td>
-    </tr>
-    <tr>
-        <td>11 - Function **SetupCommercialId** failed with an unexpected exception.</td>
-        <td>The **SetupCommercialId** function updates the Commercial Id at the registry key path: <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
-\CurrentVersion\Policies\DataCollection**</font> <BR>Verify that the configuration script has access to this location.</td>
-    </tr>
-    <tr>
-        <td>12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings.</td>
-        <td>**Http Get** on the end points did not return a success exit code.<BR>
-        For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive.<BR>
-        For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive.  
-        <BR>If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md)
-    <tr>
-        <td>13 - Can’t connect to Microsoft - setting. </td>
-        <td>An error occurred connecting to  https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. 
-14 </td>
-    </tr>
-    <tr>
-        <td>14 - Can’t connect to Microsoft - compatexchange.</td>
-        <td>An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md).</td>
-    </tr>
-    <tr>
-        <td>15 - Function CheckVortexConnectivity failed with an unexpected exception.</td>
-        <td>This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult.</td>
-    </tr>
-    <tr>
-        <td>16 - The computer requires a reboot before running the script.</td>
-        <td>A reboot is required to complete the installation of the compatibility update and related KBs. Reboot the computer before running the Upgrade Readiness deployment script.</td>
-    </tr>
-    <tr>
-        <td>17 - Function **CheckRebootRequired** failed with an unexpected exception.</td>
-        <td>A reboot is required to complete installation of the compatibility update and related KBs. Check the logs for the exception message and the HResult.</td>
-    </tr>
-    <tr>
-        <td>18 - Appraiser KBs not installed or **appraiser.dll** not found.</td>
-        <td>Either the Appraiser KBs are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic.</td>
-    </tr>
-    <tr>
-        <td>19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception.</td>
-        <td>Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed.</td> 
-    </tr>
-    <tr>
-        <td>20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at <font size='1'>**HKLM:\SOFTWARE\Microsoft\WindowsNT
-\CurrentVersion\AppCompatFlags\Appraiser**</font> </td>
-        <td>The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. </td>
-    </tr>
-    <tr>
-        <td>21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception.</td>
-        <td>Check the logs for the exception message and HResult.</td>
-    </tr>
-    <tr>
-        <td>22 - **RunAppraiser** failed with unexpected exception.</td>
-        <td>Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file.</td>
-    </tr>
-    <tr>
-        <td>23 - Error finding system variable **%WINDIR%**.</td>
-        <td>Verify that this environment variable is configured on the computer.</td>
-    </tr>   
-    <tr>
-        <td>24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
-\CurrentVersion\Policies\DataCollection**</font></td>
-        <td>This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult.</td>
-    </tr>
-    <tr>
-        <td>25 - The function **SetIEDataOptIn** failed with unexpected exception.</td>
-        <td>Check the logs for the exception message and HResult.</td>
-    </tr>
-        <tr>
-        <td>27 - The script is not running under **System** account.</td>
-        <td>The Upgrade Readiness configuration script must be run as **System**. </td>
-    </tr>
-    <tr>
-        <td>28 - Could not create log file at the specified **logPath**.</td>
-        <td> Make sure the deployment script has access to the location specified in the **logPath** parameter.</td>
-    </tr>
-    <tr>
-        <td>29 - Connectivity check failed for proxy authentication. </td>
-        <td>Instal cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting.
-            <BR>The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.  
-            <BR>For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). 
-            <BR>For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688).</td>
-    </tr>
-    <tr>
-        <td>30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled.</td>
-        <td>The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.  
-        <BR>For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). 
-        <BR>For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).</td>
-    </tr>
-    <tr>
-        <td>31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. </td>
-        <td>Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m.</td>
-    </tr>
-    <tr>
-        <td>32 - Appraiser version on the machine is outdated. </td>
-        <td>The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1.</td>
-    </tr>
-    <tr>
-        <td>33 - **CompatTelRunner.exe** exited with an exit code </td>
-        <td>**CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow.</td>
-    </tr>
-    <tr>
-        <td>34 - Function **CheckProxySettings** failed with an unexpected exception. </td>
-        <td>Check the logs for the exception message and HResult.></td>
-    </tr>
-    <tr>
-        <td>35 - Function **CheckAuthProxy** failed with an unexpected exception.</td>
-        <td>Check the logs for the exception message and HResult.</td>
-    </tr>
-    <tr>
-        <td>36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception.</td>
-        <td>Check the logs for the exception message and HResult.</td>
-    </tr>
-    <tr>
-        <td>37 - **Diagnose_internal.cmd** failed with an unexpected exception.</td>
