diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md index d82cbe9b63..a93c3a283c 100644 --- a/education/get-started/get-started-with-microsoft-education.md +++ b/education/get-started/get-started-with-microsoft-education.md @@ -1,7 +1,7 @@ --- title: Deploy and manage a full cloud IT solution with Microsoft Education description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. -keywords: education, Microsoft Education, Microsoft Education system, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Azure AD, Set up School PCs +keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -27,6 +27,7 @@ Hello, IT administrators! In this walkthrough, we'll show you how you can quickl - **Office 365 for Education** provides online apps for work from anywhere and desktop apps for advanced functionality, built for working together and available across devices, and it's free for schools, teachers, and students - **School Data Sync** to help automate the process for importing and integrating School Information System (SIS) data that you can use with Office 365 - **OneNote Class Notebook** to organize course content, create and deliver interactive lessons to some or all students, collaborate and provide private feedback to individual students, and connect with major LMS and SIS partners for assignment workflow +- **Microsoft Teams** to bring conversations, content, and apps together in one place and create collaborate classrooms, connect in professional learning communities, and communicate with school staff - **Learning Tools** are moving beyond the OneNote desktop app and is now available in Office Lens, OneNote Online, Word Online, and Word desktop - **Whiteboard** to create interactive lessons on the big screen, share and collaborate real-time by connecting to Class Notebook and Classroom - **Windows 10, version 1703 (Creators Update)** which brings 3D for everyone and other new and updated Windows features @@ -43,6 +44,7 @@ Go to the Mi In this walkthrough, we'll show you the basics on how to: - Acquire an Office 365 for Education tenant, if you don't already have one - Import school, student, teacher, and class data using School Data Sync (SDS) +- Deploy Microsoft Teams to enable groups and teams in your school to communicate and collaborate - Manage apps and settings deployment with Intune for Education - Acquire additional apps in Microsoft Store for Education - Use the Set up School PCs app to quickly set up and provision your Windows 10 education devices 
@@ -52,7 +54,7 @@ This diagram shows a high-level view of what we cover in this walkthrough. The n **Figure 1** - Microsoft Education IT administrator workflow -![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft-education-get-started-workflow.png) +![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft_education_it_getstarted_workflow.png) ## Prerequisites Complete these tasks before you start the walkthrough: @@ -116,7 +118,7 @@ Already have an Office 365 for Education verified tenant? Just sign in with your ![Intune for Education trial sign in page](images/i4e_trialsigninpage.png) 3. Enter your Office 365 global admin credentials to apply the Intune for Education trial to your tenant. -4. Skip ahead and follow the instructions in the walkthrough beginning with [3. Configure Microsoft Store for Education](#3-configure-microsoft-store-for-education). +4. Skip ahead and follow the instructions in the walkthrough beginning with [4. Configure Microsoft Store for Education](#4-configure-microsoft-store-for-education). ## 1. Set up a new Office 365 for Education tenant @@ -131,7 +133,7 @@ Don't have an Office 365 for Education verified tenant or just starting out? Fol ![Create an Office 365 account](images/o365_createaccount.png) -3. Save your sign-in info so you can use it to sign into https://portal.office.com (the sign-in page). Click **You're ready to go...** +3. Save your sign-in info so you can use it to sign in to https://portal.office.com (the sign-in page). Click **You're ready to go...** 4. In the **Verify eligibility for Microsoft Office 365 for Education** screen: 1. Add your domain name and follow the steps to confirm ownership of the domain. 2. Choose your DNS hosting provider to see step-by-step instructions on how to confirm that you own the domain. 
@@ -140,7 +142,7 @@ Don't have an Office 365 for Education verified tenant or just starting out? Fol You may need to fill in other information to provide that you qualify for an education tenant. Provide and submit the info to Microsoft to continue verification for your tenant. -As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [6.3 Complete Office 365 for Education setup](#63-complete-office-365-education-setup) for info. +As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [7.3 Complete Office 365 for Education setup](#73-complete-office-365-education-setup) for info. ## 2. Use School Data Sync to import student data 
@@ -240,7 +242,7 @@ The Classroom application is retired, but you will need to assign the Classroom 3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created. 4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default. 5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files. - 6. In the **License Options** section, check the box to allow users being created to receive an Office 365 license. + 6. In the **License Options** section, check the box to enable the Classroom Preview license for all synced students and teachers within the sync profile. 7. Check the **Intune for Education** checkbox to allow users to receive the Intune for Education license and to create the SDS dynamic groups and security groups, which be used within Intune for Education. 8. Click **Next**. 
@@ -295,35 +297,68 @@ The Classroom application is retired, but you will need to assign the Classroom That's it for importing sample school data using SDS. -## 3. Configure Microsoft Store for Education +## 3. Enable Microsoft Teams for your school +Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education. + +To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school. + +**Enable Microsoft Teams for your school** + +1. Sign in to Office 365 with your work or school account. +2. Click **Admin** to go to the Office 365 admin center. +3. Go to **Settings > Services & add-ins**. +4. On the **Services & add-ins** page, select **Microsoft Teams**. + + **Figure 14** - Select Microsoft Teams from the list of services & add-ins + + ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png) + +5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. + + **Figure 15** - Select the license that you want to configure + + ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png) + +6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization. + + **Figure 16** - Turn on Microsoft Teams for your organization + + ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png) + +7. Click **Save**. 
+ +You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins** getting started guide in the Meet Microsoft Teams page. + +## 4. Configure Microsoft Store for Education You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education. **Associate your Microsoft Store account with Intune for Education** -1. Sign into Microsoft Store for Education. + +1. Sign in to Microsoft Store for Education. 2. Accept the Microsoft Store for Business and Education Services Agreement. This will take you to the Microsoft Store for Education portal. - **Figure 14** - Microsoft Store for Education portal + **Figure 17** - Microsoft Store for Education portal ![Microsoft Store for Education portal](images/msfe_store_portal.png) 3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page. 4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**. - **Figure 15** - Select management tools from the list of Store settings options + **Figure 18** - Select management tools from the list of Store settings options ![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png) 4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education. - **Figure 16** - Activate Intune for Education as the management tool + **Figure 19** - Activate Intune for Education as the management tool ![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png) Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next. -## 4. 
Use Intune for Education to manage groups, apps, and settings +## 5. Use Intune for Education to manage groups, apps, and settings Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation. ### Example - Set up Intune for Education, buy apps from the Store, and install the apps @@ -351,20 +386,20 @@ Intune for Education provides an **Express configuration** option so you can get 1. Log into the Intune for Education console. You will see the Intune for Education dashboard once you're logged in. - **Figure 17** - Intune for Education dashboard + **Figure 20** - Intune for Education dashboard ![Intune for Education dashboard](images/i4e_portal.png) 2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left. 3. In the **Welcome to Intune for Education** screen, click **Get started**. - **Figure 18** - Click Get started to set up Intune for Education + **Figure 21** - Click Get started to set up Intune for Education ![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png) 4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**. - **Figure 19** - SDS is configured + **Figure 22** - SDS is configured ![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png) 
@@ -377,7 +412,7 @@ Intune for Education provides an **Express configuration** option so you can get > [!TIP] > At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it! > - > **Figure 20** - Click on the buttons to go back to that step + > **Figure 23** - Click on the buttons to go back to that step > > ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png) @@ -390,7 +425,7 @@ Intune for Education provides an **Express configuration** option so you can get > [!TIP] > Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**. - **Figure 21** - Choose the apps that you want to install for the group + **Figure 24** - Choose the apps that you want to install for the group ![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png) @@ -400,7 +435,7 @@ Intune for Education provides an **Express configuration** option so you can get 8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group. - **Figure 22** - Expand the settings group to get more details + **Figure 25** - Expand the settings group to get more details ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png) 
@@ -408,20 +443,20 @@ Intune for Education provides an **Express configuration** option so you can get - In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**. - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**. - **Figure 23** - Set some additional settings + **Figure 26** - Set some additional settings ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png) 10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply. - **Figure 24** - Review the group, apps, and settings you configured + **Figure 27** - Review the group, apps, and settings you configured ![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png) 11. Click **Save** to end express configuration. 12. You will see the **You're done!** screen which lets you choose one of two options. - **Figure 25** - All done with Intune for Education express configuration + **Figure 28** - All done with Intune for Education express configuration ![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png) 
@@ -438,13 +473,13 @@ Intune for Education provides an **Express configuration** option so you can get 1. In the Intune for Education console, click **Apps** from the menu on the left. - **Figure 26** - Click on **Apps** to see the list of apps for your tenant + **Figure 29** - Click on **Apps** to see the list of apps for your tenant ![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png) 2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in. - **Figure 27** - Select the option to add a new Store app + **Figure 30** - Select the option to add a new Store app ![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png) @@ -463,7 +498,7 @@ Intune for Education provides an **Express configuration** option so you can get For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant. - **Figure 28** - Apps inventory in Microsoft Store for Education + **Figure 31** - Apps inventory in Microsoft Store for Education ![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png) 
@@ -478,40 +513,40 @@ Now that you've bought the apps, use Intune for Education to specify the group t 1. In the Intune for Education console, click the **Groups** option from the menu on the left. - **Figure 29** - Groups page in Intune for Education + **Figure 32** - Groups page in Intune for Education ![Groups page in Intune for Education](images/i4e_groupspage.png) 2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page. - **Figure 30** - List of all users in the tenant + **Figure 33** - List of all users in the tenant ![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png) 3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps. - **Figure 31** - Edit apps to assign them to users + **Figure 34** - Edit apps to assign them to users ![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png) 4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select. - **Figure 32** - Select the apps to deploy to the group + **Figure 35** - Select the apps to deploy to the group ![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png) 5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group. 6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected. - **Figure 33** - Updated list of assigned apps + **Figure 36** - Updated list of assigned apps ![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png) You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud. -## 5. 
Set up Windows 10 devices +## 6. Set up Windows 10 devices -### 5.1 Set up devices using Set up School PCs or Windows OOBE +### 6.1 Set up devices using Set up School PCs or Windows OOBE We recommend using the latest build of Windows 10, version 1703 on your education devices. To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options: - **Option 1: [Use the Set up School PCs app](#usesetupschoolpcs)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices. - **Option 2: [Go through Windows OOBE and join the device to Azure AD](#usewindowsoobandjoinaad)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device. @@ -551,13 +586,13 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm 1. If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection. 2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen. - **Figure 34** - Let's start with region + **Figure 37** - Let's start with region ![Let's start with region](images/win10_letsstartwithregion.png) 3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**. - **Figure 35** - Select setup for an organization + **Figure 38** - Select setup for an organization ![Select setup for an organization](images/win10_setupforanorg.png) @@ -566,7 +601,7 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm 6. Click **Accept** to go through the rest of device setup. -### 5.2 Verify correct device setup +### 6.2 Verify correct device setup Verify that the device is set up correctly and boots without any issues. **Verify that the device was set up correctly** 
@@ -576,11 +611,11 @@ Verify that the device is set up correctly and boots without any issues. > [!NOTE] > It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user. - **Figure 36** - Sample list of apps for a user + **Figure 39** - Sample list of apps for a user ![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png) -### 5.3 Verify the device is Azure AD joined +### 6.3 Verify the device is Azure AD joined Let's now verify that the device is joined to your organization's Azure AD and shows up as being managed in Microsoft Intune for Education. **Verify if the device is joined to Azure AD** @@ -588,7 +623,7 @@ Let's now verify that the device is joined to your organization's Azure AD and s 2. Select **Groups** and select **All Devices**. 3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list. - **Figure 37** - List of all managed devices + **Figure 40** - List of all managed devices ![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png) 
@@ -596,23 +631,23 @@ Let's now verify that the device is joined to your organization's Azure AD and s 5. Select **Accounts > Access work or school**. 6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD. - **Figure 38** - Confirm that the Windows 10 device is joined to Azure AD + **Figure 41** - Confirm that the Windows 10 device is joined to Azure AD ![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png) **That's it! You're done!** You've completed basic cloud setup, deployment, and management using Microsoft Education. You can continue follow the rest of the walkthrough to finish setup and complete other tasks. -## 6. Finish setup and other tasks +## 7. Finish setup and other tasks -### 6.1 Update group settings in Intune for Education +### 7.1 Update group settings in Intune for Education If you need to make changes or updates to any of the apps or settings for the group(s), follow these steps. 1. Log in to the Intune for Education console. 2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page. 3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on. - **Figure 39** - See the list of available settings in Intune for Education + **Figure 42** - See the list of available settings in Intune for Education ![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png) 
@@ -622,7 +657,7 @@ If you need to make changes or updates to any of the apps or settings for the gr 5. Click **Save** or **Discard changes**. -### 6.2 Configure Azure settings +### 7.2 Configure Azure settings After completing the basic setup for your cloud infrastructure and confirming that it is up and running, it's time to prepare for additional devices to be added and enable capabilities for the user to use. #### Enable many devices to be added by a single person @@ -634,7 +669,7 @@ Follow the steps in this section to enable a single person to add many devices t 2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, https://portal.azure.com. 3. Select **Azure Active Directory > Users and groups > Device settings**. - **Figure 40** - Device settings in the new Azure portal + **Figure 43** - Device settings in the new Azure portal ![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png) 
@@ -651,22 +686,22 @@ Follow the steps in this section to ensure that settings for the each user follo 3. Select **Azure Active Directory > Users and groups > Device settings**. 4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**. - **Figure 41** - Enable settings to roam with users + **Figure 44** - Enable settings to roam with users ![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png) 5. Click **Save** to update device settings. -### 6.3 Complete Office 365 for Education setup +### 7.3 Complete Office 365 for Education setup Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the Office 365 admin documentation. -### 6.4 Add more users +### 7.4 Add more users After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education. See Add users to Office 365 to learn more. Once you're done adding new users, go to the Intune for Education console and verify that the same users were added to the Intune for Education groups as well. -### 6.5 Connect other devices to your cloud infrastructure -Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [5. Set up Windows 10 devices](#5-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected. 
+### 7.5 Connect other devices to your cloud infrastructure +Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [6. Set up Windows 10 devices](#6-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected. > [!NOTE] > These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device. @@ -679,7 +714,7 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information. - **Figure 42** - Device is now managed by Intune for Education + **Figure 45** - Device is now managed by Intune for Education ![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png) 
@@ -689,11 +724,11 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can 5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources. - **Figure 43** - Device is connected to organization's MDM + **Figure 46** - Device is connected to organization's MDM ![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png) -6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [5.3 Verify the device is Azure AD joined](#53-verify-the-device-is-azure-ad-joined). +6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [6.3 Verify the device is Azure AD joined](#63-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later. diff --git a/education/get-started/images/microsoft_education_it_getstarted_workflow.png b/education/get-started/images/microsoft_education_it_getstarted_workflow.png new file mode 100644 index 0000000000..ebcaa2add9 Binary files /dev/null and b/education/get-started/images/microsoft_education_it_getstarted_workflow.png differ diff --git a/education/get-started/images/o365_msteams_settings.PNG b/education/get-started/images/o365_msteams_settings.PNG new file mode 100644 index 0000000000..0e3dab4886 Binary files /dev/null and b/education/get-started/images/o365_msteams_settings.PNG differ 
diff --git a/education/get-started/images/o365_msteams_turnon.PNG b/education/get-started/images/o365_msteams_turnon.PNG new file mode 100644 index 0000000000..95588d5031 Binary files /dev/null and b/education/get-started/images/o365_msteams_turnon.PNG differ diff --git a/education/get-started/images/o365_settings_services_msteams.PNG b/education/get-started/images/o365_settings_services_msteams.PNG new file mode 100644 index 0000000000..ca4dee07ac Binary files /dev/null and b/education/get-started/images/o365_settings_services_msteams.PNG differ diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 00af76258b..e3cec30bb9 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -1,6 +1,7 @@ --- title: Change history for Windows 10 for Education (Windows 10) description: New and changed topics in Windows 10 for Education +keywords: Windows 10 education documentation, change history ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 27bf9b1c63..a192cd0edf 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -2,7 +2,7 @@ title: Chromebook migration guide (Windows 10) description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA -keywords: migrate, automate, device +keywords: migrate, automate, device, Chromebook migration ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 715ba27c8a..03caa021e6 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md 
@@ -1,7 +1,7 @@ --- title: Windows 10 configuration recommendations for education customers description: Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. -keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school", "education", "configurations"] +keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations ms.mktglfcycl: plan ms.sitesec: library localizationpriority: high diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 4037a7093e..1669188d1a 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -1,7 +1,7 @@ --- title: Deploy Windows 10 in a school district (Windows 10) description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use System Center Configuration Manager, Intune, and Group Policy to manage devices. -keywords: configure, tools, device, school +keywords: configure, tools, device, school district, deploy Windows 10 ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: edu diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index e81b0dbbd7..8c0efa4efe 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md 
@@ -1,7 +1,7 @@ --- title: Deploy Windows 10 in a school (Windows 10) description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. -keywords: configure, tools, device, school +keywords: configure, tools, device, school, deploy Windows 10 ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: edu diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index ceecbfb175..e10a79af57 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -1,7 +1,7 @@ --- title: Deployment recommendations for school IT administrators description: Provides guidance on ways to customize the OS privacy settings, as well as some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. -keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school"] +keywords: Windows 10 deployment, recommendations, privacy settings, school ms.mktglfcycl: plan ms.sitesec: library localizationpriority: high diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index 77b128ce18..f9dbde2df7 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md 
@@ -1,7 +1,7 @@ --- title: Education scenarios Microsoft Store for Education description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools. -keywords: ["school", "store for business"] +keywords: school, Microsoft Store for Education, Microsoft education store ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 1e81d3437e..595d935f57 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -1,7 +1,7 @@ --- title: Get Minecraft Education Edition description: Learn how to get and distribute Minecraft Education Edition. -keywords: school, minecraft +keywords: school, Minecraft, education edition ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index a07b93cce8..2d28eccfc9 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -1,7 +1,7 @@ --- title: For IT administrators get Minecraft Education Edition description: Learn how IT admins can get and distribute Minecraft in their schools. -keywords: ["school"] +keywords: Minecraft, Education Edition, IT admins, acquire ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 9a8c59b2c6..81edf2b7a9 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md 
@@ -1,7 +1,7 @@ --- title: Set up student PCs to join domain description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. -keywords: school +keywords: school, student PC setup, Windows Configuration Designer ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 401f60f084..bcb92096ac 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -1,7 +1,7 @@ --- title: Provision student PCs with apps description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. -keywords: ["shared cart", "shared PC", "school"] +keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 5aa6b3ed7b..2e60824894 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -1,7 +1,7 @@ --- title: Take a Test app technical reference description: The policies and settings applied by the Take a Test app. -keywords: take a test, test taking, school +keywords: take a test, test taking, school, policies ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 18d4fc79ab..19b0f65e62 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md 
@@ -1,7 +1,7 @@ --- title: Set up Take a Test on multiple PCs description: Learn how to set up and use the Take a Test app on multiple PCs. -keywords: ["take a test", "test taking", "school"] +keywords: take a test, test taking, school, set up on multiple PCs ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index c7b5339f40..19053b9c55 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -1,7 +1,7 @@ --- title: Set up Take a Test on a single PC description: Learn how to set up and use the Take a Test app on a single PC. -keywords: take a test, test taking, school +keywords: take a test, test taking, school, set up on single PC ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 361dbff702..c526121def 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -1,7 +1,7 @@ --- title: Take tests in Windows 10 description: Learn how to set up and use the Take a Test app. -keywords: take a test, test taking, school +keywords: take a test, test taking, school, how to, use Take a Test ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 36de86549d..24cf0d3cb4 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -1,7 +1,7 @@ --- title: For teachers get Minecraft Education Edition description: Learn how teachers can get and distribute Minecraft. -keywords: ["school", "minecraft"] +keywords: school, Minecraft, Education Edition, educators, teachers, acquire, distribute ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library 
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 7338cfbdc0..bba42e5d55 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -1,7 +1,7 @@ --- title: Use Set up School PCs app description: Learn how the Set up School PCs app works and how to use it. -keywords: shared cart, shared PC, school, set up school pcs +keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json index 22574d09a4..2a01ff236f 100644 --- a/windows/access-protection/docfx.json +++ b/windows/access-protection/docfx.json @@ -33,7 +33,9 @@ "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows" + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "justinha" }, "fileMetadata": {}, "template": [], diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index cc2687ac6a..62b8aeb9de 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -33,7 +33,9 @@ "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows" + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "elizapo" }, "fileMetadata": {}, "template": [], diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index b42d904675..72ba73ffff 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json 
@@ -33,7 +33,9 @@ "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows" + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "dongill" }, "fileMetadata": {}, "template": [], diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index 9e4397cd87..f9b0e89ad4 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -33,7 +33,9 @@ "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows" + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "jdecker" }, "fileMetadata": {}, "template": [], diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index 3c58607382..3df45b300e 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -33,7 +33,9 @@ "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows" + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "greglin" }, "fileMetadata": {}, "template": [], diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md index 9305ed157e..d4f7015047 100644 --- a/windows/device-security/TOC.md +++ b/windows/device-security/TOC.md @@ -649,6 +649,7 @@ ## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md) ### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md) +### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md) ### [TPM fundamentals](tpm/tpm-fundamentals.md) ### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md) ### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md) 
diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json index c0e36621af..ebbbf433db 100644 --- a/windows/device-security/docfx.json +++ b/windows/device-security/docfx.json @@ -33,7 +33,9 @@ "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows" + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "justinha" }, "fileMetadata": {}, "template": [], diff --git a/windows/device-security/images/tpm-capabilities.png b/windows/device-security/images/tpm-capabilities.png new file mode 100644 index 0000000000..aecbb68522 Binary files /dev/null and b/windows/device-security/images/tpm-capabilities.png differ diff --git a/windows/device-security/images/tpm-remote-attestation.png b/windows/device-security/images/tpm-remote-attestation.png new file mode 100644 index 0000000000..fa092591a1 Binary files /dev/null and b/windows/device-security/images/tpm-remote-attestation.png differ diff --git a/windows/device-security/tpm/how-windows-uses-the-tpm.md b/windows/device-security/tpm/how-windows-uses-the-tpm.md new file mode 100644 index 0000000000..9c4c75440a --- /dev/null +++ b/windows/device-security/tpm/how-windows-uses-the-tpm.md 
@@ -0,0 +1,274 @@ +--- +title: How Windows 10 uses the TPM (Windows 10) +description: This topic for the IT professional has an overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows 10. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# How Windows 10 uses the TPM + +Windows 10 improves existing security features and adds new groundbreaking security features such as Device Guard and Windows Hello for Business. +It places hardware-based security deeper inside the operating system than previous Windows versions, maximizing platform security while increasing usability. +To achieve many of these security enhancements, Windows 10 makes extensive use of the Trusted Platform Module (TPM). + +This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows 10—as well as the cumulative security impact of running Windows 10 on a PC that contains a TPM. + +**See also** + +- [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) +- [TPM Fundamentals](tpm-fundamentals.md) +- [TPM Recommendations](tpm-recommendations.md) + +## TPM Overview + +The TPM is a cryptographic module that enhances computer security and privacy. +Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security. +The TPM helps with all these scenarios and more. + +Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. +Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. +Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. 
+Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. + +TPMs are passive: they receive commands and return responses. +To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. +TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. +Before it can be used for advanced scenarios, however, a TPM must be provisioned. +Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. + +The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. +The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. +The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). + +OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. +Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. +For example, software alone cannot reliably report whether malware is present during the system startup process. 
+The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. +Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. +For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly cannot leave the TPM*. + +The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. +There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. +In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not. + +Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. +Although having a TPM is clearly better than not having a TPM, Microsoft’s best advice is to determine your organization’s security needs and research any regulatory requirements associated with procurement for your industry. +The result is a balance between scenarios used, assurance level, cost, convenience, and availability. + +## TPM in Windows 10 + +The security features of Windows 10 combined with the benefits of a TPM offer practical security and privacy benefits. +The following sections start with major TPM-related security features in Windows 10 and go on to describe how key technologies use the TPM to enable or increase security. + +## Platform Crypto Provider + +Historically, Windows has included a cryptography framework called *Cryptographic API: Next Generation* (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). 
+Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself. + +Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. +Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third party hardware. +If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG. + +The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software only CNG providers cannot offer or cannot offer as effectively: + +- **Key protection.** The Platform Crypto Provider can create keys in the TPM with restrictions on their use. + The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. + The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. + If a TPM creates a key, the key is unique and resides only in that TPM. + If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making additional copies of the key or enabling the use of copies elsewhere. + In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. + +- **Dictionary attack protection.** Keys that a TPM protects can require an authorization value such as a PIN. + With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. 
+ After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. + Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. + In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. + +These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. +A practical way to see these benefits in action is when using certificates on a Windows 10 device. +On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. +Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. +In mixed environments, where some computers might not have a TPM, the certificate template could simply prefer the Platform Crypto Provider over the standard Windows software provider. +If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. +If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically. + +## Virtual Smart Card + +Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. +Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. +Windows can then access the card’s certificate and use the private key for authentication or to unlock BitLocker protected data volumes. 
+Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). +Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers. + +In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. +The TPM becomes “something the user has” but still requires a PIN. +Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM’s dictionary attack protection to prevent too many PIN guesses. + +For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. +Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates “lost card” and “card left at home” scenarios while still delivering the benefits of smart card–based multifactor authentication. +For users, virtual smart cards are simple to use, requiring only a PIN to unlock. +Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. + +## Windows Hello for Business + +Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. +In addition, user name- password solutions for authentication often reuse the same user name–password combinations on multiple devices and services; if those credentials are compromised, they are compromised in many places. 
+Windows Hello for Business provisions devices one by one and combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. +On a system that has a TPM, the TPM can protect the key. +If a system does not have a TPM, software-based techniques protect the key. +The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. +To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices. + +The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. +Windows Hello for Business lets a user authenticate with an existing Microsoft account, an Active Directory account, an Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](http://go.microsoft.com/fwlink/p/?LinkId=533889). + +Identity providers have flexibility in how they provision credentials on client devices. +For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. +The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1): + +- **Endorsement key.** The TPM manufacturer can create a special key in the TPM called an endorsement key. + An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that that manufacturer made. + Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM). 
+ +- **Attestation identity key.** To protect privacy, most TPM scenarios do not directly use an actual endorsement key. + Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. + The identity CA issues attestation identity key certificates. + More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. + +![TPM capabilities](..\images\tpm-capabilities.png) +*Figure 1 TPM capabilities* + +For Windows Hello for Business, Microsoft can fill the role of the identity CA. +Microsoft services can issue an attestation identity key certificate for each device, user, and identify provider to ensure that privacy is protected and to help identity providers ensure that device TPM requirements are met before Windows Hello for Business credentials are provisioned. + +## BitLocker Drive Encryption + +BitLocker provides full-volume encryption to protect data at rest. +The most common device configuration splits the hard drive into several volumes. +The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. +(These other volumes are used infrequently enough that they do not need to be visible to users.) +Without additional protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system’s enforcement of file permissions to read any user data. 
+ +In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. +When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. +If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. +The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. +BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. +The system firmware and TPM are carefully designed to work together to provide the following capabilities: + +- **Hardware root of trust for measurement.** A TPM allows software to send it commands that record measurements of software or configuration information. + This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. + The system firmware has a component called the *Core Root of Trust for Measurement* (CRTM) that is implicitly trusted. + The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) 
The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. + +- **Key used only when boot measurements are accurate.** BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. + The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. 
Organizations can configure BitLocker to store the recovery key in Active Directory Domain Services (AD DS). + +Device hardware characteristics are important to BitLocker and its ability to protect data. +One consideration is whether the device provides attack vectors when the system is at the logon screen. +For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. +To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. +The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. +This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. + +Newer hardware and Windows 10 work better together to disable direct memory access through ports and reduce attack vectors. +The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. +The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot. + +## Device Encryption + +Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. +How it works is if a customer signs in with a Microsoft account and the system meets InstantGo hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10. +The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. 
+The InstantGo hardware requirements inform Windows 10 that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. +In addition, InstantGo hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key. + +For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. +This permits servicing of components without changing the resulting measurement values. +For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. +These values also change less frequently. +The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data. + +## Measured Boot + +Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system. +In previous Windows versions, the measurement chain stopped at the Windows Boot Manager component itself, and the measurements in the TPM were not helpful for understanding the starting state of Windows. + +The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. +For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. 
+For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off). + +Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. +If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. +Other scenarios can use the operating system’s starting state to determine whether the running operating system should be trusted. + +TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. +As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. +Therefore, the set of measurements does not include details about which applications are in use or how Windows is being used. +Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and did not start with malware. + +The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot: + +- **Remote attestation.** Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or *quote*) of the current measurements in the TPM. + Windows 10 can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. + Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. + By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. 
+ An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. + *Remote attestation* is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. + Figure 2 illustrates this process. + +When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. +Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. + +![Remote attestation](..\images\tpm-remote-attestation.png) +*Figure 2 Remote attestation* + +## Health attestation + +Some Windows 10 improvements help security solutions implement remote attestation scenarios. +Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. +The simple security assertions can be used to evaluate device health. + +Mobile device management (MDM) solutions can receive simple security assertions from the Microsoft Health Attestation service for a client without having to deal with the complexity of the quote or the detailed TPM measurements. +MDM solutions can act on the security information by quarantining unhealthy devices or blocking access to cloud services such as Microsoft Office 365. + +## Credential Guard + +Credential Guard is a new feature in Windows 10 that helps protect Windows credentials in organizations that have deployed AD DS. +Historically, a user’s credentials (e.g., logon password) was hashed to generate an authorization token. +The user employed the token to access resources that he or she was permitted to use. 
One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. +The attacker could then use harvested tokens to log on to other machines and collect more credentials. +This kind of attack is called a “*pass-the-hash*” attack, a malware technique that infects one machine to infect many machines across an organization. + +Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. +This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. +Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. +The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return. + +The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it cannot access the secrets inside the isolated memory area that actually generates authorization tokens handles. +The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows 10. + +## Conclusion + +The TPM adds hardware-based security benefits to Windows 10. +When installed on hardware that includes a TPM, Window 10 delivers remarkably improved security benefits. 
+The following table summarizes the key benefits of the TPM’s major features. + +| **Feature** | **Benefits when used on a system with a TPM**| +|----------------------------|----------------------------------------------| +| Platform Crypto Provider | - If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
- The TPM’s dictionary attack mechanism protects PIN values to use a certificate.
| +| Virtual Smart Card | - Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.| +| Windos Hello for Business | - Credentials provisioned on a device cannot be copied elsewhere.
- Confirm a device’s TPM before credentials are provisioned.
| +| BitLocker Drive Encryption | - Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware. | +| Device Encryption | - With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection. | +| Measured Boot | - A hardware root of trust contains boot measurements that help detect malware during remote attestation. | +| Health Attestation | - MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. | +| Credential Guard | - Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization. | + +Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows 10 security. +Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. +Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/iotcore). +IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements. diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md index 20d05b68d2..1b874b2988 100644 --- a/windows/device-security/tpm/tpm-recommendations.md +++ b/windows/device-security/tpm/tpm-recommendations.md 
@@ -100,8 +100,8 @@ The following table defines which Windows features require TPM support. | Windows Features | Windows 10 TPM 1.2 | Windows 10 TPM 2.0 | Details | |-------------------------|----------------------|----------------------|----------| -| Measured Boot | Required | Required | Measured boot requires TPM 1.2 or 2.0 and UEFI Secure boot. | -| Bitlocker | Required | Required | TPM 1.2 or later required or a removable USB memory device such as a flash drive. | +| Measured Boot | Required | Required | Measured boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. | +| Bitlocker | Required | Required | TPM 1.2 or later required or a removable USB memory device such as a flash drive. Please note that TPM 2.0 requires UEFI Secure Boot in order for BitLocker to work properly. | | Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. | | Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. | | Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. | @@ -120,4 +120,4 @@ Government customers and enterprise customers in regulated industries may have a ## Related topics -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) \ No newline at end of file +- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index e134b0e320..8c9110e8b7 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -35,7 +35,9 @@ "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows" + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "brianlic" }, "fileMetadata": {}, "template": [], 
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json index 1078120934..d0865639cb 100644 --- a/windows/threat-protection/docfx.json +++ b/windows/threat-protection/docfx.json @@ -33,7 +33,9 @@ "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows" + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "justinha" }, "fileMetadata": {}, "template": [], diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 3c9739ce2e..bdecd75985 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -33,7 +33,9 @@ "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows" + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "trudyha" }, "fileMetadata": {}, "template": [],
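Review bot: the Credential Guard section of the how-windows-uses-the-tpm hunk conflates two different objects when it describes pass-the-hash. It first says the logon password "was hashed to generate an authorization token", then says malware "could look through the computer's memory and harvest all the access tokens currently in use" and that "the attacker could then use harvested tokens to log on to other machines"; what is replayed in a pass-the-hash attack is the stored credential hash, not a Windows access token, and "a malware technique that infects one machine to infect many machines" describes propagation rather than the attack itself. Suggest rewording along the lines of "malware running in the kernel could read the credential hashes held in memory and replay them to authenticate to other machines", and make the earlier sentence grammatical ("credentials ... were hashed"). Also in this hunk: "the isolated memory area that actually generates authorization tokens handles" has a stray "handles"; "Windos Hello for Business" in the summary table and "Window 10 delivers" in the Conclusion are typos that will render as-is; the heading "## Health attestation" is the only one not in title case next to "## Device Encryption", "## Measured Boot" and "## Credential Guard"; and the figure reference `![Remote attestation](..\images\tpm-remote-attestation.png)` uses backslashes, which are not reliably resolved as path separators in markdown image links, so it should read `../images/tpm-remote-attestation.png`.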
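Review bot: the sentence added to the Bitlocker row of tpm-recommendations.md, "Please note that TPM 2.0 requires UEFI Secure Boot in order for BitLocker to work properly", states a hard requirement without the reason or the symptom a reader will hit, and "Please note" is filler. Suggest stating it directly and naming what to check, e.g. "TPM 2.0 is supported only when the firmware boots in native UEFI mode with Secure Boot enabled; on a device that boots in legacy BIOS or CSM mode, BitLocker cannot use a TPM 2.0 protector." The same line is also the place to make the feature label match the prose: the row is labelled "Bitlocker" while the detail text says "BitLocker".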
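Review bot: the three docfx.json hunks (windows/hub, windows/threat-protection, windows/whats-new) put `"ms.topic": "article"` and a single `"ms.author"` into `globalMetadata`, which applies both values to every file in each docset, including hub and landing pages that are not articles, with no per-file exception. If some pages in these folders need a different topic type or a different owner, put the exceptions under the `"fileMetadata": {}` object that sits empty directly below, or set the value in those pages' front matter, which takes precedence over both; and confirm that the matching `author` (GitHub alias) metadata is set for the same pages so the two ownership fields do not disagree.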