-        <td>Check the logs for the exception message and HResult.</td>
-    </tr>
-    <tr>
-        <td>38 - Function **Get-SqmID** failed with an unexpected exception. </td>
-        <td>Check the logs for the exception message and HResult.</td>
-    </tr>
-    <tr>
-        <td>39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path <font size='1'>**HKLM:\SOFTWARE\Policies\Microsoft
-\Windows\DataCollection**</font>
-        or <font size='1'>**HKLM:\SOFTWARE\Microsoft\Windows
-\CurrentVersion\Policies\DataCollection**</font></td>
-        <td>For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization).</td>
-    </tr>
-    <tr>
-        <td>40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. </td>
-        <td>Check the logs for the exception message and HResult.</td>
-    </tr>
-    <tr>
-        <td>41 - The script failed to impersonate the currently logged on user. </td>
-        <td>The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the logged on user. The script also tries to mimic this, but the process failed.</td>
-    </tr>
-    <tr>
-        <td>42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. </td> 
-        <td>Check the logs for the exception message and HResult.</td>
-    </tr>
-    <tr>
-        <td>43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception.</td>
-        <td>Check the logs for the exception message and HResult.</td>
-    </tr>
-<tr>
-        <td>44 - Diagtrack.dll version is old, so Auth Proxy will not work.</td>
-        <td>Update the PC using Windows Update/Windows Server Update Services.</td>
-    </tr>
-<tr>
-        <td>45 - Diagrack.dll was not found.</td>
-        <td>Update the PC using Windows Update/Windows Server Update Services.</td>
-    </tr>
-<tr>
-        <td>48 - **CommercialID** mentioned in RunConfig.bat should be a GUID.</td>
-        <td>**CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**.</td>
-    </tr>
-<tr>
-        <td>50 - Diagtrack Service is not running.</td>
-        <td>Diagtrack Service is required to send data to Microsoft. Enable and run the 'Connected User Experiences and Telemetry' service. </td>
-    </tr>
-<tr>
-        <td>51 - RunCensus failed with an unexpected exception.</td>
-        <td>RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details. </td>
-    </tr>
-<tr>
-        <td>52 - DeviceCensus.exe not found on a Windows 10 machine.</td>
-        <td>On computers running Windows 10, the process devicecensus.exe should be present in the <windows directory>\system32 folder. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. </td>
-    </tr>
-<tr>
-        <td>53 - There is a different CommercialID present at the GPO path:  <font size="1">**HKLM:\SOFTWARE\Policies\Microsoft
-\Windows\DataCollection**</font>. This will take precedence over the CommercialID provided in the script.</td>
-        <td>Provide the correct CommercialID at the GPO location. </td>
-    </tr>
-</table>
-</div>
+| Exit code | Suggested fix |
+|-----------|--------------|
+| 0 - Success | N/A |
+| 1 - Unexpected error occurred while executing the script. | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. |
+| 2 - Error when logging to console. $logMode = 0. (console only) | Try changing the $logMode value to **1** and try again. $logMode value 1 logs to both console and file.  |
+| 3 - Error when logging to console and file. $logMode = 1. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
+| 4 - Error when logging to file. $logMode = 2. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
+| 5 - Error when logging to console and file. $logMode = unknown. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
+| 6 - The commercialID parameter is set to unknown. | Modify the runConfig.bat file to set the CommercialID value. The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace. |
+| 8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection**. The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
+| 9 - The script failed to write Commercial Id to registry.  
+Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
+| 10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the deployment script is running in a context that has access to the registry key. |
+| 11 - Function **SetupCommercialId** failed with an unexpected exception. The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the configuration script has access to this location. |
+| 12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings. | **Http Get** on the end points did not return a success exit code. For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive. For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) |
+| 13 - Can’t connect to Microsoft - setting. | An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. |
+| 14 - Can’t connect to Microsoft - compatexchange. An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). |
+| 15 - Function CheckVortexConnectivity failed with an unexpected exception. | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult. |
+| 16 - The computer requires a reboot before running the script. | Restart the device to complete the installation of the compatibility update and related updates. Reboot the computer before running the Upgrade Readiness deployment script. |
+| 17 - Function **CheckRebootRequired** failed with an unexpected exception. | Restart the device to complete installation of the compatibility update and related updates. Check the logs for the exception message and the HResult. |
+|18 - Appraiser KBs not installed or **appraiser.dll** not found. | Either the Appraiser-related updates are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic. |
+| 19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception. | Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed. |
+| 20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\WindowsNT \CurrentVersion\AppCompatFlags\Appraiser** | The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. |
+| 21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 22 - **RunAppraiser** failed with unexpected exception. | Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file. |
+| 23 - Error finding system variable **%WINDIR%**. | Verify that this environment variable is configured on the computer. |
+| 24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult. |
+| 25 - The function **SetIEDataOptIn** failed with unexpected exception. | Check the logs for the exception message and HResult. |
+| 27 - The script is not running under **System** account. | The Upgrade Readiness configuration script must be run as **System**. |
+| 28 - Could not create log file at the specified **logPath**. | Make sure the deployment script has access to the location specified in the **logPath** parameter. |
+| 29 - Connectivity check failed for proxy authentication. | Install cumulative updates on the device and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688). |
+| 30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. | The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). |
+| 31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. Use Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled by default to run daily at 0300. |
+| 32 - Appraiser version on the machine is outdated. | The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1. |
+| 33 - **CompatTelRunner.exe** exited with an exit code | **CompatTelRunner.exe** runs the appraise task on the device. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow. |
+| 34 - Function **CheckProxySettings** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 35 - Function **CheckAuthProxy** failed with an unexpected exception. Check the logs for the exception message and HResult. |
+| 36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 37 - **Diagnose_internal.cmd** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 38 - Function **Get-SqmID** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection** or **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | For Windows 10 devices, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will return an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
+| 40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 41 - The script failed to impersonate the currently logged on user. | The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the user that is logged on. The script also tries to mimic this, but the process failed. |
+| 42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 44 - Diagtrack.dll version is old, so Auth Proxy will not work. | Update the device using Windows Update or Windows Server Update Services. |
+| 45 - Diagrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. |
+| 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. | Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**. |
+| 50 - Diagtrack Service is not running. | The Diagtrack service is required to send data to Microsoft. Enable and run the "Connected User Experiences and Telemetry" service. |
+| 51 - RunCensus failed with an unexpected exception. | RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details. |
+| 52 - DeviceCensus.exe not found on a Windows 10 machine. | On computers running Windows 10, the process devicecensus.exe should be present in the \system32 directory. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. |
+| 53 - There is a different CommercialID present at the GPO path: **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection**. This will take precedence over the CommercialID provided in the script. | Provide the correct CommercialID at the GPO location. |
+| 54 - Microsoft Account Sign In Assistant Service is Disabled. | This service is required for devices running Windows 10. The diagnostic data client relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client. |
+| 55 - SetDeviceNameOptIn function failed to create registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | The function SetDeviceNameOptIn sets the registry key value which determines whether to send the device name in diagnostic data. The function tries to create the registry key path if it does not already exist. Verify that the account has the correct permissions to change or add registry keys. |
+| 56 - SetDeviceNameOptIn function failed to create property AllowDeviceNameInTelemetry at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys.|
+| 57 - SetDeviceNameOptIn function failed to update AllowDeviceNameInTelemetry property to value 1 at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys. |
+| 58 - SetDeviceNameOptIn function failed with unexpected exception | The function SetDeviceNameOptIn failed with an unexpected exception. |
+| 59 - CleanupOneSettings failed to delete LastPersistedEventTimeOrFirstBoot property at registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack** |The CleanupOneSettings function clears some of the cached values needed by the Appraiser which is the data collector on the monitored device. This helps in the download of the most recent for accurate running of the data collector. Verify that the account has the correct permissions to change or add registry keys. |
+| 60 - CleanupOneSettings failed to delete registry key: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ Diagnostics\Diagtrack\SettingsRequests** | Verify that the account has the correct permissions to change or add registry keys. |
+| 61 - CleanupOneSettings failed with an exception | CleanupOneSettings failed with an unexpected exception. |
+
+
+
 
 
 >[!NOTE]

windows/deployment/volume-activation/active-directory-based-activation-overview.md

@@ -7,18 +7,29 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: greg-lindsay
-ms.date: 04/19/2017
+ms.date: 12/07/2018
 ---
 
-# Active Directory-Based Activation Overview
+# Active Directory-Based Activation overview
 
 Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company’s domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain.
 
-## Active Directory-Based Activation Scenarios
+## ADBA scenarios
 
-VAMT enables IT Professionals to manage and activate the Active Directory-Based Activation object. Activation can be performed by using a scenario such as the following:
--   Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the Active Directory-Based Activation Object a name.
--   Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the Active Directory-Based Activation Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function.
+You might use ADBA if you only want to activate domain joined devices.
+
+If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. This is not necessary When ADBA is used. 
+
+ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. This is simpler than using the DNS service to load balance by configuring priority and weight values.
+
+Some VDI solutions also require that new clients activate during creation before they are added to the pool. In this scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage. 
+
+
+## ADBA methods
+
+VAMT enables IT Professionals to manage and activate the ADBA object. Activation can be performed using the following methods:
+-   Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name.
+-   Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function.
 
 ## Related topics
 

windows/deployment/windows-autopilot/TOC.md

@@ -1,16 +1,15 @@
 # [Windows Autopilot](windows-autopilot.md)
 ## [Requirements](windows-autopilot-requirements.md)
 ### [Configuration requirements](windows-autopilot-requirements-configuration.md)
+#### [Intune Connector (preview)](intune-connector.md)
 ### [Network requirements](windows-autopilot-requirements-network.md)
 ### [Licensing requirements](windows-autopilot-requirements-licensing.md)
-### [Intune Connector (preview)](intune-connector.md)
 ## [Scenarios and Capabilities](windows-autopilot-scenarios.md)
 ### [Support for existing devices](existing-devices.md)
 ### [User-driven mode](user-driven.md)
 #### [Azure Active Directory joined](user-driven-aad.md)
 #### [Hybrid Azure Active Directory joined](user-driven-hybrid.md)
 ### [Self-deploying mode](self-deploying.md)
-### [Enrollment status page](enrollment-status.md)
 ### [Windows Autopilot Reset](windows-autopilot-reset.md)
 #### [Remote reset](windows-autopilot-reset-remote.md)
 #### [Local reset](windows-autopilot-reset-local.md)
@@ -18,6 +17,7 @@
 ### [Configuring](configure-autopilot.md)
 #### [Adding devices](add-devices.md)
 #### [Creating profiles](profiles.md)
+#### [Enrollment status page](enrollment-status.md)
 ### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
 ### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
 ### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)

windows/deployment/windows-autopilot/add-devices.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 12/12/2018
 ---
 
 # Adding devices to Windows Autopilot
@@ -20,6 +20,20 @@ ms.date: 10/02/2018
 
 Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
 
+## Manual registration
+
+To perform manual registration of a device, you must caputure its hardware ID (also known as a hardware hash) and upload this to the Windows Autopilot deployment service. See the topics below for detailed information on how to collect and upload hardware IDs.
+
+>[!IMPORTANT]
+>Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**. <br>
+>After Intune reports the profile ready to go, only then should the device be connected to the Internet.
+
+Also note that if OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries:
+
+**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE** 
+
+To ensure OOBE has not been restarted too many times, you can change this value to 1.
+
 ## Device identification
 
 To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation.
@@ -32,28 +46,26 @@ Note that the hardware hash also contains details about when it was generated, s
 
 The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo).
 
-To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, these commands can be used:
+To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt:
 
-*md c:\\HWID*
+```powershell
+md c:\\HWID
+Set-Location c:\\HWID
+Set-ExecutionPolicy Unrestricted
+Install-Script -Name Get-WindowsAutoPilotInfo
+Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
+```
 
-*Set-Location c:\\HWID*
-
-*Set-ExecutionPolicy Unrestricted*
-
-*Install-Script -Name Get-WindowsAutoPilotInfo*
-
-*Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv*
-
-You must run this PowerShell script with administrator privileges (elevated). It can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information.
+The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script.
 
 >[!NOTE]
->With Windows 10 version 1803 and above, devices will download an Autopilot profile as soon as they connect to the internet. For devices that are not yet registered with the Autopilot deployment service, a profile will be downloaded that indicates the device should not be deployed using Autopilot. If the device connects to the internet as part of the collection process, you will need to reset the PC, reimage the PC, or re-generalize the OS (using sysprep /generalize /oobe).
+>If you will connect to the device remotely to collect the hardware ID, see the information at the top of this page about device connectivity to the Internet. 
 
 ## Collecting the hardware ID from existing devices using System Center Configuration Manager
 
 Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details.
 
-## Uploading hardware IDs
+## Registering devices
 
 Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism:
 

windows/deployment/windows-autopilot/configure-autopilot.md

@@ -26,7 +26,10 @@ When deploying new devices using Windows Autopilot, a common set of steps are re
 
 2.  [Assign a profile of settings to each device](profiles.md), specifying how the device should be deployed and what user experience should be presented.
 
-3.  Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download the profile settings which are used to customize the end user experience.
+3.  Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience.
 
 <img src="./images/image2.png" width="511" height="249" />
 
+## Related topics
+
+[Windows Autopilot scenarios](windows-autopilot-scenarios.md)

windows/deployment/windows-autopilot/enrollment-status.md

@@ -10,7 +10,7 @@ ms.pagetype: deploy
 ms.localizationpriority: medium
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 11/01/2018
+ms.date: 12/13/2018
 ---
 
 # Windows Autopilot Enrollment Status page
@@ -33,6 +33,7 @@ The Windows Autopilot Enrollment Status page displaying the status of the comple
 <tr><td>Show error when installation takes longer than specified number of minutes<td colspan="2">Specify the number of minutes to wait for installation to complete. A default value of 60 minutes is entered.
 <tr><td>Show custom message when an error occurs<td>A text box is provided where you can specify a custom message to display in case of an installation error.<td>The default message is displayed: <br><b>Oh no! Something didn't do what it was supposed to.  Please contact your IT department.<b>
 <tr><td>Allow users to collect logs about installation errors<td>If there is an installation error, a <b>Collect logs</b> button is displayed. <br>If the user clicks this button they are asked to choose a location to save the log file <b>MDMDiagReport.cab</b><td>The <b>Collect logs</b> button is not displayed if there is an installation error.
+<tr><td>Block device use until these required apps are installed if they are assigned to the user/device<td colspan="2">Choose <b>All</b> or <b>Selected</b>. <br><br>If <b>Selected</b> is chosen, a <b>Select apps</b> button is displayed that enables you to choose which apps must be installed prior to enabling device use.
 </table>
 
 See the following example:
@@ -48,13 +49,20 @@ The Enrollment Status page tracks a subset of the available MDM CSP policies tha
     - Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisedesktopappmanagement-csp).
 - Certain device configuration policies.
 
-Presently the following types of policies are not tracked:
+The following types of policies and installations are not tracked:
 
-- Intune Management Extensions PowerShell scripts.
-- Office 365 ProPlus installations.
-- System Center Configuration Manager apps, packages, and task sequences.
+- Intune Management Extensions PowerShell scripts
+- Office 365 ProPlus installations<sup>**</sup>
+- System Center Configuration Manager apps, packages, and task sequences
 
-## For more information
+<sup>**</sup>The ability to track Office 365 ProPlus installations was added with Windows 10, version 1809.<br>
+
+## More information
+
+For more information on configuring the Enrollment Status page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).<br>
+For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).<br>
+For more information about blocking for app installation:
+- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/).
+- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514).
 
-For more information on configuring the Enrollment Status page, [see the Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).  For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
 

windows/deployment/windows-autopilot/profiles.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 12/13/2018
 ---
 
 # Configure Autopilot profiles
@@ -18,7 +18,29 @@ ms.date: 10/02/2018
 
 -   Windows 10
 
-For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied to specify the exact behavior of that device when it is deployed. The following profile settings are available:
+For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices).
+
+## Profile download
+
+When an Internet-connected Windows 10 device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. Note: It is important that a profile exists at this stage so that a blank profile is not cached locally on the PC. To remove the currently cached local profile in Windows 10 version 1803 and earlier, it is necessary to re-generalize the OS using **sysprep /generalize /oobe**, reinstall the OS, or re-image the PC. In Windows 10 version 1809 and later, you can retrieve a new profile by rebooting the PC.
+
+When a profile is downloaded depends on the version of Windows 10 that is running on the PC. See the following table.
+
+| Windows 10 version | Profile download behavior |
+| --- | --- |
+| 1703 and 1709 | The profile is downloaded after the OOBE network connection page. This page is not displayed when using a wired connection. In this case, the profile is downloaded just prior to the EULA screen. |
+| 1803 | The profile is downloaded as soon as possible.  If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. |
+| 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. |
+
+If you need to reboot a computer during OOBE: 
+- Press Shift-F10 to open a command prompt.
+- Enter **shutdown /r /t 0** to restart immediately, or **shutdown /s /t 0** to shutdown immediately.
+
+For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options).
+
+## Profile settings
+
+The following profile settings are available:
 
 -   **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process.
 
@@ -33,3 +55,7 @@ For each device that has been defined to the Windows Autopilot deployment servic
 -   **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users.
 
 -   **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details.
+
+## Related topics
+
+[Configure Autopilot deployment](configure-autopilot.md)

windows/deployment/windows-autopilot/windows-10-autopilot.md

@@ -1,144 +0,0 @@
----
-title: Overview of Windows Autopilot
-description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-author: greg-lindsay
-ms.author: greg-lindsay
-ms.date: 10/02/2018
----
-
-# Overview of Windows Autopilot
-
-**Applies to**
-
--   Windows 10
-
-Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.</br>
-This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
-
-The following video shows the process of setting up Autopilot:
-
-</br>
-<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
-
-## Benefits of Windows Autopilot
-
-Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach.
-
-From the users' perspective, it only takes a few simple operations to make their device ready to use.
-
-From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated.
-
-## Windows Autopilot Scenarios
-
-### Cloud-Driven
-
-The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side.
-
-#### The Windows Autopilot Deployment Program experience
-
-The Windows Autopilot Deployment Program enables you to:
-* Automatically join devices to Azure Active Directory (Azure AD)
-* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites))
-* Restrict the Administrator account creation
-* Create and auto-assign devices to configuration groups based on a device's profile
-* Customize OOBE content specific to the organization
-
-##### Prerequisites
-
->[!NOTE]
->Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory.  Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release.  See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
-
-* [Devices must be registered to the organization](#device-registration-and-oobe-customization)
-* [Company branding needs to be configured](#configure-company-branding-for-oobe)
-* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements)
-* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
-* Devices must have access to the internet
-* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features)
-* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal)
-* Microsoft Intune or other MDM services to manage your devices
-
-The end-user unboxes and turns on a new device. What follows are a few simple configuration steps:
-* Select a language and keyboard layout
-* Connect to the network
-* Provide email address (the email address of the user's Azure AD account) and password
-
-Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service).
-
-MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date.
-
-</br>
-<iframe width="560" height="315" align="center" src="https://www.youtube-nocookie.com/embed/4K4hC5NchbE" frameborder="0" allowfullscreen></iframe>
-
-#### Device registration and OOBE customization
-
-To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf.
-
-If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID.
-
-Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703:
-* Skipping Work or Home usage selection (*Automatic*)
-* Skipping OEM registration, OneDrive and Cortana (*Automatic*)
-* Skipping privacy settings
-* Skipping EULA (*starting with Windows 10, version 1709*)
-* Preventing the account used to set-up the device from getting local administrator permissions
-
-For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options:
-* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
-* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
-* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
-
-##### Configure company branding for OOBE
-
-In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first.
-
-See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings.
-
-##### Configure MDM auto-enrollment in Microsoft Intune
-
-In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Microsoft Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details.
-
->[!NOTE]
->MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription.
-
-#### Network connectivity requirements
-
-The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices.
-
-To manage devices behind firewalls and proxy servers, the following URLs need to be accessible:
-
-* https://go.microsoft.com
-* https://login.microsoftonline.com
-* https://login.live.com
-* https://account.live.com
-* https://signup.live.com
-* https://licensing.mp.microsoft.com
-* https://licensing.md.mp.microsoft.com
-* ctldl.windowsupdate.com
-* download.windowsupdate.com
-
->[!NOTE]
->Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible.
-
->[!TIP]
->If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidelines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
-
-### IT-Driven
-
-If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
-
-
-### Self-Deploying
-
-Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. see [Windows Autopilot Self-Deploying mode (Preview)] (/windows/deployment/windows-autopilot/self-deploying).
-
-
-### Teacher-Driven
-
-If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details.
-

windows/deployment/windows-autopilot/windows-autopilot-requirements.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 12/13/2018
 ---
 
 # Windows Autopilot requirements
@@ -18,6 +18,14 @@ ms.date: 10/02/2018
 
 Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune.  In order to use Windows Autopilot and leverage these capabilities, some requirements must be met:
 
--   [Licensing requirements](windows-autopilot-requirements-licensing.md) must be met.
--   [Networking requirements](windows-autopilot-requirements-network.md) need to be met.
--   [Configuration requirements](windows-autopilot-requirements-configuration.md) need to be completed.
+See the following topics for details on licensing, network, and configuration requirements:
+- [Licensing requirements](windows-autopilot-requirements-licensing.md)
+- [Networking requirements](windows-autopilot-requirements-network.md)
+- [Configuration requirements](windows-autopilot-requirements-configuration.md)
+    - For details about specific configuration requirements to enable user-driven Hybrid Azure Active Directory join for Windows Autopilot, see [Intune Connector (preview) language requirements](intune-connector.md). This requirement is a temporary workaround, and will be removed in the next release of Intune Connector. 
+
+There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
+
+## Related topics
+
+[Configure Autopilot deployment](configure-autopilot.md)